diff --git a/.gitignore b/.gitignore index 9841e0daea..8195f14f24 100644 --- a/.gitignore +++ b/.gitignore @@ -10,6 +10,7 @@ Tools/NuGet/ *.ini _themes*/ common/ +.vscode/ .openpublishing.build.mdproj .openpublishing.buildcore.ps1 packages.config diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 1fc2ec8e56..5b224029ba 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -1,5 +1,65 @@ { "redirections": [ + { + "source_path": "windows/configuration/wcd/wcd-embeddedlockdownprofiles.md", + "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5", + "redirect_document_id": false + }, + { + "source_path": "windows/configuration/mobile-devices/configure-mobile.md", + "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5", + "redirect_document_id": false + }, + { + "source_path": "windows/configuration/mobile-devices/lockdown-xml.md", + "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5", + "redirect_document_id": false + }, + { + "source_path": "windows/configuration/mobile-devices/mobile-lockdown-designer.md", + "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5", + "redirect_document_id": false + }, + { + "source_path": "windows/configuration/mobile-devices/product-ids-in-windows-10-mobile.md", + "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5", + "redirect_document_id": false + }, + { + "source_path": "windows/configuration/mobile-devices/provisioning-configure-mobile.md", + "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5", + "redirect_document_id": false + }, + { + "source_path": "windows/configuration/mobile-devices/provisioning-nfc.md", + "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5", + "redirect_document_id": false + }, + { + "source_path": "windows/configuration/mobile-devices/provisioning-package-splitter.md", + "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5", + "redirect_document_id": false + }, + { + "source_path": "windows/configuration/mobile-devices/settings-that-can-be-locked-down.md", + "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5", + "redirect_document_id": false + }, + { + "source_path": "windows/configuration/mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md", + "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5", + "redirect_document_id": false + }, + { + "source_path": "windows/configuration/mobile-devices/start-layout-xml-mobile.md", + "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5", + "redirect_document_id": false + }, + { + "source_path": "windows/whats-new/windows-11.md", + "redirect_url": "/windows/whats-new/windows-11-whats-new", + "redirect_document_id": false + }, { "source_path": "windows/configuration/use-json-customize-start-menu-windows.md", "redirect_url": "/windows/configuration/customize-start-menu-layout-windows-11", @@ -6632,22 +6692,22 @@ }, { "source_path": "windows/manage/set-up-a-kiosk-for-windows-10-for-mobile-edition.md", - "redirect_url": "/windows/configuration/mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition", + "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5", "redirect_document_id": false }, { "source_path": "windows/manage/lockdown-xml.md", - "redirect_url": "/windows/configuration/mobile-devices/lockdown-xml", + "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5", "redirect_document_id": false }, { "source_path": "windows/manage/settings-that-can-be-locked-down.md", - "redirect_url": "/windows/configuration/mobile-devices/settings-that-can-be-locked-down", + "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5", "redirect_document_id": false }, { "source_path": "windows/manage/product-ids-in-windows-10-mobile.md", - "redirect_url": "/windows/configuration/mobile-devices/product-ids-in-windows-10-mobile", + "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5", "redirect_document_id": false }, { @@ -6677,7 +6737,7 @@ }, { "source_path": "windows/manage/start-layout-xml-mobile.md", - "redirect_url": "/windows/configuration/mobile-devices/start-layout-xml-mobile", + "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5", "redirect_document_id": false }, { @@ -6842,7 +6902,7 @@ }, { "source_path": "windows/deploy/provisioning-nfc.md", - "redirect_url": "/windows/configuration/provisioning-packages/provisioning-nfc", + "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5", "redirect_document_id": false }, { @@ -7597,7 +7657,7 @@ }, { "source_path": "windows/configure/configure-mobile.md", - "redirect_url": "/windows/configuration/mobile-devices/configure-mobile", + "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5", "redirect_document_id": false }, { @@ -7762,7 +7822,7 @@ }, { "source_path": "windows/configure/lockdown-xml.md", - "redirect_url": "/windows/configuration/mobile-devices/lockdown-xml", + "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5", "redirect_document_id": false }, { @@ -7782,12 +7842,12 @@ }, { "source_path": "windows/configure/mobile-lockdown-designer.md", - "redirect_url": "/windows/configuration/mobile-devices/mobile-lockdown-designer", + "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5", "redirect_document_id": false }, { "source_path": "windows/configure/product-ids-in-windows-10-mobile.md", - "redirect_url": "/windows/configuration/mobile-devices/product-ids-in-windows-10-mobile", + "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5", "redirect_document_id": false }, { @@ -7817,7 +7877,7 @@ }, { "source_path": "windows/configure/provisioning-configure-mobile.md", - "redirect_url": "/windows/configuration/mobile-devices/provisioning-configure-mobile", + "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5", "redirect_document_id": false }, { @@ -7842,12 +7902,12 @@ }, { "source_path": "windows/configure/provisioning-nfc.md", - "redirect_url": "/windows/configuration/mobile-devices/provisioning-nfc", + "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5", "redirect_document_id": false }, { "source_path": "windows/configure/provisioning-package-splitter.md", - "redirect_url": "/windows/configuration/mobile-devices/provisioning-package-splitter", + "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5", "redirect_document_id": false }, { @@ -7887,7 +7947,7 @@ }, { "source_path": "windows/configure/set-up-a-kiosk-for-windows-10-for-mobile-edition.md", - "redirect_url": "/windows/configuration/mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition", + "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5", "redirect_document_id": false }, { @@ -7897,7 +7957,7 @@ }, { "source_path": "windows/configure/settings-that-can-be-locked-down.md", - "redirect_url": "/windows/configuration/mobile-devices/settings-that-can-be-locked-down", + "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5", "redirect_document_id": false }, { @@ -7907,7 +7967,7 @@ }, { "source_path": "windows/configure/start-layout-xml-mobile.md", - "redirect_url": "/windows/configuration/mobile-devices/start-layout-xml-mobile", + "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5", "redirect_document_id": false }, { @@ -18956,11 +19016,137 @@ "redirect_document_id": false }, { - "source_path": "windows/privacy/data-processor-service-for-windows-enterprise-public-preview-terms.md", - "redirect_url": "/windows/privacy/windows-10-and-privacy-compliance", + "source_path": "windows/security/identity-protection/change-history-for-access-protection.md", + "redirect_url": "/windows/security/", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md", + "redirect_url": "/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-deployment", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md", + "redirect_url": "/windows/deployment/deploy-windows-mdt/create-a-windows-11-reference-image", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md", + "redirect_url": "/windows/deployment/deploy-windows-mdt/deploy-a-windows-11-image-using-mdt", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md", + "redirect_url": "/windows/deployment/deploy-windows-mdt/refresh-a-windows-10-computer-with-windows-11", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md", + "redirect_url": "/windows/deployment/deploy-windows-mdt/replace-a-windows-10-computer-with-a-windows-11-computer", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md", + "redirect_url": "/windows/deployment/deploy-windows-mdt/simulate-a-windows-11-deployment-in-a-test-environment", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md", + "redirect_url": "/windows/deployment/deploy-windows-mdt/upgrade-to-windows-11-with-the-microsoft-deployment-toolkit", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md", + "redirect_url": "/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-11-deployment-information", "redirect_document_id": false }, - + { + "source_path": "windows/deploy-windows-cm/upgrade-to-windows-with-configuraton-manager.md", + "redirect_url": "/windows/deploy-windows-cm/upgrade-to-windows-with-configuration-manager", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/update/waas-deployment-rings-windows-10-updates.md", + "redirect_url": "/windows/deployment/update/waas-servicing-strategy-windows-10-updates", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/update/waas-servicing-differences.md", + "redirect_url": "/windows/deployment/update/waas-servicing-strategy-windows-10-updates", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/update/wufb-autoupdate.md", + "redirect_url": "/windows/deployment/update/waas-manage-updates-wufb", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/update/wufb-basics.md", + "redirect_url": "/windows/deployment/update/waas-manage-updates-wufb", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/update/wufb-managedrivers.md", + "redirect_url": "/windows/deployment/update/waas-manage-updates-wufb", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/update/wufb-manageupdate.md", + "redirect_url": "/windows/deployment/update/waas-manage-updates-wufb", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/update/wwufb-onboard.md", + "redirect_url": "/windows/deployment/update/waas-manage-updates-wufb", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/update/feature-update-conclusion.md", + "redirect_url": "/windows/deployment/update/waas-manage-updates-wufb", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/update/waas-wufb-intune.md", + "redirect_url": "/windows/deployment/update/waas-manage-updates-wufb", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/update/feature-update-maintenance-window.md", + "redirect_url": "/windows/deployment/update/waas-manage-updates-wufb", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/update/feature-update-mission-critical.md", + "redirect_url": "/windows/deployment/waas-manage-updates-wufb", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/windows-security-baselines.md", + "redirect_url": "/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/update/change-history-for-update-windows-10.md", + "redirect_url": "/windows/deployment/deploy-whats-new", + "redirect_document_id": true + }, + { + "source_path": "windows/client-management/mdm/policy-csp-admx-windowsanytimeupgrade.md", + "redirect_url": "/windows/client-management/mdm/policy-csp-admx-wordwheel", + "redirect_document_id": true + + }, + { + "source_path": "windows/client-management/mdm/policy-csp-admx-windowsfileprotection.md", + "redirect_url": "/windows/client-management/mdm/policy-csp-admx-mobilepcpresentationsettings", + "redirect_document_id": true + + }, + { + "source_path": "windows/client-management/mdm/policy-csp-admx-skydrive.md", + "redirect_url": "/windows/client-management/mdm/policy-csp-admx-shellcommandpromptregedittools", + "redirect_document_id": true + } - ] + ] } diff --git a/.vscode/settings.json b/.vscode/settings.json deleted file mode 100644 index f66a07d2e4..0000000000 --- a/.vscode/settings.json +++ /dev/null @@ -1,5 +0,0 @@ -{ - "cSpell.words": [ - "emie" - ] -} \ No newline at end of file diff --git a/windows/application-management/add-apps-and-features.md b/windows/application-management/add-apps-and-features.md index 30c4423927..557504605e 100644 --- a/windows/application-management/add-apps-and-features.md +++ b/windows/application-management/add-apps-and-features.md @@ -16,9 +16,10 @@ ms.topic: article # Add or hide features on the Windows client OS -> Applies to: -> -> - Windows 10 +**Applies to**: + +- Windows 10 +- Windows 11 The Windows client operating systems include more features that you and your users can install. These features are called [Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities) (opens another Microsoft web site), and can be installed at any time. On your organization-owned devices, you may want to control access to these other features. diff --git a/windows/application-management/app-v/appv-add-or-remove-an-administrator-with-the-management-console.md b/windows/application-management/app-v/appv-add-or-remove-an-administrator-with-the-management-console.md index 2b8eb78f4d..ba98c209b2 100644 --- a/windows/application-management/app-v/appv-add-or-remove-an-administrator-with-the-management-console.md +++ b/windows/application-management/app-v/appv-add-or-remove-an-administrator-with-the-management-console.md @@ -1,5 +1,5 @@ --- -title: How to Add or Remove an Administrator by Using the Management Console (Windows 10) +title: How to Add or Remove an Administrator by Using the Management Console (Windows 10/11) description: Add or remove an administrator on the Microsoft Application Virtualization (App-V) server by using the Management Console. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # How to add or remove an administrator by using the Management Console ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Use the following procedures to add or remove an administrator on the Microsoft Application Virtualization (App-V) server. diff --git a/windows/application-management/app-v/appv-add-or-upgrade-packages-with-the-management-console.md b/windows/application-management/app-v/appv-add-or-upgrade-packages-with-the-management-console.md index d09522b1ba..a91752fa7d 100644 --- a/windows/application-management/app-v/appv-add-or-upgrade-packages-with-the-management-console.md +++ b/windows/application-management/app-v/appv-add-or-upgrade-packages-with-the-management-console.md @@ -1,5 +1,5 @@ --- -title: How to Add or Upgrade Packages by Using the Management Console (Windows 10) +title: How to Add or Upgrade Packages by Using the Management Console (Windows 10/11) description: Add or remove an administrator on the Microsoft Application Virtualization (App-V) server by using the Management Console. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # How to add or upgrade packages by using the Management Console ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] You can use the following procedure to add or upgrade a package to the App-V Management Console. To upgrade a package that already exists in the Management Console, use the following steps and import the upgraded package using the same package **Name**. diff --git a/windows/application-management/app-v/appv-administering-appv-with-powershell.md b/windows/application-management/app-v/appv-administering-appv-with-powershell.md index fd18bc7d76..92659b1ce8 100644 --- a/windows/application-management/app-v/appv-administering-appv-with-powershell.md +++ b/windows/application-management/app-v/appv-administering-appv-with-powershell.md @@ -1,5 +1,5 @@ --- -title: Administering App-V by using Windows PowerShell (Windows 10) +title: Administering App-V by using Windows PowerShell (Windows 10/11) description: Administer App-V by using Windows PowerShell and learn where to find more information about PowerShell for App-V. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # Administering App-V by using Windows PowerShell ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Microsoft Application Virtualization (App-V) supports Windows PowerShell cmdlets that give administrators a quick and easy way to manage App-V. The following sections will tell you more about how to use Windows PowerShell with App-V. diff --git a/windows/application-management/app-v/appv-administering-virtual-applications-with-the-management-console.md b/windows/application-management/app-v/appv-administering-virtual-applications-with-the-management-console.md index 9b26750d0e..32b6f0bef7 100644 --- a/windows/application-management/app-v/appv-administering-virtual-applications-with-the-management-console.md +++ b/windows/application-management/app-v/appv-administering-virtual-applications-with-the-management-console.md @@ -1,5 +1,5 @@ --- -title: Administering App-V Virtual Applications by using the Management Console (Windows 10) +title: Administering App-V Virtual Applications by using the Management Console (Windows 10/11) description: Administering App-V Virtual Applications by using the Management Console author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # Administering App-V Virtual Applications by using the Management Console ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Use the Microsoft Application Virtualization (App-V) management server to manage packages, connection groups, and package access in your environment. The server publishes application icons, shortcuts, and file type associations to authorized computers running the App-V client. One or more management servers typically share a common data store for configuration and package information. diff --git a/windows/application-management/app-v/appv-allow-administrators-to-enable-connection-groups.md b/windows/application-management/app-v/appv-allow-administrators-to-enable-connection-groups.md index af9ea8e786..728de7998a 100644 --- a/windows/application-management/app-v/appv-allow-administrators-to-enable-connection-groups.md +++ b/windows/application-management/app-v/appv-allow-administrators-to-enable-connection-groups.md @@ -1,5 +1,5 @@ --- -title: Only Allow Admins to Enable Connection Groups (Windows 10) +title: Only Allow Admins to Enable Connection Groups (Windows 10/11) description: Configure the App-V client so that only administrators, not users, can enable or disable connection groups. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # How to allow only administrators to enable connection groups ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] You can configure the App-V client so that only administrators, not users, can enable or disable connection groups. In earlier versions of App-V, there was no way to restrict access to disabling connection groups to users. diff --git a/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md b/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md index 130ad633ee..0c949d9dd5 100644 --- a/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md +++ b/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md @@ -1,5 +1,5 @@ --- -title: Application Publishing and Client Interaction (Windows 10) +title: Application Publishing and Client Interaction (Windows 10/11) description: Learn technical information about common App-V Client operations and their integration with the local operating system. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # Application publishing and client interaction ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] This article provides technical information about common App-V Client operations and their integration with the local operating system. diff --git a/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md b/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md index bf6f0effd2..a8a744e7e2 100644 --- a/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md +++ b/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md @@ -1,6 +1,6 @@ --- -title: Apply deployment config file via Windows PowerShell (Windows 10) -description: How to apply the deployment configuration file by using Windows PowerShell for Windows 10. +title: Apply deployment config file via Windows PowerShell (Windows 10/11) +description: How to apply the deployment configuration file by using Windows PowerShell for Windows 10/11. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy @@ -14,7 +14,7 @@ ms.topic: article --- # How to apply the deployment configuration file by using Windows PowerShell ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] When you add or set a package to a computer running the App-V client before it's been published, a dynamic deployment configuration file is applied to it. The dynamic deployment configuration file configures the default settings for the package that all users share on the computer running the App-V client. This section will tell you how to use a deployment configuration file. diff --git a/windows/application-management/app-v/appv-apply-the-user-configuration-file-with-powershell.md b/windows/application-management/app-v/appv-apply-the-user-configuration-file-with-powershell.md index 851e74f1e6..1650a46de5 100644 --- a/windows/application-management/app-v/appv-apply-the-user-configuration-file-with-powershell.md +++ b/windows/application-management/app-v/appv-apply-the-user-configuration-file-with-powershell.md @@ -1,6 +1,6 @@ --- -title: How to apply the user configuration file by using Windows PowerShell (Windows 10) -description: How to apply the user configuration file by using Windows PowerShell (Windows 10). +title: How to apply the user configuration file by using Windows PowerShell (Windows 10/11) +description: How to apply the user configuration file by using Windows PowerShell (Windows 10/11). author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy @@ -14,7 +14,7 @@ ms.topic: article --- # How to apply the user configuration file by using Windows PowerShell ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] When you publish a package to a specific user, you'll also need to specify a dynamic user configuration file to tell that package how to run. diff --git a/windows/application-management/app-v/appv-auto-batch-sequencing.md b/windows/application-management/app-v/appv-auto-batch-sequencing.md index fe2fe8690a..7875e506a1 100644 --- a/windows/application-management/app-v/appv-auto-batch-sequencing.md +++ b/windows/application-management/app-v/appv-auto-batch-sequencing.md @@ -1,5 +1,5 @@ --- -title: Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer) (Windows 10) +title: Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer) (Windows 10/11) description: How to automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer). author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,11 +14,11 @@ ms.topic: article --- # Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer) ->Applies to: Windows 10, version 1703 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Sequencing multiple apps at the same time requires you to install and start Microsoft Application Virtualization Sequencer (App-V Sequencer), and to install the necessary apps to collect any changes made to the operating system during the installation and building of the App-V package. -In Windows 10, version 1703, running the App-V Sequencer automatically captures and stores your customizations as an App-V project template (.appvt) file. If you want to make changes to this package later, your customizations will be automatically loaded from this template file. This is applicable to all of the sequencing scenarios: +Starting with Windows 10 version 1703, running the App-V Sequencer automatically captures and stores your customizations as an App-V project template (.appvt) file. If you want to make changes to this package later, your customizations will be automatically loaded from this template file. This is applicable to all of the sequencing scenarios: - Using the **New-BatchAppVSequencerPackages** cmdlet - Using the App-V Sequencer interface diff --git a/windows/application-management/app-v/appv-auto-batch-updating.md b/windows/application-management/app-v/appv-auto-batch-updating.md index 24651988b3..3ce6b6faac 100644 --- a/windows/application-management/app-v/appv-auto-batch-updating.md +++ b/windows/application-management/app-v/appv-auto-batch-updating.md @@ -1,5 +1,5 @@ --- -title: Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer) (Windows 10) +title: Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer) (Windows 10/11) description: How to automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer). author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,11 +14,11 @@ ms.topic: article --- # Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer) ->Applies to: Windows 10, version 1703 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Updating multiple apps at the same time follows a similar process to the one used for [automatically sequencing multiple apps at the same time](appv-auto-batch-sequencing.md). However, when updating, you'll also have to pass your previously created app package files to the App-V Sequencer cmdlet. -Starting with Windows 10, version 1703, running the New-BatchAppVSequencerPackages cmdlet or the App-V Sequencer interface captures and stores all of your customizations as an App-V project template. If you want to make changes to this package later, your customizations are automatically loaded from this template file. +Starting with Windows 10 version 1703, running the New-BatchAppVSequencerPackages cmdlet or the App-V Sequencer interface captures and stores all of your customizations as an App-V project template. If you want to make changes to this package later, your customizations are automatically loaded from this template file. >[!NOTE] >If you're trying to sequence multiple apps at the same time, see [Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-sequencing.md). diff --git a/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md b/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md index acf7bb3cdf..38ab629d22 100644 --- a/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md +++ b/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md @@ -1,5 +1,5 @@ --- -title: Auto-remove unpublished packages on App-V client (Windows 10) +title: Auto-remove unpublished packages on App-V client (Windows 10/11) description: How to automatically clean up any unpublished packages on your App-V client devices. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,9 +14,9 @@ ms.topic: article --- # Automatically clean up unpublished packages on the App-V client ->Applies to: Windows 10, version 1703 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] -If you wanted to free up additional storage space in previous versions of App-V, you would have had to manually remove your unpublished packages from your client devices. Windows 10, version 1703 introduces the ability to use PowerShell or Group Policy settings to automatically clean up your unpublished packages after restarting your device. +If you wanted to free up additional storage space in previous versions of App-V, you would have had to manually remove your unpublished packages from your client devices. Starting with Windows 10 version 1703, use PowerShell or Group Policy settings to automatically clean up your unpublished packages after restarting your device. ## Clean up with PowerShell cmdlets diff --git a/windows/application-management/app-v/appv-auto-provision-a-vm.md b/windows/application-management/app-v/appv-auto-provision-a-vm.md index 1acb2935e3..f9e98f0849 100644 --- a/windows/application-management/app-v/appv-auto-provision-a-vm.md +++ b/windows/application-management/app-v/appv-auto-provision-a-vm.md @@ -1,5 +1,5 @@ --- -title: Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer) (Windows 10) +title: Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer) (Windows 10/11) description: How to automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer) PowerShell cmdlet or the user interface. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,9 +14,9 @@ ms.topic: article --- # Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer) ->Applies to: Windows 10, version 1703 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] -Previous versions of the App-V Sequencer have required you to manually create your sequencing environment. Windows 10, version 1703 introduces two new PowerShell cmdlets, New-AppVSequencerVM and Connect-AppvSequencerVM, which automatically create your sequencing environment for you, including provisioning your virtual machine. +Previous versions of the App-V Sequencer have required you to manually create your sequencing environment. Starting with Windows 10 version 1703, the `New-AppVSequencerVM` and `Connect-AppvSequencerVM` Windows PowerShell cmdlets are available, which automatically create your sequencing environment for you, including provisioning your virtual machine. ## Automatic VM provisioning of the sequencing environment @@ -54,7 +54,7 @@ For this process to work, you must have a base operating system available as a V After you have a VHD file, you must provision your VM for auto-sequencing. -1. On the Host device, install Windows 10, version 1703 and the **Microsoft Application Virtualization (App-V) Auto Sequencer** component from the matching version of the Windows Assessment and Deployment Kit (ADK). For more info on how to install the App-V Sequencer, see [Install the App-V Sequencer](appv-install-the-sequencer.md). +1. On the Host device, install the Windows client and the **Microsoft Application Virtualization (App-V) Auto Sequencer** component from the matching version of the Windows Assessment and Deployment Kit (ADK). For more info on how to install the App-V Sequencer, see [Install the App-V Sequencer](appv-install-the-sequencer.md). 2. Make sure that Hyper-V is turned on. For more info about turning on and using Hyper-V, see [Hyper-V on Windows Server 2016](/windows-server/virtualization/hyper-v/Hyper-V-on-Windows-Server). 3. Open PowerShell as an admin and run the **New-AppVSequencerVM** cmdlet, using the following parameters: @@ -93,7 +93,7 @@ If your apps require custom prerequisites, such as Microsoft SQL Server, we reco #### Provision an existing VM -1. On the Host device, install Windows 10, version 1703 and the **Microsoft Application Virtualization (App-V) Auto Sequencer** component from the matching version of the Windows Assessment and Deployment Kit (ADK). For more info on how to install the App-V Sequencer, see [Install the App-V Sequencer](appv-install-the-sequencer.md). +1. On the Host device, install the Windows client and the **Microsoft Application Virtualization (App-V) Auto Sequencer** component from the matching version of the Windows Assessment and Deployment Kit (ADK). For more info on how to install the App-V Sequencer, see [Install the App-V Sequencer](appv-install-the-sequencer.md). 2. Open PowerShell as an admin and run the **Connect-AppvSequencerVM** cmdlet, using the following parameters: diff --git a/windows/application-management/app-v/appv-available-mdm-settings.md b/windows/application-management/app-v/appv-available-mdm-settings.md index 2b73883501..107fab760e 100644 --- a/windows/application-management/app-v/appv-available-mdm-settings.md +++ b/windows/application-management/app-v/appv-available-mdm-settings.md @@ -1,5 +1,5 @@ --- -title: Available Mobile Device Management (MDM) settings for App-V (Windows 10) +title: Available Mobile Device Management (MDM) settings for App-V (Windows 10/11) description: Learn the available Mobile Device Management (MDM) settings you can use to configure App-V on Windows 10. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,22 +14,22 @@ ms.topic: article --- # Available Mobile Device Management (MDM) settings for App-V -With Windows 10, version 1703, you can configure, deploy, and manage your App-V apps with the following Mobile Device Management (MDM) settings. For the full list of available settings, see the [EnterpriseAppVManagement CSP](/windows/client-management/mdm/enterpriseappvmanagement-csp) page. +Starting with Windows 10 version 1703, you can configure, deploy, and manage your App-V apps with the following Mobile Device Management (MDM) settings. For the full list of available settings, see the [EnterpriseAppVManagement CSP](/windows/client-management/mdm/enterpriseappvmanagement-csp) page. |Policy name|Supported versions|URI full path|Data type|Values| |---|---|---|---|---| -|Name|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement// //Name|String|Read-only data, provided by your App-V packages.| -|Version|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement// //Version|String|Read-only data, provided by your App-V packages.| -|Publisher|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement// //Publisher|String|Read-only data, provided by your App-V packages.| -|InstallLocation|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement// //InstallLocation|String|Read-only data, provided by your App-V packages.| -|InstallDate|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement// //InstallDate|String|Read-only data, provided by your App-V packages.| -|Users|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement// //Users|String|Read-only data, provided by your App-V packages.| -|AppVPackageID|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement// //AppVPackageID|String|Read-only data, provided by your App-V packages.| -|AppVVersionID|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement// //AppVVersionID|String|Read-only data, provided by your App-V packages.| -|AppVPackageUri|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement// //AppVPackageUri|String|Read-only data, provided by your App-V packages.| -|LastError|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/
AppVPublishing/LastSync/LastError|String|Read-only data, provided by your App-V packages.| -|LastErrorDescription|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPublishing/LastSync/LastErrorDescription|String|- **0**: No errors returned during publish.
- **1**: Unpublish groups failed during publish.
- **2**: Publish no-group packages failed during publish.
- **3**: Publish group packages failed during publish.
- **4**: Unpublish packages failed during publish.
- **5**: New policy write failed during publish.
- **6**: Multiple non-fatal errors occurred during publish.| -|SyncStatusDescription|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPublishing/LastSync/SyncStatusDescription|String|- **0**: App-V publishing is idle.
- **1**: App-V connection groups publish in progress.
- **2**: App-V packages (non-connection group) publish in progress.
- **3**: App-V packages (connection group) publish in progress.
- **4**: App-V packages unpublish in progress.| -|SyncProgress|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPublishing/LastSync/SyncProgress|String|- **0**: App-V Sync is idle.
- **1**: App-V Sync is initializing.
- **2**: App-V Sync is in progress.
- **3**: App-V Sync is complete.
- **4**: App-V Sync requires device reboot.| -|PublishXML|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/
AppVPublishing/Sync/PublishXML|String|Custom value, entered by admin.| -|Policy|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/
AppVDynamicPolicy/configurationid/Policy|String|Custom value, entered by admin.| \ No newline at end of file +|Name|Windows 10/11|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement// //Name|String|Read-only data, provided by your App-V packages.| +|Version|Windows 10/11|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement// //Version|String|Read-only data, provided by your App-V packages.| +|Publisher|Windows 10/11|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement// //Publisher|String|Read-only data, provided by your App-V packages.| +|InstallLocation|Windows 10/11|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement// //InstallLocation|String|Read-only data, provided by your App-V packages.| +|InstallDate|Windows 10/11|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement// //InstallDate|String|Read-only data, provided by your App-V packages.| +|Users|Windows 10/11|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement// //Users|String|Read-only data, provided by your App-V packages.| +|AppVPackageID|Windows 10/11|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement// //AppVPackageID|String|Read-only data, provided by your App-V packages.| +|AppVVersionID|Windows 10/11|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement// //AppVVersionID|String|Read-only data, provided by your App-V packages.| +|AppVPackageUri|Windows 10/11|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement// //AppVPackageUri|String|Read-only data, provided by your App-V packages.| +|LastError|Windows 10/11|./Vendor/MSFT/EnterpriseAppVManagement/
AppVPublishing/LastSync/LastError|String|Read-only data, provided by your App-V packages.| +|LastErrorDescription|Windows 10/11|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPublishing/LastSync/LastErrorDescription|String|- **0**: No errors returned during publish.
- **1**: Unpublish groups failed during publish.
- **2**: Publish no-group packages failed during publish.
- **3**: Publish group packages failed during publish.
- **4**: Unpublish packages failed during publish.
- **5**: New policy write failed during publish.
- **6**: Multiple non-fatal errors occurred during publish.| +|SyncStatusDescription|Windows 10/11|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPublishing/LastSync/SyncStatusDescription|String|- **0**: App-V publishing is idle.
- **1**: App-V connection groups publish in progress.
- **2**: App-V packages (non-connection group) publish in progress.
- **3**: App-V packages (connection group) publish in progress.
- **4**: App-V packages unpublish in progress.| +|SyncProgress|Windows 10/11|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPublishing/LastSync/SyncProgress|String|- **0**: App-V Sync is idle.
- **1**: App-V Sync is initializing.
- **2**: App-V Sync is in progress.
- **3**: App-V Sync is complete.
- **4**: App-V Sync requires device reboot.| +|PublishXML|Windows 10/11|./Vendor/MSFT/EnterpriseAppVManagement/
AppVPublishing/Sync/PublishXML|String|Custom value, entered by admin.| +|Policy|Windows 10/11|./Vendor/MSFT/EnterpriseAppVManagement/
AppVDynamicPolicy/configurationid/Policy|String|Custom value, entered by admin.| \ No newline at end of file diff --git a/windows/application-management/app-v/appv-capacity-planning.md b/windows/application-management/app-v/appv-capacity-planning.md index 76f23f4537..75a7a8d6ec 100644 --- a/windows/application-management/app-v/appv-capacity-planning.md +++ b/windows/application-management/app-v/appv-capacity-planning.md @@ -1,5 +1,5 @@ --- -title: App-V Capacity Planning (Windows 10) +title: App-V Capacity Planning (Windows 10/11) description: Use these recommendations as a baseline to help determine capacity planning information that is appropriate to your organization’s App-V infrastructure. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization diff --git a/windows/application-management/app-v/appv-client-configuration-settings.md b/windows/application-management/app-v/appv-client-configuration-settings.md index b0821ae348..f66d17b837 100644 --- a/windows/application-management/app-v/appv-client-configuration-settings.md +++ b/windows/application-management/app-v/appv-client-configuration-settings.md @@ -1,5 +1,5 @@ --- -title: About Client Configuration Settings (Windows 10) +title: About Client Configuration Settings (Windows 10/11) description: Learn about the App-V client configuration settings and how to use Windows PowerShell to modify the client configuration settings. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # About Client Configuration Settings ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] The Microsoft Application Virtualization (App-V) client stores its configuration in the registry. Understanding how the register's format for data works can help you better understand the client, as you can configure many client actions by changing registry entries. This topic lists the App-V client configuration settings and explains their uses. You can use Windows PowerShell to modify the client configuration settings. For more information about using Windows PowerShell and App-V see [Administering App-V by using Windows PowerShell](appv-administering-appv-with-powershell.md). @@ -29,7 +29,7 @@ The following table provides information about App-V client configuration settin |------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------| | Set-AppvClientConfiguration,
Set-AppvPublishingServer

**-PackageInstallationRoot**
String | Specifies directory where all new applications and updates will be installed. | Policy value not written (same as Not Configured) | | Set-AppvClientConfiguration,
Set-AppvPublishingServer

**-PackageSourceRoot**
String | Overrides source location for downloading package content. | Policy value not written (same as Not Configured) | -| Set-AppvClientConfiguration,
Set-AppvPublishingServer

**-AllowHighCostLaunch**
True (enabled); False (Disabled state) | This setting controls whether virtualized applications are launched on Windows 10 machines connected by a metered network connection (for example, 4G). | 0 | +| Set-AppvClientConfiguration,
Set-AppvPublishingServer

**-AllowHighCostLaunch**
True (enabled); False (Disabled state) | This setting controls whether virtualized applications are launched on Windows client machines connected by a metered network connection (for example, 4G). | 0 | | Set-AppvClientConfiguration,
Set-AppvPublishingServer

**-ReestablishmentRetries**
Integer (0–99) | Specifies the number of times to retry a dropped session. | Policy value not written (same as Not Configured) | | Set-AppvClientConfiguration,
Set-AppvPublishingServer

**-ReestablishmentInterval**
Integer (0–3600) | Specifies the number of seconds between attempts to reestablish a dropped session. | Policy value not written (same as Not Configured) | | Set-AppvClientConfiguration,
Set-AppvPublishingServer

**-LocationProvider**
String | Specifies the CLSID for a compatible implementation of the IAppvPackageLocationProvider interface. | Policy value not written (same as Not Configured) | diff --git a/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md b/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md index 82dca3e617..92657e83fa 100644 --- a/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md +++ b/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md @@ -1,5 +1,5 @@ --- -title: How to configure access to packages by using the Management Console (Windows 10) +title: How to configure access to packages by using the Management Console (Windows 10/11) description: How to configure access to packages by using the App-V Management Console. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # How to configure access to packages by using the Management Console ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Before you deploy an App-V virtualized package, you must configure the Active Directory Domain Services (AD DS) security groups that will be allowed to access and run the applications. The security groups may contain computers or users. Entitling a package to a computer group publishes the package globally to all computers in the group. diff --git a/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md b/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md index 12b44773a7..c2d3446d5e 100644 --- a/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md +++ b/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md @@ -1,5 +1,5 @@ --- -title: How to make a connection group ignore the package version (Windows 10) +title: How to make a connection group ignore the package version (Windows 10/11) description: Learn how to make a connection group ignore the package version with the App-V Server Management Console. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # How to make a connection group ignore the package version -> Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] You can use Application Virtualization (App-V) to configure a connection group to use any version of a package, simplifying package upgrades and reducing the number of connection groups you need to create. diff --git a/windows/application-management/app-v/appv-configure-the-client-to-receive-updates-from-the-publishing-server.md b/windows/application-management/app-v/appv-configure-the-client-to-receive-updates-from-the-publishing-server.md index 9dadc20365..b4b2fc014d 100644 --- a/windows/application-management/app-v/appv-configure-the-client-to-receive-updates-from-the-publishing-server.md +++ b/windows/application-management/app-v/appv-configure-the-client-to-receive-updates-from-the-publishing-server.md @@ -1,5 +1,5 @@ --- -title: How to configure the client to receive package and connection groups updates from the publishing server (Windows 10) +title: How to configure the client to receive package and connection groups updates from the publishing server (Windows 10/11) description: How to configure the client to receive package and connection groups updates from the publishing server. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # How to configure the client to receive package and connection groups updates from the publishing server ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] The App-V publishing server's single-point management and high scalability lets you deploy packages and connection groups and keep them up to date. diff --git a/windows/application-management/app-v/appv-connect-to-the-management-console.md b/windows/application-management/app-v/appv-connect-to-the-management-console.md index b2414c2635..48b893e5af 100644 --- a/windows/application-management/app-v/appv-connect-to-the-management-console.md +++ b/windows/application-management/app-v/appv-connect-to-the-management-console.md @@ -1,5 +1,5 @@ --- -title: How to connect to the Management Console (Windows 10) +title: How to connect to the Management Console (Windows 10/11) description: In this article, learn the procedure for connecting to the App-V Management Console through your web browser. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # How to connect to the Management Console ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Use the following procedure to connect to the App-V Management Console. diff --git a/windows/application-management/app-v/appv-connection-group-file.md b/windows/application-management/app-v/appv-connection-group-file.md index 70072685d4..b73008a5ac 100644 --- a/windows/application-management/app-v/appv-connection-group-file.md +++ b/windows/application-management/app-v/appv-connection-group-file.md @@ -1,5 +1,5 @@ --- -title: About the connection group file (Windows 10) +title: About the connection group file (Windows 10/11) description: A summary of what the connection group file is and how to configure it. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # About the connection group file ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] ## Connection group file overview diff --git a/windows/application-management/app-v/appv-connection-group-virtual-environment.md b/windows/application-management/app-v/appv-connection-group-virtual-environment.md index a1a9c16649..dcd72b455c 100644 --- a/windows/application-management/app-v/appv-connection-group-virtual-environment.md +++ b/windows/application-management/app-v/appv-connection-group-virtual-environment.md @@ -1,5 +1,5 @@ --- -title: About the connection group virtual environment (Windows 10) +title: About the connection group virtual environment (Windows 10/11) description: Learn how the connection group virtual environment works and how package priority is determined. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # About the connection group virtual environment ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] ## How package priority is determined diff --git a/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md b/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md index 44e0487b4e..1088fd28a2 100644 --- a/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md +++ b/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md @@ -1,5 +1,5 @@ --- -title: How to convert a package created in a previous version of App-V (Windows 10) +title: How to convert a package created in a previous version of App-V (Windows 10/11) description: Use the package converter utility to convert a virtual application package created in a previous version of App-V. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # How to convert a package created in a previous version of App-V ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] You can use the package converter utility to upgrade virtual application packages created by previous versions of App-V. This section will tell you how to convert existing virtual application packages for upgrade. @@ -28,9 +28,9 @@ The package converter can only directly convert packages created by an App-V seq ## App-V 4.6 installation folder is redirected to virtual file system root -When you convert packages from App-V 4.6 to App-V for Windows 10, the App-V for Windows 10 package can access the hardcoded drive that you were required to use when you created 4.6 packages. The drive letter will be the drive you selected as the installation drive on the 4.6 sequencing machine. (The default drive is drive Q.) +When you convert packages from App-V 4.6 to App-V for Windows 10/11, the App-V for Windows client package can access the hardcoded drive that you were required to use when you created 4.6 packages. The drive letter will be the drive you selected as the installation drive on the 4.6 sequencing machine. (The default drive is drive Q.) -The App-V package converter will save the App-V 4.6 installation root folder and short folder names in the FilesystemMetadata.xml file in the **Filesystem** element. When the App-V for Windows 10 client creates the virtual process, it will map requests from the App-V 4.6 installation root to the virtual file system root. +The App-V package converter will save the App-V 4.6 installation root folder and short folder names in the FilesystemMetadata.xml file in the **Filesystem** element. When the App-V for Windows client creates the virtual process, it will map requests from the App-V 4.6 installation root to the virtual file system root. ## Getting started @@ -50,9 +50,9 @@ The App-V package converter will save the App-V 4.6 installation root folder and ConvertFrom-AppvLegacyPackage C:\contentStore C:\convertedPackages ``` - In this cmdlet, `C:\contentStore` represents the location of the existing package and `C:\convertedPackages` is the output directory to which the resulting App-V for Windows 10 virtual application package file will be saved. By default, if you do not specify a new name, the old package name will be used. + In this cmdlet, `C:\contentStore` represents the location of the existing package and `C:\convertedPackages` is the output directory to which the resulting App-V for Windows client virtual application package file will be saved. By default, if you do not specify a new name, the old package name will be used. - Additionally, the package converter optimizes performance of packages in App-V for Windows 10 by setting the package to stream fault the App-V package.  This is more performant than the primary feature block and fully downloading the package. The flag **DownloadFullPackageOnFirstLaunch** allows you to convert the package and set the package to be fully downloaded by default. + Additionally, the package converter optimizes performance of packages in App-V for Windows client by setting the package to stream fault the App-V package.  This is more performant than the primary feature block and fully downloading the package. The flag **DownloadFullPackageOnFirstLaunch** allows you to convert the package and set the package to be fully downloaded by default. > [!NOTE] > Before you specify the output directory, you must create the output directory. diff --git a/windows/application-management/app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md b/windows/application-management/app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md index 1b3212816f..70409e9d70 100644 --- a/windows/application-management/app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md +++ b/windows/application-management/app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md @@ -1,5 +1,5 @@ --- -title: How to create a connection croup with user-published and globally published packages (Windows 10) +title: How to create a connection croup with user-published and globally published packages (Windows 10/11) description: How to create a connection croup with user-published and globally published packages. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # How to create a connection croup with user-published and globally published packages ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] You can create user-entitled connection groups that contain both user-published and globally published packages, using either of the following methods: diff --git a/windows/application-management/app-v/appv-create-a-connection-group.md b/windows/application-management/app-v/appv-create-a-connection-group.md index 38fb3646e7..35002a1b2b 100644 --- a/windows/application-management/app-v/appv-create-a-connection-group.md +++ b/windows/application-management/app-v/appv-create-a-connection-group.md @@ -1,5 +1,5 @@ --- -title: How to create a connection group (Windows 10) +title: How to create a connection group (Windows 10/11) description: Learn how to create a connection group with the App-V Management Console and where to find information about managing connection groups. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # How to create a connection group ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Use these steps to create a connection group by using the App-V Management Console. To use Windows PowerShell to create connection groups, see [How to manage connection groups on a stand-alone computer by using Windows PowerShell](appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md). diff --git a/windows/application-management/app-v/appv-create-a-custom-configuration-file-with-the-management-console.md b/windows/application-management/app-v/appv-create-a-custom-configuration-file-with-the-management-console.md index 34f45644e9..877f356159 100644 --- a/windows/application-management/app-v/appv-create-a-custom-configuration-file-with-the-management-console.md +++ b/windows/application-management/app-v/appv-create-a-custom-configuration-file-with-the-management-console.md @@ -1,5 +1,5 @@ --- -title: How to create a custom configuration file by using the App-V Management Console (Windows 10) +title: How to create a custom configuration file by using the App-V Management Console (Windows 10/11) description: How to create a custom configuration file by using the App-V Management Console. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # How to create a custom configuration file by using the App-V Management Console ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] You can use a dynamic configuration to customize an App-V package for a specific user. However, you must first create the dynamic user configuration (.xml) file or the dynamic deployment configuration file before you can use the files. Creation of the file is an advanced manual operation. For general information about dynamic user configuration files, see [About App-V dynamic configuration](appv-dynamic-configuration.md). diff --git a/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md b/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md index 3e6fe295f1..79b713f591 100644 --- a/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md +++ b/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md @@ -1,5 +1,5 @@ --- -title: How to create a package accelerator by using Windows PowerShell (Windows 10) +title: How to create a package accelerator by using Windows PowerShell (Windows 10/11) description: Learn how to create an App-v Package Accelerator by using Windows PowerShell. App-V Package Accelerators automatically sequence large, complex applications. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # How to create a package accelerator by using Windows PowerShell ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] App-V Package Accelerators automatically sequence large, complex applications. Also, when you apply an App-V Package Accelerator, you don't have to manually install an application to create the virtualized package. diff --git a/windows/application-management/app-v/appv-create-a-package-accelerator.md b/windows/application-management/app-v/appv-create-a-package-accelerator.md index 19d0617e41..c9eff04f48 100644 --- a/windows/application-management/app-v/appv-create-a-package-accelerator.md +++ b/windows/application-management/app-v/appv-create-a-package-accelerator.md @@ -1,5 +1,5 @@ --- -title: How to create a package accelerator (Windows 10) +title: How to create a package accelerator (Windows 10/11) description: Learn how to create App-V Package Accelerators to automatically generate new virtual application packages. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # How to create a package accelerator ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] App-V Package Accelerators automatically generate new virtual application packages. diff --git a/windows/application-management/app-v/appv-create-a-virtual-application-package-package-accelerator.md b/windows/application-management/app-v/appv-create-a-virtual-application-package-package-accelerator.md index f091625f1a..7a9d9a8b7f 100644 --- a/windows/application-management/app-v/appv-create-a-virtual-application-package-package-accelerator.md +++ b/windows/application-management/app-v/appv-create-a-virtual-application-package-package-accelerator.md @@ -1,5 +1,5 @@ --- -title: How to create a virtual application package using an App-V Package Accelerator (Windows 10) +title: How to create a virtual application package using an App-V Package Accelerator (Windows 10/11) description: How to create a virtual application package using an App-V Package Accelerator. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # How to create a virtual application package using an App-V Package Accelerator ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Use the following procedure to create a virtual application package with the App-V Package Accelerator. diff --git a/windows/application-management/app-v/appv-create-and-use-a-project-template.md b/windows/application-management/app-v/appv-create-and-use-a-project-template.md index 4927af50b8..908c5fc16f 100644 --- a/windows/application-management/app-v/appv-create-and-use-a-project-template.md +++ b/windows/application-management/app-v/appv-create-and-use-a-project-template.md @@ -1,5 +1,5 @@ --- -title: Create and apply an App-V project template to a sequenced App-V package (Windows 10) +title: Create and apply an App-V project template to a sequenced App-V package (Windows 10/11) description: Steps for how to create and apply an App-V project template (.appvt) to a sequenced App-V package. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,12 +14,12 @@ ms.topic: article --- # Create and apply an App-V project template to a sequenced App-V package ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] You can use an App-V Project Template (.appvt) file to save commonly applied settings associated with an existing virtual application package. You can then apply these settings whenever you create new virtual application packages in your environment, streamlining the package creation process. App-V Project Templates differ from App-V Package Accelerators because App-V Package Accelerators are application-specific, while App-V Project Templates can be applied to multiple applications. To learn more about package accelerators, see [How to create a package accelerator](appv-create-a-package-accelerator.md). >[!IMPORTANT] ->In Windows 10, version 1703, running the **New-AppvSequencerPackage** or the **Update-AppvSequencerPackage** cmdlets will automatically capture and store your customizations as an App-V Project Template. If you want to make changes to this package later, you can automatically load your customizations from this template file. If you have an auto-saved template and you attempt to load another template through the *TemplateFilePath* parameter, the customization value from the parameter will override the auto-saved template. +>Starting with Windows 10 version 1703, running the **New-AppvSequencerPackage** or the **Update-AppvSequencerPackage** cmdlets will automatically capture and store your customizations as an App-V Project Template. If you want to make changes to this package later, you can automatically load your customizations from this template file. If you have an auto-saved template and you attempt to load another template through the *TemplateFilePath* parameter, the customization value from the parameter will override the auto-saved template. ## Create a project template diff --git a/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md b/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md index 0d5400a65a..6a372fbbdf 100644 --- a/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md +++ b/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md @@ -1,5 +1,5 @@ --- -title: Creating and managing App-V virtualized applications (Windows 10) +title: Creating and managing App-V virtualized applications (Windows 10/11) description: Create and manage App-V virtualized applications to monitor and record the installation process for an application to be run as a virtualized application. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # Creating and managing App-V virtualized applications ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] After you have properly deployed the Microsoft Application Virtualization (App-V) sequencer, you can use it to monitor and record the installation and setup process for an application to be run as a virtualized application. @@ -119,7 +119,7 @@ A template can specify and store multiple settings as follows: - **General Options**. Enables the use of **Windows Installer**, **Append Package Version to Filename**. - **Exclusion Items.** Contains the Exclusion pattern list. -In Windows 10, version 1703, running the **new-appvsequencerpackage** or **update-appvsequencepackage** cmdlets automatically captures and stores all of your customizations as an App-V project template. If you want to make changes to this package later, your customizations are automatically loaded from this template file. +Starting with Windows 10 version 1703, running the **new-appvsequencerpackage** or **update-appvsequencepackage** cmdlets automatically captures and stores all of your customizations as an App-V project template. If you want to make changes to this package later, your customizations are automatically loaded from this template file. >[!IMPORTANT] >If you attempt to load another template through the *_TemplateFilePath_* parameter while already having an auto-saved template, the customization value from the parameter will override the auto-saved template. diff --git a/windows/application-management/app-v/appv-customize-virtual-application-extensions-with-the-management-console.md b/windows/application-management/app-v/appv-customize-virtual-application-extensions-with-the-management-console.md index b6ed9b54af..4de66c5d97 100644 --- a/windows/application-management/app-v/appv-customize-virtual-application-extensions-with-the-management-console.md +++ b/windows/application-management/app-v/appv-customize-virtual-application-extensions-with-the-management-console.md @@ -1,5 +1,5 @@ --- -title: How to customize virtual application extensions for a specific AD group by using the Management Console (Windows 10) +title: How to customize virtual application extensions for a specific AD group by using the Management Console (Windows 10/11) description: How to customize virtual application extensions for a specific AD group by using the Management Console. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # How to customize virtual applications extensions for a specific AD group by using the Management Console ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Use the following procedure to customize the virtual application extensions for an Active Directory (AD) group. diff --git a/windows/application-management/app-v/appv-delete-a-connection-group.md b/windows/application-management/app-v/appv-delete-a-connection-group.md index a252b5a53d..a1a8185b9a 100644 --- a/windows/application-management/app-v/appv-delete-a-connection-group.md +++ b/windows/application-management/app-v/appv-delete-a-connection-group.md @@ -1,5 +1,5 @@ --- -title: How to delete a connection group (Windows 10) +title: How to delete a connection group (Windows 10/11) description: Learn how to delete an existing App-V connection group in the App-V Management Console and where to find information about managing connection groups. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # How to delete a connection group ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Use the following procedure to delete an existing App-V connection group. diff --git a/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md b/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md index 989346048b..775893310a 100644 --- a/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md +++ b/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md @@ -1,5 +1,5 @@ --- -title: How to delete a package in the Management Console (Windows 10) +title: How to delete a package in the Management Console (Windows 10/11) description: Learn how to delete a package in the App-V Management Console and where to find information about operations for App-V. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # How to delete a package in the Management Console ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Use the following procedure to delete an App-V package. diff --git a/windows/application-management/app-v/appv-deploy-appv-databases-with-sql-scripts.md b/windows/application-management/app-v/appv-deploy-appv-databases-with-sql-scripts.md index 8fd2c674f6..5cdd91138e 100644 --- a/windows/application-management/app-v/appv-deploy-appv-databases-with-sql-scripts.md +++ b/windows/application-management/app-v/appv-deploy-appv-databases-with-sql-scripts.md @@ -1,5 +1,5 @@ --- -title: How to Deploy the App-V Databases by Using SQL Scripts (Windows 10) +title: How to Deploy the App-V Databases by Using SQL Scripts (Windows 10/11) description: Learn how to use SQL scripts to install the App-V databases and upgrade the App-V databases to a later version. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization diff --git a/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md index 0d670783b7..a8477d90ae 100644 --- a/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md +++ b/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md @@ -1,5 +1,5 @@ --- -title: How to deploy App-V packages using electronic software distribution (Windows 10) +title: How to deploy App-V packages using electronic software distribution (Windows 10/11) description: Learn how use an electronic software distribution (ESD) system to deploy App-V virtual applications to App-V clients. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # How to deploy App-V packages using electronic software distribution ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] You can use an electronic software distribution (ESD) system to deploy App-V virtual applications to App-V clients. diff --git a/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md b/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md index 467272455a..ead9d82133 100644 --- a/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md +++ b/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md @@ -1,5 +1,5 @@ --- -title: How to Deploy the App-V Server Using a Script (Windows 10) +title: How to Deploy the App-V Server Using a Script (Windows 10/11) description: 'Learn how to deploy the App-V server by using a script (appv_server_setup.exe) from the command line.' author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization diff --git a/windows/application-management/app-v/appv-deploy-the-appv-server.md b/windows/application-management/app-v/appv-deploy-the-appv-server.md index e8fa0ac8b9..a29b019396 100644 --- a/windows/application-management/app-v/appv-deploy-the-appv-server.md +++ b/windows/application-management/app-v/appv-deploy-the-appv-server.md @@ -1,6 +1,6 @@ --- -title: How to Deploy the App-V Server (Windows 10) -description: Use these instructions to deploy the Application Virtualization (App-V) Server in App-V for Windows 10. +title: How to Deploy the App-V Server (Windows 10/11) +description: Use these instructions to deploy the Application Virtualization (App-V) Server in App-V for Windows 10/11. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy @@ -32,7 +32,7 @@ ms.topic: article 1. Download the App-V server components. All five App-V server components are included in the Microsoft Desktop Optimization Pack (MDOP) 2015 ISO package, which can be downloaded from either of the following locations: * The [MSDN (Microsoft Developer Network) subscriptions site](https://msdn.microsoft.com/subscriptions/downloads/default.aspx#FileId=65215). You must have a MSDN subscription to download the MDOP ISO package from this site. - * The [Volume Licensing Service Center](https://www.microsoft.com/licensing/default.aspx) if you're using [Windows 10 for Enterprise or Education](https://www.microsoft.com/WindowsForBusiness/windows-product-home). + * The [Volume Licensing Service Center](https://www.microsoft.com/licensing/default.aspx) if you're using [Windows client for Enterprise or Education](https://www.microsoft.com/WindowsForBusiness/windows-product-home). 2. Copy the App-V server installation files to the computer on which you want to install it. diff --git a/windows/application-management/app-v/appv-deploying-appv.md b/windows/application-management/app-v/appv-deploying-appv.md index 04cd90525d..148567438b 100644 --- a/windows/application-management/app-v/appv-deploying-appv.md +++ b/windows/application-management/app-v/appv-deploying-appv.md @@ -1,5 +1,5 @@ --- -title: Deploying App-V (Windows 10) +title: Deploying App-V (Windows 10/11) description: App-V supports several different deployment options. Learn how to complete App-V deployment at different stages in your App-V deployment. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -12,9 +12,9 @@ manager: dansimp ms.author: greglin ms.topic: article --- -# Deploying App-V for Windows 10 +# Deploying App-V for Windows client ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] App-V supports several different deployment options. Review this topic for information about the tasks that you must complete at different stages in your deployment. diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md index 7a38ac29e7..5ec4cf5cad 100644 --- a/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md +++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md @@ -1,5 +1,5 @@ --- -title: Deploying Microsoft Office 2010 by Using App-V (Windows 10) +title: Deploying Microsoft Office 2010 by Using App-V (Windows 10/11) description: Create Office 2010 packages for Microsoft Application Virtualization (App-V) using the App-V Sequencer or the App-V Package Accelerator. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # Deploying Microsoft Office 2010 by Using App-V ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] You can create Office 2010 packages for Microsoft Application Virtualization (App-V) using one of the following methods: @@ -37,7 +37,7 @@ Sequencing Office 2010 is one of the main methods for creating an Office 2010 pa ## Creating Office 2010 App-V packages using package accelerators -Office 2010 App-V packages can be created through package accelerators. Microsoft has provided package accelerators for creating Office 2010 on Windows 10, Windows 8, and Windows 7. The following pages will show you which package accelerator is best for creating Office 2010 App-V packages on your version of Windows: +Office 2010 App-V packages can be created through package accelerators. Microsoft has provided package accelerators for creating Office 2010 on Windows 10/11, Windows 8, and Windows 7. The following pages will show you which package accelerator is best for creating Office 2010 App-V packages on your version of Windows: * [App-V 5.0 Package Accelerator for Office Professional Plus 2010 – Windows 8](https://gallery.technet.microsoft.com/App-V-50-Package-a29410db) * [App-V 5.0 Package Accelerator for Office Professional Plus 2010 – Windows 7](https://gallery.technet.microsoft.com/App-V-50-Package-e7ef536b) diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md index 778f467100..e895318669 100644 --- a/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md +++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md @@ -1,5 +1,5 @@ --- -title: Deploying Microsoft Office 2013 by Using App-V (Windows 10) +title: Deploying Microsoft Office 2013 by Using App-V (Windows 10/11) description: Use Application Virtualization (App-V) to deliver Microsoft Office 2013 as a virtualized application to computers in your organization. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # Deploying Microsoft Office 2013 by Using App-V ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Use the information in this article to use Application Virtualization (App-V) to deliver Microsoft Office 2013 as a virtualized application to computers in your organization. For information about using App-V to deliver Office 2010, see [Deploying Microsoft Office 2010 by Using App-V](appv-deploying-microsoft-office-2010-wth-appv.md). To successfully deploy Office 2013 with App-V, you need to be familiar with Office 2013 and App-V. @@ -73,7 +73,7 @@ Before you start, make sure that the computer on which you are installing the Of You create Office 2013 App-V packages with the Office Deployment Tool. The following instructions explain how to create an Office 2013 App-V package with Volume Licensing or Subscription Licensing. -Create Office 2013 App-V packages on 64-bit Windows computers. Once created, the Office 2013 App-V package will run on 32-bit and 64-bit Windows 7, Windows 8.1, and Windows 10 computers. +Create Office 2013 App-V packages on 64-bit Windows computers. Once created, the Office 2013 App-V package will run on 32-bit and 64-bit Windows 7, Windows 8.1, and Windows 10/11 computers. ### Download the Office Deployment Tool @@ -148,7 +148,7 @@ After you download the Office 2013 applications through the Office Deployment To #### What you'll need to do -* Create the Office 2013 App-V packages on 64-bit Windows computers. However, the package will run on 32-bit and 64-bit Windows 7, Windows 8, and Windows 10 computers. +* Create the Office 2013 App-V packages on 64-bit Windows computers. However, the package will run on 32-bit and 64-bit Windows 7, Windows 8, and Windows 10/11 computers. * Create an Office App-V package for either the Subscription Licensing package or Volume Licensing by using the Office Deployment Tool, then modify the **Customconfig.xml** configuration file. The following table summarizes the values you need to enter in the **Customconfig.xml** file for the licensing model you’re using. The steps in the sections that follow the table will specify the exact entries you need to make. diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md index 654fa05a45..cbe270cf7d 100644 --- a/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md +++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md @@ -1,5 +1,5 @@ --- -title: Deploying Microsoft Office 2016 by using App-V (Windows 10) +title: Deploying Microsoft Office 2016 by using App-V (Windows 10/11) description: Use Application Virtualization (App-V) to deliver Microsoft Office 2016 as a virtualized application to computers in your organization. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # Deploying Microsoft Office 2016 by using App-V ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Use the information in this article to use Application Virtualization (App-V) to deliver Microsoft Office 2016 as a virtualized application to computers in your organization. For information about using App-V to deliver Office 2013, see [Deploying Microsoft Office 2013 by using App-V](appv-deploying-microsoft-office-2013-with-appv.md). For information about using App-V to deliver Office 2010, see [Deploying Microsoft Office 2010 by using App-V](appv-deploying-microsoft-office-2010-wth-appv.md). @@ -64,7 +64,7 @@ The computer on which you are installing the Office Deployment Tool must have th | Prerequisite | Description | |----------------------|--------------------| | Prerequisite software | .Net Framework 4 | -| Supported operating systems | 64-bit version of Windows 10
64-bit version of Windows 8 or 8.1
64-bit version of Windows 7 | +| Supported operating systems | 64-bit version of Windows 10/11
64-bit version of Windows 8 or 8.1
64-bit version of Windows 7 | >[!NOTE] >In this topic, the term “Office 2016 App-V package” refers to subscription licensing. @@ -73,7 +73,7 @@ The computer on which you are installing the Office Deployment Tool must have th You create Office 2016 App-V packages by using the Office Deployment Tool. The following instructions explain how to create an Office 2016 App-V package with subscription licensing. -Create Office 2016 App-V packages on 64-bit Windows computers. Once created, the Office 2016 App-V package will run on 32-bit and 64-bit Windows 7, Windows 8.1, and Windows 10 computers. +Create Office 2016 App-V packages on 64-bit Windows computers. Once created, the Office 2016 App-V package will run on 32-bit and 64-bit Windows 7, Windows 8.1, and Windows 10/11 computers. ### Download the Office Deployment Tool @@ -146,7 +146,7 @@ After you download the Office 2016 applications through the Office Deployment To #### What you’ll need to do -* Create the Office 2016 App-V packages on 64-bit Windows computers. However, the package will run on 32-bit and 64-bit Windows 7, Windows 8 or 8.1, and Windows 10 computers. +* Create the Office 2016 App-V packages on 64-bit Windows computers. However, the package will run on 32-bit and 64-bit Windows 7, Windows 8 or 8.1, and Windows 10/11 computers. * Create an Office App-V package for either Subscription Licensing package by using the Office Deployment Tool, and then modify the **Customconfig.xml** configuration file. The following table summarizes the values you need to enter in the **Customconfig.xml** file. The steps in the sections that follow the table will specify the exact entries you need to make. @@ -377,7 +377,7 @@ The following table describes the requirements and options for deploying Visio 2 ## Related topics -* [Deploying App-V for Windows 10](appv-deploying-appv.md) +* [Deploying App-V for Windows client](appv-deploying-appv.md) * [Deploying Microsoft Office 2013 by using App-V](appv-deploying-microsoft-office-2013-with-appv.md) * [Deploying Microsoft Office 2010 by using App-V](appv-deploying-microsoft-office-2010-wth-appv.md) * [Office 2016 Deployment Tool for Click-to-Run](https://www.microsoft.com/download/details.aspx?id=49117) \ No newline at end of file diff --git a/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md index 032233877b..9485202cc5 100644 --- a/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md +++ b/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md @@ -14,7 +14,7 @@ ms.topic: article --- # Deploying App-V packages by using electronic software distribution (ESD) ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] You can deploy App-V packages using an electronic software distribution (ESD) solution. For information about planning to deploy App-V packages with an ESD, see [Planning to deploy App-V with an electronic software distribution system](appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md). diff --git a/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md b/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md index 9547612b38..bfd34cfcaa 100644 --- a/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md +++ b/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md @@ -1,5 +1,5 @@ --- -title: Deploying the App-V Sequencer and configuring the client (Windows 10) +title: Deploying the App-V Sequencer and configuring the client (Windows 10/11) description: Learn how to deploy the App-V Sequencer and configure the client by using the ADMX template and Group Policy. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # Deploying the App-V Sequencer and configuring the client ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] The App-V Sequencer and client let administrators to virtualize and run virtual applications. @@ -23,7 +23,7 @@ The App-V Sequencer and client let administrators to virtualize and run virtual The App-V client is the component that runs a virtualized application on a target computer. The client lets users interact with icons and file types, starting virtualized applications. The client can also get the virtual application content from the management server. >[!NOTE] ->In Windows 10, version 1607, App-V is included with the operating system. You only need to enable it. +>Starting with Windows 10 version 1607, App-V is included with the operating system. You only need to enable it. [Enable the App-V desktop client](appv-enable-the-app-v-desktop-client.md) diff --git a/windows/application-management/app-v/appv-deploying-the-appv-server.md b/windows/application-management/app-v/appv-deploying-the-appv-server.md index 71d9510a36..5677a2f846 100644 --- a/windows/application-management/app-v/appv-deploying-the-appv-server.md +++ b/windows/application-management/app-v/appv-deploying-the-appv-server.md @@ -1,6 +1,6 @@ --- -title: Deploying the App-V Server (Windows 10) -description: Learn how to deploy the Application Virtualization (App-V) Server in App-V for Windows 10 by using different deployment configurations described in this article. +title: Deploying the App-V Server (Windows 10/11) +description: Learn how to deploy the Application Virtualization (App-V) Server in App-V for Windows 10/11 by using different deployment configurations described in this article. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy @@ -19,9 +19,9 @@ ms.topic: article You can install the Application Virtualization (App-V) server components using different deployment configurations, which are described in this topic. Before you install the server features, review the server section of [App-V security considerations](appv-security-considerations.md). >[!NOTE] ->If you plan to use the App-V server components in your deployment, note that the version number is still listed as App-V 5.x, as the App-V server components have not changed in App-V for Windows 10. +>If you plan to use the App-V server components in your deployment, note that the version number is still listed as App-V 5.x, as the App-V server components have not changed in App-V for Windows client. -To learn more about deploying App-V for Windows 10, read [What's new in App-V](appv-about-appv.md). +To learn more about deploying App-V for Windows client, read [What's new in App-V](appv-about-appv.md). >[!IMPORTANT] >Before installing and configuring the App-V servers, you must specify the port or ports where each component will be hosted. You must also add the associated firewall rules to allow incoming requests to access the specified ports, as the installer does not modify firewall settings. @@ -49,7 +49,7 @@ App-V offers the following five server components, each of which serves a specif All five App-V server components are included in the Microsoft Desktop Optimization Pack (MDOP) 2015 ISO package, which can be downloaded from either of the following locations: * The [MSDN (Microsoft Developer Network) subscriptions site](https://msdn.microsoft.com/subscriptions/downloads/default.aspx#FileId=65215). You must have a MSDN subscription to download the MDOP ISO package from this site. -* The [Volume Licensing Service Center](https://www.microsoft.com/licensing/default.aspx) if you're using [Windows 10 for Enterprise or Education](https://www.microsoft.com/WindowsForBusiness/windows-product-home). +* The [Volume Licensing Service Center](https://www.microsoft.com/licensing/default.aspx) if you're using [Windows client for Enterprise or Education](https://www.microsoft.com/WindowsForBusiness/windows-product-home). In large organizations, you might want to install more than one instance of the server components to get the following benefits. diff --git a/windows/application-management/app-v/appv-deployment-checklist.md b/windows/application-management/app-v/appv-deployment-checklist.md index 4183212c31..aa72671760 100644 --- a/windows/application-management/app-v/appv-deployment-checklist.md +++ b/windows/application-management/app-v/appv-deployment-checklist.md @@ -1,5 +1,5 @@ --- -title: App-V Deployment Checklist (Windows 10) +title: App-V Deployment Checklist (Windows 10/11) description: Use the App-V deployment checklist to understand the recommended steps and items to consider when deploying App-V features. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # App-V Deployment Checklist ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] This checklist outlines the recommended steps and items to consider when deploying App-V features. Use it to organize your priorities while you deploy App-V. You can copy this checklist into a spreadsheet program and customize it for your use. diff --git a/windows/application-management/app-v/appv-dynamic-configuration.md b/windows/application-management/app-v/appv-dynamic-configuration.md index 8d5b3cafad..26a4d6b23c 100644 --- a/windows/application-management/app-v/appv-dynamic-configuration.md +++ b/windows/application-management/app-v/appv-dynamic-configuration.md @@ -1,5 +1,5 @@ --- -title: About App-V Dynamic Configuration (Windows 10) +title: About App-V Dynamic Configuration (Windows 10/11) description: Learn how to create or edit an existing Application Virtualization (App-V) dynamic configuration file. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # About App-V dynamic configuration ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] You can use dynamic configuration to customize an App-V package for a user. This article will tell you how to create or edit an existing dynamic configuration file. @@ -562,7 +562,7 @@ The following table describes the various script events and the context under wh ### Using multiple scripts on a single event trigger -App-V supports the use of multiple scripts on a single event trigger for App-V packages, including packages that you convert from App-V 4.6 to App-V for Windows 10. To enable the use of multiple scripts, App-V uses a script launcher application, named ScriptRunner.exe, which is included in the App-V client. +App-V supports the use of multiple scripts on a single event trigger for App-V packages, including packages that you convert from App-V 4.6 to App-V for Windows client. To enable the use of multiple scripts, App-V uses a script launcher application, named ScriptRunner.exe, which is included in the App-V client. #### How to use multiple scripts on a single event trigger diff --git a/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md index 93ddd8f4d6..bd42de3c84 100644 --- a/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md +++ b/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md @@ -1,5 +1,5 @@ --- -title: How to Enable Only Administrators to Publish Packages by Using an ESD (Windows 10) +title: How to Enable Only Administrators to Publish Packages by Using an ESD (Windows 10/11) description: Learn how to enable only administrators to publish packages by bsing an electronic software delivery (ESD). author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # How to enable only administrators to publish packages by using an ESD ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Starting in App-V 5.0 SP3, you can configure the App-V client so that only administrators (not end users) can publish or unpublish packages. In earlier versions of App-V, you could not prevent end users from performing these tasks. diff --git a/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md b/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md index 8b6dd8e9fc..3983d8787c 100644 --- a/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md +++ b/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md @@ -1,5 +1,5 @@ --- -title: How to Enable Reporting on the App-V Client by Using Windows PowerShell (Windows 10) +title: How to Enable Reporting on the App-V Client by Using Windows PowerShell (Windows 10/11) description: How to Enable Reporting on the App-V Client by Using Windows PowerShell author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,8 +14,7 @@ ms.topic: article --- # How to Enable Reporting on the App-V Client by Using Windows PowerShell -**Applies to** -- Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Use the following procedure to configure the App-V for reporting. diff --git a/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md b/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md index 7aa623a0a3..a0fd066d26 100644 --- a/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md +++ b/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md @@ -1,6 +1,6 @@ --- -title: Enable the App-V in-box client (Windows 10) -description: Learn how to enable the Microsoft Application Virtualization (App-V) in-box client installed with Windows 10. +title: Enable the App-V in-box client (Windows 10/11) +description: Learn how to enable the Microsoft Application Virtualization (App-V) in-box client installed with Windows 10/11. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy @@ -14,11 +14,11 @@ ms.topic: article --- # Enable the App-V in-box client ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] The App-V client is the component that runs virtualized applications on user devices. Once you enable the client, users can interact with icons and file names to start virtualized applications. The client can also get virtual application content from the management server. -With Windows 10, version 1607, the App-V client is installed automatically. However, you'll still need to enable the client yourself to allow user devices to access and run virtual applications. You can set up the client with the Group Policy editor or with Windows PowerShell. +Starting with Windows 10 version 1607, the App-V client is installed automatically. However, you'll still need to enable the client yourself to allow user devices to access and run virtual applications. You can set up the client with the Group Policy editor or with Windows PowerShell. Here's how to enable the App-V client with Group Policy: diff --git a/windows/application-management/app-v/appv-evaluating-appv.md b/windows/application-management/app-v/appv-evaluating-appv.md index 731ea42546..e15b0a5209 100644 --- a/windows/application-management/app-v/appv-evaluating-appv.md +++ b/windows/application-management/app-v/appv-evaluating-appv.md @@ -1,6 +1,6 @@ --- -title: Evaluating App-V (Windows 10) -description: Learn how to evaluate App-V for Windows 10 in a lab environment before deploying into a production environment. +title: Evaluating App-V (Windows 10/11) +description: Learn how to evaluate App-V for Windows 10/11 in a lab environment before deploying into a production environment. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy @@ -15,8 +15,7 @@ ms.author: greglin # Evaluating App-V -**Applies to** -- Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] > [!NOTE] > [!INCLUDE [Application Virtualization will be end of life in April 2026](../includes/app-v-end-life-statement.md)] diff --git a/windows/application-management/app-v/appv-for-windows.md b/windows/application-management/app-v/appv-for-windows.md index 51b2a21a10..32c7f7e7ef 100644 --- a/windows/application-management/app-v/appv-for-windows.md +++ b/windows/application-management/app-v/appv-for-windows.md @@ -1,5 +1,5 @@ --- -title: Application Virtualization (App-V) (Windows 10) +title: Application Virtualization (App-V) (Windows 10/11) description: See various topics that can help you administer Application Virtualization (App-V) and its components. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -12,9 +12,9 @@ manager: dansimp ms.author: greglin ms.topic: article --- -# Application Virtualization (App-V) for Windows 10 overview +# Application Virtualization (App-V) for Windows client overview ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] > [!NOTE] > [!INCLUDE [Application Virtualization will be end of life in April 2026](../includes/app-v-end-life-statement.md)] diff --git a/windows/application-management/app-v/appv-getting-started.md b/windows/application-management/app-v/appv-getting-started.md index fd20851076..0e3c91919c 100644 --- a/windows/application-management/app-v/appv-getting-started.md +++ b/windows/application-management/app-v/appv-getting-started.md @@ -1,6 +1,6 @@ --- -title: Getting Started with App-V (Windows 10) -description: Get started with Microsoft Application Virtualization (App-V) for Windows 10. App-V for Windows 10 delivers Win32 applications to users as virtual applications. +title: Getting Started with App-V (Windows 10/11) +description: Get started with Microsoft Application Virtualization (App-V) for Windows 10/11. App-V for Windows client devices delivers Win32 applications to users as virtual applications. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy @@ -12,35 +12,35 @@ manager: dansimp ms.author: greglin ms.topic: article --- -# Getting started with App-V for Windows 10 +# Getting started with App-V for Windows client ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] > [!NOTE] > [!INCLUDE [Application Virtualization will be end of life in April 2026](../includes/app-v-end-life-statement.md)] -Microsoft Application Virtualization (App-V) for Windows 10 delivers Win32 applications to users as virtual applications. Virtual applications are installed on centrally managed servers and delivered to users as a service in real time and on an as-needed basis. Users launch virtual applications from familiar access points and interact with them as if they were installed locally. +Microsoft Application Virtualization (App-V) for Windows delivers Win32 applications to users as virtual applications. Virtual applications are installed on centrally managed servers and delivered to users as a service in real time and on an as-needed basis. Users launch virtual applications from familiar access points and interact with them as if they were installed locally. -With the release of Windows 10, version 1607, App-V is included with the [Windows 10 for Enterprise edition](https://www.microsoft.com/WindowsForBusiness/windows-for-enterprise). If you're new to Windows 10 and App-V, you’ll need to download, activate, and install server- and client-side components to start delivering virtual applications to users. To learn what you need to know before getting started with App-V, see the [Application Virtualization (App-V) overview](appv-for-windows.md). +Starting with Windows 10 version 1607, App-V is included with the [Windows 10 for Enterprise edition](https://www.microsoft.com/WindowsForBusiness/windows-for-enterprise). If you're new to Windows client and App-V, you’ll need to download, activate, and install server- and client-side components to start delivering virtual applications to users. To learn what you need to know before getting started with App-V, see the [Application Virtualization (App-V) overview](appv-for-windows.md). -If you’re already using App-V, performing an in-place upgrade to Windows 10 on user devices automatically installs the App-V client and migrates users’ App-V applications and settings. For more information about how to configure an existing App-V installation after upgrading user devices to Windows 10, see [Upgrading to App-V for Windows 10 from an existing installation](appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md). +If you’re already using App-V, performing an in-place upgrade to Windows 10/11 on user devices automatically installs the App-V client and migrates users’ App-V applications and settings. For more information about how to configure an existing App-V installation after upgrading user devices to Windows 10/11, see [Upgrading to App-V for Windows from an existing installation](appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md). >[!IMPORTANT] >You can upgrade your existing App-V installation to App-V for Windows from App-V versions 5.0 SP2 and higher only. If you are using an earlier version of App-V, you’ll need to upgrade your existing App-V installation to App-V 5.0 SP2 before upgrading to App-V for Windows. To learn more about previous versions of App-V, see [MDOP information experience](/microsoft-desktop-optimization-pack/index). -## Getting started with App-V for Windows 10 (new installations) +## Getting started with App-V for Windows (new installations) -To start using App-V to deliver virtual applications to users, you’ll need to download, enable, and install server- and client-side components. The following table describes the App-V for Windows 10 components, what they do, and where to find them. +To start using App-V to deliver virtual applications to users, you’ll need to download, enable, and install server- and client-side components. The following table describes the App-V for Windows client components, what they do, and where to find them. | Component | What it does | Where to find it | |------------|--|------| -| App-V server components | App-V offers five server components that work together to allow you to host and publish virtual applications, generate usage reports, and manage your App-V environment. For more details, see [Deploying the App-V Server](appv-deploying-the-appv-server.md).

If you're already using App-V 5.x, you don't need to redeploy the App-V server components, as they haven't changed since App-V 5.0's release. | The App-V server components are included in the Microsoft Desktop Optimization Pack (MDOP) 2015 ISO package that can be downloaded from the following locations:

If you have a Microsoft Developer Network (MSDN) subscription, use the [MSDN (Microsoft Developer Network) subscriptions site](https://msdn.microsoft.com/subscriptions/downloads/default.aspx#FileId=65215) to download the MDOP ISO package.

If you're using [Windows 10 for Enterprise or Education](https://www.microsoft.com/WindowsForBusiness/windows-product-home), download it from the [Volume Licensing Service Center](https://www.microsoft.com/licensing/default.aspx).

See [Deploying the App-V Server](appv-deploying-the-appv-server.md) for more information about installing and using the server components.| -| App-V client and App-V Remote Desktop Services (RDS) client | The App-V client is the component that runs virtualized applications on user devices, allowing users to interact with icons and file names to start virtualized applications. | The App-V client is automatically installed with Windows 10, version 1607.

To learn how to enable the client, see [Enable the App-V desktop client](appv-enable-the-app-v-desktop-client.md). | -| App-V sequencer | Use the App-V sequencer to convert Win32 applications into virtual packages for deployment to user devices. Devices must run the App-V client to allow users to interact with virtual applications. | Installed with the [Windows Assessment and Deployment kit (ADK) for Windows 10, version 1607](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). | +| App-V server components | App-V offers five server components that work together to allow you to host and publish virtual applications, generate usage reports, and manage your App-V environment. For more details, see [Deploying the App-V Server](appv-deploying-the-appv-server.md).

If you're already using App-V 5.x, you don't need to redeploy the App-V server components, as they haven't changed since App-V 5.0's release. | The App-V server components are included in the Microsoft Desktop Optimization Pack (MDOP) 2015 ISO package that can be downloaded from the following locations:

If you have a Microsoft Developer Network (MSDN) subscription, use the [MSDN (Microsoft Developer Network) subscriptions site](https://msdn.microsoft.com/subscriptions/downloads/default.aspx#FileId=65215) to download the MDOP ISO package.

If you're using [Windows client for Enterprise or Education](https://www.microsoft.com/WindowsForBusiness/windows-product-home), download it from the [Volume Licensing Service Center](https://www.microsoft.com/licensing/default.aspx).

See [Deploying the App-V Server](appv-deploying-the-appv-server.md) for more information about installing and using the server components.| +| App-V client and App-V Remote Desktop Services (RDS) client | The App-V client is the component that runs virtualized applications on user devices, allowing users to interact with icons and file names to start virtualized applications. | Starting with Windows 10 version 1607, the App-V client is automatically installed.

To learn how to enable the client, see [Enable the App-V desktop client](appv-enable-the-app-v-desktop-client.md). | +| App-V sequencer | Use the App-V sequencer to convert Win32 applications into virtual packages for deployment to user devices. Devices must run the App-V client to allow users to interact with virtual applications. | Installed with the [Windows Assessment and Deployment kit (ADK) for Windows client](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). | For more information about these components, see [High Level Architecture for App-V](appv-high-level-architecture.md). diff --git a/windows/application-management/app-v/appv-high-level-architecture.md b/windows/application-management/app-v/appv-high-level-architecture.md index 7c11b77a24..62ec6658b4 100644 --- a/windows/application-management/app-v/appv-high-level-architecture.md +++ b/windows/application-management/app-v/appv-high-level-architecture.md @@ -1,5 +1,5 @@ --- -title: High-level architecture for App-V (Windows 10) +title: High-level architecture for App-V (Windows 10/11) description: Use the information in this article to simplify your Microsoft Application Virtualization (App-V) deployment. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # High-level architecture for App-V ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Use the following information to simplify your Microsoft Application Virtualization (App-V) deployment. diff --git a/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md b/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md index b0daa8e5c6..446fb2362d 100644 --- a/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md +++ b/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md @@ -1,5 +1,5 @@ --- -title: How to Install the App-V Databases and Convert the Associated Security Identifiers by Using Windows PowerShell (Windows 10) +title: How to Install the App-V Databases and Convert the Associated Security Identifiers by Using Windows PowerShell (Windows 10/11) description: How to Install the App-V Databases and Convert the Associated Security Identifiers by Using Windows PowerShell author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization diff --git a/windows/application-management/app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md b/windows/application-management/app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md index b48c88fe55..2f8a941579 100644 --- a/windows/application-management/app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md +++ b/windows/application-management/app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md @@ -1,5 +1,5 @@ --- -title: How to Install the Management and Reporting Databases on separate computers from the Management and Reporting Services (Windows 10) +title: How to Install the Management and Reporting Databases on separate computers from the Management and Reporting Services (Windows 10/11) description: How to install the Management and Reporting Databases on separate computers from the Management and Reporting Services. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization diff --git a/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md b/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md index 9a7bb5df47..c7c54d8a32 100644 --- a/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md +++ b/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md @@ -1,5 +1,5 @@ --- -title: How to install the Management Server on a Standalone Computer and Connect it to the Database (Windows 10) +title: How to install the Management Server on a Standalone Computer and Connect it to the Database (Windows 10/11) description: How to install the Management Server on a Standalone Computer and Connect it to the Database author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization diff --git a/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md b/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md index 3ac42e959a..261eb206aa 100644 --- a/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md +++ b/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md @@ -1,5 +1,5 @@ --- -title: Install the Publishing Server on a Remote Computer (Windows 10) +title: Install the Publishing Server on a Remote Computer (Windows 10/11) description: Use the procedures in this article to install the Microsoft Application Virtualization (App-V) publishing server on a separate computer. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization diff --git a/windows/application-management/app-v/appv-install-the-reporting-server-on-a-standalone-computer.md b/windows/application-management/app-v/appv-install-the-reporting-server-on-a-standalone-computer.md index 41fb1e6ffa..f2848972d7 100644 --- a/windows/application-management/app-v/appv-install-the-reporting-server-on-a-standalone-computer.md +++ b/windows/application-management/app-v/appv-install-the-reporting-server-on-a-standalone-computer.md @@ -1,5 +1,5 @@ --- -title: How to install the Reporting Server on a standalone computer and connect it to the database (Windows 10) +title: How to install the Reporting Server on a standalone computer and connect it to the database (Windows 10/11) description: How to install the App-V Reporting Server on a Standalone Computer and Connect it to the Database author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization diff --git a/windows/application-management/app-v/appv-install-the-sequencer.md b/windows/application-management/app-v/appv-install-the-sequencer.md index 9bde5d0531..410d7b4f25 100644 --- a/windows/application-management/app-v/appv-install-the-sequencer.md +++ b/windows/application-management/app-v/appv-install-the-sequencer.md @@ -1,5 +1,5 @@ --- -title: Install the App-V Sequencer (Windows 10) +title: Install the App-V Sequencer (Windows 10/11) description: Learn how to install the App-V Sequencer to convert Win32 applications into virtual packages for deployment to user devices. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,11 +14,11 @@ ms.topic: article --- # Install the App-V Sequencer ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Use the App-V Sequencer to convert Win32 applications into virtual packages for deployment to user devices. Those devices must be running the App-V client to allow users to interact with virtual applications. -The App-V Sequencer is included in the Windows 10 Assessment and Deployment Kit (Windows ADK). +The App-V Sequencer is included in the Windows client Assessment and Deployment Kit (Windows ADK). >[!NOTE] >The computer that will run the sequencer must not have the App-V client enabled. As a best practice, choose a computer with the same hardware and software configurations as the computers that will run the virtual applications. The sequencing process is resource-intensive, so make sure the computer that will run the Sequencer has plenty of memory, a fast processor, and a fast hard drive. diff --git a/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md b/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md index 3f38081e58..081235fe4b 100644 --- a/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md +++ b/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md @@ -1,5 +1,5 @@ --- -title: How to Load the Windows PowerShell Cmdlets for App-V and Get Cmdlet Help (Windows 10) +title: How to Load the Windows PowerShell Cmdlets for App-V and Get Cmdlet Help (Windows 10/11) description: How to Load the Windows PowerShell Cmdlets for App-V and Get Cmdlet Help author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # How to load the Windows PowerShell cmdlets for App-V and get cmdlet help ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] ## Requirements for using Windows PowerShell cmdlets @@ -82,7 +82,7 @@ Starting in App-V 5.0 SP3, cmdlet help is available in two formats: |App-V Sequencer|**Update-Help -Module AppvSequencer**| |App-V Client|**Update-Help -Module AppvClient**| -* Online in the [Microsoft Desktop Optimization Pack](/powershell/mdop/get-started?view=win-mdop2-ps). +* Online in the [Microsoft Desktop Optimization Pack](/powershell/mdop/get-started). ## Displaying the help for a Windows PowerShell cmdlet diff --git a/windows/application-management/app-v/appv-maintaining-appv.md b/windows/application-management/app-v/appv-maintaining-appv.md index 6375ae29ad..b67604f857 100644 --- a/windows/application-management/app-v/appv-maintaining-appv.md +++ b/windows/application-management/app-v/appv-maintaining-appv.md @@ -1,6 +1,6 @@ --- -title: Maintaining App-V (Windows 10) -description: After you have deployed App-V for Windows 10, you can use the following information to maintain the App-V infrastructure. +title: Maintaining App-V (Windows 10/11) +description: After you have deployed App-V for Windows 10/11, you can use the following information to maintain the App-V infrastructure. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy @@ -14,9 +14,9 @@ ms.topic: article --- # Maintaining App-V ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] -After you have deployed App-V for Windows 10, you can use the following information to maintain the App-V infrastructure. +After you have deployed App-V for Windows client, you can use the following information to maintain the App-V infrastructure. ## Moving the App-V server diff --git a/windows/application-management/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md b/windows/application-management/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md index 278b757481..102c1d61e6 100644 --- a/windows/application-management/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md +++ b/windows/application-management/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md @@ -1,5 +1,5 @@ --- -title: How to manage App-V packages running on a stand-alone computer by using Windows PowerShell (Windows 10) +title: How to manage App-V packages running on a stand-alone computer by using Windows PowerShell (Windows 10/11) description: How to manage App-V packages running on a stand-alone computer by using Windows PowerShell. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # How to manage App-V packages running on a stand-alone computer by using Windows PowerShell ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] The following sections explain how to perform various management tasks on a stand-alone client computer with Windows PowerShell cmdlets. diff --git a/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md b/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md index 5333448a99..88a684ce46 100644 --- a/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md +++ b/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md @@ -1,5 +1,5 @@ --- -title: How to Manage Connection Groups on a Stand-alone Computer by Using Windows PowerShell (Windows 10) +title: How to Manage Connection Groups on a Stand-alone Computer by Using Windows PowerShell (Windows 10/11) description: How to Manage Connection Groups on a Stand-alone Computer by Using Windows PowerShell author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -15,8 +15,7 @@ ms.author: greglin # How to Manage Connection Groups on a Stand-alone Computer by Using Windows PowerShell -**Applies to** -- Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] An App-V connection group allows you to run all the virtual applications as a defined set of packages in a single virtual environment. For example, you can virtualize an application and its plug-ins by using separate packages, but run them together in a single connection group. diff --git a/windows/application-management/app-v/appv-managing-connection-groups.md b/windows/application-management/app-v/appv-managing-connection-groups.md index 1a1fed1187..bfbd7fe594 100644 --- a/windows/application-management/app-v/appv-managing-connection-groups.md +++ b/windows/application-management/app-v/appv-managing-connection-groups.md @@ -1,5 +1,5 @@ --- -title: Managing Connection Groups (Windows 10) +title: Managing Connection Groups (Windows 10/11) description: Connection groups can allow administrators to manage packages independently and avoid having to add the same application multiple times to a client computer. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -15,8 +15,7 @@ ms.author: greglin # Managing Connection Groups -**Applies to** -- Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Connection groups enable the applications within a package to interact with each other in the virtual environment, while remaining isolated from the rest of the system. By using connection groups, administrators can manage packages independently and can avoid having to add the same application multiple times to a client computer. diff --git a/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md b/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md index da8bf8b6cc..894d080a23 100644 --- a/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md +++ b/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md @@ -1,6 +1,6 @@ --- -title: Migrating to App-V from a Previous Version (Windows 10) -description: Learn how to migrate to Microsoft Application Virtualization (App-V) for Windows 10 from a previous version. +title: Migrating to App-V from a Previous Version (Windows 10/11) +description: Learn how to migrate to Microsoft Application Virtualization (App-V) for Windows 10/11 from a previous version. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy @@ -15,10 +15,9 @@ ms.author: greglin # Migrating to App-V from previous versions -**Applies to** -- Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] -To migrate from App-V 4.x to App-V for Windows 10, you must upgrade to App-V 5.x first. +To migrate from App-V 4.x to App-V for Windows 10/11, you must upgrade to App-V 5.x first. ## Improvements to the App-V Package Converter @@ -34,7 +33,7 @@ You can also use the `–OSDsToIncludeInPackage` parameter with the `ConvertFrom -New in App-V for Windows 10 +New in App-V for Windows client Prior to App-V for Windows 10 diff --git a/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md b/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md index 0cc6df1e55..69acd8e60e 100644 --- a/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md +++ b/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md @@ -1,5 +1,5 @@ --- -title: How to Modify an Existing Virtual Application Package (Windows 10) +title: How to Modify an Existing Virtual Application Package (Windows 10/11) description: Learn how to modify an existing virtual application package and add a new application to an existing virtual application package. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -15,8 +15,7 @@ ms.author: greglin # How to Modify an Existing Virtual Application Package -**Applies to** -- Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] This topic explains how to: diff --git a/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md b/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md index ad99c8c0b2..552c9efd53 100644 --- a/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md +++ b/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md @@ -1,5 +1,5 @@ --- -title: How to Modify Client Configuration by Using Windows PowerShell (Windows 10) +title: How to Modify Client Configuration by Using Windows PowerShell (Windows 10/11) description: Learn how to modify the Application Virtualization (App-V) client configuration by using Windows PowerShell. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -15,8 +15,7 @@ ms.author: greglin # How to Modify Client Configuration by Using Windows PowerShell -**Applies to** -- Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Use the following procedure to configure the App-V client configuration. diff --git a/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md b/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md index ea80b1f3c8..e3bd963ee4 100644 --- a/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md +++ b/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md @@ -1,5 +1,5 @@ --- -title: How to Move the App-V Server to Another Computer (Windows 10) +title: How to Move the App-V Server to Another Computer (Windows 10/11) description: Learn how to create a new management server console in your environment and learn how to connect it to the App-V database. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization diff --git a/windows/application-management/app-v/appv-operations.md b/windows/application-management/app-v/appv-operations.md index 91ddd5b656..08dba24e7a 100644 --- a/windows/application-management/app-v/appv-operations.md +++ b/windows/application-management/app-v/appv-operations.md @@ -1,5 +1,5 @@ --- -title: Operations for App-V (Windows 10) +title: Operations for App-V (Windows 10/11) description: Learn about the various types of App-V administration and operating tasks that are typically performed by an administrator. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # Operations for App-V ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] This section of the Microsoft Application Virtualization (App-V) Administrator’s Guide includes information about the various types of App-V administration and operating tasks that are typically performed by an administrator. This section also includes step-by-step procedures to help you successfully perform those tasks. diff --git a/windows/application-management/app-v/appv-performance-guidance.md b/windows/application-management/app-v/appv-performance-guidance.md index dba895b3b1..392ba61769 100644 --- a/windows/application-management/app-v/appv-performance-guidance.md +++ b/windows/application-management/app-v/appv-performance-guidance.md @@ -1,5 +1,5 @@ --- -title: Performance Guidance for Application Virtualization (Windows 10) +title: Performance Guidance for Application Virtualization (Windows 10/11) description: Learn how to configure App-V for optimal performance, optimize virtual app packages, and provide a better user experience with RDS and VDI. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -15,11 +15,13 @@ ms.author: greglin # Performance Guidance for Application Virtualization -**Applies to** -- Windows 7 SP1 -- Windows 10 -- Server 2012 R2 -- Server 2016 +**Applies to**: + +- Windows 7 SP1 +- Windows 10 +- Windows 11 +- Server 2012 R2 +- Server 2016 Learn how to configure App-V for optimal performance, optimize virtual app packages, and provide a better user experience with RDS and VDI. @@ -270,11 +272,11 @@ We recommend using User Experience Virtualization (UE-V) to capture and centrali For more information, see: -- [User Experience Virtualization (UE-V) for Windows 10 overview](/windows/configuration/ue-v/uev-for-windows) +- [User Experience Virtualization (UE-V) for Windows client overview](/windows/configuration/ue-v/uev-for-windows) - [Get Started with UE-V](/windows/configuration/ue-v/uev-getting-started) -In essence all that is required is to enable the UE-V service and download the following Microsoft authored App-V settings template from the [Microsoft User Experience Virtualization (UE-V) template gallery](https://gallery.technet.microsoft.com/Authored-UE-V-Settings-bb442a33). Register the template. For more information about UE-V templates, see [User Experience Virtualization (UE-V) for Windows 10 overview](/windows/configuration/ue-v/uev-for-windows). +In essence all that is required is to enable the UE-V service and download the following Microsoft authored App-V settings template from the [Microsoft User Experience Virtualization (UE-V) template gallery](https://gallery.technet.microsoft.com/Authored-UE-V-Settings-bb442a33). Register the template. For more information about UE-V templates, see [User Experience Virtualization (UE-V) for Windows client overview](/windows/configuration/ue-v/uev-for-windows). **Note**   Without performing an additional configuration step, User Environment Virtualization (UE-V) will not be able to synchronize the Start menu shortcuts (.lnk files) on the target computer. The .lnk file type is excluded by default. diff --git a/windows/application-management/app-v/appv-planning-checklist.md b/windows/application-management/app-v/appv-planning-checklist.md index 50887ca724..90f3c89418 100644 --- a/windows/application-management/app-v/appv-planning-checklist.md +++ b/windows/application-management/app-v/appv-planning-checklist.md @@ -1,5 +1,5 @@ --- -title: App-V Planning Checklist (Windows 10) +title: App-V Planning Checklist (Windows 10/11) description: Learn about the recommended steps and items to consider when planning an Application Virtualization (App-V) deployment. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # App-V Planning Checklist ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] This checklist can be used to help you plan for preparing your organization for an App-V deployment. diff --git a/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md b/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md index 18032d260a..40386c2097 100644 --- a/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md +++ b/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md @@ -1,5 +1,5 @@ --- -title: Planning to Use Folder Redirection with App-V (Windows 10) +title: Planning to Use Folder Redirection with App-V (Windows 10/11) description: Learn about folder redirection with App-V. Folder redirection enables users and administrators to redirect the path of a folder to a new location. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # Planning to Use Folder Redirection with App-V ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Microsoft Application Virtualization (App-V) supports the use of folder redirection, a feature that enables users and administrators to redirect the path of a folder to a new location. diff --git a/windows/application-management/app-v/appv-planning-for-appv-server-deployment.md b/windows/application-management/app-v/appv-planning-for-appv-server-deployment.md index f17f8cf5e9..b5f01d47c7 100644 --- a/windows/application-management/app-v/appv-planning-for-appv-server-deployment.md +++ b/windows/application-management/app-v/appv-planning-for-appv-server-deployment.md @@ -1,5 +1,5 @@ --- -title: Planning for the App-V Server Deployment (Windows 10) +title: Planning for the App-V Server Deployment (Windows 10/11) description: Learn what you need to know so you can plan for the Microsoft Application Virtualization (App-V) 5.1 server deployment. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization diff --git a/windows/application-management/app-v/appv-planning-for-appv.md b/windows/application-management/app-v/appv-planning-for-appv.md index 9f7685040d..0f7c0bbb39 100644 --- a/windows/application-management/app-v/appv-planning-for-appv.md +++ b/windows/application-management/app-v/appv-planning-for-appv.md @@ -1,5 +1,5 @@ --- -title: Planning for App-V (Windows 10) +title: Planning for App-V (Windows 10/11) description: Use the information in this article to plan to deploy App-V without disrupting your existing network or user experience. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # Planning for App-V ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] > [!NOTE] > [!INCLUDE [Application Virtualization will be end of life in April 2026](../includes/app-v-end-life-statement.md)] diff --git a/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md b/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md index 4cdce6102f..f3e4e0b58f 100644 --- a/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md +++ b/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md @@ -14,7 +14,7 @@ ms.topic: article --- # Planning for high availability with App-V Server ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Microsoft Application Virtualization (App-V) system configurations can take advantage of options that maintain a high available service level. diff --git a/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md b/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md index f6e0a38b9e..f1c589ae07 100644 --- a/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md +++ b/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md @@ -1,5 +1,5 @@ --- -title: Planning for the App-V Sequencer and Client Deployment (Windows 10) +title: Planning for the App-V Sequencer and Client Deployment (Windows 10/11) description: Learn what you need to do to plan for the App-V Sequencer and Client deployment, and where to find additional information about the deployment process. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # Planning for the App-V Sequencer and Client Deployment ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Before you can use App-V, you must install the App-V Sequencer and enable the App-V client. You can also the App-V shared content store, although it isn't required. The following sections will tell you how to set these up. @@ -38,7 +38,7 @@ Ideally, you should install the sequencer on a computer running as a virtual mac ## Planning for App-V client deployment -In Windows 10, version 1607, the App-V client is included with the operating system. For more information, see [Enable the App-V desktop client](appv-enable-the-app-v-desktop-client.md). +Starting with Windows 10 version 1607, the App-V client is included with the operating system. For more information, see [Enable the App-V desktop client](appv-enable-the-app-v-desktop-client.md). ## Planning for the App-V Shared Content Store (SCS) diff --git a/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md b/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md index 9db1afb81a..c5885a941b 100644 --- a/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md +++ b/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md @@ -1,5 +1,5 @@ --- -title: Planning for Deploying App-V with Office (Windows 10) +title: Planning for Deploying App-V with Office (Windows 10/11) description: Use the information in this article to plan how to deploy Office within Microsoft Application Virtualization (App-V). author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # Planning for deploying App-V with Office ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Use the following information to plan how to deploy Office within Microsoft Application Virtualization (App-V). @@ -92,7 +92,7 @@ To bypass the auto-registration operation for native Word 2010, follow these ste * In Windows 7k, select **Start**, type **regedit** in the Start Search box, then select the Enter key. - * In Windows 8.1 or Windows 10, enter **regedit**, select **Enter** on the Start page, then select the Enter key. + * In Windows client, enter **regedit**, select **Enter** on the Start page, then select the Enter key. If you're prompted for an administrator password, enter the password. If you're prompted for a confirmation, select **Continue**. 3. Locate and then select the following registry subkey: diff --git a/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md index a5ab9870cf..12d3de4f82 100644 --- a/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md +++ b/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md @@ -1,5 +1,5 @@ --- -title: Planning to Deploy App-V with an Electronic Software Distribution System (Windows 10) +title: Planning to Deploy App-V with an Electronic Software Distribution System (Windows 10/11) description: Planning to Deploy App-V with an Electronic Software Distribution System author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # Planning to Deploy App-V with an electronic software distribution system ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] If you are using an electronic software distribution (ESD) system to deploy App-V packages, review the following planning considerations. For information about deploying App-V with Microsoft Endpoint Configuration Manager, see [Introduction to application management in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682125(v=technet.10)#BKMK_Appv). diff --git a/windows/application-management/app-v/appv-planning-to-deploy-appv.md b/windows/application-management/app-v/appv-planning-to-deploy-appv.md index 0b26e63e8a..3bb30afe33 100644 --- a/windows/application-management/app-v/appv-planning-to-deploy-appv.md +++ b/windows/application-management/app-v/appv-planning-to-deploy-appv.md @@ -1,5 +1,5 @@ --- -title: Planning to Deploy App-V (Windows 10) +title: Planning to Deploy App-V (Windows 10/11) description: Learn about the different deployment configurations and requirements to consider before you deploy App-V for Windows 10. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -12,11 +12,11 @@ manager: dansimp ms.author: greglin ms.topic: article --- -# Planning to Deploy App-V for Windows 10 +# Planning to Deploy App-V for Windows client ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] -There are several different deployment configurations and requirements to consider before you deploy App-V for Windows 10. Review this topic for information about what you'll need to make a deployment plan that best meets your needs. +There are several different deployment configurations and requirements to consider before you deploy App-V for Windows client. Review this topic for information about what you'll need to make a deployment plan that best meets your needs. ## App-V supported configurations diff --git a/windows/application-management/app-v/appv-preparing-your-environment.md b/windows/application-management/app-v/appv-preparing-your-environment.md index 9753d170ef..979f7a1094 100644 --- a/windows/application-management/app-v/appv-preparing-your-environment.md +++ b/windows/application-management/app-v/appv-preparing-your-environment.md @@ -1,5 +1,5 @@ --- -title: Preparing Your Environment for App-V (Windows 10) +title: Preparing Your Environment for App-V (Windows 10/11) description: Use this info to prepare for deployment configurations and prerequisites for Microsoft Application Virtualization (App-V). ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy @@ -14,7 +14,7 @@ ms.topic: article --- # Preparing your environment for App-V ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] There are several different deployment configurations and prerequisites that you must consider before creating your deployment plan for Microsoft App-V. The following articles will help you gather the information you need to set up a deployment plan that best suits your business’ needs. diff --git a/windows/application-management/app-v/appv-prerequisites.md b/windows/application-management/app-v/appv-prerequisites.md index 2cdfd2d90c..0e3e61bac8 100644 --- a/windows/application-management/app-v/appv-prerequisites.md +++ b/windows/application-management/app-v/appv-prerequisites.md @@ -1,5 +1,5 @@ --- -title: App-V Prerequisites (Windows 10) +title: App-V Prerequisites (Windows 10/11) description: Learn about the prerequisites you need before you begin installing Application Virtualization (App-V). author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -12,11 +12,12 @@ manager: dansimp ms.author: greglin ms.topic: article --- -# App-V for Windows 10 prerequisites ->Applies to: Windows 10, version 1607 +# App-V for Windows client prerequisites -Before installing App-V for Windows 10, ensure that you have installed all of the following required prerequisite software. +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] + +Before installing App-V for Windows client, ensure that you have installed all of the following required prerequisite software. For a list of supported operating systems and hardware requirements for the App-V server, sequencer, and client, see [App-V Supported Configurations](appv-supported-configurations.md). @@ -26,7 +27,7 @@ The following table indicates the software that is already installed for differe |Operating system|Prerequisite description| |---|---| -|Windows 10|All prerequisite software is already installed.| +|Windows 10/11|All prerequisite software is already installed.| |Windows 8.1|All prerequisite software is already installed.
If you're running Windows 8, upgrade to Windows 8.1 before using App-V.| |Windows Server 2016|The following prerequisite software is already installed:
- Microsoft .NET Framework 4.5
- Windows PowerShell 3.0

Installing Windows PowerShell requires a restart.| |Windows 7|No prerequisite software is installed. You must install the software before you can install App-V.| diff --git a/windows/application-management/app-v/appv-publish-a-connection-group.md b/windows/application-management/app-v/appv-publish-a-connection-group.md index 27eb277fc2..4297883e3a 100644 --- a/windows/application-management/app-v/appv-publish-a-connection-group.md +++ b/windows/application-management/app-v/appv-publish-a-connection-group.md @@ -1,5 +1,5 @@ --- -title: How to Publish a Connection Group (Windows 10) +title: How to Publish a Connection Group (Windows 10/11) description: Learn how to publish a connection group to computers that run the Application Virtualization (App-V) client. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # How to Publish a Connection Group ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] After you create a connection group, you must publish it to computers that run the App-V client. diff --git a/windows/application-management/app-v/appv-publish-a-packages-with-the-management-console.md b/windows/application-management/app-v/appv-publish-a-packages-with-the-management-console.md index c438b69062..f50ef817a3 100644 --- a/windows/application-management/app-v/appv-publish-a-packages-with-the-management-console.md +++ b/windows/application-management/app-v/appv-publish-a-packages-with-the-management-console.md @@ -1,5 +1,5 @@ --- -title: How to publish a package by using the Management console (Windows 10) +title: How to publish a package by using the Management console (Windows 10/11) description: Learn how the Management console in App-V can help you enable admin controls as well as publish App-V packages. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # How to publish a package by using the Management console ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Use the following procedure to publish an App-V package. Once you publish a package, computers running the App-V client can access and run the applications in that package. diff --git a/windows/application-management/app-v/appv-register-and-unregister-a-publishing-server-with-the-management-console.md b/windows/application-management/app-v/appv-register-and-unregister-a-publishing-server-with-the-management-console.md index 7023d46bce..509d82740c 100644 --- a/windows/application-management/app-v/appv-register-and-unregister-a-publishing-server-with-the-management-console.md +++ b/windows/application-management/app-v/appv-register-and-unregister-a-publishing-server-with-the-management-console.md @@ -1,5 +1,5 @@ --- -title: How to Register and Unregister a Publishing Server by Using the Management Console (Windows 10) +title: How to Register and Unregister a Publishing Server by Using the Management Console (Windows 10/11) description: How to Register and Unregister a Publishing Server by Using the Management Console author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -15,8 +15,7 @@ ms.author: greglin # How to Register and Unregister a Publishing Server by Using the Management Console -**Applies to** -- Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] You can register and unregister publishing servers that will synchronize with the App-V management server. You can also see the last attempt that the publishing server made to synchronize the information with the management server. diff --git a/windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md index 993c86f316..8765ba9fa6 100644 --- a/windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md +++ b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md @@ -1,6 +1,6 @@ --- -title: Release Notes for App-V for Windows 10, version 1703 (Windows 10) -description: A list of known issues and workarounds for App-V running on Windows 10, version 1703. +title: Release Notes for App-V for Windows 10 version 1703 (Windows 10/11) +description: A list of known issues and workarounds for App-V running on Windows 10 version 1703 and Windows 11. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy @@ -13,12 +13,11 @@ ms.author: greglin --- -# Release Notes for App-V for Windows 10, version 1703 +# Release Notes for App-V for Windows 10 version 1703 and later -**Applies to** -- Windows 10, version 1703 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] -The following are known issues and workarounds for Application Virtualization (App-V) running on Windows 10, version 1703. +The following are known issues and workarounds for Application Virtualization (App-V) running on Windows 10 version 1703 and later @@ -106,7 +105,7 @@ The following are known issues and workarounds for Application Virtualization (A ## Related resources list -For information that can help with troubleshooting App-V for Windows 10, see: +For information that can help with troubleshooting App-V for Windows client, see: - [Application Virtualization (App-V): List of Microsoft Support Knowledge Base Articles](https://social.technet.microsoft.com/wiki/contents/articles/14272.app-v-v5-x-list-of-microsoft-support-knowledge-base-articles.aspx) - [The Official Microsoft App-V Team Blog](/archive/blogs/appv/) @@ -119,6 +118,6 @@ For information that can help with troubleshooting App-V for Windows 10, see:
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). ## Related topics -- [What's new in App-V for Windows 10](appv-about-appv.md) +- [What's new in App-V for Windows client](appv-about-appv.md) - [Release Notes for App-V for Windows 10, version 1607](appv-release-notes-for-appv-for-windows-1703.md) \ No newline at end of file diff --git a/windows/application-management/app-v/appv-reporting.md b/windows/application-management/app-v/appv-reporting.md index a777b5a01e..31fd82260d 100644 --- a/windows/application-management/app-v/appv-reporting.md +++ b/windows/application-management/app-v/appv-reporting.md @@ -1,5 +1,5 @@ --- -title: About App-V Reporting (Windows 10) +title: About App-V Reporting (Windows 10/11) description: Learn how the App-V reporting feature collects information about computers running the App-V client and virtual application package usage. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # About App-V reporting ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Application Virtualization (App-V) includes a built-in reporting feature that collects information about computers running the App-V client and virtual application package usage. You can generate reports from a centralized database with this information. diff --git a/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md b/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md index d552115faf..b22a3ebbce 100644 --- a/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md +++ b/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md @@ -1,5 +1,5 @@ --- -title: Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications (Windows 10) +title: Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications (Windows 10/11) description: Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -18,6 +18,7 @@ ms.author: greglin **Applies to** - Windows 7 SP1 - Windows 10 +- Windows 11 - Windows Server 2012 R2 - Windows Server 2016 diff --git a/windows/application-management/app-v/appv-security-considerations.md b/windows/application-management/app-v/appv-security-considerations.md index 02603d57b2..36f3d39141 100644 --- a/windows/application-management/app-v/appv-security-considerations.md +++ b/windows/application-management/app-v/appv-security-considerations.md @@ -1,5 +1,5 @@ --- -title: App-V Security Considerations (Windows 10) +title: App-V Security Considerations (Windows 10/11) description: Learn about accounts and groups, log files, and other security-related considerations for Microsoft Application Virtualization (App-V). author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # App-V security considerations ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] This topic contains a brief overview of the accounts and groups, log files, and other security-related considerations for Microsoft Application Virtualization (App-V). diff --git a/windows/application-management/app-v/appv-sequence-a-new-application.md b/windows/application-management/app-v/appv-sequence-a-new-application.md index 0c47bf69b6..c456583c56 100644 --- a/windows/application-management/app-v/appv-sequence-a-new-application.md +++ b/windows/application-management/app-v/appv-sequence-a-new-application.md @@ -1,5 +1,5 @@ --- -title: Manually sequence a new app using the Microsoft Application Virtualization Sequencer (App-V Sequencer) (Windows 10) +title: Manually sequence a new app using the Microsoft Application Virtualization Sequencer (App-V Sequencer) (Windows 10/11) description: Learn how to manually sequence a new app by using the App-V Sequencer that's included with the Windows ADK. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,9 +14,9 @@ ms.topic: article --- # Manually sequence a new app using the Microsoft Application Virtualization Sequencer (App-V Sequencer) ->Applies to: Windows 10, version 1607 and later +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] -In Windows 10, version 1607, the App-V Sequencer is included with the Windows ADK. For more info on how to install the App-V Sequencer, see [Install the App-V Sequencer](appv-install-the-sequencer.md). +Starting with Windows 10 version 1607, the App-V Sequencer is included with the Windows ADK. For more info on how to install the App-V Sequencer, see [Install the App-V Sequencer](appv-install-the-sequencer.md). ## Before you start sequencing diff --git a/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md b/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md index 6a5a084f6a..60d9e3bf9e 100644 --- a/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md +++ b/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md @@ -1,5 +1,5 @@ --- -title: How to sequence a package by using Windows PowerShell (Windows 10) +title: How to sequence a package by using Windows PowerShell (Windows 10/11) description: Learn how to sequence a new Microsoft Application Virtualization (App-V) package by using Windows PowerShell. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -15,8 +15,7 @@ ms.author: greglin # How to Sequence a Package by using Windows PowerShell -**Applies to** -- Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Use the following procedure to create a new App-V package using Windows PowerShell. @@ -63,7 +62,7 @@ The following list displays additional optional parameters that can be used with - FullLoad - specifies that the package must be fully downloaded to the computer running the App-V before it can be opened. -In Windows 10, version 1703, running the new-appvsequencerpackage or the update-appvsequencepackage cmdlets automatically captures and stores all of your customizations as an App-V project template. If you want to make changes to this package later, your customizations are automatically loaded from this template file. +Starting with Windows 10 version 1703, the `new-appvsequencerpackage` or the `update-appvsequencepackage` cmdlets automatically capture and store all of your customizations as an App-V project template. If you want to make changes to this package later, your customizations are automatically loaded from this template file. > [!IMPORTANT] > If you have an auto-saved template and you attempt to load another template through the _TemplateFilePath_ parameter, the customization value from the parameter will override the auto-saved template. diff --git a/windows/application-management/app-v/appv-supported-configurations.md b/windows/application-management/app-v/appv-supported-configurations.md index f2d40d15b1..4fe89ecc0c 100644 --- a/windows/application-management/app-v/appv-supported-configurations.md +++ b/windows/application-management/app-v/appv-supported-configurations.md @@ -1,6 +1,6 @@ --- -title: App-V Supported Configurations (Windows 10) -description: Learn the requirements to install and run App-V supported configurations in your Windows 10 environment. +title: App-V Supported Configurations (Windows 10/11) +description: Learn the requirements to install and run App-V supported configurations in your Windows 10/11 environment. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy @@ -14,9 +14,17 @@ ms.topic: article --- # App-V Supported Configurations ->Applies to: Windows 10, version 1607; Window Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 (Extended Security Update) +**Applies to**: -This topic specifies the requirements to install and run App-V in your Windows 10 environment. For information about prerequisite software such as the .NET Framework, see [App-V prerequisites](appv-prerequisites.md). +- Windows 10 +- Windows 11 +- Window Server 2019 +- Windows Server 2016 +- Windows Server 2012 R2 +- Windows Server 2012 +- Windows Server 2008 R2 (Extended Security Update) + +This topic specifies the requirements to install and run App-V in your Windows client environment. For information about prerequisite software such as the .NET Framework, see [App-V prerequisites](appv-prerequisites.md). ## App-V Server system requirements @@ -98,7 +106,7 @@ The following table lists the SQL Server versions that are supported for the App ## App-V client and Remote Desktop Services client requirements -With Windows 10, version 1607 and later releases, the App-V client is included with Windows 10 Enterprise and Windows 10 Education. The App-V client is no longer part of the Microsoft Desktop Optimization Pack. Before you can use the App-V client, it must be enabled, as described in [Enable the App-V desktop client](appv-enable-the-app-v-desktop-client.md). +Starting with Windows 10 version 1607, the App-V client is included with Windows Enterprise and Windows Education. The App-V client is no longer part of the Microsoft Desktop Optimization Pack. Before you can use the App-V client, it must be enabled, as described in [Enable the App-V desktop client](appv-enable-the-app-v-desktop-client.md). Similarly, the App-V Remote Desktop Services (RDS) client is included with Windows Server 2016 Standard and Windows Server 2016 Datacenter. diff --git a/windows/application-management/app-v/appv-technical-reference.md b/windows/application-management/app-v/appv-technical-reference.md index ec6e36ed71..378c6cf052 100644 --- a/windows/application-management/app-v/appv-technical-reference.md +++ b/windows/application-management/app-v/appv-technical-reference.md @@ -1,5 +1,5 @@ --- -title: Technical Reference for App-V (Windows 10) +title: Technical Reference for App-V (Windows 10/11) description: Learn strategy and context for many performance optimization practices in this technical reference for Application Virtualization (App-V). author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -15,8 +15,7 @@ ms.author: greglin # Technical Reference for App-V -**Applies to** -- Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] This section provides reference information related to managing App-V. diff --git a/windows/application-management/app-v/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md b/windows/application-management/app-v/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md index 28caecc4fa..52fd89cf85 100644 --- a/windows/application-management/app-v/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md +++ b/windows/application-management/app-v/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md @@ -1,5 +1,5 @@ --- -title: How to Transfer Access and Configurations to Another Version of a Package by Using the Management Console (Windows 10) +title: How to Transfer Access and Configurations to Another Version of a Package by Using the Management Console (Windows 10/11) description: How to Transfer Access and Configurations to Another Version of a Package by Using the Management Console author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -15,8 +15,7 @@ ms.author: greglin # How to Transfer Access and Configurations to Another Version of a Package by Using the Management Console -**Applies to** -- Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Use the following procedure to transfer the access and default package configurations to another version of a package by using the management console. diff --git a/windows/application-management/app-v/appv-troubleshooting.md b/windows/application-management/app-v/appv-troubleshooting.md index 2ee6c51728..0ca75469ad 100644 --- a/windows/application-management/app-v/appv-troubleshooting.md +++ b/windows/application-management/app-v/appv-troubleshooting.md @@ -1,5 +1,5 @@ --- -title: Troubleshooting App-V (Windows 10) +title: Troubleshooting App-V (Windows 10/11) description: Learn how to find information about troubleshooting Application Virtualization (App-V) and information about other App-V topics. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -15,10 +15,9 @@ ms.author: greglin # Troubleshooting App-V -**Applies to** -- Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] -For information that can help with troubleshooting App-V for Windows 10, see: +For information that can help with troubleshooting App-V for Windows client, see: - [Application Virtualization (App-V): List of Microsoft Support Knowledge Base Articles](https://social.technet.microsoft.com/wiki/contents/articles/14272.app-v-v5-x-list-of-microsoft-support-knowledge-base-articles.aspx) @@ -33,9 +32,9 @@ For information that can help with troubleshooting App-V for Windows 10, see: ## Other resources -- [Application Virtualization (App-V) for Windows 10 overview](appv-for-windows.md) +- [Application Virtualization (App-V) for Windows client overview](appv-for-windows.md) -- [Getting Started with App-V for Windows 10](appv-getting-started.md) +- [Getting Started with App-V for Windows client](appv-getting-started.md) - [Planning for App-V](appv-planning-for-appv.md) diff --git a/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md b/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md index fd2a4d1bf4..cb48f4c88a 100644 --- a/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md +++ b/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md @@ -1,6 +1,6 @@ --- -title: Upgrading to App-V for Windows 10 from an existing installation (Windows 10) -description: Learn about upgrading to Application Virtualization (App-V) for Windows 10 from an existing installation. +title: Upgrading to App-V for Windows 10/11 from an existing installation (Windows 10/11) +description: Learn about upgrading to Application Virtualization (App-V) for Windows 10/11 from an existing installation. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy @@ -12,14 +12,13 @@ manager: dansimp ms.author: greglin --- -# Upgrading to App-V for Windows 10 from an existing installation +# Upgrading to App-V for Windows client from an existing installation -**Applies to** -- Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] -If you’re already using App-V and you’re planning to upgrade user devices to Windows 10, you need to make only the following few adjustments to your existing environment to start using App-V for Windows 10. +If you’re already using App-V and you’re planning to upgrade user devices to Windows 10/11, you need to make only the following few adjustments to your existing environment to start using App-V for Windows client. -1. [Upgrade user devices to Windows 10](#upgrade-user-devices-to-windows-10). Performing an in-place upgrade automatically installs the App-V client and migrates users’ App-V applications and settings. +1. [Upgrade user devices to Windows 10/11](#upgrade-user-devices-to-windows-1011). Performing an in-place upgrade automatically installs the App-V client and migrates users’ App-V applications and settings. 2. [Verify that App-V applications and settings were migrated correctly](#verify-that-app-v-applications-and-settings-were-migrated-correctly). @@ -31,13 +30,13 @@ If you’re already using App-V and you’re planning to upgrade user devices to These steps are explained in more detail below. -## Upgrade user devices to Windows 10 +## Upgrade user devices to Windows 10/11 -Performing an in-place upgrade automatically installs the App-V client and migrates users’ App-V applications and settings. See the [Windows 10 and Windows 10 Mobile document set](/windows/windows-10/) for information about upgrading user devices to Windows 10. +Performing an in-place upgrade automatically installs the App-V client and migrates users’ App-V applications and settings. See the [Windows document set](/windows/windows-10/) for information about upgrading user devices. ## Verify that App-V applications and settings were migrated correctly -After upgrading a user device to Windows 10, it’s important to verify that App-V applications and settings were migrated correctly during the upgrade. +After upgrading a user device, it’s important to verify that App-V applications and settings were migrated correctly during the upgrade. To verify that the user’s App-V application packages were migrated correctly, type `Get-AppvClientPackage` in Windows PowerShell. @@ -45,7 +44,7 @@ To verify that the user’s App-V settings were migrated correctly, type `Get-Ap ## Enable the in-box App-V client -With Windows 10, the App-V client is installed automatically. You need to enable the client to allow user devices to access and run virtual applications. You can enable the client with the Group Policy editor or with Windows PowerShell. +With Windows 10/11, the App-V client is installed automatically. You need to enable the client to allow user devices to access and run virtual applications. You can enable the client with the Group Policy editor or with Windows PowerShell. **To enable the App-V client with Group Policy** diff --git a/windows/application-management/app-v/appv-using-the-client-management-console.md b/windows/application-management/app-v/appv-using-the-client-management-console.md index 1f463763a0..4d7ae4ff1a 100644 --- a/windows/application-management/app-v/appv-using-the-client-management-console.md +++ b/windows/application-management/app-v/appv-using-the-client-management-console.md @@ -1,5 +1,5 @@ --- -title: Using the App-V Client Management Console (Windows 10) +title: Using the App-V Client Management Console (Windows 10/11) description: Learn how to use the Application Virtualization (App-V) client management console to manage packages on the computer running the App-V client. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -15,8 +15,7 @@ ms.author: greglin # Using the App-V Client Management Console -**Applies to** -- Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] This topic provides information about using the Application Virtualization (App-V) client management console to manage packages on the computer running the App-V client. diff --git a/windows/application-management/app-v/appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md b/windows/application-management/app-v/appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md index 96494e493b..3e7c56d05e 100644 --- a/windows/application-management/app-v/appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md +++ b/windows/application-management/app-v/appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md @@ -1,5 +1,5 @@ --- -title: How to View and Configure Applications and Default Virtual Application Extensions by Using the Management Console (Windows 10) +title: How to View and Configure Applications and Default Virtual Application Extensions by Using the Management Console (Windows 10/11) description: How to View and Configure Applications and Default Virtual Application Extensions by Using the Management Console author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -15,8 +15,7 @@ ms.author: greglin # How to View and Configure Applications and Default Virtual Application Extensions by Using the Management Console -**Applies to** -- Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Use the following procedure to view and configure default package extensions. diff --git a/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md b/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md index 8cb9a3b085..eebe3e0c35 100644 --- a/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md +++ b/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md @@ -1,5 +1,5 @@ --- -title: Viewing App-V Server Publishing Metadata (Windows 10) +title: Viewing App-V Server Publishing Metadata (Windows 10/11) description: Use this procedure to view App-V Server publishing metadata, which can help you resolve publishing-related issues. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -42,7 +42,7 @@ You can view the metadata for each request in an Internet browser by using a que ## Query syntax for viewing publishing metadata -This section provides information about queries for viewing publishing metadata for App-V 5.0 SP3 Server and App-V 5.1 server. The App-V server components have not changed since App-V 5.0 was released, so App-V 5.x Server is the version of the server used with App-V for Windows 10. +This section provides information about queries for viewing publishing metadata for App-V 5.0 SP3 Server and App-V 5.1 server. The App-V server components have not changed since App-V 5.0 was released, so App-V 5.x Server is the version of the server used with App-V for Windows client. **Query syntax** @@ -58,7 +58,7 @@ In this example: - A computer running Windows Server 2016 named “pubsvr01” hosts the Publishing service. -- The Windows client is Windows 10, 64-bit. +- The Windows client is 64-bit. **Query parameter descriptions** @@ -68,7 +68,7 @@ The following table describes the parameters shown in the preceding **Query synt |------------|---------------| | `` | Name of the App-V Publishing server. | | `` | Port to the App-V Publishing server, which you defined when you configured the Publishing server. | -| `ClientVersion=` | Windows 10 build number. You can obtain this number by running the following Windows PowerShell command:
`(Get-CimInstance Win32_OperatingSystem).version` | +| `ClientVersion=` | Windows client build number. You can obtain this number by running the following Windows PowerShell command:
`(Get-CimInstance Win32_OperatingSystem).version` | | `ClientOS=` | Operating system of the computer that is running the App-V client. Refer to the table that follows for the correct value.
You can omit this parameter, with the result that only the packages that were sequenced to support all operating systems will appear in the metadata. | To get the name of the Publishing server and the port number (`http://:`) from the App-V client, look at the URL configuration of the Get-AppvPublishingServer Windows PowerShell cmdlet. @@ -92,12 +92,12 @@ In your publishing metadata query, enter the string values that correspond to th - + - + diff --git a/windows/application-management/apps-in-windows-10.md b/windows/application-management/apps-in-windows-10.md index f30e8fa94f..2584b8cb49 100644 --- a/windows/application-management/apps-in-windows-10.md +++ b/windows/application-management/apps-in-windows-10.md @@ -1,5 +1,5 @@ --- -title: Learn about the different app types in Windows 10 | Microsoft Docs +title: Learn about the different app types in Windows 10/11 | Microsoft Docs ms.reviewer: manager: dougeby description: Learn more and understand the different types of apps that run on Windows 10 and Windows 11. For example, learn more about UWP, WPF, Win32, and Windows Forms apps, including the best way to install these apps. @@ -15,9 +15,10 @@ ms.topic: article # Overview of apps on Windows client devices -> Applies to: -> -> - Windows 10 +**Applies to**: + +- Windows 10 +- Windows 11 ## Before you begin @@ -70,13 +71,22 @@ There are different types of apps that can run on your Windows client devices. T Using an MDM provider, you can create shortcuts to your web apps and progressive web apps on devices. +## Android™️ apps + +Starting with Windows 11, users in the [Windows Insider program](https://insider.windows.com/) can use the Microsoft Store to search, download, and install Android™️ apps. This feature uses the Windows Subsystem for Android, and allows users to interact with Android apps, just like others apps installed from the Microsoft Store. + +For more information, see: + +- [Windows Subsystem for Android](https://support.microsoft.com/windows/abed2335-81bf-490a-92e5-fe01b66e5c48) +- [Windows Subsystem for Android developer information](/windows/android/wsa) + ## Add or deploy apps to devices When your apps are ready, you can add or deploy these apps to your Windows devices. This section lists some common options. - **Manually install**: On your devices, users can install apps from the Microsoft Store, from the internet, and from an organization shared drive. These apps, and more, are listed in **Settings** > **Apps** > **Apps and Features**. - If you want to prevent users from downloading apps on organization owned devices, use an MDM provider, like Microsoft Intune. For example, you can create a policy that allows or prevents users from sideloading apps, only allow the private store, and more. For more information on the features you can restrict, see [Windows 10 (and newer) device settings to allow or restrict features using Intune](/mem/intune/configuration/device-restrictions-windows-10). + If you want to prevent users from downloading apps on organization owned devices, use an MDM provider, like Microsoft Intune. For example, you can create a policy that allows or prevents users from sideloading apps, only allow the private store, and more. For more information on the features you can restrict, see [Windows client device settings to allow or restrict features using Intune](/mem/intune/configuration/device-restrictions-windows-10). For an overview of the different types of device policies you can create, see [Apply features and settings on your devices using device profiles in Microsoft Intune](/mem/intune/configuration/device-profiles). diff --git a/windows/application-management/enterprise-background-activity-controls.md b/windows/application-management/enterprise-background-activity-controls.md index 0a72c19e87..9c4133cd25 100644 --- a/windows/application-management/enterprise-background-activity-controls.md +++ b/windows/application-management/enterprise-background-activity-controls.md @@ -17,7 +17,7 @@ To provide the best experience for consumers, Windows provides controls that giv By default, resource limits are imposed on applications. Foreground apps are given the most memory and execution time; background apps get less. Users are thus protected from poor foreground app performance and heavy battery drain. -Enterprise users want the same ability to enable or limit background activity. In Windows 10, version 1703 (also known as the Creators Update), enterprises can now configure settings via policy and provisioning that control background activity. +Enterprise users want the same ability to enable or limit background activity. Starting with Windows 10 version 1703, enterprises can now configure settings via policy and provisioning that control background activity. ## Background activity controls @@ -33,7 +33,7 @@ Here is the set of available controls for mobile devices:  ![Battery usage by app on mobile.](images/battery-usage-by-app-mobile.png) -Although the user interface differs across editions of the operating system, the policy and developer interface is consistent across Windows 10. For more information about these controls, see [Optimize background activity](/windows/uwp/debug-test-perf/optimize-background-activity). +Although the user interface differs across editions of the operating system, the policy and developer interface is consistent across Windows clients. For more information about these controls, see [Optimize background activity](/windows/uwp/debug-test-perf/optimize-background-activity). ## Enterprise background activity controls  @@ -62,4 +62,4 @@ The Universal Windows Platform ensures that consumers will have great battery li - [Run in the background indefinitely](/windows/uwp/launch-resume/run-in-the-background-indefinetly) - [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider#privacy-letappsruninbackground) -[Optimize background activity](/windows/uwp/debug-test-perf/optimize-background-activity) \ No newline at end of file +[Optimize background activity](/windows/uwp/debug-test-perf/optimize-background-activity) diff --git a/windows/application-management/includes/applies-to-windows-client-versions.md b/windows/application-management/includes/applies-to-windows-client-versions.md new file mode 100644 index 0000000000..33ade955c1 --- /dev/null +++ b/windows/application-management/includes/applies-to-windows-client-versions.md @@ -0,0 +1,15 @@ +--- +author: MandiOhlinger +ms.author: mandia +ms.date: 09/28/2021 +ms.reviewer: +audience: itpro +manager: dansimp +ms.prod: w10 +ms.topic: include +--- + +**Applies to**: + +- Windows 10 +- Windows 11 diff --git a/windows/application-management/manage-windows-mixed-reality.md b/windows/application-management/manage-windows-mixed-reality.md index 2305949341..ecfbf1a470 100644 --- a/windows/application-management/manage-windows-mixed-reality.md +++ b/windows/application-management/manage-windows-mixed-reality.md @@ -1,5 +1,5 @@ --- -title: Enable or block Windows Mixed Reality apps in the enterprise (Windows 10) +title: Enable or block Windows Mixed Reality apps in the enterprise (Windows 10/11) description: Learn how to enable Windows Mixed Reality apps in WSUS or block the Windows Mixed Reality portal in enterprises. ms.reviewer: manager: dansimp @@ -15,37 +15,42 @@ ms.topic: article # Enable or block Windows Mixed Reality apps in enterprises -**Applies to** - -- Windows 10 +[!INCLUDE [Applies to Windows client versions](./includes/applies-to-windows-client-versions.md)] -[Windows Mixed Reality](https://blogs.windows.com/windowsexperience/2017/10/03/the-era-of-windows-mixed-reality-begins-october-17/) was introduced in Windows 10, version 1709 (also known as the Fall Creators Update), as a [Windows 10 Feature on Demand (FOD)](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities). Features on Demand are Windows feature packages that can be added at any time. When a Windows 10 PC needs a new feature, it can request the feature package from Windows Update. +[Windows Mixed Reality](https://blogs.windows.com/windowsexperience/2017/10/03/the-era-of-windows-mixed-reality-begins-october-17/) was introduced in Windows 10, version 1709 (also known as the Fall Creators Update), as a [Windows Feature on Demand (FOD)](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities). Features on Demand are Windows feature packages that can be added at any time. When a Windows client needs a new feature, it can request the feature package from Windows Update. Organizations that use Windows Server Update Services (WSUS) must take action to [enable Windows Mixed Reality](#enable-windows-mixed-reality-in-wsus). Any organization that wants to prohibit use of Windows Mixed Reality can [block the installation of the Mixed Reality Portal](#block-the-mixed-reality-portal). ## Enable Windows Mixed Reality in WSUS -1. [Check your version of Windows 10.](https://support.microsoft.com/help/13443/windows-which-operating-system) +1. [Check your version of Windows.](https://support.microsoft.com/help/13443/windows-which-operating-system) >[!NOTE] >You must be on at least Windows 10, version 1709, to run Windows Mixed Reality. 2. Windows Mixed Reality Feature on Demand (FOD) is downloaded from Windows Update. If access to Windows Update is blocked, you must manually install the Windows Mixed Reality FOD. - 1. Download the FOD .cab file for [Windows 10, version 2004](https://software-download.microsoft.com/download/pr/6cf73b63/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab), [Windows 10, version 1903 and 1909](https://software-download.microsoft.com/download/pr/Microsoft-Windows-Holographic-Desktop-FOD-Package-31bf3856ad364e35-amd64.cab), [Windows 10, version 1809](https://software-download.microsoft.com/download/pr/microsoft-windows-holographic-desktop-fod-package31bf3856ad364e35amd64_1.cab), [Windows 10, version 1803](https://download.microsoft.com/download/9/9/3/9934B163-FA01-4108-A38A-851B4ACD1244/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab), or [Windows 10, version 1709](https://download.microsoft.com/download/6/F/8/6F816172-AC7D-4F45-B967-D573FB450CB7/Microsoft-Windows-Holographic-Desktop-FOD-Package.cab). + 1. Download the FOD .cab file: - > [!NOTE] - > You must download the FOD .cab file that matches your operating system version. + - [Windows 11, version 21H2](https://software-download.microsoft.com/download/sg/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd_64~~.cab) + - [Windows 10, version 2004](https://software-download.microsoft.com/download/pr/6cf73b63/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab) + - [Windows 10, version 1903 and 1909](https://software-download.microsoft.com/download/pr/Microsoft-Windows-Holographic-Desktop-FOD-Package-31bf3856ad364e35-amd64.cab) + - [Windows 10, version 1809](https://software-download.microsoft.com/download/pr/microsoft-windows-holographic-desktop-fod-package31bf3856ad364e35amd64_1.cab) + - [Windows 10, version 1803](https://download.microsoft.com/download/9/9/3/9934B163-FA01-4108-A38A-851B4ACD1244/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab) + - [Windows 10, version 1709](https://download.microsoft.com/download/6/F/8/6F816172-AC7D-4F45-B967-D573FB450CB7/Microsoft-Windows-Holographic-Desktop-FOD-Package.cab) + + > [!NOTE] + > You must download the FOD .cab file that matches your operating system version. 1. Use `Dism` to add Windows Mixed Reality FOD to the image. - ```powershell - Dism /Online /Add-Package /PackagePath:(path) - ``` + ```powershell + Dism /Online /Add-Package /PackagePath:(path) + ``` - > [!NOTE] - > You must rename the FOD .CAB file to : **Microsoft-Windows-Holographic-Desktop-FOD-Package\~31bf3856ad364e35\~amd64\~\~.cab** + > [!NOTE] + > On Windows 10 and 11, you must rename the FOD .CAB file to: **Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab** 1. In **Settings** > **Update & Security** > **Windows Update**, select **Check for updates**. diff --git a/windows/application-management/provisioned-apps-windows-client-os.md b/windows/application-management/provisioned-apps-windows-client-os.md index 48795d6801..04aa767487 100644 --- a/windows/application-management/provisioned-apps-windows-client-os.md +++ b/windows/application-management/provisioned-apps-windows-client-os.md @@ -2,7 +2,7 @@ title: Get the provisioned apps on Windows client operating system | Microsoft Docs ms.reviewer: manager: dougeby -description: Use the Windows PowerShell Get-AppxProvisionedPackage command to get a list off the provisioned apps installed in Windows OS. See a list of some common provisioned apps installed a Windows Enterprise client computer or device, including Windows 10. +description: Use the Windows PowerShell Get-AppxProvisionedPackage command to get a list off the provisioned apps installed in Windows OS. See a list of some common provisioned apps installed a Windows Enterprise client computer or device, including Windows 10/11. ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -15,9 +15,10 @@ ms.topic: article # Provisioned apps installed with the Windows client OS -> Applies to: -> -> - Windows 10 +**Applies to**: + +- Windows 10 +- Windows 11 Provisioned apps are included with the OS, and automatically installed when a user signs into a Windows device the first time. They are per-user apps, and typically installed in the `C:\Program Files\WindowsApps` folder. On your Windows devices, you can use Windows PowerShell to see the provisioned apps automatically installed. diff --git a/windows/application-management/sideload-apps-in-windows-10.md b/windows/application-management/sideload-apps-in-windows-10.md index 7edd100ef0..645475d40c 100644 --- a/windows/application-management/sideload-apps-in-windows-10.md +++ b/windows/application-management/sideload-apps-in-windows-10.md @@ -1,6 +1,6 @@ --- title: Sideload LOB apps in Windows client OS | Microsoft Docs -description: Learn how to sideload line-of-business (LOB) apps in Windows client operating systems, including Windows 10. When you sideload an app, you deploy a signed app package to a device. +description: Learn how to sideload line-of-business (LOB) apps in Windows client operating systems, including Windows 10/11. When you sideload an app, you deploy a signed app package to a device. ms.assetid: C46B27D0-375B-4F7A-800E-21595CF1D53D ms.reviewer: manager: dougeby @@ -10,15 +10,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mobile author: greg-lindsay -ms.date: 08/31/2021 ms.localizationpriority: medium --- # Sideload line of business (LOB) apps in Windows client devices -> Applies to: -> -> - Windows 10 +**Applies to**: + +- Windows 10 +- Windows 11 > [!NOTE] > Starting with Windows 10 2004, sideloading is enabled by default. You can deploy a signed package onto a device without a special configuration. @@ -56,9 +56,9 @@ Managed devices are typically owned by your organization. They're managed by Gro Unmanaged devices are devices that are not managed by your organization. These devices are typically personal devices owned by users. Users can turn on sideloading using the Settings app. > [!IMPORTANT] -> To install an app on Windows 10 and later, you can: +> To install an app on Windows client, you can: > -> - [Install Windows 10 apps from a web page](/windows/msix/app-installer/installing-windows10-apps-web). +> - [Install Windows apps from a web page](/windows/msix/app-installer/installing-windows10-apps-web). > - Users can double-click any `.msix` or `.appx` package. ### User interface @@ -98,7 +98,7 @@ This step installs the app certificate to the local device. Installing the certi -OR- - You can use a runtime provisioning package to import a security certificate. For information about applying a provisioning package to a Windows 10 device, see runtime instructions on [Create a provisioning package for Windows 10](/windows/configuration/provisioning-packages/provisioning-create-package). + You can use a runtime provisioning package to import a security certificate. For information about applying a provisioning package, see runtime instructions on [Create a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package). ## Step 3: Install the app diff --git a/windows/application-management/system-apps-windows-client-os.md b/windows/application-management/system-apps-windows-client-os.md index 6ebea1ded8..d498c17fb4 100644 --- a/windows/application-management/system-apps-windows-client-os.md +++ b/windows/application-management/system-apps-windows-client-os.md @@ -2,7 +2,7 @@ title: Get the system apps on Windows client operating system | Microsoft Docs ms.reviewer: manager: dougeby -description: Use the Windows PowerShell Get-AppxPackage command to get a list off the system apps installed in Windows OS. See a list of some common system apps installed a Windows Enterprise client computer or device, including Windows 10. +description: Use the Windows PowerShell Get-AppxPackage command to get a list off the system apps installed in Windows OS. See a list of some common system apps installed a Windows Enterprise client computer or device, including Windows 10/11. ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -15,9 +15,10 @@ ms.topic: article # System apps installed with the Windows client OS -> Applies to: -> -> - Windows 10 +**Applies to**: + +- Windows 10 +- Windows 11 On all Windows devices, the OS automatically installs some apps. These apps are called system apps, and are typically installed in the `C:\Windows\` folder. On your Windows devices, you can use Windows PowerShell to see the system apps automatically installed. diff --git a/windows/application-management/toc.yml b/windows/application-management/toc.yml index 3655fed6e5..4be6d524af 100644 --- a/windows/application-management/toc.yml +++ b/windows/application-management/toc.yml @@ -23,7 +23,7 @@ items: href: manage-windows-mixed-reality.md - name: Application Virtualization (App-V) items: - - name: App-V for Windows 10 overview + - name: App-V for Windows overview href: app-v/appv-for-windows.md - name: Getting Started items: @@ -266,5 +266,5 @@ items: href: per-user-services-in-windows.md - name: Disabling System Services in Windows Server href: /windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server - - name: How to keep apps removed from Windows 10 from returning during an update + - name: How to keep apps removed from Windows from returning during an update href: remove-provisioned-apps-during-update.md \ No newline at end of file diff --git a/windows/client-management/administrative-tools-in-windows-10.md b/windows/client-management/administrative-tools-in-windows-10.md index b7d0186f19..99da0233ac 100644 --- a/windows/client-management/administrative-tools-in-windows-10.md +++ b/windows/client-management/administrative-tools-in-windows-10.md @@ -10,7 +10,7 @@ ms.mktglfcycl: manage ms.sitesec: library author: greg-lindsay ms.localizationpriority: medium -ms.date: 09/14/2021 +ms.date: 09/20/2021 ms.topic: article --- @@ -18,9 +18,9 @@ ms.topic: article **Applies to** +- Windows 10 +- Windows 11 -- Windows 10 -- Windows 11 Administrative Tools is a folder in Control Panel that contains tools for system administrators and advanced users. @@ -55,7 +55,7 @@ These tools were included in previous versions of Windows. The associated docume - [Windows Memory Diagnostic]( https://go.microsoft.com/fwlink/p/?LinkId=708507) > [!TIP] -> If the content that is linked to a tool in the following list doesn't provide the information you need to use that tool, send us a comment by using the **Was this page helpful?** feature on this **Administrative Tools in Windows 10** or **Administrative Tools in Windows 11** page. Details about the information you want for a tool will help us plan future content.  +> If the content that is linked to a tool in the following list doesn't provide the information you need to use that tool, send us a comment by using the **Was this page helpful?** feature on this **Administrative Tools in Windows 10** page. Details about the information you want for a tool will help us plan future content.  ## Related topics diff --git a/windows/client-management/advanced-troubleshooting-802-authentication.md b/windows/client-management/advanced-troubleshooting-802-authentication.md index d3f7cdaa23..80304a3e5f 100644 --- a/windows/client-management/advanced-troubleshooting-802-authentication.md +++ b/windows/client-management/advanced-troubleshooting-802-authentication.md @@ -21,7 +21,7 @@ This article includes general troubleshooting for 802.1X wireless and wired clie ## Scenarios -This troubleshooting technique applies to any scenario in which wireless or wired connections with 802.1X authentication is attempted and then fails to establish. The workflow covers Windows 7 through Windows 11 for clients, and Windows Server 2008 R2 through Windows Server 2012 R2 for NPS. +This troubleshooting technique applies to any scenario in which wireless or wired connections with 802.1X authentication is attempted and then fails to establish. The workflow covers Windows 7 through Windows 10 (and Windows 11) for clients, and Windows Server 2008 R2 through Windows Server 2012 R2 for NPS. ## Known issues diff --git a/windows/client-management/advanced-troubleshooting-boot-problems.md b/windows/client-management/advanced-troubleshooting-boot-problems.md index d039c10c17..493bf99dba 100644 --- a/windows/client-management/advanced-troubleshooting-boot-problems.md +++ b/windows/client-management/advanced-troubleshooting-boot-problems.md @@ -31,8 +31,7 @@ There are several reasons why a Windows-based computer may have problems during **1. PreBoot** -The PC’s firmware initiates a Power-On Self Test (POST) and loads firmware settings. This pre-boot process ends when a valid system disk is detected. Firmware reads the master boot record (MBR), and then starts Windows Boot -Manager. +The PC’s firmware initiates a Power-On Self Test (POST) and loads firmware settings. This pre-boot process ends when a valid system disk is detected. Firmware reads the master boot record (MBR), and then starts Windows Boot Manager. **2. Windows Boot Manager** diff --git a/windows/client-management/connect-to-remote-aadj-pc.md b/windows/client-management/connect-to-remote-aadj-pc.md index d35a51b495..87a70ff761 100644 --- a/windows/client-management/connect-to-remote-aadj-pc.md +++ b/windows/client-management/connect-to-remote-aadj-pc.md @@ -21,7 +21,8 @@ ms.topic: article **Applies to** - Windows 10 -- Windows 11 +- Windows 11 + From its release, Windows 10 has supported remote connections to PCs joined to Active Directory. Starting in Windows 10, version 1607, you can also connect to a remote PC that is [joined to Azure Active Directory (Azure AD)](/azure/active-directory/devices/concept-azure-ad-join). Starting in Windows 10, version 1809, you can [use biometrics to authenticate to a remote desktop session](/windows/whats-new/whats-new-windows-10-version-1809#remote-desktop-with-biometrics). diff --git a/windows/client-management/group-policies-for-enterprise-and-education-editions.md b/windows/client-management/group-policies-for-enterprise-and-education-editions.md index 2fbd6d4691..c9150ce005 100644 --- a/windows/client-management/group-policies-for-enterprise-and-education-editions.md +++ b/windows/client-management/group-policies-for-enterprise-and-education-editions.md @@ -16,9 +16,9 @@ ms.topic: troubleshooting # Group Policy settings that apply only to Windows 10 Enterprise and Education Editions **Applies to** +- Windows 10 +- Windows 11 -- Windows 10 -- Windows 11 In Windows 10, version 1607, the following Group Policy settings apply only to Windows 10 Enterprise and Windows 10 Education. diff --git a/windows/client-management/manage-corporate-devices.md b/windows/client-management/manage-corporate-devices.md index b1ab3c2cab..f953bdeb3d 100644 --- a/windows/client-management/manage-corporate-devices.md +++ b/windows/client-management/manage-corporate-devices.md @@ -1,5 +1,5 @@ --- -title: Manage corporate devices (Windows) +title: Manage corporate devices description: You can use the same management tools to manage all device types running Windows 10 or Windows 11 desktops, laptops, tablets, and phones. ms.assetid: 62D6710C-E59C-4077-9C7E-CE0A92DFC05D ms.reviewer: @@ -30,13 +30,13 @@ You can use the same management tools to manage all device types running Windows | Topic | Description | | --- | --- | -| [Manage Windows 10 in your organization - transitioning to modern management](manage-windows-10-in-your-organization-modern-management.md) | Strategies for deploying and managing Windows 10, including deploying Windows 10 in a mixed environment | +| [Manage Windows 10 (and Windows 11) in your organization - transitioning to modern management](manage-windows-10-in-your-organization-modern-management.md) | Strategies for deploying and managing Windows 10 (and Windows 11), including deploying Windows 10 (and Windows 11) in a mixed environment | | [Connect to remote Azure Active Directory-joined PC](connect-to-remote-aadj-pc.md) | How to use Remote Desktop Connection to connect to an Azure AD-joined PC | -| [Manage Windows 10 and Microsoft Store tips, tricks, and suggestions](/windows/configuration/manage-tips-and-suggestions) | Options to manage user experiences to provide a consistent and predictable experience for employees | -| [New policies for Windows 10](new-policies-for-windows-10.md) | New Group Policy settings added in Windows 10 | -| [Group Policies that apply only to Windows 10 Enterprise and Windows 10 Education](group-policies-for-enterprise-and-education-editions.md) | Group Policy settings that apply only to Windows 10 Enterprise and Windows 10 Education | -| [Changes to Group Policy settings for Start in Windows 10](/windows/configuration/changes-to-start-policies-in-windows-10) | Changes to the Group Policy settings that you use to manage Start | -| [Introduction to configuration service providers (CSPs) for IT pros](/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers) | How IT pros and system administrators can take advantage of many settings available through CSPs to configure devices running Windows 10 or Windows 11 in their organizations | +| [Manage Windows 10 (and Windows 11) and Microsoft Store tips, tricks, and suggestions](/windows/configuration/manage-tips-and-suggestions) | Options to manage user experiences to provide a consistent and predictable experience for employees | +| [New policies for Windows 10 (and Windows 11)](new-policies-for-windows-10.md) | New Group Policy settings added in Windows 10 | +| [Group Policies that apply only to Windows Enterprise and Windows Education](group-policies-for-enterprise-and-education-editions.md) | Group Policy settings that apply only to Windows 10 Enterprise and Windows 10 Education | +| [Introduction to configuration service providers (CSPs) for IT pros](/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers) | How IT pros and system administrators can take advantage of many settings available through CSPs to configure devices running Windows 10 (and Windows 11) in their organizations | + ## Learn more @@ -47,13 +47,13 @@ You can use the same management tools to manage all device types running Windows [Microsoft Intune End User Enrollment Guide](/samples/browse/?redirectedfrom=TechNet-Gallery) -[Azure AD Join on Windows 10 devices](https://go.microsoft.com/fwlink/p/?LinkId=616791) +[Azure AD Join on Windows 10 (and Windows 11) devices](https://go.microsoft.com/fwlink/p/?LinkId=616791) -[Azure AD support for Windows 10](https://go.microsoft.com/fwlink/p/?LinkID=615765) +[Azure AD support for Windows 10 (and Windows 11)](https://go.microsoft.com/fwlink/p/?LinkID=615765) -[Windows 10 and Azure Active Directory: Embracing the Cloud](https://go.microsoft.com/fwlink/p/?LinkId=615768) +[Windows 10 (and Windows 11) and Azure Active Directory: Embracing the Cloud](https://go.microsoft.com/fwlink/p/?LinkId=615768) -[How to manage Windows 10 devices using Intune](https://go.microsoft.com/fwlink/p/?LinkId=613620) +[How to manage Windows 10 (and Windows 11) devices using Intune](https://go.microsoft.com/fwlink/p/?LinkId=613620) [Using Intune alone and with Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=613207) diff --git a/windows/client-management/manage-device-installation-with-group-policy.md b/windows/client-management/manage-device-installation-with-group-policy.md index a3cff7c1bf..4088d331ab 100644 --- a/windows/client-management/manage-device-installation-with-group-policy.md +++ b/windows/client-management/manage-device-installation-with-group-policy.md @@ -14,7 +14,6 @@ ms.topic: article # Manage Device Installation with Group Policy - **Applies to** - Windows 10 @@ -343,8 +342,8 @@ Getting the right device identifier to prevent it from being installed: > ClassGuid = {4d36e979-e325-11ce-bfc1-08002be10318}\ > This class includes printers. -> [!NOTE] -> As mentioned before, preventing an entire Class could block you from using your system completely. Please make sure you understand which devices are going to be blocked when specifying a Class. For our scenario, there are other classes that relate to printers but before you apply them, make sure they are not blocking any other existing device that is crucial to your system. + > [!NOTE] + > As mentioned before, preventing an entire Class could block you from using your system completely. Please make sure you understand which devices are going to be blocked when specifying a Class. For our scenario, there are other classes that relate to printers but before you apply them, make sure they are not blocking any other existing device that is crucial to your system. Creating the policy to prevent all printers from being installed: @@ -377,9 +376,9 @@ Creating the policy to prevent all printers from being installed: 1. If you have not completed step #9 – follow these steps: - - Uninstall your printer: Device Manager > Printers > right click the Canon Printer > click “Uninstall device”. - - For USB printer – unplug and plug back the cable; for network device – make a search for the printer in the Windows Settings app. - - You should not be able to reinstall the printer. + 1. Uninstall your printer: Device Manager > Printers > right click the Canon Printer > click “Uninstall device”. + 1. For USB printer – unplug and plug back the cable; for network device – make a search for the printer in the Windows Settings app. + 1. You should not be able to reinstall the printer. 2. If you completed step #9 above and restarted the machine, simply look for your printer under Device Manager or the Windows Settings app and see that it is no-longer available for you to use. diff --git a/windows/client-management/manage-settings-app-with-group-policy.md b/windows/client-management/manage-settings-app-with-group-policy.md index 0188879565..4e6bcdad77 100644 --- a/windows/client-management/manage-settings-app-with-group-policy.md +++ b/windows/client-management/manage-settings-app-with-group-policy.md @@ -14,11 +14,11 @@ ms.topic: article # Manage the Settings app with Group Policy - **Applies to** -- Windows 10, Windows Server 2016 -- Windows 11 +- Windows 10 +- Windows 11 +- Windows Server 2016 You can now manage the pages that are shown in the Settings app by using Group Policy. When you use Group Policy to manage pages, you can hide specific pages from users. Before Windows 10, version 1703, you could either show everything in the Settings app or hide it completely. To make use of the Settings App group policies on Windows server 2016, install fix [4457127](https://support.microsoft.com/help/4457127/windows-10-update-kb4457127) or a later cumulative update. diff --git a/windows/client-management/mandatory-user-profile.md b/windows/client-management/mandatory-user-profile.md index 8b2e2bc3e9..25245fa812 100644 --- a/windows/client-management/mandatory-user-profile.md +++ b/windows/client-management/mandatory-user-profile.md @@ -68,7 +68,7 @@ First, you create a default user profile with the customizations that you want, 1. At a command prompt, type the following command and press **ENTER**. - ```dos + ```console sysprep /oobe /reboot /generalize /unattend:unattend.xml ``` @@ -100,11 +100,11 @@ First, you create a default user profile with the customizations that you want, - If the device is joined to the domain and you are signed in with an account that has permissions to write to a shared folder on the network, you can enter the shared folder path. - ![Example of Copy profile to.](images/copy-to-path.png) + ![Example of Copy profile to.](images/copy-to-path.png) - If the device is not joined to the domain, you can save the profile locally and then copy it to the shared folder location. - ![Example of Copy To UI with UNC path.](images/copy-to-path.png) + ![Example of Copy To UI with UNC path.](images/copy-to-path.png) 1. Click **OK** to copy the default user profile. diff --git a/windows/client-management/mdm/accountmanagement-csp.md b/windows/client-management/mdm/accountmanagement-csp.md index 42722f7bd7..5f2a7ff230 100644 --- a/windows/client-management/mdm/accountmanagement-csp.md +++ b/windows/client-management/mdm/accountmanagement-csp.md @@ -19,10 +19,18 @@ AccountManagement CSP is used to configure setting in the Account Manager servic > [!NOTE] > The AccountManagement CSP is only supported in Windows Holographic for Business edition. +The following shows the AccountManagement configuration service provider in tree format. -The following diagram shows the AccountManagement configuration service provider in tree format. - -![accountmanagement csp.](images/provisioning-csp-accountmanagement.png) +```console +./Vendor/MSFT +AccountManagement +----UserProfileManagement +--------EnableProfileManager +--------DeletionPolicy +--------StorageCapacityStartDeletion +--------StorageCapacityStopDeletion +--------ProfileInactivityThreshold +``` **./Vendor/MSFT/AccountManagement** Root node for the AccountManagement configuration service provider. diff --git a/windows/client-management/mdm/appv-deploy-and-config.md b/windows/client-management/mdm/appv-deploy-and-config.md index 4c8f6eaecd..ac7cb56c39 100644 --- a/windows/client-management/mdm/appv-deploy-and-config.md +++ b/windows/client-management/mdm/appv-deploy-and-config.md @@ -23,7 +23,36 @@ manager: dansimp [EnterpriseAppVManagement CSP reference](./enterpriseappvmanagement-csp.md) -![enterpriseappvmanagement csp.](images/provisioning-csp-enterpriseappvmanagement.png) +The following shows the EnterpriseAppVManagement configuration service provider in tree format. + +```console +./Vendor/MSFT +EnterpriseAppVManagement +----AppVPackageManagement +--------EnterpriseID +------------PackageFamilyName +---------------PackageFullName +------------------Name +------------------Version +------------------Publisher +------------------InstallLocation +------------------InstallDate +------------------Users +------------------AppVPackageID +------------------AppVVersionId +------------------AppVPackageUri +----AppVPublishing +--------LastSync +------------LastError +------------LastErrorDescription +------------SyncStatusDescription +------------SyncProgress +--------Sync +------------PublishXML +----AppVDynamicPolicy +--------ConfigurationId +------------Policy +```

(./User/Vendor/MSFT/EnterpriseAppVManagement) contains the following sub-nodes.

diff --git a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md index a65935c948..5cdeeeac16 100644 --- a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md +++ b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md @@ -226,7 +226,7 @@ However, key management is different for on-premises MDM. You must obtain the cl ## Themes -The pages rendered by the MDM as part of the integrated enrollment process must use Windows 10 templates ([Download the Windows 10 templates and CSS files](https://download.microsoft.com/download/3/E/5/3E535D52-6432-47F6-B460-4E685C5D543A/MDM-ISV_1.1.3.zip)). This is important for enrollment during the Azure AD Join experience in OOBE where all of the pages are edge-to-edge HTML pages. Don't try to copy the templates because you'll never get the button placement right. Using the shared Windows 10 templates ensure a seamless experience for the customers. +The pages rendered by the MDM as part of the integrated enrollment process must use Windows templates ([Download the Windows templates and CSS files (1.1.4)](https://download.microsoft.com/download/0/7/0/0702afe3-dc1e-48f6-943e-886a4876f6ca/MDM-ISV_1.1.4.zip)). This is important for enrollment during the Azure AD Join experience in OOBE where all of the pages are edge-to-edge HTML pages. Don't try to copy the templates because you'll never get the button placement right. Using the shared templates ensure a seamless experience for the customers. There are 3 distinct scenarios: @@ -236,7 +236,11 @@ There are 3 distinct scenarios: Scenarios 1, 2, and 3 are available in Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. Scenarios 1 and 3 are available in Windows 10 Mobile. Support for scenario 1 was added in Windows 10 Mobile, version 1511. -The CSS files provided by Microsoft contains version information and we recommend that you use the latest version. There are separate CSS files for desktop and mobile devices, OOBE, and post-OOBE experiences. [Download the Windows 10 templates and CSS files](https://download.microsoft.com/download/3/E/5/3E535D52-6432-47F6-B460-4E685C5D543A/MDM-ISV_1.1.3.zip). +The CSS files provided by Microsoft contains version information and we recommend that you use the latest version. There are separate CSS files for desktop and mobile devices, OOBE, and post-OOBE experiences. [Download the Windows templates and CSS files (1.1.4)](https://download.microsoft.com/download/0/7/0/0702afe3-dc1e-48f6-943e-886a4876f6ca/MDM-ISV_1.1.4.zip). + +- For Windows 10, use **oobe-desktop.css** +- For Windows 11, use **oobe-light.css** + ### Using themes diff --git a/windows/client-management/mdm/bootstrap-csp.md b/windows/client-management/mdm/bootstrap-csp.md index e07354fa81..7c66f6b36e 100644 --- a/windows/client-management/mdm/bootstrap-csp.md +++ b/windows/client-management/mdm/bootstrap-csp.md @@ -16,18 +16,18 @@ ms.date: 06/26/2017 The BOOTSTRAP configuration service provider sets the Trusted Provisioning Server (TPS) for the device. +>[!Note] +>BOOTSTRAP CSP is only supported in Windows 10 Mobile. +> +> This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_ADMIN capabilities to be accessed from a network configuration application. -> **Note**  BOOTSTRAP CSP is only supported in Windows 10 Mobile. -> -> -> -> **Note**   This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_ADMIN capabilities to be accessed from a network configuration application. +The following shows the BOOTSTRAP configuration service provider in tree format as used by Open Mobile Alliance (OMA) Client Provisioning. The OMA Device Management protocol is not supported with this configuration service provider. - - -The following image shows the BOOTSTRAP configuration service provider in tree format as used by Open Mobile Alliance (OMA) Client Provisioning. The OMA Device Management protocol is not supported with this configuration service provider. - -![bootstrap csp (cp).](images/provisioning-csp-bootstrap-cp.png) +```console +BOOTSTRAP +----CONTEXT-ALLOW +----PROVURL +``` **CONTEXT-ALLOW** Optional. Specifies a context for the TPS. Only one context is supported, so this parameter is ignored and "0" is assumed for its value. diff --git a/windows/client-management/mdm/browserfavorite-csp.md b/windows/client-management/mdm/browserfavorite-csp.md index 15a939f7eb..bf703c3671 100644 --- a/windows/client-management/mdm/browserfavorite-csp.md +++ b/windows/client-management/mdm/browserfavorite-csp.md @@ -28,9 +28,13 @@ This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID -The following diagram shows the BrowserFavorite configuration service provider in tree format as used by Open Mobile Alliance Device (OMA) Client Provisioning. The OMA Device Management protocol is not supported with this configuration service provider. +The following shows the BrowserFavorite configuration service provider in tree format as used by Open Mobile Alliance Device (OMA) Client Provisioning. The OMA Device Management protocol is not supported with this configuration service provider. -![browserfavorite csp (cp).](images/provisioning-csp-browserfavorite-cp.png) +```console +BrowserFavorite +favorite name +----URL +``` ***favorite name*** Required. Specifies the user-friendly name of the favorite URL that is displayed in the Favorites list of Internet Explorer. @@ -78,19 +82,19 @@ The following table shows the Microsoft custom elements that this configuration - + - + - + - + diff --git a/windows/client-management/mdm/cellularsettings-csp.md b/windows/client-management/mdm/cellularsettings-csp.md index e493bf16e1..38f858db4d 100644 --- a/windows/client-management/mdm/cellularsettings-csp.md +++ b/windows/client-management/mdm/cellularsettings-csp.md @@ -19,9 +19,13 @@ The CellularSettings configuration service provider is used to configure cellula > [!Note] > Starting in Windows 10, version 1703 the CellularSettings CSP is supported in Windows 10 Home, Pro, Enterprise, and Education editions. -The following image shows the CellularSettings CSP in tree format as used by Open Mobile Alliance Client Provisioning (OMA CP). The OMA DM protocol is not supported with this configuration service provider. +The following shows the CellularSettings CSP in tree format as used by Open Mobile Alliance Client Provisioning (OMA CP). The OMA DM protocol is not supported with this configuration service provider. -![provisioning for cellular settings.](images/provisioning-csp-cellularsettings.png) +```console +./Vendor/MSFT +CellularSettings +----DataRoam +``` **DataRoam**

Optional. Integer. Specifies the default roaming value. Valid values are:

diff --git a/windows/client-management/mdm/cm-cellularentries-csp.md b/windows/client-management/mdm/cm-cellularentries-csp.md index 44886adee0..37fa305bce 100644 --- a/windows/client-management/mdm/cm-cellularentries-csp.md +++ b/windows/client-management/mdm/cm-cellularentries-csp.md @@ -18,9 +18,35 @@ The CM\_CellularEntries configuration service provider is used to configure the This configuration service provider requires the ID\_CAP\_NETWORKING\_ADMIN capability to be accessed from a network configuration application. -The following diagram shows the CM\_CellularEntries configuration service provider management object in tree format as used by Open Mobile Alliance Client Provisioning (OMA CP). The OMA DM protocol is not supported with this configuration service provider. +The following shows the CM\_CellularEntries configuration service provider management object in tree format as used by Open Mobile Alliance Client Provisioning (OMA CP). The OMA DM protocol is not supported with this configuration service provider. -![cm\-cellularentries csp.](images/provisioning-csp-cm-cellularentries.png) +```console +CM_CellularEntries +----entryname +--------AlwaysOn +--------AuthType +--------ConnectionType +--------Desc.langid +--------Enabled +--------IpHeaderCompression +--------Password +--------SwCompression +--------UserName +--------UseRequiresMappingPolicy +--------Version +--------DevSpecificCellular +-----------GPRSInfoAccessPointName +--------Roaming +--------OEMConnectionID +--------ApnId +--------IPType +--------ExemptFromDisablePolicy +--------ExemptFromRoaming +--------TetheringNAI +--------IdleDisconnectTimeout +--------SimIccId +--------PurposeGroups +``` ***entryname***

Defines the name of the connection.

@@ -51,27 +77,27 @@ The following diagram shows the CM\_CellularEntries configuration service provid - + - + - + - + - + - + @@ -285,15 +311,15 @@ The following table shows the Microsoft custom elements that this configuration - + - + - + diff --git a/windows/client-management/mdm/config-lock.md b/windows/client-management/mdm/config-lock.md new file mode 100644 index 0000000000..f1bee95c6a --- /dev/null +++ b/windows/client-management/mdm/config-lock.md @@ -0,0 +1,133 @@ +--- +title: Secured-Core Configuration Lock +description: A Secured-Core PC (SCPC) feature that prevents configuration drift from Secured-Core PC features (shown below) caused by unintentional misconfiguration. +manager: dansimp +keywords: mdm,management,administrator,config lock +ms.author: v-lsaldanha +ms.topic: article +ms.prod: w11 +ms.technology: windows +author: lovina-saldanha +ms.date: 10/07/2021 +--- + +# Secured-Core PC Configuration Lock + +**Applies to** + +- Windows 11 + +In an enterprise organization, IT administrators enforce policies on their corporate devices to keep the devices in a compliant state and protect the OS by preventing users from changing configurations and creating config drift. Config drift occurs when users with local admin rights change settings and put the device out of sync with security policies. Devices in a non-compliant state can be vulnerable until the next sync and configuration reset with the MDM. Windows 11 with Config Lock enables IT administrators to prevent config drift and keep the OS configuration in the desired state. With config lock, the OS monitors the registry keys that configure each feature and when it detects a drift, reverts to the IT-desired state in seconds. + +Secured-Core Configuration Lock (Config Lock) is a new [Secured-Core PC (SCPC)](/windows-hardware/design/device-experiences/oem-highly-secure) feature that prevents configuration drift from Secured-Core PC features caused by unintentional misconfiguration. In short, it ensures a device intended to be a Secured-Core PC remains a Secured-Core PC. + +To summarize, Config Lock: + +- Enables IT to “lock” Secured-Core PC features when managed through MDM +- Detects drift remediates within seconds +- DOES NOT prevent malicious attacks + +## Configuration Flow + +After a Secured-Core PC reaches the desktop, Config Lock will prevent configuration drift by detecting if the device is a Secured-Core PC or not. When the device isn't a Secured-Core PC, the lock won't apply. If the device is a Secured-Core PC, config lock will lock the policies listed under [List of locked policies](#list-of-locked-policies). + +## System Requirements + +Config Lock will be available for all Windows Professional and Enterprise Editions running on [Secured-Core PCs](/windows-hardware/design/device-experiences/oem-highly-secure). + +## Enabling Config Lock using Microsoft Intune + +Config Lock isn't enabled by default (or turned on by the OS during boot). Rather, an IT Admin must intentionally turn it on. + +The steps to turn on Config Lock using Microsoft Endpoint Manager (Microsoft Intune) are as follows: + +1. Ensure that the device to turn on Config Lock is enrolled in Microsoft Intune. +1. From the Microsoft Intune portal main page, select **Devices** > **Configuration Profiles** > **Create a profile**. +1. Select the following and press **Create**: + - **Platform**: Windows 10 and later + - **Profile type**: Templates + - **Template name**: Custom + + :::image type="content" source="images/configlock-mem-createprofile.png" alt-text="create profile"::: + +1. Name your profile. +1. When you reach the Configuration Settings step, select “Add” and add the following information: + - **OMA-URI**: ./Vendor/MSFT/DMClient/Provider/MS%20DM%20Server/ConfigLock/Lock + - **Data type**: Integer + - **Value**: 1
+ To turn off Config Lock. Change value to 0. + + :::image type="content" source="images/configlock-mem-editrow.png" alt-text="edit row"::: + +1. Select the devices to turn on Config Lock. If you're using a test tenant, you can select “+ Add all devices”. +1. You'll not need to set any applicability rules for test purposes. +1. Review the Configuration and select “Create” if everything is correct. +1. After the device syncs with the Microsoft Intune server, you can confirm if the Config Lock was successfully enabled. + + :::image type="content" source="images/configlock-mem-dev.png" alt-text="status"::: + + :::image type="content" source="images/configlock-mem-devstatus.png" alt-text="device status"::: + +## Disabling + +Config Lock is designed to ensure that a Secured-Core PC isn't unintentionally misconfigured. IT Admins retain the ability to change (enabled/disable) SCPC features via Group Policies and/or mobile device management (MDM) tools, such as Microsoft Intune. + +:::image type="content" source="images/configlock-mem-firmwareprotect.png" alt-text="firmware protect"::: + +## FAQ + +**Can an IT admins disable Config Lock ?**
+ Yes. IT admins can use MDM to turn off Config Lock.
+ +### List of locked policies + +|**CSPs** | +|-----| +|[BitLocker ](bitlocker-csp.md) | +|[PassportForWork](passportforwork-csp.md) | +|[WindowsDefenderApplicationGuard](windowsdefenderapplicationguard-csp.md) | +|[ApplicationControl](applicationcontrol-csp.md) + + +|**MDM policies** | +|-----| +|[DataProtection/AllowDirectMemoryAccess](policy-csp-dataprotection.md) | +|[DataProtection/LegacySelectiveWipeID](policy-csp-dataprotection.md) | +|[DeviceGuard/ConfigureSystemGuardLaunch](policy-csp-deviceguard.md) | +|[DeviceGuard/EnableVirtualizationBasedSecurity](policy-csp-deviceguard.md) | +|[DeviceGuard/LsaCfgFlags](policy-csp-deviceguard.md) | +|[DeviceGuard/RequirePlatformSecurityFeatures](policy-csp-deviceguard.md) | +|[DeviceInstallation/AllowInstallationOfMatchingDeviceIDs](policy-csp-deviceinstallation.md) | +|[DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs](policy-csp-deviceinstallation.md) | +|[DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses](policy-csp-deviceinstallation.md) | +|[DeviceInstallation/PreventDeviceMetadataFromNetwork](policy-csp-deviceinstallation.md) | +|[DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings](policy-csp-deviceinstallation.md) | +|[DeviceInstallation/PreventInstallationOfMatchingDeviceIDs](policy-csp-deviceinstallation.md) | +|[DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs](policy-csp-deviceinstallation.md) | +|[DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses](policy-csp-deviceinstallation.md) | +|[DmaGuard/DeviceEnumerationPolicy](policy-csp-dmaguard.md) | +|[WindowsDefenderSecurityCenter/CompanyName](policy-csp-windowsdefendersecuritycenter.md) | +|[WindowsDefenderSecurityCenter/DisableAccountProtectionUI](policy-csp-windowsdefendersecuritycenter.md) | +|[WindowsDefenderSecurityCenter/DisableAppBrowserUI](policy-csp-windowsdefendersecuritycenter.md) | +|[WindowsDefenderSecurityCenter/DisableClearTpmButton](policy-csp-windowsdefendersecuritycenter.md) | +|[WindowsDefenderSecurityCenter/DisableDeviceSecurityUI](policy-csp-windowsdefendersecuritycenter.md) | +|[WindowsDefenderSecurityCenter/DisableEnhancedNotifications](policy-csp-windowsdefendersecuritycenter.md) | +|[WindowsDefenderSecurityCenter/DisableFamilyUI](policy-csp-windowsdefendersecuritycenter.md) | +|[WindowsDefenderSecurityCenter/DisableHealthUI](policy-csp-windowsdefendersecuritycenter.md) | +|[WindowsDefenderSecurityCenter/DisableNetworkUI](policy-csp-windowsdefendersecuritycenter.md) | +|[WindowsDefenderSecurityCenter/DisableNotifications](policy-csp-windowsdefendersecuritycenter.md) | +|[WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning](policy-csp-windowsdefendersecuritycenter.md)| +|[WindowsDefenderSecurityCenter/DisableVirusUI](policy-csp-windowsdefendersecuritycenter.md) | +|[WindowsDefenderSecurityCenter/DisallowExploitProtectionOverride](policy-csp-windowsdefendersecuritycenter.md) | +|[WindowsDefenderSecurityCenter/Email](policy-csp-windowsdefendersecuritycenter.md) | +|[WindowsDefenderSecurityCenter/EnableCustomizedToasts](policy-csp-windowsdefendersecuritycenter.md) | +|[WindowsDefenderSecurityCenter/EnableInAppCustomization](policy-csp-windowsdefendersecuritycenter.md) | +|[WindowsDefenderSecurityCenter/HideRansomwareDataRecovery](policy-csp-windowsdefendersecuritycenter.md) | +|[WindowsDefenderSecurityCenter/HideSecureBoot](policy-csp-windowsdefendersecuritycenter.md) | +|[WindowsDefenderSecurityCenter/HideTPMTroubleshooting](policy-csp-windowsdefendersecuritycenter.md) | +|[WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl](policy-csp-windowsdefendersecuritycenter.md) | +|[WindowsDefenderSecurityCenter/Phone](policy-csp-windowsdefendersecuritycenter.md) | +|[WindowsDefenderSecurityCenter/URL](policy-csp-windowsdefendersecuritycenter.md) | +|[SmartScreen/EnableAppInstallControl](policy-csp-smartscreen.md)| +|[SmartScreen/EnableSmartScreenInShell](policy-csp-smartscreen.md) | +|[SmartScreen/PreventOverrideForFilesInShell](policy-csp-smartscreen.md) | diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index d4793c91e6..78158a6a3f 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -43,12 +43,12 @@ Additional lists: - - - - - - + + + + + +

Windows 10

Windows 10/11

64-bit

WindowsClient_10.0_x64

Windows 10

Windows 10/11

32-bit

WindowsClient_10.0_x86

parm-query

Parm-query

Yes

noparm

Noparm

Yes

nocharacteristic

Nocharacteristic

Yes

characteristic-query

Characteristic-query

Yes

Recursive query: Yes

Top-level query: Yes

gprs

Gprs

Default. Used for GPRS type connections (GPRS + GSM + EDGE + UMTS + LTE).

cdma

Cdma

Used for CDMA type connections (1XRTT + EVDO).

lte

Lte

Used for LTE type connections (eHRPD + LTE) when the device is registered HOME.

legacy

Legacy

Used for GPRS + GSM + EDGE + UMTS connections.

lte_iwlan

Lte_iwlan

Used for GPRS type connections that may be offloaded over WiFi

iwlan

Iwlan

Used for connections that are implemented over WiFi offload only

nocharacteristic

Nocharacteristic

Yes

characteristic-query

Characteristic-query

Yes

parm-query

Parm-query

Yes
Mobile
cross markcross markcross markcross markcross markcross markNoNoNoNoNoNo
@@ -69,12 +69,12 @@ Additional lists: Mobile - cross mark - check mark4 - check mark4 - check mark4 - check mark4 - cross mark + No + Yes + Yes + Yes + Yes + No @@ -95,12 +95,12 @@ Additional lists: Mobile - check mark - check mark - check mark - check mark - check mark - check mark + Yes + Yes + Yes + Yes + Yes + Yes @@ -121,12 +121,12 @@ Additional lists: Mobile - cross mark - cross mark - cross mark - cross mark - cross mark - cross mark + No + No + No + No + No + No @@ -147,12 +147,12 @@ Additional lists: Mobile - check mark - check mark - check mark - check mark - check mark - check mark + Yes + Yes + Yes + Yes + Yes + Yes @@ -173,12 +173,12 @@ Additional lists: Mobile - check mark6 - check mark6 - check mark6 - check mark6 - check mark6 - check mark6 + Yes6 + Yes6 + Yes6 + Yes6 + Yes6 + Yes6 @@ -199,12 +199,12 @@ Additional lists: Mobile - check mark - check mark - check mark - check mark - check mark - check mark + Yes + Yes + Yes + Yes + Yes + Yes @@ -225,12 +225,12 @@ Additional lists: Mobile - cross mark - check mark3 - check mark - check mark - check mark - cross mark + No + Yes3 + Yes + Yes + Yes + No @@ -251,12 +251,12 @@ Additional lists: Mobile - check mark - check mark - check mark - check mark - check mark - check mark + Yes + Yes + Yes + Yes + Yes + Yes @@ -277,12 +277,12 @@ Additional lists: Mobile - cross mark - check mark5 - check mark2 - check mark2 - check mark2 - check mark2 + No + Yes5 + Yes2 + Yes2 + Yes2 + Yes2 @@ -303,12 +303,12 @@ Additional lists: Mobile - cross mark - cross mark - cross mark - cross mark - cross mark - cross mark + No + No + No + No + No + No @@ -329,12 +329,12 @@ Additional lists: Mobile - check mark3 - check mark3 - check mark3 - check mark3 - check mark3 - check mark + Yes3 + Yes3 + Yes3 + Yes3 + Yes3 + Yes @@ -356,12 +356,12 @@ Additional lists: - cross mark - cross mark - cross mark - cross mark - cross mark - check mark1 + No + No + No + No + No + Yes1 @@ -382,12 +382,12 @@ Additional lists: Mobile - check mark2 - check mark2 - check mark2 - check mark2 - check mark2 - check mark + Yes2 + Yes2 + Yes2 + Yes2 + Yes2 + Yes @@ -408,12 +408,12 @@ Additional lists: Mobile - check mark3 - check mark3 - check mark3 - check mark3 - check mark3 - check mark + Yes3 + Yes3 + Yes3 + Yes3 + Yes3 + Yes @@ -434,12 +434,12 @@ Additional lists: Mobile - check mark2 - check mark2 - check mark2 - check mark2 - check mark2 - check mark + Yes2 + Yes2 + Yes2 + Yes2 + Yes2 + Yes @@ -460,12 +460,12 @@ Additional lists: Mobile - check mark - check mark - check mark - check mark - check mark - check mark + Yes + Yes + Yes + Yes + Yes + Yes @@ -486,12 +486,12 @@ Additional lists: Mobile - cross mark - cross mark - check mark2 - check mark2 - check mark2 - cross mark + No + No + Yes2 + Yes2 + Yes2 + No @@ -512,12 +512,12 @@ Additional lists: Mobile - check mark - check mark - check mark - check mark - check mark - check mark + Yes + Yes + Yes + Yes + Yes + Yes @@ -538,12 +538,12 @@ Additional lists: Mobile - cross mark - cross mark - cross mark - cross mark - cross mark - cross mark + No + No + No + No + No + No @@ -564,12 +564,12 @@ Additional lists: Mobile - check mark - check mark - check mark - check mark - check mark - check mark + Yes + Yes + Yes + Yes + Yes + Yes @@ -590,12 +590,12 @@ Additional lists: Mobile - check mark - check mark - check mark - check mark - check mark - check mark + Yes + Yes + Yes + Yes + Yes + Yes @@ -616,12 +616,12 @@ Additional lists: Mobile - check mark - check mark - check mark - check mark - check mark - cross mark + Yes + Yes + Yes + Yes + Yes + No @@ -642,12 +642,12 @@ Additional lists: Mobile - check mark - check mark - check mark - check mark - check mark - check mark + Yes + Yes + Yes + Yes + Yes + Yes @@ -668,12 +668,12 @@ Additional lists: Mobile - check mark - check mark - check mark - check mark - check mark - check mark + Yes + Yes + Yes + Yes + Yes + Yes @@ -694,12 +694,12 @@ Additional lists: Mobile - cross mark - cross mark - cross mark - cross mark - cross mark - cross mark + No + No + No + No + No + No @@ -720,12 +720,12 @@ Additional lists: Mobile - cross mark - cross mark - cross mark - cross mark - cross mark - check mark + No + No + No + No + No + Yes @@ -746,12 +746,12 @@ Additional lists: Mobile - cross mark - cross mark - cross mark - cross mark - cross mark - check mark + No + No + No + No + No + Yes @@ -772,12 +772,12 @@ Additional lists: Mobile - check mark - check mark - check mark - check mark - check mark - check mark + Yes + Yes + Yes + Yes + Yes + Yes @@ -799,12 +799,12 @@ Additional lists: - check mark - check mark - check mark - check mark - check mark - check mark + Yes + Yes + Yes + Yes + Yes + Yes @@ -825,12 +825,12 @@ Additional lists: Mobile - check mark - check mark - check mark - check mark - check mark - check mark + Yes + Yes + Yes + Yes + Yes + Yes @@ -852,12 +852,12 @@ Additional lists: - cross mark - cross mark - cross mark - check mark2 - check mark2 - check mark3 + No + No + No + Yes2 + Yes2 + Yes3 @@ -878,12 +878,12 @@ Additional lists: Mobile - check mark - check mark - check mark - check mark - check mark - check mark + Yes + Yes + Yes + Yes + Yes + Yes @@ -904,12 +904,12 @@ Additional lists: Mobile - check mark6 - check mark6 - check mark6 - check mark6 - check mark6 - cross mark + Yes6 + Yes6 + Yes6 + Yes6 + Yes6 + No @@ -930,12 +930,12 @@ Additional lists: Mobile - check mark2 - check mark2 - check mark2 - check mark2 - check mark2 - check mark + Yes2 + Yes2 + Yes2 + Yes2 + Yes2 + Yes @@ -956,12 +956,12 @@ Additional lists: Mobile - cross mark - cross mark - cross mark - cross mark - cross mark - check mark + No + No + No + No + No + Yes @@ -982,12 +982,12 @@ Additional lists: Mobile - cross mark - cross mark - cross mark - check mark2 - check mark2 - cross mark + No + No + No + Yes2 + Yes2 + No @@ -1008,12 +1008,12 @@ Additional lists: Mobile - cross mark - cross mark - cross mark - cross mark - cross mark - check mark + No + No + No + No + No + Yes @@ -1034,13 +1034,13 @@ Additional lists: Mobile - check mark + Yes Only for mobile application management (MAM) - check mark - check mark - check mark - check mark - check mark + Yes + Yes + Yes + Yes + Yes @@ -1061,12 +1061,12 @@ Additional lists: Mobile - cross mark - check mark - check mark - check mark - check mark - cross mark + No + Yes + Yes + Yes + Yes + No @@ -1087,12 +1087,12 @@ Additional lists: Mobile - cross mark - cross mark - cross mark - cross mark - cross mark - check mark + No + No + No + No + No + Yes @@ -1113,12 +1113,12 @@ Additional lists: Mobile - cross mark - cross mark - cross mark - cross mark - cross mark - check mark + No + No + No + No + No + Yes @@ -1139,12 +1139,12 @@ Additional lists: Mobile - check mark - check mark - check mark - check mark - check mark - check mark + Yes + Yes + Yes + Yes + Yes + Yes @@ -1165,12 +1165,12 @@ Additional lists: Mobile - cross mark - check mark3 - check mark3 - check mark3 - check mark3 - check mark3 + No + Yes3 + Yes3 + Yes3 + Yes3 + Yes3 @@ -1191,12 +1191,12 @@ Additional lists: Mobile - cross mark - cross mark - cross mark - cross mark - cross mark - check markB + No + No + No + No + No + YesB @@ -1217,12 +1217,12 @@ Additional lists: Mobile - cross mark - check mark3 - check mark3 - check mark3 - check mark3 - cross mark + No + Yes3 + Yes3 + Yes3 + Yes3 + No @@ -1243,12 +1243,12 @@ Additional lists: Mobile - check mark - check mark - check mark - check mark - check mark - check mark + Yes + Yes + Yes + Yes + Yes + Yes @@ -1269,12 +1269,12 @@ Additional lists: Mobile - cross mark - check mark - check mark - check mark - check mark - check mark + No + Yes + Yes + Yes + Yes + Yes @@ -1296,13 +1296,13 @@ Additional lists: Mobile Enterprise - check mark - check mark - cross mark - check mark - check mark - cross mark - cross mark + Yes + Yes + No + Yes + Yes + No + No @@ -1322,12 +1322,12 @@ Additional lists: Mobile - cross mark - cross mark - cross mark - cross mark - cross mark - check mark + No + No + No + No + No + Yes @@ -1348,12 +1348,12 @@ Additional lists: Mobile - cross mark - cross mark - cross mark - cross mark - cross mark - check mark2 + No + No + No + No + No + Yes2 @@ -1374,12 +1374,12 @@ Additional lists: Mobile - check mark4 - check mark4 - check mark4 - check mark4 - check mark4 - check mark4 + Yes + Yes + Yes + Yes + Yes + Yes @@ -1400,12 +1400,12 @@ Additional lists: Mobile - cross mark - check mark - check mark - check mark - check mark - check mark + No + Yes + Yes + Yes + Yes + Yes @@ -1426,12 +1426,12 @@ Additional lists: Mobile - cross mark - check mark - check mark - check mark - check mark - check mark + No + Yes + Yes + Yes + Yes + Yes @@ -1452,12 +1452,12 @@ Additional lists: Mobile - cross mark - check mark2 - check mark2 - check mark2 - check mark2 - check mark2 + No + Yes2 + Yes2 + Yes2 + Yes2 + Yes2 @@ -1478,12 +1478,12 @@ Additional lists: Mobile - check mark - check mark - check mark - check mark - check mark - check mark + Yes + Yes + Yes + Yes + Yes + Yes @@ -1504,12 +1504,12 @@ Additional lists: Mobile - check mark - check mark - check mark - check mark - check mark - check mark + Yes + Yes + Yes + Yes + Yes + Yes @@ -1530,12 +1530,12 @@ Additional lists: Mobile - cross mark - check mark2 - check mark2 - check mark2 - check mark2 - cross mark + No + Yes2 + Yes2 + Yes2 + Yes2 + No @@ -1556,12 +1556,12 @@ Additional lists: Mobile - check mark - check mark - check mark - check mark - check mark - check mark + Yes + Yes + Yes + Yes + Yes + Yes @@ -1582,12 +1582,12 @@ Additional lists: Mobile - cross mark - check mark - check mark - check mark - check mark - check mark + No + Yes + Yes + Yes + Yes + Yes @@ -1608,12 +1608,12 @@ Additional lists: Mobile - check mark - check mark - check mark - check mark - check mark - check mark + Yes + Yes + Yes + Yes + Yes + Yes @@ -1634,12 +1634,12 @@ Additional lists: Mobile - cross mark - cross mark - cross mark - check mark2 - check mark2 - cross mark + No + No + No + Yes2 + Yes2 + No @@ -1660,12 +1660,12 @@ Additional lists: Mobile - check mark - check mark - check mark - check mark - check mark - check mark + Yes + Yes + Yes + Yes + Yes + Yes @@ -1686,12 +1686,12 @@ Additional lists: Mobile - cross mark - cross mark - cross mark - cross mark - cross mark - check mark + No + No + No + No + No + Yes @@ -1712,12 +1712,12 @@ Additional lists: Mobile - check markB - check markB - check markB - check markB - check markB - check markB + YesB + YesB + YesB + YesB + YesB + YesB @@ -1738,12 +1738,12 @@ Additional lists: Mobile - cross mark - check mark - check mark - check mark - check mark - check mark + No + Yes + Yes + Yes + Yes + Yes @@ -1764,12 +1764,12 @@ Additional lists: Mobile - cross mark - cross mark - cross mark - cross mark - cross mark - check mark + No + No + No + No + No + Yes @@ -1790,12 +1790,12 @@ Additional lists: Mobile - cross mark - check mark - check mark - check mark - check mark - check mark + No + Yes + Yes + Yes + Yes + Yes @@ -1816,12 +1816,12 @@ Additional lists: Mobile - cross mark - cross mark - cross mark - cross mark - cross mark - check mark + No + No + No + No + No + Yes @@ -1842,12 +1842,12 @@ Additional lists: Mobile - cross mark - cross mark - cross mark - cross mark - cross mark - check mark + No + No + No + No + No + Yes @@ -1868,12 +1868,12 @@ Additional lists: Mobile - check mark - check mark - check mark - check mark - check mark - check mark + Yes + Yes + Yes + Yes + Yes + Yes @@ -1894,12 +1894,12 @@ Additional lists: Mobile - check mark - check mark - check mark - check mark - check mark - check mark + Yes + Yes + Yes + Yes + Yes + Yes @@ -1920,12 +1920,12 @@ Additional lists: Mobile - check mark - check mark - check mark - check mark - check mark - check mark + Yes + Yes + Yes + Yes + Yes + Yes @@ -1946,12 +1946,12 @@ Additional lists: Mobile - cross mark - check mark - check mark - check mark - check mark - check mark + No + Yes + Yes + Yes + Yes + Yes @@ -1972,12 +1972,12 @@ Additional lists: Mobile - cross mark - check mark1 - check mark1 - check mark1 - check mark1 - cross mark + No + Yes1 + Yes1 + Yes1 + Yes1 + No @@ -1998,12 +1998,12 @@ Additional lists: Mobile - check mark - check mark - check mark - check mark - check mark - check mark + Yes + Yes + Yes + Yes + Yes + Yes @@ -2024,12 +2024,12 @@ Additional lists: Mobile - cross mark - check mark1 - check mark1 - check mark1 - check mark1 - cross mark + No + Yes1 + Yes1 + Yes1 + Yes1 + No @@ -2050,12 +2050,12 @@ Additional lists: Mobile - cross mark - check mark - check mark - check mark - check mark - check mark + No + Yes + Yes + Yes + Yes + Yes @@ -2103,12 +2103,12 @@ Additional lists: Mobile - cross mark - check mark5 - check mark5 - check mark5 - check mark5 - cross mark + No + Yes5 + Yes5 + Yes5 + Yes5 + No @@ -2129,12 +2129,12 @@ Additional lists: Mobile - cross mark - check mark - check mark - check mark - check mark - check mark + No + Yes + Yes + Yes + Yes + Yes @@ -2155,12 +2155,12 @@ Additional lists: Mobile - cross mark - check mark - check mark4 - check mark4 - check mark4 - cross mark + No + Yes + Yes + Yes + Yes + No @@ -2181,12 +2181,12 @@ Additional lists: Mobile - cross mark - cross mark - check mark - check mark - check mark - cross mark + No + No + Yes + Yes + Yes + No @@ -2207,12 +2207,12 @@ Additional lists: Mobile - check mark - check mark - check mark - check mark - check mark - check mark + Yes + Yes + Yes + Yes + Yes + Yes @@ -2233,12 +2233,12 @@ Additional lists: Mobile - cross mark - cross mark - cross mark - cross mark - cross mark - check mark + No + No + No + No + No + Yes @@ -2259,12 +2259,12 @@ Additional lists: Mobile - check mark - check mark - check mark - check mark - check mark - check mark + Yes + Yes + Yes + Yes + Yes + Yes @@ -2290,7 +2290,7 @@ Additional lists: - check mark + Yes @@ -2312,12 +2312,12 @@ Additional lists: Mobile - check mark - check mark - check mark - check mark - check mark - check mark + Yes + Yes + Yes + Yes + Yes + Yes @@ -2338,12 +2338,12 @@ Additional lists: Mobile - cross mark - check mark1 - check mark1 - check mark1 - check mark1 - cross mark + No + Yes1 + Yes1 + Yes1 + Yes1 + No @@ -2364,12 +2364,12 @@ Additional lists: Mobile - cross mark - check mark5 - check mark5 - check mark5 - check mark5 - cross mark + No + Yes5 + Yes5 + Yes5 + Yes5 + No @@ -2390,12 +2390,12 @@ Additional lists: Mobile - cross mark - check mark1 - check mark1 - check mark1 - check mark1 - cross mark + No + Yes1 + Yes1 + Yes1 + Yes1 + No @@ -2416,12 +2416,12 @@ Additional lists: Mobile - cross mark - check mark3 - check mark3 - check mark3 - check mark3 - cross mark> + No + Yes3 + Yes3 + Yes3 + Yes3 + No> @@ -2443,12 +2443,12 @@ Additional lists: Mobile - check mark - check mark - check mark - check mark - check mark - check mark + Yes + Yes + Yes + Yes + Yes + Yes @@ -2469,12 +2469,12 @@ Additional lists: Mobile - cross mark - cross mark - cross mark - cross mark - cross mark - check mark + No + No + No + No + No + Yes @@ -2495,12 +2495,12 @@ Additional lists: Mobile - cross mark - check mark5 - check mark5 - check mark5 - check mark5 - check mark5 + No + Yes5 + Yes5 + Yes5 + Yes5 + Yes5 @@ -2526,7 +2526,7 @@ Additional lists: - check mark + Yes @@ -2555,36 +2555,36 @@ The following list shows the CSPs supported in HoloLens devices: | Configuration service provider | HoloLens (1st gen) Development Edition | HoloLens (1st gen) Commercial Suite | HoloLens 2 | |------|--------|--------|--------| -| [AccountManagement CSP](accountmanagement-csp.md) | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png) 4 | ![check mark](images/checkmark.png) -| [Accounts CSP](accounts-csp.md) | ![check mark.](images/checkmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | -| [ApplicationControl CSP](applicationcontrol-csp.md) | ![cross mark.](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | -| [AppLocker CSP](applocker-csp.md) | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png) | ![cross mark](images/crossmark.png) | -| [AssignedAccess CSP](assignedaccess-csp.md) | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png) 4 | ![check mark](images/checkmark.png) | -| [CertificateStore CSP](certificatestore-csp.md) | ![check mark.](images/checkmark.png) | ![check mark](images/checkmark.png)| ![check mark](images/checkmark.png) | -| [ClientCertificateInstall CSP](clientcertificateinstall-csp.md) | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | -| [DevDetail CSP](devdetail-csp.md) | ![check mark.](images/checkmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | -| [DeveloperSetup CSP](developersetup-csp.md) | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png) 2 (runtime provisioning via provisioning packages only; no MDM support)| ![check mark](images/checkmark.png) | -| [DeviceManageability CSP](devicemanageability-csp.md) | ![cross mark.](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | -| [DeviceStatus CSP](devicestatus-csp.md) | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | -| [DevInfo CSP](devinfo-csp.md) | ![check mark.](images/checkmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | -| [DiagnosticLog CSP](diagnosticlog-csp.md) | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | -| [DMAcc CSP](dmacc-csp.md) | ![check mark.](images/checkmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | -| [DMClient CSP](dmclient-csp.md) | ![check mark.](images/checkmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | -| [EnrollmentStatusTracking CSP](enrollmentstatustracking-csp.md) | ![cross mark.](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) 10 | -| [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | -| [NetworkProxy CSP](networkproxy-csp.md) | ![cross mark.](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | -| [NetworkQoSPolicy CSP](networkqospolicy-csp.md) | ![cross mark.](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) 8| -| [NodeCache CSP](nodecache-csp.md) | ![check mark.](images/checkmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | -[PassportForWork CSP](passportforwork-csp.md) | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | -| [Policy CSP](policy-configuration-service-provider.md) | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | -| [RemoteFind CSP](remotefind-csp.md) | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png) 4 | ![check mark](images/checkmark.png) | -| [RemoteWipe CSP](remotewipe-csp.md) (**doWipe** and **doWipePersistProvisionedData** nodes only) | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png) 4 | ![check mark](images/checkmark.png) | -| [RootCATrustedCertificates CSP](rootcacertificates-csp.md) | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | -| [TenantLockdown CSP](tenantlockdown-csp.md) | ![cross mark.](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) 10 | -| [Update CSP](update-csp.md) | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | -| [VPNv2 CSP](vpnv2-csp.md) | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | -| [WiFi CSP](wifi-csp.md) | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | -| [WindowsLicensing CSP](windowslicensing-csp.md) | ![check mark.](images/checkmark.png) | ![check mark](images/checkmark.png) | ![cross mark](images/crossmark.png) | +| [AccountManagement CSP](accountmanagement-csp.md) | No | Yes 4 | Yes +| [Accounts CSP](accounts-csp.md) | Yes | Yes | Yes | +| [ApplicationControl CSP](applicationcontrol-csp.md) | No | No | Yes | +| [AppLocker CSP](applocker-csp.md) | No | Yes | No | +| [AssignedAccess CSP](assignedaccess-csp.md) | No | Yes 4 | Yes | +| [CertificateStore CSP](certificatestore-csp.md) | Yes | Yes| Yes | +| [ClientCertificateInstall CSP](clientcertificateinstall-csp.md) | No | Yes | Yes | +| [DevDetail CSP](devdetail-csp.md) | Yes | Yes | Yes | +| [DeveloperSetup CSP](developersetup-csp.md) | No | Yes 2 (runtime provisioning via provisioning packages only; no MDM support)| Yes | +| [DeviceManageability CSP](devicemanageability-csp.md) | No | No | Yes | +| [DeviceStatus CSP](devicestatus-csp.md) | No | Yes | Yes | +| [DevInfo CSP](devinfo-csp.md) | Yes | Yes | Yes | +| [DiagnosticLog CSP](diagnosticlog-csp.md) | No | Yes | Yes | +| [DMAcc CSP](dmacc-csp.md) | Yes | Yes | Yes | +| [DMClient CSP](dmclient-csp.md) | Yes | Yes | Yes | +| [EnrollmentStatusTracking CSP](enrollmentstatustracking-csp.md) | No | No | Yes 10 | +| [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) | No | Yes | Yes | +| [NetworkProxy CSP](networkproxy-csp.md) | No | No | Yes | +| [NetworkQoSPolicy CSP](networkqospolicy-csp.md) | No | No | Yes 8| +| [NodeCache CSP](nodecache-csp.md) | Yes | Yes | Yes | +[PassportForWork CSP](passportforwork-csp.md) | No | Yes | Yes | +| [Policy CSP](policy-configuration-service-provider.md) | No | Yes | Yes | +| [RemoteFind CSP](remotefind-csp.md) | No | Yes 4 | Yes | +| [RemoteWipe CSP](remotewipe-csp.md) (**doWipe** and **doWipePersistProvisionedData** nodes only) | No | Yes 4 | Yes | +| [RootCATrustedCertificates CSP](rootcacertificates-csp.md) | No | Yes | Yes | +| [TenantLockdown CSP](tenantlockdown-csp.md) | No | No | Yes 10 | +| [Update CSP](update-csp.md) | No | Yes | Yes | +| [VPNv2 CSP](vpnv2-csp.md) | No | Yes | Yes | +| [WiFi CSP](wifi-csp.md) | No | Yes | Yes | +| [WindowsLicensing CSP](windowslicensing-csp.md) | Yes | Yes | No | ## CSPs supported in Microsoft Surface Hub @@ -2649,17 +2649,3 @@ The following list shows the CSPs supported in HoloLens devices:
- Footnotes: -- A - Only for mobile application management (MAM). -- B - Provisioning only. -- 1 - Added in Windows 10, version 1607. -- 2 - Added in Windows 10, version 1703. -- 3 - Added in Windows 10, version 1709. -- 4 - Added in Windows 10, version 1803. -- 5 - Added in Windows 10, version 1809. -- 6 - Added in Windows 10, version 1903. -- 7 - Added in Windows 10, version 1909. -- 8 - Added in Windows 10, version 2004. -- 9 - Added in Windows 10 Team 2020 Update -- 10 - Added in [Windows Holographic, version 20H2](/hololens/hololens-release-notes#windows-holographic-version-20h2) - diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md index 73237ce6c0..88a8764d74 100644 --- a/windows/client-management/mdm/defender-csp.md +++ b/windows/client-management/mdm/defender-csp.md @@ -10,7 +10,7 @@ ms.prod: w10 ms.technology: windows author: dansimp ms.localizationpriority: medium -ms.date: 08/05/2021 +ms.date: 10/04/2021 --- # Defender CSP @@ -73,7 +73,7 @@ Defender --------SupportLogLocation (Added in the next major release of Windows 10) --------PlatformUpdatesChannel (Added with the 4.18.2106.5 Defender platform release) --------EngineUpdatesChannel (Added with the 4.18.2106.5 Defender platform release) ---------DefinitionUpdatesChannel (Added with the 4.18.2106.5 Defender platform release) +--------SecurityIntelligenceUpdatesChannel (Added with the 4.18.2106.5 Defender platform release) --------DisableGradualRelease (Added with the 4.18.2106.5 Defender platform release) ----Scan ----UpdateSignature @@ -124,6 +124,7 @@ Threat category ID. The data type is integer. The following table describes the supported values: +

| Value | Description | |-------|-----------------------------| @@ -399,7 +400,7 @@ Supported product status values: - Service started without any malware protection engine = 1 << 1 - Pending full scan due to threat action = 1 << 2 - Pending reboot due to threat action = 1 << 3 -- ending manual steps due to threat action = 1 << 4 +- ending manual steps due to threat action = 1 << 4 - AV signatures out of date = 1 << 5 - AS signatures out of date = 1 << 6 - No quick scan has happened for a specified period = 1 << 7 @@ -722,6 +723,8 @@ Current Channel (Staged): Devices will be offered updates after the monthly grad Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). +Critical: Devices will be offered updates with a 48-hour delay. Suggested for critical environments only + If you disable or do not configure this policy, the device will stay up to date automatically during the gradual release cycle. Suitable for most devices. The data type is integer. @@ -730,10 +733,12 @@ Supported operations are Add, Delete, Get, Replace. Valid values are: - 0: Not configured (Default) -- 1: Beta Channel - Prerelease -- 2: Current Channel (Preview) -- 3: Current Channel (Staged) -- 4: Current Channel (Broad) +- 2: Beta Channel - Prerelease +- 3: Current Channel (Preview) +- 4: Current Channel (Staged) +- 5: Current Channel (Broad) +- 6: Critical- Time Delay + More details: @@ -751,6 +756,8 @@ Current Channel (Staged): Devices will be offered updates after the monthly grad Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). +Critical: Devices will be offered updates with a 48-hour delay. Suggested for critical environments only + If you disable or do not configure this policy, the device will stay up to date automatically during the gradual release cycle. Suitable for most devices. The data type is integer. @@ -758,19 +765,22 @@ The data type is integer. Supported operations are Add, Delete, Get, Replace. Valid values are: -- 0 - Not configured (Default) -- 1 - Beta Channel - Prerelease -- 2 - Current Channel (Preview) -- 3 - Current Channel (Staged) -- 4 - Current Channel (Broad) +- 0: Not configured (Default) +- 2: Beta Channel - Prerelease +- 3: Current Channel (Preview) +- 4: Current Channel (Staged) +- 5: Current Channel (Broad) +- 6: Critical- Time Delay More details: - [Manage the gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/manage-gradual-rollout) - [Create a custom gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/configure-updates) -**Configuration/DefinitionUpdatesChannel** -Enable this policy to specify when devices receive daily Microsoft Defender definition updates during the daily gradual rollout. +**Configuration/SecurityIntelligenceUpdatesChannel** +Enable this policy to specify when devices receive daily Microsoft Defender security intelligence (definition) updates during the daily gradual rollout. + +Current Channel (Staged): Devices will be offered updates after the release cycle. Suggested to apply to a small, representative part of production population (~10%). Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). @@ -781,8 +791,8 @@ Supported operations are Add, Delete, Get, Replace. Valid Values are: - 0: Not configured (Default) -- 3: Current Channel (Staged) -- 4: Current Channel (Broad) +- 4: Current Channel (Staged) +- 5: Current Channel (Broad) More details: @@ -830,6 +840,6 @@ Added in Windows 10, version 1803. OfflineScan action starts a Microsoft Defende Supported operations are Get and Execute. -## Related topics +## See also [Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/devdetail-csp.md b/windows/client-management/mdm/devdetail-csp.md index 5337bb0cfd..d63708145e 100644 --- a/windows/client-management/mdm/devdetail-csp.md +++ b/windows/client-management/mdm/devdetail-csp.md @@ -179,7 +179,7 @@ Value type is string. Supported operations are Get and Replace. > [!NOTE] > We recommend using `%SERIAL%` or `%RAND:x%` with a high character limit to reduce the chance of name collision when generating a random name. This feature doesn't check if a particular name is already present in the environment. -On desktop PCs, this setting specifies the DNS hostname of the computer (Computer Name) up to 63 characters. Use `%RAND:x%` to generate x number of random digits in the name, where x must be a number less than 63. For domain-joined computers, the unique name must use `%RAND:x%`. Use `%SERIAL%` to generate the name with the `computer's` serial number embedded. If the serial number exceeds the character limit, it will be truncated from the beginning of the sequence. The character restriction limit does not count the length of the macros, `%RAND:x%` and `%SERIAL%`. This setting is supported only in Windows 10, version 1803 and later. To change this setting in Windows 10, version 1709 and earlier releases, use the **ComputerName** setting under **Accounts** > **ComputerAccount**. +On desktop PCs, this setting specifies the DNS hostname of the computer (Computer Name) up to 63 characters. Use `%RAND:x%` to generate x number of random digits in the name, where x must be a number less than 63. For domain-joined computers, the unique name must use `%RAND:x%`. Use `%SERIAL%` to generate the name with the computer's serial number embedded. If the serial number exceeds the character limit, it will be truncated from the beginning of the sequence. The character restriction limit does not count the length of the macros, `%RAND:x%` and `%SERIAL%`. This setting is supported only in Windows 10, version 1803 and later. To change this setting in Windows 10, version 1709 and earlier releases, use the **ComputerName** setting under **Accounts** > **ComputerAccount**. **Ext/Microsoft/TotalStorage** Added in Windows 10, version 1511. Integer that specifies the total available storage in MB from first internal drive on the device (may be less than total physical storage). diff --git a/windows/client-management/mdm/device-update-management.md b/windows/client-management/mdm/device-update-management.md index bd80931f74..c4a5bf7384 100644 --- a/windows/client-management/mdm/device-update-management.md +++ b/windows/client-management/mdm/device-update-management.md @@ -138,9 +138,46 @@ Updates are configured using a combination of the [Update CSP](update-csp.md), a The enterprise IT can configure auto-update polices via OMA DM using the [Policy CSP](policy-configuration-service-provider.md) (this functionality is not supported in Windows 10 Mobile and Windows 10 Home). Here's the CSP diagram for the Update node in Policy CSP. -The following diagram shows the Update policies in a tree format. +The following shows the Update policies in a tree format. -![update policies.](images/update-policies.png) +```console +./Vendor/MSFT +Policy +----Config +--------Update +-----------ActiveHoursEnd +-----------ActiveHoursMaxRange +-----------ActiveHoursStart +-----------AllowAutoUpdate +-----------AllowMUUpdateService +-----------AllowNonMicrosoftSignedUpdate +-----------AllowUpdateService +-----------AutoRestartNotificationSchedule +-----------AutoRestartRequiredNotificationDismissal +-----------BranchReadinessLevel +-----------DeferFeatureUpdatesPeriodInDays +-----------DeferQualityUpdatesPeriodInDays +-----------DeferUpdatePeriod +-----------DeferUpgradePeriod +-----------EngagedRestartDeadline +-----------EngagedRestartSnoozeSchedule +-----------EngagedRestartTransitionSchedule +-----------ExcludeWUDriversInQualityUpdate +-----------IgnoreMOAppDownloadLimit +-----------IgnoreMOUpdateDownloadLimit +-----------PauseDeferrals +-----------PauseFeatureUpdates +-----------PauseQualityUpdates +-----------RequireDeferUpgrade +-----------RequireUpdateApproval +-----------ScheduleImminentRestartWarning +-----------ScheduledInstallDay +-----------ScheduledInstallTime +-----------ScheduleRestartWarning +-----------SetAutoRestartNotificationDisable +-----------UpdateServiceUrl +-----------UpdateServiceUrlAlternate +``` **Update/ActiveHoursEnd** > [!NOTE] @@ -674,9 +711,38 @@ Example ### Update management -The enterprise IT can configure the set of approved updates and get compliance status via OMA DM using the [Update CSP](update-csp.md). The following diagram shows the Update CSP in tree format.. +The enterprise IT can configure the set of approved updates and get compliance status via OMA DM using the [Update CSP](update-csp.md). The following shows the Update CSP in tree format. -![provisioning csp update.](images/provisioning-csp-update.png) +```console +./Vendor/MSFT +Update +----ApprovedUpdates +--------Approved Update Guid +------------ApprovedTime +----FailedUpdates +--------Failed Update Guid +------------HResult +------------Status +------------RevisionNumber +----InstalledUpdates +--------Installed Update Guid +------------RevisionNumber +----InstallableUpdates +--------Installable Update Guid +------------Type +------------RevisionNumber +----PendingRebootUpdates +--------Pending Reboot Update Guid +------------InstalledTime +------------RevisionNumber +----LastSuccessfulScanTime +----DeferUpgrade +----Rollback +--------QualityUpdate +--------FeatureUpdate +--------QualityUpdateStatus +--------FeatureUpdateStatus +``` **Update** The root node. diff --git a/windows/client-management/mdm/deviceinstanceservice-csp.md b/windows/client-management/mdm/deviceinstanceservice-csp.md index 0db22bf159..a7852e16cc 100644 --- a/windows/client-management/mdm/deviceinstanceservice-csp.md +++ b/windows/client-management/mdm/deviceinstanceservice-csp.md @@ -24,9 +24,27 @@ The DeviceInstance CSP is only supported in Windows 10 Mobile. -The following diagram shows the DeviceInstanceService configuration service provider in tree format. +The following shows the DeviceInstanceService configuration service provider in tree format. -![provisioning\-csp\-deviceinstanceservice.](images/provisioning-csp-deviceinstanceservice.png) +```console +./Vendor/MSFT +DeviceInstanceService +------------Roaming +------------PhoneNumber +------------IMEI +------------IMSI +------------Identity +---------------Identity1 +------------------Roaming +------------------PhoneNumber +------------------IMEI +------------------IMSI +---------------Identity2 +------------------PhoneNumber +------------------IMEI +------------------IMSI +------------------Roaming +``` **Roaming** A boolean value that specifies the roaming status of the device. In dual SIM mode when the device supports two different phone numbers, querying SIM 1 explicitly with ./Vendor/MSFT/DeviceInstanceService/Identify1/Roaming is functionally equivalent to using ./Vendor/MSFT/DeviceInstanceService/Roaming. @@ -36,34 +54,34 @@ Supported operation is **Get**. Returns **True** if the device is roaming; otherwise **False**. **PhoneNumber** -A string that represents the phone number of the device. In case of dual SIM mode when the device supports two different phone numbers, querying SIM 1 explicitly with ./Vendor/MSFT/DeviceInstanceService/Identify1/PhoneNumber is functionally equivalent to using ./Vendor/MSFT/DeviceInstanceService/PhoneNumber. +A string that represents the phone number of the device. In dual SIM mode, when the device supports two different phone numbers, querying SIM 1 explicitly with ./Vendor/MSFT/DeviceInstanceService/Identify1/PhoneNumber is functionally equivalent to using ./Vendor/MSFT/DeviceInstanceService/PhoneNumber. Value type is chr. Supported operation is **Get**. **IMEI** -A string the represents the International Mobile Station Equipment Identity (IMEI) of the device. In case of dual SIM mode when the device supports two different phone numbers, querying SIM 1 explicitly with ./Vendor/MSFT/DeviceInstanceService/Identify1/IMEI is functionally equivalent to using ./Vendor/MSFT/DeviceInstanceService/IMEI. +A string the represents the International Mobile Station Equipment Identity (IMEI) of the device. In dual SIM mode, when the device supports two different phone numbers, querying SIM 1 explicitly with ./Vendor/MSFT/DeviceInstanceService/Identify1/IMEI is functionally equivalent to using ./Vendor/MSFT/DeviceInstanceService/IMEI. Value type is chr. Supported operation is **Get**. **IMSI** -A string that represents the first six digits of device IMSI number (Mobile Country/region Code, Mobile Network Code) of the device. In case of dual SIM mode when the device supports two different phone numbers, querying SIM 1 explicitly with ./Vendor/MSFT/DeviceInstanceService/Identify1/IMSI is functionally equivalent to using ./Vendor/MSFT/DeviceInstanceService/IMSI. +A string that represents the first six digits of device IMSI number (Mobile Country/region Code, Mobile Network Code) of the device. In dual SIM mode when the device supports two different phone numbers, querying SIM 1 explicitly with ./Vendor/MSFT/DeviceInstanceService/Identify1/IMSI is functionally equivalent to using ./Vendor/MSFT/DeviceInstanceService/IMSI. Value type is chr. Supported operation is **Get**. **Identity** -The parent node to group per SIM specific information in case of dual SIM mode. +The parent node to group per SIM-specific information in dual SIM mode. **Identity1** -The parent node to group SIM1 specific information in case of dual SIM mode. +The parent node to group SIM1 specific information in dual SIM mode. **Identity2** -The parent node to group SIM2 specific information in case of dual SIM mode. +The parent node to group SIM2 specific information in dual SIM mode. ## Examples diff --git a/windows/client-management/mdm/devicelock-csp.md b/windows/client-management/mdm/devicelock-csp.md index 9933e58a23..d415155769 100644 --- a/windows/client-management/mdm/devicelock-csp.md +++ b/windows/client-management/mdm/devicelock-csp.md @@ -30,9 +30,33 @@ The DevicePasswordEnabled setting must be set to 0 (device password is enabled) - MaxInactivityTimeDeviceLock - MinDevicePasswordComplexCharacters -The following image shows the DeviceLock configuration service provider in tree format. +The following shows the DeviceLock configuration service provider in tree format. -![devicelock csp.](images/provisioning-csp-devicelock.png) +```console +./Vendor/MSFT +DeviceLock +--------Provider +----------ProviderID +-------------DevicePasswordEnabled +-------------AllowSimpleDevicePassword +-------------MinDevicePasswordLength +-------------AlphanumericDevicePasswordRequired +-------------MaxDevicePasswordFailedAttempts +-------------DevicePasswordExpiration +-------------DevicePasswordHistory +-------------MaxInactivityTimeDeviceLock +-------------MinDevicePasswordComplexCharacters +----------DeviceValue +-------------DevicePasswordEnabled +-------------AllowSimpleDevicePassword +-------------MinDevicePasswordLength +-------------AlphanumericDevicePasswordRequired +-------------MaxDevicePasswordFailedAttempts +-------------DevicePasswordExpiration +-------------DevicePasswordHistory +-------------MaxInactivityTimeDeviceLock +-------------MinDevicePasswordComplexCharacters +``` **Provider** Required. An interior node to group all policy providers. Scope is permanent. Supported operation is Get. diff --git a/windows/client-management/mdm/dmclient-csp.md b/windows/client-management/mdm/dmclient-csp.md index b8ddb3ffeb..9480172d90 100644 --- a/windows/client-management/mdm/dmclient-csp.md +++ b/windows/client-management/mdm/dmclient-csp.md @@ -22,7 +22,7 @@ The following shows the DMClient CSP in tree format. ./Vendor/MSFT DMClient ----Provider --------- +--------ProviderID ------------EntDeviceName ------------ExchangeID ------------EntDMID @@ -45,6 +45,10 @@ DMClient ------------HWDevID ------------ManagementServerAddressList ------------CommercialID +------------ConfigLock +----------------Lock +----------------UnlockDuration +----------------SecureCore ------------Push ----------------PFN ----------------ChannelURI @@ -598,6 +602,33 @@ Optional. Boolean value that allows the IT admin to require the device to start Supported operations are Add, Get, and Replace. +**Provider/*ProviderID*/ConfigLock** + +Optional. This node enables [Config Lock](config-lock.md) feature. If enabled, policies defined in the Config Lock document will be monitored and quickly remediated when a configuration drift is detected. + +Default = Locked + +> [!Note] +>If the device is not a Secured-core PC, then this feature will not work. To know more, see [Secured-core PC](/windows-hardware/design/device-experiences/oem-highly-secure). + +**Provider/*ProviderID*/ConfigLock/Lock** + +The supported values for this node are 0-unlock, 1-lock. + +Supported operations are Add, Delete, Get. + +**Provider/*ProviderID*/ConfigLock/UnlockDuration** + +The supported values for this node are 1 to 480 (in min). + +Supported operations are Add, Delete, Get. + +**Provider/*ProviderID*/ConfigLock/SecureCore** + +The supported values for this node are false or true. + +Supported operation is Get only. + **Provider/*ProviderID*/Push** Optional. Not configurable during WAP Provisioning XML. If removed, DM sessions triggered by Push will no longer be supported. diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md index c9f13235e0..58d590e4b2 100644 --- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md +++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md @@ -5,8 +5,8 @@ ms.author: dansimp ms.topic: article ms.prod: w10 ms.technology: windows -author: manikadhiman -ms.date: 06/02/2021 +author: dansimp +ms.date: 10/14/2021 ms.reviewer: manager: dansimp --- @@ -214,7 +214,7 @@ Requirements: If this folder does not exist, then be aware that you will be switching to a [central policy store](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) for your entire domain. -6. Wait for the SYSVOL DFSR replication to be completed and then restart the Domain Controller for the policy to be available. +6. Wait for the SYSVOL DFSR replication to be completed for the policy to be available. This procedure will work for any future version as well. diff --git a/windows/client-management/mdm/enterprise-app-management.md b/windows/client-management/mdm/enterprise-app-management.md index c29e2047ad..0f51e05177 100644 --- a/windows/client-management/mdm/enterprise-app-management.md +++ b/windows/client-management/mdm/enterprise-app-management.md @@ -8,8 +8,8 @@ ms.author: dansimp ms.topic: article ms.prod: w10 ms.technology: windows -author: manikadhiman -ms.date: 09/22/2017 +author: dansimp +ms.date: 10/04/2021 --- # Enterprise app management @@ -39,9 +39,109 @@ Windows 10 lets you inventory all apps deployed to a user and all apps for all These classifications are represented as nodes in the EnterpriseModernAppManagement CSP. -The following diagram shows the EnterpriseModernAppManagement CSP in a tree format. +The following shows the EnterpriseModernAppManagement CSP in a tree format. -![enterprisemodernappmanagement csp diagram.](images/provisioning-csp-enterprisemodernappmanagement.png) +```console +./Device/Vendor/MSFT +or +./User/Vendor/MSFT +EnterpriseAppManagement +----AppManagement +--------UpdateScan +--------LastScanError +--------AppInventoryResults +--------AppInventoryQuery +--------RemovePackage +--------AppStore +----------PackageFamilyName +------------PackageFullName +--------------Name +--------------Version +--------------Publisher +--------------Architecture +--------------InstallLocation +--------------IsFramework +--------------IsBundle +--------------InstallDate +--------------ResourceID +--------------RequiresReinstall +--------------PackageStatus +--------------Users +--------------IsProvisioned +--------------IsStub +------------DoNotUpdate +------------AppSettingPolicy +--------------SettingValue +------------MaintainProcessorArchitectureOnUpdate +------------NonRemovable +----------ReleaseManagement +------------ReleaseManagementKey +--------------ChannelId +--------------ReleaseId +--------------EffectiveRelease +-----------------ChannelId +-----------------ReleaseId +--------nonStore +----------PackageFamilyName +------------PackageFullName +--------------Name +--------------Version +--------------Publisher +--------------Architecture +--------------InstallLocation +--------------IsFramework +--------------IsBundle +--------------InstallDate +--------------ResourceID +--------------RequiresReinstall +--------------PackageStatus +--------------Users +--------------IsProvisioned +--------------IsStub +------------DoNotUpdate +------------AppSettingPolicy +--------------SettingValue +------------MaintainProcessorArchitectureOnUpdate +------------NonRemoveable +--------System +----------PackageFamilyName +------------PackageFullName +--------------Name +--------------Version +--------------Publisher +--------------Architecture +--------------InstallLocation +--------------IsFramework +--------------IsBundle +--------------InstallDate +--------------ResourceID +--------------RequiresReinstall +--------------PackageStatus +--------------Users +--------------IsProvisioned +--------------IsStub +------------DoNotUpdate +------------AppSettingPolicy +--------------SettingValue +------------MaintainProcessorArchitectureOnUpdate +------------NonRemoveable +----AppInstallation +--------PackageFamilyName +----------StoreInstall +----------HostedInstall +----------LastError +----------LastErrorDesc +----------Status +----------ProgressStatus +----AppLicenses +--------StoreLicenses +----------LicenseID +------------LicenseCategory +------------LicenseUsage +------------RequesterID +------------AddLicense +------------GetLicenseFromStore +``` Each app displays one package family name and 1-n package full names for installed apps. The apps are categorized based on their origin (Store, nonStore, System). @@ -49,9 +149,9 @@ Inventory can be performed recursively at any level from the AppManagement node Inventory is specific to the package full name and lists bundled packs and resources packs as applicable under the package family name. -> **Note**  On Windows 10 Mobile, XAP packages have the product ID in place of both the package family name and package full name. +> [!NOTE] +> On Windows 10 Mobile, XAP packages have the product ID in place of both the package family name and package full name. - Here are the nodes for each package full name: - Name @@ -116,8 +216,8 @@ Here are the nodes for each license ID: For detailed descriptions of each node, see [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md). -> **Note**  The LicenseID in the CSP is the content ID for the license. - +> [!NOTE] +> The LicenseID in the CSP is the content ID for the license. Here is an example of a query for all app licenses on a device. @@ -308,9 +408,9 @@ Here are the requirements for this scenario: - The device does not need to have connectivity to the Microsoft Store, store services, or the have the Microsoft Store UI be enabled. - The user must be logged in, but association with AAD identity is not required. -> **Note**  You must unlock the device to deploy nonStore apps or you must deploy the app license before deploying the offline apps. For details, see [Deploy an offline license to a user](#deploy-an-offline-license-to-a-user). +> [!NOTE] +> You must unlock the device to deploy nonStore apps or you must deploy the app license before deploying the offline apps. For details, see [Deploy an offline license to a user](#deploy-an-offline-license-to-a-user). - The Add command for the package family name is required to ensure proper removal of the app at unenrollment. Here is an example of a line-of-business app installation. @@ -429,14 +529,13 @@ Here are the requirements for this scenario: To provision app for all users of a device from a hosted location, the management server performs an Add and Exec command on the AppInstallation node in the device context. The Add command for the package family name is required to ensure proper removal of the app at unenrollment. -> **Note**  When you remove the provisioned app, it will not remove it from the users that already installed the app. - - +> [!NOTE] +> When you remove the provisioned app, it will not remove it from the users that already installed the app. Here is an example of app installation. -> **Note**  This is only supported in Windows 10 for desktop editions. - +> [!NOTE] +> This is only supported in Windows 10 for desktop editions. ```xml @@ -472,8 +571,8 @@ The DeploymentOptions parameter is only available in the user context. Here is an example of app installation with dependencies. -> **Note**  This is only supported in Windows 10 for desktop editions. - +> [!NOTE] +> This is only supported in Windows 10 for desktop editions. ```xml @@ -513,9 +612,9 @@ When an app installation is completed, a Windows notification is sent. You can a - Status - indicates the status of app installation. - NOT\_INSTALLED (0) - The node was added, but the execution was not completed. - - INSTALLING (1) - Execution has started, but the deployment has not completed. If the deployment completes regardless of suceess this value is updated. + - INSTALLING (1) - Execution has started, but the deployment has not completed. If the deployment completes regardless of success this value is updated. - FAILED (2) - Installation failed. The details of the error can be found under LastError and LastErrorDescription. - - INSTALLED (3) - Once an install is successful this node is cleaned up, however in the event the clean up actio has not completed, this state may briefly appear. + - INSTALLED (3) - Once an install is successful this node is cleaned up, however in the event the clean up action has not completed, this state may briefly appear. - LastError - This is the last error reported by the app deployment server. - LastErrorDescription - Describes the last error reported by the app deployment server. - Status - This is an integer that indicates the progress of the app installation. In cases of an https location, this shows the estimated download progress. @@ -577,9 +676,10 @@ Here is an example of an alert. For user-based installation, use the ./User path and for provisioning of apps, use the ./Device path. -The Data field value of 0 (zero) indicates sucess, otherwise it is an error code. If there is a failure, you can get more details from the AppInstallation node. +The Data field value of 0 (zero) indicates success, otherwise it is an error code. If there is a failure, you can get more details from the AppInstallation node. -> **Note**  At this time, the alert for Store app installation is not yet available. +> [!NOTE] +> At this time, the alert for Store app installation is not yet available. ## Uninstall your apps @@ -590,7 +690,7 @@ You can uninstall apps from users from Windows 10 devices. To uninstall an app, - nonStore - These apps that were not acquired from the Microsoft Store. - System - These apps are part of the OS. You cannot uninstall these apps. -To uninstall an app, you delete it under the origin node, package family name, and package full name. To uninstall a XAP, use the product ID in place of the package family nane and package full name. +To uninstall an app, you delete it under the origin node, package family name, and package full name. To uninstall a XAP, use the product ID in place of the package family name and package full name. Here is an example for uninstalling all versions of an app for a user. @@ -624,7 +724,8 @@ Here is an example for uninstalling a specific version of the app for a user. You can remove provisioned apps from a device for a specific version or for all versions of a package family. When a provisioned app is removed, it is not available to future users for the device. Logged in users who has the app registered to them will continue to have access to the app. If you want to removed the app for those users, you must explicitly uninstall the app for those users. -> **Note**  You can only remove an app that has an inventory value IsProvisioned = 1. +> [!NOTE] +> You can only remove an app that has an inventory value IsProvisioned = 1. Removing provisioned app occurs in the device context. @@ -753,7 +854,6 @@ Here is an example of a status check. Updating an existing app follows the same process as an initial installation. For more information, see [Deploy apps to a user from a hosted location](#deploy-apps-to-a-user-from-a-hosted-location). - ### Update provisioned apps A provisioned app automatically updates when an app update is sent to the user. You can also update a provisioned app using the same process as an initial provisioning. For more information about initial provisioning, see [Provision apps for all users of a device](#provision-apps-for-all-users-of-a-device). @@ -790,8 +890,8 @@ The following subsections provide information about additional settings configur You can install app on non-system volumes, such as a secondary partition or removable media (USB or SD cards). Using the RestrictApptoSystemVolume policy, you can prevent apps from getting installed or moved to non-system volumes. For more information about this policy, see [Policy CSP](policy-configuration-service-provider.md). -> **Note**  This is only supported in mobile devices. - +> [!NOTE] +> This is only supported in mobile devices. Here is an example. @@ -825,8 +925,8 @@ Here is an example. In Windows 10 Mobile IT administrators can set a policy to restrict user application data for a Microsoft Store app to the system volume, regardless of where the package is installed or moved. -> **Note**  The feature is only for Windows 10 Mobile. - +> [!NOTE] +> The feature is only for Windows 10 Mobile. The RestrictAppDataToSystemVolume policy in [Policy CSP](policy-configuration-service-provider.md) enables you to restrict all user application data to stay on the system volume. When the policy is not configured or if it is disabled, and you move a package or when it is installed to a difference volume, then the user application data will moved to the same volume. You can set this policy to 0 (off, default) or 1. @@ -862,8 +962,8 @@ Here is an example. The Universal Windows app has the ability to share application data between the users of the device. The ability to share data can be set at a package family level or per device. -> **Note**  This is only applicable to multi-user devices. - +> [!NOTE] +> This is only applicable to multi-user devices. The AllowSharedUserAppData policy in [Policy CSP](policy-configuration-service-provider.md) enables or disables app packages to share data between app packages when there are multiple users. If you enable this policy, applications can share data between packages in their package family. Data can be shared through ShareLocal folder for that package family and local machine. This folder is available through the Windows.Storage API. @@ -898,11 +998,3 @@ Here is an example. ``` - - - - - - - - diff --git a/windows/client-management/mdm/enterpriseappmanagement-csp.md b/windows/client-management/mdm/enterpriseappmanagement-csp.md index 98249aad50..f5132cb038 100644 --- a/windows/client-management/mdm/enterpriseappmanagement-csp.md +++ b/windows/client-management/mdm/enterpriseappmanagement-csp.md @@ -21,9 +21,35 @@ The EnterpriseAppManagement enterprise configuration service provider is used to -The following diagram shows the EnterpriseAppManagement configuration service provider in tree format. +The following shows the EnterpriseAppManagement configuration service provider in tree format. -![enterpriseappmanagement csp.](images/provisioning-csp-enterpriseappmanagement.png) +```console +./Vendor/MSFT +EnterpriseAppManagement +----EnterpriseID +--------EnrollmentToken +--------StoreProductID +--------StoreUri +--------CertificateSearchCriteria +--------Status +--------CRLCheck +--------EnterpriseApps +------------Inventory +----------------ProductID +--------------------Version +--------------------Title +--------------------Publisher +--------------------InstallDate +------------Download +----------------ProductID +--------------------Version +--------------------Name +--------------------URL +--------------------Status +--------------------LastError +--------------------LastErrorDesc +--------------------DownloadInstall +``` ***EnterpriseID*** Optional. A dynamic node that represents the EnterpriseID as a GUID. It is used to enroll or unenroll enterprise applications. diff --git a/windows/client-management/mdm/enterpriseassignedaccess-csp.md b/windows/client-management/mdm/enterpriseassignedaccess-csp.md index 271c1d69cb..ee057f96bd 100644 --- a/windows/client-management/mdm/enterpriseassignedaccess-csp.md +++ b/windows/client-management/mdm/enterpriseassignedaccess-csp.md @@ -19,8 +19,7 @@ The EnterpriseAssignedAccess configuration service provider allows IT administra > **Note**   The EnterpriseAssignedAccess CSP is only supported in Windows 10 Mobile. - -To use an app to create a lockdown XML see [Use the Lockdown Designer app to create a Lockdown XML file](/windows/configuration/mobile-devices/mobile-lockdown-designer). For more information about how to interact with the lockdown XML at runtime, see [**DeviceLockdownProfile class**](/uwp/api/Windows.Embedded.DeviceLockdown.DeviceLockdownProfile). +For more information about how to interact with the lockdown XML at runtime, see [**DeviceLockdownProfile class**](/uwp/api/Windows.Embedded.DeviceLockdown.DeviceLockdownProfile). The following shows the EnterpriseAssignedAccess configuration service provider in tree format as used by both the Open Mobile Alliance (OMA) Device Management (DM) and OMA Client Provisioning. ``` diff --git a/windows/client-management/mdm/euiccs-csp.md b/windows/client-management/mdm/euiccs-csp.md index 97ae6b939f..c9219f4340 100644 --- a/windows/client-management/mdm/euiccs-csp.md +++ b/windows/client-management/mdm/euiccs-csp.md @@ -62,6 +62,36 @@ Required. Indicates whether this eUICC is physically present and active. Updated Supported operation is Get. Value type is boolean. +**_eUICC_/PPR1Allowed** +Profile Policy Rule 1 (PPR1) is required. Indicates whether the download of a profile with PPR1 is allowed. If the eUICC already has a profile (regardless of its origin and policy rules associated with it), the download of a profile with PPR1 is not allowed. + +Supported operation is Get. Value type is boolean. + +**_eUICC_/PPR1AlreadySet** +Required. Indicates whether the eUICC already has a profile with PPR1. + +Supported operation is Get. Value type is boolean. + +**_eUICC_/DownloadServers** +Interior node. Represents default SM-DP+ discovery requests. + +Supported operation is Get. + +**_eUICC_/DownloadServers/_ServerName_** +Interior node. Optional. Node specifying the server name for a discovery operation. The node name is the fully qualified domain name of the SM-DP+ server that will be used for profile discovery. Creation of this subtree triggers a discovery request. + +Supported operations are Add, Get, and Delete. + +**_eUICC_/DownloadServers/_ServerName_/DiscoveryState** +Required. Current state of the discovery operation for the parent ServerName (Requested = 1, Executing = 2, Completed = 3, Failed = 4). Queried by the CSP and only updated by the LPA. + +Supported operation is Get. Value type is integer. Default value is 1. + +**_eUICC_/DownloadServers/_ServerName_/AutoEnable** +Required. Indicates whether the discovered profile must be enabled automatically after install. This must be set by the MDM when the ServerName subtree is created. + +Supported operations are Add, Get, and Replace. Value type is bool. + **_eUICC_/Profiles** Interior node. Required. Represents all enterprise-owned profiles. diff --git a/windows/client-management/mdm/euiccs-ddf-file.md b/windows/client-management/mdm/euiccs-ddf-file.md index 38bb8e5f6f..f7d0851746 100644 --- a/windows/client-management/mdm/euiccs-ddf-file.md +++ b/windows/client-management/mdm/euiccs-ddf-file.md @@ -49,7 +49,7 @@ The XML below if for Windows 10, version 1803. - com.microsoft/1.1/MDM/eUICCs + com.microsoft/1.2/MDM/eUICCs @@ -58,7 +58,7 @@ The XML below if for Windows 10, version 1803. - Represents information associated with an eUICC. There is one subtree for each known eUICC, created by the Local Profile Assistant (LPA) when the eUICC is first seen. The node name is meaningful only to the LPA (which associates it with an eUICC ID (EID) in an implementation-specific manner, e.g., this could be a SHA-256 hash of the EID). The node name "Default" represents the currently active eUICC. + Represents information associated with an eUICC. There is one subtree for each known eUICC, created by the Local Profile Assistant (LPA) when the eUICC is first seen. The node name is the eUICC ID (EID). The node name "Default" represents the currently active eUICC. @@ -79,7 +79,7 @@ The XML below if for Windows 10, version 1803. - Identifies an eUICC in an implementation-specific manner, e.g., this could be a SHA-256 hash of the EID. + The EID. @@ -118,6 +118,139 @@ The XML below if for Windows 10, version 1803. + + PPR1Allowed + + + + + Indicates whether the download of a profile with PPR1 is allowed. If the eUICC already has a profile (regardless of its origin and policy rules associated with it), the download of a profile with PPR1 is not allowed. + + + + + + + + + + + text/plain + + + + + PPR1AlreadySet + + + + + Indicates whether the eUICC already has a profile with PPR1. + + + + + + + + + + + text/plain + + + + + DownloadServers + + + + + Represents default SM-DP+ discovery requests. + + + + + + + + + + + + + + + + + + + + + + + Node specifying the server name for a discovery operation. The node name is the fully qualified domain name of the SM-DP+ server that will be used for profile discovery. Creation of this subtree triggers a discovery request. + + + + + + + + + + ServerName + + + + + + DiscoveryState + + + + + 1 + Current state of the discovery operation for the parent ServerName (Requested = 1, Executing = 2, Completed = 3, Failed = 4). Queried by the CSP and only updated by the LPA. + + + + + + + + + + + text/plain + + + + + AutoEnable + + + + + + + Indicates whether the discovered profile must be enabled automatically after install. This must be set by the MDM when the ServerName subtree is created. + + + + + + + + + + + text/plain + + + + + Profiles @@ -145,6 +278,7 @@ The XML below if for Windows 10, version 1803. + Node representing an enterprise-owned eUICC profile. The node name is the ICCID of the profile (which is a unique identifier). Creation of this subtree triggers an AddProfile request by the LPA (which installs the profile on the eUICC). Removal of this subtree triggers the LPA to delete the profile (if resident on the eUICC). @@ -167,6 +301,7 @@ The XML below if for Windows 10, version 1803. + Fully qualified domain name of the SM-DP+ that can download this profile. Must be set by the MDM when the ICCID subtree is created. @@ -192,6 +327,7 @@ The XML below if for Windows 10, version 1803. + Matching ID (activation code token) for profile download. Must be set by the MDM when the ICCID subtree is created. @@ -256,6 +392,70 @@ The XML below if for Windows 10, version 1803. + + PPR1Set + + + + + This profile policy rule indicates whether disabling of this profile is not allowed (true if not allowed, false otherwise). + + + + + + + + + + + text/plain + + + + + PPR2Set + + + + + This profile policy rule indicates whether deletion of this profile is not allowed (true if not allowed, false otherwise). + + + + + + + + + + + text/plain + + + + + ErrorDetail + + + + + 0 + Detailed error if the profile download and install procedure failed (None = 0, CardGeneralFailure = 1, ConfirmationCodeMissing = 3, ForbiddenByPolicy = 5, InvalidMatchingId = 6, NoEligibleProfileForThisDevice = 7, NotEnoughSpaceOnCard = 8, ProfileEidMismatch = 10, ProfileNotAvailableForNewBinding = 11, ProfileNotReleasedByOperator = 12, RemoteServerGeneralFailure = 13, RemoteServerUnreachable = 14). + + + + + + + + + + + text/plain + + + diff --git a/windows/client-management/mdm/filesystem-csp.md b/windows/client-management/mdm/filesystem-csp.md index 3df7b51be2..0b5579a5a6 100644 --- a/windows/client-management/mdm/filesystem-csp.md +++ b/windows/client-management/mdm/filesystem-csp.md @@ -22,9 +22,16 @@ The FileSystem configuration service provider is used to query, add, modify, and > [!NOTE] > This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_CSP\_OEM capabilities to be accessed from a network configuration application. -The following diagram shows the FileSystem configuration service provider management object in tree format as used by OMA DM. The OMA Client Provisioning protocol is not supported by this configuration service provider. +The following shows the FileSystem configuration service provider management object in tree format as used by OMA DM. The OMA Client Provisioning protocol is not supported by this configuration service provider. -![filesystem csp (dm).](images/provisioning-csp-filesystem-dm.png) +```console +./Vendor/MSFT +FileSystem +----file name +----file directory +--------file name +--------file directory +``` **FileSystem** Required. Defines the root of the file system management object. It functions as the root directory for file system queries. diff --git a/windows/client-management/mdm/healthattestation-csp.md b/windows/client-management/mdm/healthattestation-csp.md index e570b9890d..32bdbb1eca 100644 --- a/windows/client-management/mdm/healthattestation-csp.md +++ b/windows/client-management/mdm/healthattestation-csp.md @@ -8,25 +8,470 @@ ms.author: dansimp ms.topic: article ms.prod: w10 ms.technology: windows -author: manikadhiman -ms.date: 06/26/2017 +author: dansimp +ms.date: --- # Device HealthAttestation CSP -The Device HealthAttestation configuration service provider (DHA-CSP) enables enterprise IT managers to assess if a device is booted to a trusted and compliant state, and take enterprise policy actions. +The Device HealthAttestation configuration service provider (DHA-CSP) enables enterprise IT administrators to assess if a device is booted to a trusted and compliant state, and to take enterprise policy actions. The following is a list of functions performed by the Device HealthAttestation CSP: -- Collects device boot logs, TPM audit trails and the TPM certificate (DHA-BootData) from a managed device -- Forwards DHA-BootData to Device Health Attestation Service (DHA-Service) +- Collects device boot logs, Trusted Platform Module (TPM) audit trails and the TPM certificate (DHA-BootData) from a managed device +- Forwards DHA-BootData to a Device Health Attestation Service (DHA-Service) - Receives an encrypted blob (DHA-EncBlob) from DHA-Service, and stores it in a local cache on the device -- Receives attestation requests (DHA-Requests) from a DHA-Enabled MDM, and replies with Device Health Attestation data (DHA-Data +- Receives attestation requests (DHA-Requests) from a DHA-Enabled MDM, and replies with Device Health Attestation data (DHA-Data) -## Terms +## Windows 11 Device health attestation + +Windows 11 introduces an update to the device health attestation feature. This helps add support for deeper insights to Windows boot security, supporting a zero trust approach to device security. Device health attestation on Windows can be accessed by using the HealthAttestation CSP. This CSP helps assess if a device is booted to a trusted and compliant state and then to take appropriate action. Windows 11 introduces additional child nodes to the HealthAttestation node for the MDM providers to connect to the Microsoft Azure Attestation service, which provides a simplified approach to attestation. + +The attestation report provides a health assessment of the boot-time properties of the device to ensure that the devices are automatically secure as soon as they power on. The health attestation result can then be used to allow or deny access to networks, apps, or services, depending on the health of the device. + +### Terms +**TPM (Trusted Platform Module)** +

TPM is a specialized hardware-protected logic that performs a series of hardware protected security operations including providing protected storage, random number generation, encryption, and signing.

+ +**DHA (Device HealthAttestation) feature** +

The Device HealthAttestation (DHA) feature enables enterprise IT administrators to monitor the security posture of managed devices remotely by using hardware (TPM) protected and attested data via a tamper-resistant and tamper-evident communication channel.

+ +**MAA-Session (Microsoft Azure Attestation service based device HealthAttestation session)** +

The Microsoft Azure Attestation service-based device HealthAttestation session (MAA-Session) describes the end-to-end communication flow that is performed in one device health attestation session.

+ +**MAA-CSP Nodes (Microsoft Azure Attestation based Configuration Service Provider)** +

The Configuration Service Provider nodes added to Windows 11 to integrate with Microsoft Azure Attestation Service.

+

The following list of operations is performed by MAA-CSP:

+
    +
  • Receives attestation trigger requests from a HealthAttestation enabled MDM provider.
    • +
  • The device collects Attestation Evidence (device boot logs, TPM audit trails and the TPM certificate) from a managed device.
    • +
  • Forwards the Attestation Evidence to the Azure Attestation Service instance as configured by the MDM provider.
    • +
  • Receives a signed report from the Azure Attestation Service instance and stores it in a local cache on the device.
    • +
+ +**MAA endpoint** +Microsoft Azure attestation service is an Azure resource, and every instance of the service gets administrator configured URL. The URI generated is unique in nature and for the purposes of device health attestation is known as the MAA endpoint. + +**JWT (JSON Web Token)** +JSON Web Token (JWT) is an open standard RFC7519 method for securely transmitting information between parties as a JavaScript Object Notation (JSON) object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret or a public/private key pair. + +### Attestation Flow with Microsoft Azure Attestation Service + +![Attestation Flow with Microsoft Azure Attestation Service](./images/maa-attestation-flow.png) + +
+

Attestation flow can be broadly in three main steps:

+
    +
  • An instance of the Azure Attestation service is set up with an appropriate attestation policy. The attestation policy allows the MDM provider to attest to particular events in the boot as well security features.
    • +
  • The MDM provider triggers a call to the attestation service, the device then performs an attestation check keeping the report ready to be retrieved.
    • +
  • The MDM provider after verifying the token is coming from the attestation service it can parse the attestation token to reflect on the attested state of the device.
    • +
+ +The protocol implemented can be found here: Attestation Protocol. + +### Configuration Service Provider Nodes +Windows 11 introduces additions to the HealthAttestation CSP node to integrate with Microsoft Azure Attestation service. +``` +./Vendor/MSFT +HealthAttestation +----... +----TriggerAttestation | +----AttestStatus | Added in Windows 11 +----GetAttestReport | +----GetServiceCorrelationIDs | +----VerifyHealth +----Status +----ForceRetrieve +----Certificate +----Nonce +----CorrelationID +----HASEndpoint +----TpmReadyStatus +----CurrentProtocolVersion +----PreferredMaxProtocolVersion +----MaxSupportedProtocolVersion +``` + + +**./Vendor/MSFT/HealthAttestation** +

The root node for the device HealthAttestation configuration service provider.

+ +**TriggerAttestation** (Required) +

Node type: EXECUTE +This node will trigger attestation flow by launching an attestation process. If the attestation process is launched successfully, this node will return code 202 indicating the request is received and being processed. Otherwise, an error will be returned. +

+ +

Templated SyncML Call:

+ +```xml + + + + VERIFYHEALTHV2 + + + + ./Vendor/MSFT/HealthAttestation/TriggerAttestation + + + + { + rpID : "rpID", serviceEndpoint : “MAA endpoint”, + nonce : “nonce”, aadToken : “aadToken”, "cv" : "CorrelationVector" + } + + + + + + +``` + +

Data fields:

+
    +
  • rpID (Relying Party Identifier): This field contains an identifier that can be used to help determine the caller.
    • +
  • serviceEndpoint : This field contains the complete URL of the Microsoft Azure Attestation provider instance to be used for evaluation.
    • +
  • nonce : This field contains an arbitrary number that can be used just once in a cryptographic communication. It is often a random or pseudo-random number issued in an authentication protocol to ensure that old communications cannot be reused in replay attacks.
    • +
  • aadToken: The AAD token to be used for authentication against the Microsoft Azure Attestation service.
    • +
  • cv: This field contains an identifier(Correlation Vector) that will passed in to the service call, that can be used for diagnostics purposes.
    • +
+ +

Sample Data:

+ +```json + +{ +"rpid" : "https://www.contoso.com/attestation", +"endpoint" : "https://contoso.eus.attest.azure.net/attest/tpm?api-version=2020-10-01", +"nonce" : "5468697320697320612054657374204e6f6e6365", +"aadToken" : "dummytokenstring", +"cv" : "testonboarded" +} + +``` + +**AttestStatus** +

Node type: GET +This node will retrieve the status(HRESULT value) stored in registry updated by the attestation process triggered in the previous step. +The status is always cleared prior to making the attest service call. +

+ +

Templated SyncML Call:

+ +```xml + + + + + + + ./Device/Vendor/MSFT/HealthAttestation/AttestStatus + + + + + + + +``` + +

Sample Data:

+ +``` +If Successful: 0 +If Failed: A corresponding HRESULT error code +Example: 0x80072efd, WININET_E_CANNOT_CONNECT +``` + +**GetAttestReport** +

Node type: GET +This node will retrieve the attestation report per the call made by the TriggerAttestation, if there is any, for the given MDM provider. The report is stored in a registry key in the respective MDM enrollment store. +

+ +

Templated SyncML Call:

+ +```xml + + + + + + + ./Device/Vendor/MSFT/HealthAttestation/GetAttestReport + + + + + + + +``` + +

Sample data:

+ +``` +If Success: +JWT token: aaaaaaaaaaaaa.bbbbbbbbbbbbb.cccccccccc +If failed: +Previously cached report if available (the token may have already expired per the attestation policy). +OR Sync ML 404 error if not cached report available. +``` + +**GetServiceCorrelationIDs** +

Node type: GET +This node will retrieve the service-generated correlation IDs for the given MDM provider. If there are more than one correlation IDs, they are separated by “;” in the string. +

+

Templated SyncML Call:

+ +```xml + + + + + + + ./Device/Vendor/MSFT/HealthAttestation/GetServiceCorrelationIDs + + + + + + + +``` + +

Sample data:

+ +> If success: +> GUID returned by the attestation service: 1k9+vQOn00S8ZK33;CMc969r1JEuHwDpM +> If Trigger Attestation call failed and no previous data is present. The field remains empty. +> Otherwise, the last service correlation id will be returned. In a successful attestation there are two +> calls between client and MAA and for each call the GUID is separated by semicolon. + +> **_Note:_** MAA CSP nodes are available on arm64 but is not currently supported. + + +### MAA CSP Integration Steps +
    +
  1. Set up a MAA provider instance:
    +MAA instance can be created following the steps here Quickstart: Set up Azure Attestation by using the Azure portal | Microsoft Docs.
    2. +
  2. Update the provider with an appropriate policy:
    +The MAA instance should be updated with an appropriate policy. How to author an Azure Attestation policy | Microsoft Docs +
    A Sample attestation policy: + +``` +version=1.2; + +configurationrules{ +}; + +authorizationrules { + => permit(); +}; + +issuancerules{ + +// SecureBoot enabled +c:[type == "events", issuer=="AttestationService"] => add(type = "efiConfigVariables", value = JmesPath(c.value, "Events[?EventTypeString == 'EV_EFI_VARIABLE_DRIVER_CONFIG' && ProcessedData.VariableGuid == '8BE4DF61-93CA-11D2-AA0D-00E098032B8C']")); +c:[type == "efiConfigVariables", issuer=="AttestationPolicy"]=> issue(type = "secureBootEnabled", value = JsonToClaimValue(JmesPath(c.value, "[?ProcessedData.UnicodeName == 'SecureBoot'] | length(@) == `1` && @[0].ProcessedData.VariableData == 'AQ'"))); +![type=="secureBootEnabled", issuer=="AttestationPolicy"] => issue(type="secureBootEnabled", value=false); + +// Retrieve bool properties +c:[type=="events", issuer=="AttestationService"] => add(type="boolProperties", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && (PcrIndex == `12` || PcrIndex == `13` || PcrIndex == `19` || PcrIndex == `20`)].ProcessedData.EVENT_TRUSTBOUNDARY")); +c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="codeIntegrityEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_CODEINTEGRITY"))); +c:[type=="codeIntegrityEnabledSet", issuer=="AttestationPolicy"] => issue(type="codeIntegrityEnabled", value=ContainsOnlyValue(c.value, true)); +![type=="codeIntegrityEnabled", issuer=="AttestationPolicy"] => issue(type="codeIntegrityEnabled", value=false); + +// Bitlocker Boot Status, The first non zero measurement or zero. +c:[type=="events", issuer=="AttestationService"] => add(type="srtmDrtmEventPcr", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && (PcrIndex == `12` || PcrIndex == `19`)].ProcessedData.EVENT_TRUSTBOUNDARY")); +c:[type=="srtmDrtmEventPcr", issuer=="AttestationPolicy"] => issue(type="bitlockerEnabledValue", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_BITLOCKER_UNLOCK | @[? Value != `0`].Value | @[0]"))); +[type=="bitlockerEnabledValue"] => issue(type="bitlockerEnabled", value=true); +![type=="bitlockerEnabledValue"] => issue(type="bitlockerEnabled", value=false); + +// Elam Driver (windows defender) Loaded +c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="elamDriverLoaded", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_LOADEDMODULE_AGGREGATION[] | [? EVENT_IMAGEVALIDATED == `true` && (equals_ignore_case(EVENT_FILEPATH, '\\windows\\system32\\drivers\\wdboot.sys') || equals_ignore_case(EVENT_FILEPATH, '\\windows\\system32\\drivers\\wd\\wdboot.sys'))] | @ != `null`"))); +[type=="elamDriverLoaded", issuer=="AttestationPolicy"] => issue(type="WindowsDefenderElamDriverLoaded", value=true); +![type=="elamDriverLoaded", issuer=="AttestationPolicy"] => issue(type="WindowsDefenderElamDriverLoaded", value=false); + +// Boot debugging +c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="bootDebuggingEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_BOOTDEBUGGING"))); +c:[type=="bootDebuggingEnabledSet", issuer=="AttestationPolicy"] => issue(type="bootDebuggingDisabled", value=ContainsOnlyValue(c.value, false)); +![type=="bootDebuggingDisabled", issuer=="AttestationPolicy"] => issue(type="bootDebuggingDisabled", value=false); + +// Kernel Debugging +c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="osKernelDebuggingEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_OSKERNELDEBUG"))); +c:[type=="osKernelDebuggingEnabledSet", issuer=="AttestationPolicy"] => issue(type="osKernelDebuggingDisabled", value=ContainsOnlyValue(c.value, false)); +![type=="osKernelDebuggingDisabled", issuer=="AttestationPolicy"] => issue(type="osKernelDebuggingDisabled", value=false); + +// DEP Policy +c:[type=="boolProperties", issuer=="AttestationPolicy"] => issue(type="depPolicy", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_DATAEXECUTIONPREVENTION.Value | @[-1]"))); +![type=="depPolicy"] => issue(type="depPolicy", value=0); + +// Test Signing +c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="testSigningEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_TESTSIGNING"))); +c:[type=="testSigningEnabledSet", issuer=="AttestationPolicy"] => issue(type="testSigningDisabled", value=ContainsOnlyValue(c.value, false)); +![type=="testSigningDisabled", issuer=="AttestationPolicy"] => issue(type="testSigningDisabled", value=false); + +// Flight Signing +c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="flightSigningEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_FLIGHTSIGNING"))); +c:[type=="flightSigningEnabledSet", issuer=="AttestationPolicy"] => issue(type="flightSigningNotEnabled", value=ContainsOnlyValue(c.value, false)); +![type=="flightSigningNotEnabled", issuer=="AttestationPolicy"] => issue(type="flightSigningNotEnabled", value=false); + +// VSM enabled +c:[type=="events", issuer=="AttestationService"] => add(type="srtmDrtmEventPcr", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && (PcrIndex == `12` || PcrIndex == `19`)].ProcessedData.EVENT_TRUSTBOUNDARY")); +c:[type=="srtmDrtmEventPcr", issuer=="AttestationPolicy"] => add(type="vbsEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_VBS_VSM_REQUIRED"))); +c:[type=="srtmDrtmEventPcr", issuer=="AttestationPolicy"] => add(type="vbsEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_VBS_MANDATORY_ENFORCEMENT"))); +c:[type=="vbsEnabledSet", issuer=="AttestationPolicy"] => issue(type="vbsEnabled", value=ContainsOnlyValue(c.value, true)); +![type=="vbsEnabled", issuer=="AttestationPolicy"] => issue(type="vbsEnabled", value=false); +c:[type=="vbsEnabled", issuer=="AttestationPolicy"] => issue(type="vbsEnabled", value=c.value); + +// HVCI +c:[type=="srtmDrtmEventPcr", issuer=="AttestationPolicy"] => add(type="hvciEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_VBS_HVCI_POLICY | @[?String == 'HypervisorEnforcedCodeIntegrityEnable'].Value"))); +c:[type=="hvciEnabledSet", issuer=="AttestationPolicy"] => issue(type="hvciEnabled", value=ContainsOnlyValue(c.value, 1)); +![type=="hvciEnabled", issuer=="AttestationPolicy"] => issue(type="hvciEnabled", value=false); + +// IOMMU +c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="iommuEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_VBS_IOMMU_REQUIRED"))); +c:[type=="iommuEnabledSet", issuer=="AttestationPolicy"] => issue(type="iommuEnabled", value=ContainsOnlyValue(c.value, true)); +![type=="iommuEnabled", issuer=="AttestationPolicy"] => issue(type="iommuEnabled", value=false); + +// Find the Boot Manager SVN, this is measured as part of a sequence and find the various measurements +// Find the first EV_SEPARATOR in PCR 12, 13, Or 14 +c:[type=="events", issuer=="AttestationService"] => add(type="evSeparatorSeq", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_SEPARATOR' && (PcrIndex == `12` || PcrIndex == `13` || PcrIndex == `14`)] | @[0].EventSeq")); +c:[type=="evSeparatorSeq", value != "null", issuer=="AttestationPolicy"] => add(type="beforeEvSepClause", value=AppendString(AppendString("Events[? EventSeq < `", c.value), "`")); +[type=="evSeparatorSeq", value=="null", issuer=="AttestationPolicy"] => add(type="beforeEvSepClause", value="Events[? `true` "); + +// Find the first EVENT_APPLICATION_SVN. +c:[type=="beforeEvSepClause", issuer=="AttestationPolicy"] => add(type="bootMgrSvnSeqQuery", value=AppendString(c.value, " && EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `12` && ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_APPLICATION_SVN] | @[0].EventSeq")); +c1:[type=="bootMgrSvnSeqQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => add(type="bootMgrSvnSeq", value=JmesPath(c2.value, c1.value)); +c:[type=="bootMgrSvnSeq", value!="null", issuer=="AttestationPolicy"] => add(type="bootMgrSvnQuery", value=AppendString(AppendString("Events[? EventSeq == `", c.value), "`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_APPLICATION_SVN | @[0]")); + +// The first EVENT_APPLICATION_SVN. That value is the Boot Manager SVN +c1:[type=="bootMgrSvnQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => issue(type="bootMgrSvn", value=JsonToClaimValue(JmesPath(c2.value, c1.value))); + +// OS Rev List Info +c:[type=="events", issuer=="AttestationService"] => issue(type="osRevListInfo", value=JsonToClaimValue(JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `13`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_OS_REVOCATION_LIST.RawData | @[0]"))); + +// Safe mode +c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="safeModeEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_SAFEMODE"))); +c:[type=="safeModeEnabledSet", issuer=="AttestationPolicy"] => issue(type="notSafeMode", value=ContainsOnlyValue(c.value, false)); +![type=="notSafeMode", issuer=="AttestationPolicy"] => issue(type="notSafeMode", value=true); + +// Win PE +c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="winPEEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_WINPE"))); +c:[type=="winPEEnabledSet", issuer=="AttestationPolicy"] => issue(type="notWinPE", value=ContainsOnlyValue(c.value, false)); +![type=="notWinPE", issuer=="AttestationPolicy"] => issue(type="notWinPE", value=true); + +// CI Policy +c:[type=="events", issuer=="AttestationService"] => issue(type="codeIntegrityPolicy", value=JsonToClaimValue(JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `13`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_SI_POLICY[].RawData"))); + +// Secure Boot Custom Policy +c:[type=="events", issuer=="AttestationService"] => issue(type="secureBootCustomPolicy", value=JsonToClaimValue(JmesPath(c.value, "Events[? EventTypeString == 'EV_EFI_VARIABLE_DRIVER_CONFIG' && PcrIndex == `7` && ProcessedData.UnicodeName == 'CurrentPolicy' && ProcessedData.VariableGuid == '77FA9ABD-0359-4D32-BD60-28F4E78F784B'].ProcessedData.VariableData | @[0]"))); + +// Find the first EV_SEPARATOR in PCR 12, 13, Or 14 +c:[type=="events", issuer=="AttestationService"] => add(type="evSeparatorSeq", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_SEPARATOR' && (PcrIndex == `12` || PcrIndex == `13` || PcrIndex == `14`)] | @[0].EventSeq")); +c:[type=="evSeparatorSeq", value != "null", issuer=="AttestationPolicy"] => add(type="beforeEvSepClause", value=AppendString(AppendString("Events[? EventSeq < `", c.value), "`")); +[type=="evSeparatorSeq", value=="null", issuer=="AttestationPolicy"] => add(type="beforeEvSepClause", value="Events[? `true` "); // No restriction of EV_SEPARATOR in case it is not present + +//Finding the Boot App SVN +// Find the first EVENT_TRANSFER_CONTROL with value 1 or 2 in PCR 12 which is before the EV_SEPARATOR +c1:[type=="beforeEvSepClause", issuer=="AttestationPolicy"] && c2:[type=="bootMgrSvnSeq", value != "null", issuer=="AttestationPolicy"] => add(type="beforeEvSepAfterBootMgrSvnClause", value=AppendString(AppendString(AppendString(c1.value, "&& EventSeq >= `"), c2.value), "`")); +c:[type=="beforeEvSepAfterBootMgrSvnClause", issuer=="AttestationPolicy"] => add(type="tranferControlQuery", value=AppendString(c.value, " && EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `12`&& (ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_TRANSFER_CONTROL.Value == `1` || ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_TRANSFER_CONTROL.Value == `2`)] | @[0].EventSeq")); +c1:[type=="tranferControlQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => add(type="tranferControlSeq", value=JmesPath(c2.value, c1.value)); + +// Find the first non-null EVENT_MODULE_SVN in PCR 13 after the transfer control. +c:[type=="tranferControlSeq", value!="null", issuer=="AttestationPolicy"] => add(type="afterTransferCtrlClause", value=AppendString(AppendString(" && EventSeq > `", c.value), "`")); +c1:[type=="beforeEvSepClause", issuer=="AttestationPolicy"] && c2:[type=="afterTransferCtrlClause", issuer=="AttestationPolicy"] => add(type="moduleQuery", value=AppendString(AppendString(c1.value, c2.value), " && EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `13` && ((ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_LOADEDMODULE_AGGREGATION[].EVENT_MODULE_SVN | @[0]) || (ProcessedData.EVENT_LOADEDMODULE_AGGREGATION[].EVENT_MODULE_SVN | @[0]))].EventSeq | @[0]")); +c1:[type=="moduleQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => add(type="moduleSeq", value=JmesPath(c2.value, c1.value)); + +// Find the first EVENT_APPLICATION_SVN after EV_EVENT_TAG in PCR 12. +c:[type=="moduleSeq", value!="null", issuer=="AttestationPolicy"] => add(type="applicationSvnAfterModuleClause", value=AppendString(AppendString(" && EventSeq > `", c.value), "`")); +c1:[type=="beforeEvSepClause", issuer=="AttestationPolicy"] && c2:[type=="applicationSvnAfterModuleClause", issuer=="AttestationPolicy"] => add(type="bootAppSvnQuery", value=AppendString(AppendString(c1.value, c2.value), " && EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `12`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_APPLICATION_SVN | @[0]")); +c1:[type=="bootAppSvnQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => issue(type="bootAppSvn", value=JsonToClaimValue(JmesPath(c2.value, c1.value))); + +// Finding the Boot Rev List Info +c:[type=="events", issuer=="AttestationService"] => issue(type="bootRevListInfo", value=JsonToClaimValue(JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `13`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_BOOT_REVOCATION_LIST.RawData | @[0]"))); + +}; +``` + +
    3. +
  3. Call TriggerAttestation with your rpid, AAD token and the attestURI:
    +Use the Attestation URL generated in step 1, and append the appropriate api version you want to hit. More information about the api version can be found here Attestation - Attest Tpm - REST API (Azure Attestation) | Microsoft Docs
    4. +
  4. Call GetAttestReport and decode and parse the report to ensure the attested report contains the required properties:
    +GetAttestReport return the signed attestation token as a JWT. The JWT can be decoded to parse the information per the attestation policy. +
    + +```json + { + "typ": "JWT", + "alg": "RS256", + "x5c": [ + "MIIE.....=", + "MIIG.....=", + "MIIF.....=" + ], + "kid": "8FUer20z6wzf1rod044wOAFdjsg" + }.{ + "nbf": 1633664812, + "exp": 1634010712, + "iat": 1633665112, + "iss": "https://contosopolicy.eus.attest.azure.net", + "jti": "2b63663acbcafefa004d20969991c0b1f063c9be", + "ver": "1.0", + "x-ms-ver": "1.0", + "rp_data": "AQIDBA", + "nonce": "AQIDBA", + "cnf": { + "jwk": { + "kty": "RSA", + "n": "yZGC3-1rFZBt6n6vRHjRjvrOYlH69TftIQWOXiEHz__viQ_Z3qxWVa4TfrUxiQyDQnxJ8-f8tBRmlunMdFDIQWhnew_rc3-UYMUPNcTQ0IkrLBDG6qDjFFeEAMbn8gqr0rRWu_Qt7Cb_Cq1upoEBkv0RXk8yR6JXmFIvLuSdewGs-xCWlHhd5w3n1rVk0hjtRk9ZErlbPXt74E5l-ZZQUIyeYEZ1FmbivOIL-2f6NnKJ-cR4cdhEU8i9CH1YV0r578ry89nGvBJ5u4_3Ib9Ragdmxm259npH53hpnwf0I6V-_ZhGPyF6LBVUG_7x4CyxuHCU20uI0vXKXJNlbj1wsQ", + "e": "AQAB" + } + }, + "x-ms-policy-hash": "GiGQCTOylCohHt4rd3pEppD9arh5mXC3ifF1m1hONh0", + "WindowsDefenderElamDriverLoaded": true, + "bitlockerEnabled": true, + "bitlockerEnabledValue": 4, + "bootAppSvn": 1, + "bootDebuggingDisabled": true, + "bootMgrSvn": 1, + "bootRevListInfo": "gHWqR2F-1wEgAAAACwBxrZXHbaiuTuO0PSaJ7WQMF8yz37Z2ATgSNTTlRkwcTw", + "codeIntegrityEnabled": true, + "codeIntegrityPolicy": [ + "AAABAAAAAQBWAAsAIAAAAHsAOABmAGIANAA4ADYANQBlAC0AZQA5ADAAYgAtADQANAA0AGYALQBiADUAYgA1AC0AZQAyAGEAYQA1ADEAZAA4ADkAMABmAGQAfQAuAEMASQBQAAAAVnW86ERqAg5n9QT1UKFr-bOP2AlNtBaaHXjZODnNLlk", + "AAAAAAAACgBWAAsAIAAAAHsAYgBjADQAYgBmADYAZAA3AC0AYwBjADYAMAAtADQAMABmADAALQA4ADYANAA0AC0AMQBlADYANAA5ADEANgBmADgAMQA4ADMAfQAuAEMASQBQAAAAQ7vOXuAbBRIMglSSg7g_LHNeHoR4GrY-M-2W5MNvf0o", + "AAAAAAAACgBWAAsAIAAAAHsAYgAzADEAOAA5ADkAOQBhAC0AYgAxADMAZQAtADQANAA3ADUALQBiAGMAZgBkAC0AMQBiADEANgBlADMAMABlADYAMAAzADAAfQAuAEMASQBQAAAALTmwU3eadNtg0GyAyKIAkYed127RJCSgmfFmO1jN_aI", + "AAAAAAAACgBWAAsAIAAAAHsAZgBlADgAMgBkADUAOAA5AC0ANwA3AGQAMQAtADQAYwA3ADYALQA5AGEANABhAC0AZQA0ADUANQA0ADYAOAA4ADkANAAxAGIAfQAuAEMASQBQAAAA8HGUwA85gHN_ThItTYtu6sw657gVuOb4fOhYl-YJRoc", + "AACRVwAACgAmAAsAIAAAAEQAcgBpAHYAZQByAFMAaQBQAG8AbABpAGMAeQAuAHAANwBiAAAAYcVuY0HdW4Iqr5B-6Sl85kwIXRG9bqr43pVhkirg4qM" + ], + "depPolicy": 0, + "flightSigningNotEnabled": false, + "hvciEnabled": true, + "iommuEnabled": true, + "notSafeMode": true, + "notWinPE": true, + "osKernelDebuggingDisabled": true, + "osRevListInfo": "gHLuW2F-1wEgAAAACwDLyDTUQILjdz_RfNlShVgNYT9EghL7ceMReWg9TuwdKA", + "secureBootEnabled": true, + "testSigningDisabled": true, + "vbsEnabled": true + }.[Signature] +``` +
    5. +
+ +### Learn More + +More information about TPM attestation can be found here: [Microsoft Azure Attestation](/azure/attestation/). + + +## Windows 10 Device HealthAttestation + +### Terms **TPM (Trusted Platform Module)** -

TPM is a specialized hardware-protected logic that performs a series of hardware protected security operations including providing protected storage, random number generation, encryption and signing.

+

TPM is a specialized hardware-protected logic that performs a series of hardware protected security operations including providing protected storage, random number generation, encryption, and signing.

**DHA (Device HealthAttestation) feature**

The Device HealthAttestation (DHA) feature enables enterprise IT administrators to monitor the security posture of managed devices remotely by using hardware (TPM) protected and attested data via a tamper-resistant and tamper-evident communication channel.

@@ -59,10 +504,10 @@ The following is a list of functions performed by the Device HealthAttestation C DHA session data (Device HealthAttestation session data)

The following list of data is produced or consumed in one DHA-Transaction:

    -
  • DHA-BootData: the device boot data (TCG logs, PCR values, device/TPM certificate, boot and TPM counters) that are required for validating device boot health.
    • +
  • DHA-BootData: the device boot data (TCG logs, PCR values, device/TPM certificate, boot, and TPM counters) that are required for validating device boot health.
  • DHA-EncBlob: an encrypted summary report that DHA-Service issues to a device after reviewing the DHA-BootData it receives from devices.
  • DHA-SignedBlob: it is a signed snapshot of the current state of a device’s runtime that is captured by DHA-CSP at device health attestation time.
    • -
  • DHA-Data: an XML formatted data blob that devices forward for device health validation to DHA-Service via MDM-Server. DHA-Data has 2 parts: +
  • DHA-Data: an XML formatted data blob that devices forward for device health validation to DHA-Service via MDM-Server. DHA-Data has two parts:
    • DHA-EncBlob: the encrypted data blob that the device receives from DHA-Service
    • DHA-SignedBlob: a current snapshot of the current security state of the device that is generated by DHA-CSP
      • @@ -96,7 +541,7 @@ The following is a list of functions performed by the Device HealthAttestation C DHA-Service (Device HealthAttestation Service)

      Device HealthAttestation Service (DHA-Service) validates the data it receives from DHA-CSP and issues a highly trusted hardware (TPM) protected report (DHA-Report) to DHA-Enabled device management solutions through a tamper resistant and tamper evident communication channel.

      -

      DHA-Service is available in 2 flavors: “DHA-Cloud” and “DHA-Server2016”. DHA-Service supports a variety of implementation scenarios including cloud, on premises, air-gapped, and hybrid scenarios.

      +

      DHA-Service is available in two flavors: “DHA-Cloud” and “DHA-Server2016”. DHA-Service supports various implementation scenarios including cloud, on premises, air-gapped, and hybrid scenarios.

      The following list of operations is performed by DHA-Service:

      - Receives device boot data (DHA-BootData) from a DHA-Enabled device @@ -173,7 +618,7 @@ The following is a list of functions performed by the Device HealthAttestation C -## CSP diagram and node descriptions +### CSP diagram and node descriptions The following shows the Device HealthAttestation configuration service provider in tree format. @@ -205,12 +650,12 @@ HealthAttestation

      The supported operation is Get.

      -

      The following list shows some examples of supported values. For the complete list of status see Device HealthAttestation CSP status and error codes.

      +

      The following list shows some examples of supported values. For the complete list of status, see Device HealthAttestation CSP status and error codes.

      - 0 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_UNINITIALIZED): DHA-CSP is preparing a request to get a new DHA-EncBlob from DHA-Service - 1 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_REQUESTED): DHA-CSP is waiting for the DHA-Service to respond back, and issue a DHA-EncBlob to the device - 2 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_FAILED): A valid DHA-EncBlob could not be retrieved from the DHA-Service for reasons other than discussed in the DHA error/status codes -- 3 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_COMPLETE): DHA-Data is ready for pick up +- 3 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_COMPLETE): DHA-Data is ready for pickup **ForceRetrieve** (Optional)

      Instructs the client to initiate a new request to DHA-Service, and get a new DHA-EncBlob (a summary of the boot state that is issued by DHA-Service). This option should only be used if the MDM server enforces a certificate freshness policy, which needs to force a device to get a fresh encrypted blob from DHA-Service.

      @@ -220,7 +665,7 @@ HealthAttestation **Certificate** (Required)

      Instructs the DHA-CSP to forward DHA-Data to the MDM server.

      -

      Value type is b64.The supported operation is Get.

      +

      Value type is b64. The supported operation is Get.

      **Nonce** (Required)

      Enables MDMs to protect the device health attestation communications from man-in-the-middle type (MITM) attacks with a crypt-protected random value that is generated by the MDM Server.

      @@ -243,7 +688,7 @@ HealthAttestation

      Added in Windows 10, version 1607 March service release. Returns a bitmask of information describing the state of TPM. It indicates whether the TPM of the device is in a ready and trusted state.

      Value type is integer. The supported operation is Get.

      -## **DHA-CSP integration steps** +### **DHA-CSP integration steps** The following list of validation and development tasks are required for integrating the Microsoft Device Health Attestation feature with a Windows Mobile device management solution (MDM): @@ -260,7 +705,7 @@ The following list of validation and development tasks are required for integrat Each step is described in detail in the following sections of this topic. -## **Step 1: Verify HTTPS access** +### **Step 1: Verify HTTPS access** Validate that both the MDM server and the device (MDM client) can access has.spserv.microsoft.com using the TCP protocol over port 443 (HTTPS). @@ -313,7 +758,7 @@ SSL-Session: ``` -## **Step 2: Assign an enterprise trusted DHA-Service** +### **Step 2: Assign an enterprise trusted DHA-Service** There are three types of DHA-Service: - Device Health Attestation – Cloud (owned and operated by Microsoft) @@ -339,7 +784,7 @@ The following example shows a sample call that instructs a managed device to com ``` -## **Step 3: Instruct client to prepare health data for verification** +### **Step 3: Instruct client to prepare health data for verification** Send a SyncML call to start collection of the DHA-Data. @@ -366,7 +811,7 @@ The following example shows a sample call that triggers collection and verificat ``` -## **Step 4: Take action based on the clients response** +### **Step 4: Take action based on the clients response** After the client receives the health attestation request, it sends a response. The following list describes the responses, along with a recommended action to take. @@ -392,9 +837,9 @@ Here is a sample alert that is issued by DHA_CSP: ``` -- If the response to the status node is not 0, 1 or 3, then troubleshoot the issue. For the complete list of status codes see [Device HealthAttestation CSP status and error codes](#device-healthattestation-csp-status-and-error-codes). +- If the response to the status node is not 0, 1 or 3, then troubleshoot the issue. For the complete list of status codes, see [Device HealthAttestation CSP status and error codes](#device-healthattestation-csp-status-and-error-codes). -## **Step 5: Instruct the client to forward health attestation data for verification** +### **Step 5: Instruct the client to forward health attestation data for verification** Create a call to the **Nonce**, **Certificate** and **CorrelationId** nodes, and pick up an encrypted payload that includes a health certificate and related data from the device. @@ -431,7 +876,7 @@ Here is an example: ``` -## **Step 6: Forward device health attestation data to DHA-service** +### **Step 6: Forward device health attestation data to DHA-service** In response to the request that was sent in the previous step, the MDM client forwards an XML formatted blob (response from ./Vendor/MSFT/HealthAttestation/Certificate node) and a call identifier called CorrelationId (response to ./Vendor/MSFT/HealthAttestation/CorrelationId node). @@ -455,14 +900,14 @@ When the MDM-Server receives the above data, it must: - DHA-OnPrem or DHA-EMC: https://FullyQualifiedDomainName-FDQN/DeviceHealthAttestation/ValidateHealthCertificate/v3 -## **Step 7: Receive response from the DHA-service** +### **Step 7: Receive response from the DHA-service** When the Microsoft Device Health Attestation Service receives a request for verification, it performs the following steps: - Decrypts the encrypted data it receives. - Validates the data it has received - Creates a report, and shares the evaluation results to the MDM server via SSL in XML format -## **Step 8: Take appropriate policy action based on evaluation results** +### **Step 8: Take appropriate policy action based on evaluation results** After the MDM server receives the verified data, the information can be used to make policy decisions by evaluating the data. Some possible actions would be: @@ -471,7 +916,7 @@ After the MDM server receives the verified data, the information can be used to - Allow the device to access the resources, but flag the device for further investigation. - Prevent a device from accessing resources. -The following list of data points are verified by the DHA-Service in DHA-Report version 3: +The following list of data points is verified by the DHA-Service in DHA-Report version 3: - [Issued](#issued ) - [AIKPresent](#aikpresent) @@ -503,7 +948,7 @@ The following list of data points are verified by the DHA-Service in DHA-Report \* TPM 2.0 only \*\* Reports if BitLocker was enabled during initial boot. -\*\*\* The “Hybrid Resume” must be disabled on the device. Reports 1st party ELAM “Defender” was loaded during boot. +\*\*\* The “Hybrid Resume” must be disabled on the device. Reports first-party ELAM “Defender” was loaded during boot. Each of these are described in further detail in the following sections, along with the recommended actions to take. @@ -519,7 +964,7 @@ Each of these are described in further detail in the following sections, along w - Disallow all access - Disallow access to HBI assets -- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a devices past activities and trust history. +- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history. - Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. **ResetCount** (Reported only for devices that support TPM 2.0) @@ -544,7 +989,7 @@ Each of these are described in further detail in the following sections, along w - Disallow all access - Disallow access to HBI assets -- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a devices past activities and trust history. +- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history. - Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. **BitLockerStatus** (at boot time) @@ -560,7 +1005,7 @@ Each of these are described in further detail in the following sections, along w - Disallow all access - Disallow access to HBI assets -- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a devices past activities and trust history. +- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history. - Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. **BootManagerRevListVersion** @@ -573,7 +1018,7 @@ Each of these are described in further detail in the following sections, along w - Disallow all access - Disallow access to HBI and MBI assets - Place the device in a watch list to monitor the device more closely for potential risks. -- Trigger a corrective action, such as such as informing the technical support team to contact the owner investigate the issue. +- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue. **CodeIntegrityRevListVersion**

      This attribute indicates the version of the code that is performing integrity checks during the boot sequence. Using this attribute can help you detect if the device is running the latest version of the code that performs integrity checks, or if it is exposed to security risks (revoked) and enforce an appropriate policy action.

      @@ -585,7 +1030,7 @@ Each of these are described in further detail in the following sections, along w - Disallow all access - Disallow access to HBI and MBI assets - Place the device in a watch list to monitor the device more closely for potential risks. -- Trigger a corrective action, such as such as informing the technical support team to contact the owner investigate the issue. +- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue. **SecureBootEnabled**

      When Secure Boot is enabled the core components used to boot the machine must have correct cryptographic signatures that are trusted by the organization that manufactured the device. The UEFI firmware verifies this before it lets the machine start. If any files have been tampered with, breaking their signature, the system will not boot.

      @@ -596,11 +1041,11 @@ Each of these are described in further detail in the following sections, along w - Disallow all access - Disallow access to HBI assets -- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a devices past activities and trust history. +- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history. - Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. **BootDebuggingEnabled** -

      Boot debug enabled points to a device that is used in development and testing. Devices that are used for test and development typically are less secure: the device may run unstable code, or be configured with fewer security restrictions that is required for testing and development.

      +

      Boot debug-enabled points to a device that is used in development and testing. Devices that are used for test and development typically are less secure: the device may run unstable code, or be configured with fewer security restrictions that is required for testing and development.

      Boot debugging can be disabled or enabled by using the following commands in WMI or a PowerShell script:

      @@ -626,7 +1071,7 @@ Each of these are described in further detail in the following sections, along w - Disallow all access - Disallow access to HBI assets - Place the device in a watch list to monitor the device more closely for potential risks. -- Trigger a corrective action, such as such as informing the technical support team to contact the owner investigate the issue. +- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue. **CodeIntegrityEnabled**

      When code integrity is enabled, code execution is restricted to integrity verified code.

      @@ -641,7 +1086,7 @@ Each of these are described in further detail in the following sections, along w - Disallow all access - Disallow access to HBI assets -- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a devices past activities and trust history. +- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history. - Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. **TestSigningEnabled** @@ -680,11 +1125,11 @@ Each of these are described in further detail in the following sections, along w

      If WinPE = 1 (True), then limit access to remote resources that are required for Windows OS installation.

      **ELAMDriverLoaded** (Windows Defender) -

      To use this reporting feature you must disable "Hybrid Resume" on the device. Early launch anti-malware (ELAM) provides protection for the computers in your network when they start up and before third-party drivers initialize.

      +

      To use this reporting feature, you must disable "Hybrid Resume" on the device. Early launch anti-malware (ELAM) provides protection for the computers in your network when they start up and before third-party drivers initialize.

      -

      In the current release, this attribute only monitors/reports if a Microsoft 1st party ELAM (Windows Defender) was loaded during initial boot.

      +

      In the current release, this attribute only monitors/reports if a Microsoft first-party ELAM (Windows Defender) was loaded during initial boot.

      -

      If a device is expected to use a 3rd party antivirus program, ignore the reported state.

      +

      If a device is expected to use a third-party antivirus program, ignore the reported state.

      If a device is expected to use Windows Defender and ELAMDriverLoaded = 1 (True), then allow access.

      @@ -705,7 +1150,7 @@ Each of these are described in further detail in the following sections, along w - Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue. **VSMEnabled** -

      Virtual Secure Mode (VSM) is a container that protects high value assets from a compromised kernel. VSM requires about 1GB of memory – it has just enough capability to run the LSA service that is used for all authentication brokering.

      +

      Virtual Secure Mode (VSM) is a container that protects high value assets from a compromised kernel. VSM requires about 1 GB of memory – it has enough capability to run the LSA service that is used for all authentication brokering.

      VSM can be enabled by using the following command in WMI or a PowerShell script:

      @@ -760,7 +1205,7 @@ Each of these are described in further detail in the following sections, along w **PCR0**

      The measurement that is captured in PCR[0] typically represents a consistent view of the Host Platform between boot cycles. It contains a measurement of components that are provided by the host platform manufacturer.

      -

      Enterprise managers can create a allow list of trusted PCR[0] values, compare the PCR[0] value of the managed devices (the value that is verified and reported by HAS) with the allow list, and then make a trust decision based on the result of the comparison.

      +

      Enterprise managers can create an allow list of trusted PCR[0] values, compare the PCR[0] value of the managed devices (the value that is verified and reported by HAS) with the allow list, and then make a trust decision based on the result of the comparison.

      If your enterprise does not have a allow list of accepted PCR[0] values, then take no action.

      @@ -776,7 +1221,7 @@ Each of these are described in further detail in the following sections, along w

      If SBCPHash is not present, or is an accepted allow-listed value, then allow access. -

      If SBCPHash is present in DHA-Report, and is not a allow-listed value, then take one of the following actions that align with your enterprise policies:

      +

      If SBCPHash is present in DHA-Report, and is not an allow-listed value, then take one of the following actions that align with your enterprise policies:

      - Disallow all access - Place the device in a watch list to monitor the device more closely for potential risks. @@ -786,7 +1231,7 @@ Each of these are described in further detail in the following sections, along w

      If CIPolicy is not present, or is an accepted allow-listed value, then allow access.

      -

      If CIPolicy is present and is not a allow-listed value, then take one of the following actions that align with your enterprise policies:

      +

      If CIPolicy is present and is not an allow-listed value, then take one of the following actions that align with your enterprise policies:

      - Disallow all access - Place the device in a watch list to monitor the device more closely for potential risks. @@ -816,7 +1261,7 @@ Each of these are described in further detail in the following sections, along w

      In case of a detected issue a list of impacted DHA-report elements will be listed under the HealthStatusMismatchFlags attribute.

      -## **Device HealthAttestation CSP status and error codes** +### **Device HealthAttestation CSP status and error codes** @@ -962,7 +1407,7 @@ Each of these are described in further detail in the following sections, along w - + @@ -997,7 +1442,7 @@ Each of these are described in further detail in the following sections, along w - + @@ -1027,7 +1472,7 @@ Each of these are described in further detail in the following sections, along w
      27 HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_CREATE_HTTPHANDLEDHA-CSP failed to create a HTTP request handle.DHA-CSP failed to create an HTTP request handle.
      28
      34 HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_MISSING_RESPONSEDHA-CSP received an empty response along with a HTTP error code from DHA-Service.DHA-CSP received an empty response along with an HTTP error code from DHA-Service.
      35
      -## DHA-Report V3 schema +### DHA-Report V3 schema ```xml @@ -1131,7 +1576,7 @@ Each of these are described in further detail in the following sections, along w ``` -## DHA-Report example +### DHA-Report example ```xml diff --git a/windows/client-management/mdm/healthattestation-ddf.md b/windows/client-management/mdm/healthattestation-ddf.md index d7209b1cf2..651900e2d8 100644 --- a/windows/client-management/mdm/healthattestation-ddf.md +++ b/windows/client-management/mdm/healthattestation-ddf.md @@ -22,193 +22,430 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic The XML below is the current version for this CSP. ```xml - -]> - - 1.2 - + + + + + 1.2 + $(runtime.windows)\system32\hascsp.dll + + {9DCCCE22-C057-424E-B8D1-67935988B174} + HealthAttestation ./Vendor/MSFT - - - - - - - - - - - - - - com.microsoft/1.2/MDM/HealthAttestation - + + + + The root node for the device HealthAttestation configuration service provider. + + + + + + + + + + + com.microsoft/1.4/MDM/HealthAttestation + + + 10.0.10586 + 1.0 + + + + + - VerifyHealth - - - - - - - - - - - - - - + VerifyHealth + + + + + Notifies the device to prepare a device health verification request. + + + + + + + + + + + text/plain + + + - Status - - - - - - - - - - - - - - - text/plain - - + Status + + + + + Provides the current status of the device health request. For the complete list of status see https://docs.microsoft.com/en-us/windows/client-management/mdm/healthattestation-csp#device-healthattestation-csp-status-and-error-codes + + + + + + + + + + + text/plain + + - ForceRetrieve - - - - - - False - - - - - - - - - - - text/plain - - + ForceRetrieve + + + + + + False + Instructs the client to initiate a new request to DHA-Service, and get a new DHA-EncBlob (a summary of the boot state that is issued by DHA-Service). This option should only be used if the MDM server enforces a certificate freshness policy, which needs to force a device to get a fresh encrypted blob from DHA-Service. + + + + + + + + + + + text/plain + + + + false + False + + + true + True + + + - Certificate - - - - - - - - - - - - - - - - - + Certificate + + + + + Instructs the DHA-CSP to forward DHA-Data to the MDM server. + + + + + + + + + + + text/plain + + - Nonce - - - - - - \0 - - - - - - - - - - - text/plain - - + Nonce + + + + + + \0 + Enables MDMs to protect the device health attestation communications from man-in-the-middle type (MITM) attacks with a crypt-protected random value that is generated by the MDM Server. The nonce is in hex format, with a minimum size of 8 bytes, and a maximum size of 32 bytes. + + + + + + + + + + + text/plain + + + + - CorrelationID - - - - - - - - - - - - - - - text/plain - - + CorrelationID + + + + + Identifies a unique device health attestation session. CorrelationId is used to correlate DHA-Service logs with the MDM server events and Client event logs for debug and troubleshooting. + + + + + + + + + + + text/plain + + + + - HASEndpoint - - - - - - - - - - - - - text/plain - - + HASEndpoint + + + + + + has.spserv.microsoft.com. + Identifies the fully qualified domain name (FQDN) of the DHA-Service that is assigned to perform attestation. If an FQDN is not assigned, DHA-Cloud (Microsoft owned and operated cloud service) will be used as the default attestation service. + + + + + + + + + + + text/plain + + + + - TpmReadyStatus - - - - - - - - - - - - - - - text/plain - - + TpmReadyStatus + + + + + Returns a bitmask of information describing the state of TPM. It indicates whether the TPM of the device is in a ready and trusted state. + + + + + + + + + + + text/plain + + + 10.0.14393 + 1.1 + + - - + + CurrentProtocolVersion + + + + + Provides the current protocol version that the client is using to communicate with the Health Attestation Service. + + + + + + + + + + + text/plain + + + 10.0.16299 + 1.3 + + + + + PreferredMaxProtocolVersion + + + + + + 3 + Provides the maximum preferred protocol version that the client is configured to communicate over. If this is higher than the protocol versions supported by the client it will use the highest protocol version available to it. + + + + + + + + + + + text/plain + + + 10.0.16299 + 1.3 + + + + + + + MaxSupportedProtocolVersion + + + + + Returns the maximum protocol version that this client can support. + + + + + + + + + + + text/plain + + + 10.0.16299 + 1.3 + + + + + TriggerAttestation + + + + + Notifies the device to trigger an attestation session asynchronously. + + + + + + + + + + + text/plain + + + 99.9.99999 + 1.4 + + + + + + + GetAttestReport + + + + + Retrieve attestation session report if exists. + + + + + + + + + + + + + + 99.9.99999 + 1.4 + + + + + AttestStatus + + + + + AttestStatus maintains the success or failure status code for the last attestation session. + + + + + + + + + + + text/plain + + + 99.9.99999 + 1.4 + + + + + GetServiceCorrelationIDs + + + + + Retrieve service correlation IDs if exist. + + + + + + + + + + + + + + 99.9.99999 + 1.4 + + + + + + + + ``` diff --git a/windows/client-management/mdm/hotspot-csp.md b/windows/client-management/mdm/hotspot-csp.md index af7934b674..0672037cf9 100644 --- a/windows/client-management/mdm/hotspot-csp.md +++ b/windows/client-management/mdm/hotspot-csp.md @@ -25,9 +25,26 @@ The HotSpot configuration service provider is used to configure and enable Inter -The following diagram shows the HotSpot configuration service provider management object in tree format as used by OMA Client Provisioning. The OMA DM protocol is not supported by this configuration service provider. +The following shows the HotSpot configuration service provider management object in tree format as used by OMA Client Provisioning. The OMA DM protocol is not supported by this configuration service provider. -![hotspot csp (cp).](images/provisioning-csp-hotspot-cp.png) +```console +./Vendor/MSFT +HotSpot +-------Enabled +-------DedicatedConnections +-------TetheringNAIConnection +-------MaxUsers +-------MaxBluetoothUsers +-------MOHelpNumber +-------MOInfoLink +-------MOAppLink +-------MOHelpMessage +-------EntitlementRequired +-------EntitlementDll +-------EntitlementInterval +-------PeerlessTimeout +-------PublicConnectionTimeout +``` **Enabled** Required. Specifies whether to enable Internet sharing on the device. The default is false. diff --git a/windows/client-management/mdm/images/configlock-mem-createprofile.png b/windows/client-management/mdm/images/configlock-mem-createprofile.png new file mode 100644 index 0000000000..f43f6b7ddb Binary files /dev/null and b/windows/client-management/mdm/images/configlock-mem-createprofile.png differ diff --git a/windows/client-management/mdm/images/configlock-mem-dev.png b/windows/client-management/mdm/images/configlock-mem-dev.png new file mode 100644 index 0000000000..3ce6cd456d Binary files /dev/null and b/windows/client-management/mdm/images/configlock-mem-dev.png differ diff --git a/windows/client-management/mdm/images/configlock-mem-devstatus.png b/windows/client-management/mdm/images/configlock-mem-devstatus.png new file mode 100644 index 0000000000..2e78bf58e5 Binary files /dev/null and b/windows/client-management/mdm/images/configlock-mem-devstatus.png differ diff --git a/windows/client-management/mdm/images/configlock-mem-editrow.png b/windows/client-management/mdm/images/configlock-mem-editrow.png new file mode 100644 index 0000000000..18595f86dc Binary files /dev/null and b/windows/client-management/mdm/images/configlock-mem-editrow.png differ diff --git a/windows/client-management/mdm/images/configlock-mem-firmwareprotect.png b/windows/client-management/mdm/images/configlock-mem-firmwareprotect.png new file mode 100644 index 0000000000..1e315bc4b1 Binary files /dev/null and b/windows/client-management/mdm/images/configlock-mem-firmwareprotect.png differ diff --git a/windows/client-management/mdm/images/faq-max-devices.png b/windows/client-management/mdm/images/faq-max-devices.png index bf101a0215..f2d177b92f 100644 Binary files a/windows/client-management/mdm/images/faq-max-devices.png and b/windows/client-management/mdm/images/faq-max-devices.png differ diff --git a/windows/client-management/mdm/images/flow-configlock.png b/windows/client-management/mdm/images/flow-configlock.png new file mode 100644 index 0000000000..4310537887 Binary files /dev/null and b/windows/client-management/mdm/images/flow-configlock.png differ diff --git a/windows/client-management/mdm/images/maa-attestation-flow.png b/windows/client-management/mdm/images/maa-attestation-flow.png new file mode 100644 index 0000000000..ac91ff242a Binary files /dev/null and b/windows/client-management/mdm/images/maa-attestation-flow.png differ diff --git a/windows/client-management/mdm/index.md b/windows/client-management/mdm/index.md index a7236eea80..792bdcb30c 100644 --- a/windows/client-management/mdm/index.md +++ b/windows/client-management/mdm/index.md @@ -1,6 +1,6 @@ --- title: Mobile device management -description: Windows 10 provides an enterprise-level solution to mobile management, to help IT pros comply with security policies while avoiding compromise of user's privacy +description: Windows 10 and Windows 11 provides an enterprise-level solution to mobile management, to help IT pros comply with security policies while avoiding compromise of user's privacy MS-HAID: - 'p\_phDeviceMgmt.provisioning\_and\_device\_management' - 'p\_phDeviceMgmt.mobile\_device\_management\_windows\_mdm' @@ -15,9 +15,9 @@ author: dansimp # Mobile device management -Windows 10 provides an enterprise management solution to help IT pros manage company security policies and business applications, while avoiding compromise of the users’ privacy on their personal devices. A built-in management component can communicate with the management server. +Windows 10 and Windows 11 provides an enterprise management solution to help IT pros manage company security policies and business applications, while avoiding compromise of the users’ privacy on their personal devices. A built-in management component can communicate with the management server. -There are two parts to the Windows 10 management component: +There are two parts to the Windows management component: - The enrollment client, which enrolls and configures the device to communicate with the enterprise management server. - The management client, which periodically synchronizes with the management server to check for updates and apply the latest policies set by IT. diff --git a/windows/client-management/mdm/messaging-csp.md b/windows/client-management/mdm/messaging-csp.md index 69893ff362..1e87fad908 100644 --- a/windows/client-management/mdm/messaging-csp.md +++ b/windows/client-management/mdm/messaging-csp.md @@ -15,9 +15,18 @@ manager: dansimp The Messaging configuration service provider is used to configure the ability to get text messages audited on a mobile device. This CSP was added in Windows 10, version 1703. -The following diagram shows the Messaging configuration service provider in tree format. +The following shows the Messaging configuration service provider in tree format. -![messaging csp.](images/provisioning-csp-messaging.png) +```console +./User/Vendor/MSFT +Messaging +----AuditingLevel +----Auditing +--------Messages +----------Count +----------RevisionId +----------Data +``` **./User/Vendor/MSFT/Messaging** diff --git a/windows/client-management/mdm/mobile-device-enrollment.md b/windows/client-management/mdm/mobile-device-enrollment.md index ceacdde6dd..d1ada9afe6 100644 --- a/windows/client-management/mdm/mobile-device-enrollment.md +++ b/windows/client-management/mdm/mobile-device-enrollment.md @@ -66,13 +66,13 @@ Devices that are joined to an on-premises Active Directory can enroll into MDM v ## Disable MDM enrollments -Starting in Windows 10, version 1607, IT admin can disable MDM enrollments for domain-joined PCs using Group Policy. Using the GP editor, the path is **Computer configuration** > **Administrative Templates** > **Windows Components** > **MDM** > **Disable MDM Enrollment**. +In Windows 10 and Windows 11, IT admin can disable MDM enrollments for domain-joined PCs using Group Policy. Using the GP editor, the path is **Computer configuration** > **Administrative Templates** > **Windows Components** > **MDM** > **Disable MDM Enrollment**. ![Disable MDM enrollment policy in GP Editor.](images/mdm-enrollment-disable-policy.png) Here is the corresponding registry key: -Key: \\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\MDM +HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM Value: DisableRegistration @@ -80,19 +80,8 @@ Value: DisableRegistration The following scenarios do not allow MDM enrollments: -- Built-in administrator accounts on Windows desktop cannot enroll into MDM. -- Standard users cannot enroll in MDM. Only admin users can enroll. -- Windows 8.1 devices enrolled into MDM via enroll-on-behalf-of (EOBO) can upgrade to Windows 10, but the enrollment is not supported. We recommend performing a server initiated unenroll to remove these enrollments and then enrolling after the upgrade to Windows 10 is completed. - -## Enrollment migration - -**Desktop:** After the MDM client upgrade from Windows 8.1 to Windows 10, enrollment migration starts at the first client-initiated sync with the MDM service. The enrollment migration start time depends on the MDM server configuration. For example, for Intune it runs every 6 hours. - -Until the enrollment migration is completed, the user interface will show no enrollment and server push will not work. - -To manually trigger enrollment migration, you can run MDMMaintenenceTask. - -**Mobile devices:** After the MDM client upgrade from Windows Phone 8.1 to Windows 10 Mobile, enrollment migration is performed during the first boot after the upgrade. +- Built-in administrator accounts on Windows desktop cannot enroll into MDM. +- Standard users cannot enroll in MDM. Only admin users can enroll. ## Enrollment error messages @@ -143,49 +132,49 @@ The enrollment server can decline enrollment messages using the SOAP Fault forma

      s:

      MessageFormat

      MENROLL_E_DEVICE_MESSAGE_FORMAT_ERROR

      -

      Message format is bad

      +

      Invalid message from the Mobile Device Management (MDM) server.

      80180001

      s:

      Authentication

      MENROLL_E_DEVICE_AUTHENTICATION_ERROR

      -

      User not recognized

      +

      The Mobile Device Management (MDM) server failed to authenticate the user. Try again or contact your system administrator.

      80180002

      s:

      Authorization

      MENROLL_E_DEVICE_AUTHORIZATION_ERROR

      -

      User not allowed to enroll

      +

      The user is not authorized to enroll to Mobile Device Management (MDM). Try again or contact your system administrator.

      80180003

      s:

      CertificateRequest

      -

      MENROLL_E_DEVICE_CERTIFCATEREQUEST_ERROR

      -

      Failed to get certificate

      +

      MENROLL_E_DEVICE_CERTIFICATEREQUEST_ERROR

      +

      The user has no permission for the certificate template or the certificate authority is unreachable. Try again or contact your system administrator.

      80180004

      s:

      EnrollmentServer

      MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR

      - +The Mobile Device Management (MDM) server encountered an error. Try again or contact your system administrator.

      80180005

      a:

      InternalServiceFault

      MENROLL_E_DEVICE_INTERNALSERVICE_ERROR

      -

      The server hit an unexpected issue

      +

      There was an unhandled exception on the Mobile Device Management (MDM) server. Try again or contact your system administrator.

      80180006

      a:

      InvalidSecurity

      MENROLL_E_DEVICE_INVALIDSECURITY_ERROR

      -

      Cannot parse the security header

      +

      The Mobile Device Management (MDM) server was not able to validate your account. Try again or contact your system administrator.

      80180007

      @@ -242,43 +231,43 @@ In Windows 10, version 1507, we added the deviceenrollmentserviceerror element.

      DeviceCapReached

      MENROLL_E_DEVICECAPREACHED

      -

      User already enrolled in too many devices. Delete or unenroll old ones to fix this error. The user can fix it without admin help.

      +

      The account has too many devices enrolled to Mobile Device Management (MDM). Delete or unenroll old devices to fix this error.

      80180013

      DeviceNotSupported

      MENROLL_E_DEVICENOTSUPPORTED

      -

      Specific platform (e.g. Windows) or version is not supported. There is no point retrying or calling admin. User could upgrade device.

      +

      The Mobile Device Management (MDM) server doesn't support this platform or version, consider upgrading your device.

      80180014

      NotSupported

      -

      MENROLL_E_NOTSUPPORTED

      -

      Mobile device management generally not supported (would save an admin call)

      +

      MENROLL_E_NOT_SUPPORTED

      +

      Mobile Device Management (MDM) is generally not supported for this device.

      80180015

      NotEligibleToRenew

      MENROLL_E_NOTELIGIBLETORENEW

      -

      Device is trying to renew but server rejects the request. Client might show notification for this if Robo fails. Check time on device. The user can fix it by re-enrolling.

      +

      The device is attempting to renew the Mobile Device Management (MDM) certificate, but the server rejected the request. Check renew schedule on the device.

      80180016

      InMaintenance

      MENROLL_E_INMAINTENANCE

      -

      Account is in maintenance, retry later. The user can retry later, but they may need to contact the admin because they would not know when problem is solved.

      +

      The Mobile Device Management (MDM) server states your account is in maintenance, try again later.

      80180017

      UserLicense

      -

      MENROLL_E_USERLICENSE

      -

      License of user is in bad state and blocking the enrollment. The user needs to call the admin.

      +

      MENROLL_E_USER_LICENSE

      +

      There was an error with your Mobile Device Management (MDM) user license. Contact your system administrator.

      80180018

      InvalidEnrollmentData

      MENROLL_E_ENROLLMENTDATAINVALID

      -

      The server rejected the enrollment data. The server may not be configured correctly.

      +

      The Mobile Device Management (MDM) server rejected the enrollment data. The server may not be configured correctly.

      80180019

      diff --git a/windows/client-management/mdm/napdef-csp.md b/windows/client-management/mdm/napdef-csp.md index 0b715c1a53..bf9a0bc281 100644 --- a/windows/client-management/mdm/napdef-csp.md +++ b/windows/client-management/mdm/napdef-csp.md @@ -25,13 +25,41 @@ The NAPDEF configuration service provider is used to add, modify, or delete WAP -The following diagram shows the NAPDEF configuration service provider management object in tree format as used by OMA Client Provisioning for **initial bootstrapping of the phone**. The OMA DM protocol is not supported by this configuration service provider. +The following shows the NAPDEF configuration service provider management object in tree format as used by OMA Client Provisioning for **initial bootstrapping of the phone**. The OMA DM protocol is not supported by this configuration service provider. -![napdef csp (cp) (initial bootstrapping).](images/provisioning-csp-napdef-cp.png) +```console +NAPDEF +----NAPAUTHINFO +------AUTHNAME +------AUTHSECRET +------AUTHTYPE +----BEARER +----INTERNET +----LOCAL-ADDR +----LOCAL-ADDRTYPE +----NAME +----NAP-ADDRESS +----NAP-ADDRTYPE +----NAPID +``` -The following diagram shows the NAPDEF configuration service provider management object in tree format as used by OMA Client Provisioning for **updating the bootstrapping of the phone**. The OMA DM protocol is not supported by this configuration service provider. +The following shows the NAPDEF configuration service provider management object in tree format as used by OMA Client Provisioning for **updating the bootstrapping of the phone**. The OMA DM protocol is not supported by this configuration service provider. -![napdef csp (cp) (update bootstrapping).](images/provisioning-csp-napdef-cp-2.png) +```console +NAPDEF +--NAPID +----NAPAUTHINFO +------AUTHNAME +------AUTHSECRET +------AUTHTYPE +----BEARER +----INTERNET +----LOCAL-ADDR +----LOCAL-ADDRTYPE +----NAME +----NAP-ADDRESS +----NAP-ADDRTYPE +``` **NAPAUTHINFO** Defines a group of authentication settings. @@ -106,26 +134,26 @@ The following table shows the Microsoft custom elements that this configuration -ELements +Elements Available -

      parm-query

      +

      Parm-query

      Yes

      Note that some GPRS parameters will not necessarily contain the exact same value as was set.

      -

      noparm

      +

      Noparm

      Yes

      -

      nocharacteristic

      +

      Nocharacteristic

      Yes

      -

      characteristic-query

      +

      Characteristic-query

      Yes

      diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index 272489e4a8..c21357f4a9 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -1,6 +1,6 @@ --- title: What's new in MDM enrollment and management -description: Discover what's new and breaking changes in Windows 10 mobile device management (MDM) enrollment and management experience across all Windows 10 devices. +description: Discover what's new and breaking changes in Windows 10 and Windows 11 mobile device management (MDM) enrollment and management experience across all Windows 10 devices. MS-HAID: - 'p\_phdevicemgmt.mdm\_enrollment\_and\_management\_overview' - 'p\_phDeviceMgmt.new\_in\_windows\_mdm\_enrollment\_management' @@ -18,215 +18,24 @@ ms.date: 10/20/2020 # What's new in mobile device enrollment and management -This article provides information about what's new in Windows 10 mobile device management (MDM) enrollment and management experience across all Windows 10 devices. This article also provides details about the breaking changes and known issues and frequently asked questions. +This article provides information about what's new in Windows 10 and Windows 11 mobile device management (MDM) enrollment and management experience across all Windows 10 and Windows 11 devices. This article also provides details about the breaking changes and known issues and frequently asked questions. -For details about Microsoft mobile device management protocols for Windows 10 see [\[MS-MDM\]: Mobile Device Management Protocol](/openspecs/windows_protocols/ms-mdm/33769a92-ac31-47ef-ae7b-dc8501f7104f) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( https://go.microsoft.com/fwlink/p/?LinkId=619347). +For details about Microsoft mobile device management protocols for Windows 10 and Windows 11 see [\[MS-MDM\]: Mobile Device Management Protocol](/openspecs/windows_protocols/ms-mdm/33769a92-ac31-47ef-ae7b-dc8501f7104f) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( https://go.microsoft.com/fwlink/p/?LinkId=619347). -## What’s new in MDM for Windows 10, version 20H2 + +## What’s new in MDM for Windows 11, version 21H2 |New or updated article|Description| |-----|-----| -| [Policy CSP](policy-configuration-service-provider.md) | Added the following new policies in Windows 10, version 20H2:
      - [Experience/DisableCloudOptimizedContent](policy-csp-experience.md#experience-disablecloudoptimizedcontent)
      - [LocalUsersAndGroups/Configure](policy-csp-localusersandgroups.md#localusersandgroups-configure)
      - [MixedReality/AADGroupMembershipCacheValidityInDays](policy-csp-mixedreality.md#mixedreality-aadgroupmembershipcachevalidityindays)
      - [MixedReality/BrightnessButtonDisabled](policy-csp-mixedreality.md#mixedreality-brightnessbuttondisabled)
      - [MixedReality/FallbackDiagnostics](policy-csp-mixedreality.md#mixedreality-fallbackdiagnostics)
      - [MixedReality/MicrophoneDisabled](policy-csp-mixedreality.md#mixedreality-microphonedisabled)
      - [MixedReality/VolumeButtonDisabled](policy-csp-mixedreality.md#mixedreality-volumebuttondisabled)
      - [Multitasking/BrowserAltTabBlowout](policy-csp-multitasking.md#multitasking-browseralttabblowout) | -| [SurfaceHub CSP](surfacehub-csp.md) | Added the following new node:
      -Properties/SleepMode | -| [WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md) | Updated the description of the following node:
      - Settings/AllowWindowsDefenderApplicationGuard | +| [Policy CSP](policy-configuration-service-provider.md) | Added the following new policies in Windows 11, version 21H2:
      - NewsAndInterests/AllowNewsAndInterests
      - Experiences/ConfigureChatIcon
      - Start/ConfigureStartPins
      - Virtualizationbasedtechnology/HypervisorEnforcedCodeIntegrity
      - Virtualizationbasedtechnology/RequireUEFIMemoryAttributesTable | +| [DMClient CSP](dmclient-csp.md) | Updated the description of the following node:
      - Provider/ProviderID/ConfigLock/Lock
      - Provider/ProviderID/ConfigLock/UnlockDuration
      - Provider/ProviderID/ConfigLock/SecuredCore | -## What’s new in MDM for Windows 10, version 2004 - -| New or updated article | Description | -|-----|-----| -| [Policy CSP](policy-configuration-service-provider.md) | Added the following new policies in Windows 10, version 2004:
      - [ApplicationManagement/BlockNonAdminUserInstall](policy-csp-applicationmanagement.md#applicationmanagement-blocknonadminuserinstall)
      - [Bluetooth/SetMinimumEncryptionKeySize](policy-csp-bluetooth.md#bluetooth-setminimumencryptionkeysize)
      - [DeliveryOptimization/DOCacheHostSource](policy-csp-deliveryoptimization.md#deliveryoptimization-docachehostsource)
      - [DeliveryOptimization/DOMaxBackgroundDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxbackgrounddownloadbandwidth)
      - [DeliveryOptimization/DOMaxForegroundDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxforegrounddownloadbandwidth)
      - [Education/AllowGraphingCalculator](policy-csp-education.md#education-allowgraphingcalculator)
      - [TextInput/ConfigureJapaneseIMEVersion](policy-csp-textinput.md#textinput-configurejapaneseimeversion)
      - [TextInput/ConfigureSimplifiedChineseIMEVersion](policy-csp-textinput.md#textinput-configuresimplifiedchineseimeversion)
      - [TextInput/ConfigureTraditionalChineseIMEVersion](policy-csp-textinput.md#textinput-configuretraditionalchineseimeversion)

      Updated the following policy in Windows 10, version 2004:
      - [DeliveryOptimization/DOCacheHost](policy-csp-deliveryoptimization.md#deliveryoptimization-docachehost)

      Deprecated the following policies in Windows 10, version 2004:
      - [DeliveryOptimization/DOMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxdownloadbandwidth)
      - [DeliveryOptimization/DOMaxUploadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxuploadbandwidth)
      - [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxdownloadbandwidth) | -| [DevDetail CSP](devdetail-csp.md) | Added the following new node:
      - Ext/Microsoft/DNSComputerName | -| [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) | Added the following new node:
      - IsStub | -| [SUPL CSP](supl-csp.md) | Added the following new node:
      - FullVersion | - -## What’s new in MDM for Windows 10, version 1909 - -| New or updated article | Description | -|-----|-----| -| [BitLocker CSP](bitlocker-csp.md) | Added the following new nodes in Windows 10, version 1909:
      - ConfigureRecoveryPasswordRotation
      - RotateRecoveryPasswords
      - RotateRecoveryPasswordsStatus
      - RotateRecoveryPasswordsRequestID| - -## What’s new in MDM for Windows 10, version 1903 - -| New or updated article | Description | -|-----|-----| -|[Policy CSP](policy-configuration-service-provider.md) | Added the following new policies in Windows 10, version 1903:
      - [DeliveryOptimization/DODelayCacheServerFallbackBackground](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackbackground)
      - [DeliveryOptimization/DODelayCacheServerFallbackForeground](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackforeground)
      - [DeviceHealthMonitoring/AllowDeviceHealthMonitoring](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-allowdevicehealthmonitoring)
      - [DeviceHealthMonitoring/ConfigDeviceHealthMonitoringScope](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-configdevicehealthmonitoringscope)
      - [DeviceHealthMonitoring/ConfigDeviceHealthMonitoringUploadDestination](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-configdevicehealthmonitoringuploaddestination)
      - [DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs](policy-csp-deviceinstallation.md#deviceinstallationallowinstallationofmatchingdeviceinstanceids)
      - [DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs](policy-csp-deviceinstallation.md#deviceinstallationpreventinstallationofmatchingdeviceinstanceids)
      - [Experience/ShowLockOnUserTile](policy-csp-experience.md#experience-showlockonusertile)
      - [InternetExplorer/AllowEnhancedSuggestionsInAddressBar](policy-csp-internetexplorer.md#internetexplorer-allowenhancedsuggestionsinaddressbar)
      - [InternetExplorer/DisableActiveXVersionListAutoDownload](policy-csp-internetexplorer.md#internetexplorer-disableactivexversionlistautodownload)
      - [InternetExplorer/DisableCompatView](policy-csp-internetexplorer.md#internetexplorer-disablecompatview)
      - [InternetExplorer/DisableFeedsBackgroundSync](policy-csp-internetexplorer.md#internetexplorer-disablefeedsbackgroundsync)
      - [InternetExplorer/DisableGeolocation](policy-csp-internetexplorer.md#internetexplorer-disablegeolocation)
      - [InternetExplorer/DisableWebAddressAutoComplete](policy-csp-internetexplorer.md#internetexplorer-disablewebaddressautocomplete)
      - [InternetExplorer/NewTabDefaultPage](policy-csp-internetexplorer.md#internetexplorer-newtabdefaultpage)
      - [Power/EnergySaverBatteryThresholdOnBattery](policy-csp-power.md#power-energysaverbatterythresholdonbattery)
      - [Power/EnergySaverBatteryThresholdPluggedIn](policy-csp-power.md#power-energysaverbatterythresholdpluggedin)
      - [Power/SelectLidCloseActionOnBattery](policy-csp-power.md#power-selectlidcloseactiononbattery)
      - [Power/SelectLidCloseActionPluggedIn](policy-csp-power.md#power-selectlidcloseactionpluggedin)
      - [Power/SelectPowerButtonActionOnBattery](policy-csp-power.md#power-selectpowerbuttonactiononbattery)
      - [Power/SelectPowerButtonActionPluggedIn](policy-csp-power.md#power-selectpowerbuttonactionpluggedin)
      - [Power/SelectSleepButtonActionOnBattery](policy-csp-power.md#power-selectsleepbuttonactiononbattery)
      - [Power/SelectSleepButtonActionPluggedIn](policy-csp-power.md#power-selectsleepbuttonactionpluggedin)
      - [Power/TurnOffHybridSleepOnBattery](policy-csp-power.md#power-turnoffhybridsleeponbattery)
      - [Power/TurnOffHybridSleepPluggedIn](policy-csp-power.md#power-turnoffhybridsleeppluggedin)
      - [Power/UnattendedSleepTimeoutOnBattery](policy-csp-power.md#power-unattendedsleeptimeoutonbattery)
      - [Power/UnattendedSleepTimeoutPluggedIn](policy-csp-power.md#power-unattendedsleeptimeoutpluggedin)
      - [Privacy/LetAppsActivateWithVoice](policy-csp-privacy.md#privacy-letappsactivatewithvoice)
      - [Privacy/LetAppsActivateWithVoiceAboveLock](policy-csp-privacy.md#privacy-letappsactivatewithvoiceabovelock)
      - [Search/AllowFindMyFiles](policy-csp-search.md#search-allowfindmyfiles)
      - [ServiceControlManager/SvchostProcessMitigation](policy-csp-servicecontrolmanager.md#servicecontrolmanager-svchostprocessmitigation)
      - [System/AllowCommercialDataPipeline](policy-csp-system.md#system-allowcommercialdatapipeline)
      - [System/TurnOffFileHistory](policy-csp-system.md#system-turnofffilehistory)
      - [TimeLanguageSettings/ConfigureTimeZone](policy-csp-timelanguagesettings.md#timelanguagesettings-configuretimezone)
      - [Troubleshooting/AllowRecommendations](policy-csp-troubleshooting.md#troubleshooting-allowrecommendations)
      - [Update/AutomaticMaintenanceWakeUp](policy-csp-update.md#update-automaticmaintenancewakeup)
      - [Update/ConfigureDeadlineForFeatureUpdates](policy-csp-update.md#update-configuredeadlineforfeatureupdates)
      - [Update/ConfigureDeadlineForQualityUpdates](policy-csp-update.md#update-configuredeadlineforqualityupdates)
      - [Update/ConfigureDeadlineGracePeriod](policy-csp-update.md#update-configuredeadlinegraceperiod)
      - [WindowsLogon/AllowAutomaticRestartSignOn](policy-csp-windowslogon.md#windowslogon-allowautomaticrestartsignon)
      - [WindowsLogon/ConfigAutomaticRestartSignOn](policy-csp-windowslogon.md#windowslogon-configautomaticrestartsignon)
      - [WindowsLogon/EnableFirstLogonAnimation](policy-csp-windowslogon.md#windowslogon-enablefirstlogonanimation)| -| [Policy CSP - Audit](policy-csp-audit.md) | Added the new Audit policy CSP. | -| [ApplicationControl CSP](applicationcontrol-csp.md) | Added the new CSP. | -| [Defender CSP](defender-csp.md) | Added the following new nodes:
      - Health/TamperProtectionEnabled
      - Health/IsVirtualMachine
      - Configuration
      - Configuration/TamperProtection
      - Configuration/EnableFileHashComputation | -| [DiagnosticLog CSP](diagnosticlog-csp.md)
      [DiagnosticLog DDF](diagnosticlog-ddf.md) | Added version 1.4 of the CSP in Windows 10, version 1903.
      Added the new 1.4 version of the DDF.
      Added the following new nodes:
      - Policy
      - Policy/Channels
      - Policy/Channels/ChannelName
      - Policy/Channels/ChannelName/MaximumFileSize
      - Policy/Channels/ChannelName/SDDL
      - Policy/Channels/ChannelName/ActionWhenFull
      - Policy/Channels/ChannelName/Enabled
      - DiagnosticArchive
      - DiagnosticArchive/ArchiveDefinition
      - DiagnosticArchive/ArchiveResults | -| [EnrollmentStatusTracking CSP](enrollmentstatustracking-csp.md) | Added the new CSP. | -| [PassportForWork CSP](passportforwork-csp.md) | Added the following new nodes:
      - SecurityKey
      - SecurityKey/UseSecurityKeyForSignin | - - -## What’s new in MDM for Windows 10, version 1809 - -| New or updated article | Description | -|-----|-----| -|[Policy CSP](policy-configuration-service-provider.md) | Added the following new policy settings in Windows 10, version 1809:
      - ApplicationManagement/LaunchAppAfterLogOn
      - ApplicationManagement/ScheduleForceRestartForUpdateFailures
      - Authentication/EnableFastFirstSignIn (Preview mode only)
      - Authentication/EnableWebSignIn (Preview mode only)
      - Authentication/PreferredAadTenantDomainName
      - Browser/AllowFullScreenMode
      - Browser/AllowPrelaunch
      - Browser/AllowPrinting
      - Browser/AllowSavingHistory
      - Browser/AllowSideloadingOfExtensions
      - Browser/AllowTabPreloading
      - Browser/AllowWebContentOnNewTabPage
      - Browser/ConfigureFavoritesBar
      - Browser/ConfigureHomeButton
      - Browser/ConfigureKioskMode
      - Browser/ConfigureKioskResetAfterIdleTimeout
      - Browser/ConfigureOpenMicrosoftEdgeWith
      - Browser/ConfigureTelemetryForMicrosoft365Analytics
      - Browser/PreventCertErrorOverrides
      - Browser/SetHomeButtonURL
      - Browser/SetNewTabPageURL
      - Browser/UnlockHomeButton
      - Defender/CheckForSignaturesBeforeRunningScan
      - Defender/DisableCatchupFullScan
      - Defender/DisableCatchupQuickScan
      - Defender/EnableLowCPUPriority
      - Defender/SignatureUpdateFallbackOrder
      - Defender/SignatureUpdateFileSharesSources
      - DeviceGuard/ConfigureSystemGuardLaunch
      - DeviceInstallation/AllowInstallationOfMatchingDeviceIDs
      - DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses
      - DeviceInstallation/PreventDeviceMetadataFromNetwork
      - DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings
      - DmaGuard/DeviceEnumerationPolicy
      - Experience/AllowClipboardHistory
      - Experience/DoNotSyncBrowserSettings
      - Experience/PreventUsersFromTurningOnBrowserSyncing
      - Kerberos/UPNNameHints
      - Privacy/AllowCrossDeviceClipboard
      - Privacy/DisablePrivacyExperience
      - Privacy/UploadUserActivities
      - Security/RecoveryEnvironmentAuthentication
      - System/AllowDeviceNameInDiagnosticData
      - System/ConfigureMicrosoft365UploadEndpoint
      - System/DisableDeviceDelete
      - System/DisableDiagnosticDataViewer
      - Storage/RemovableDiskDenyWriteAccess
      - TaskManager/AllowEndTask
      - Update/DisableWUfBSafeguards
      - Update/EngagedRestartDeadlineForFeatureUpdates
      - Update/EngagedRestartSnoozeScheduleForFeatureUpdates
      - Update/EngagedRestartTransitionScheduleForFeatureUpdates
      - Update/SetDisablePauseUXAccess
      - Update/SetDisableUXWUAccess
      - WindowsDefenderSecurityCenter/DisableClearTpmButton
      - WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning
      - WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl
      - WindowsLogon/DontDisplayNetworkSelectionUI | -| [BitLocker CSP](bitlocker-csp.md) | Added a new node AllowStandardUserEncryption in Windows 10, version 1809. Added support for Windows 10 Pro. | -| [Defender CSP](defender-csp.md) | Added a new node Health/ProductStatus in Windows 10, version 1809. | -| [DevDetail CSP](devdetail-csp.md) | Added a new node SMBIOSSerialNumber in Windows 10, version 1809. | -| [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) | Added NonRemovable setting under AppManagement node in Windows 10, version 1809. | -| [Office CSP](office-csp.md) | Added FinalStatus setting in Windows 10, version 1809. | -| [PassportForWork CSP](passportforwork-csp.md) | Added new settings in Windows 10, version 1809. | -| [RemoteWipe CSP](remotewipe-csp.md) | Added new settings in Windows 10, version 1809. | -| [SUPL CSP](supl-csp.md) | Added 3 new certificate nodes in Windows 10, version 1809. | -| [TenantLockdown CSP](tenantlockdown-csp.md) | Added new CSP in Windows 10, version 1809. | -| [Wifi CSP](wifi-csp.md) | Added a new node WifiCost in Windows 10, version 1809. | -| [WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md) | Added new settings in Windows 10, version 1809. | -| [WindowsLicensing CSP](windowslicensing-csp.md) | Added S mode settings and SyncML examples in Windows 10, version 1809. | -| [Win32CompatibilityAppraiser CSP](win32compatibilityappraiser-csp.md) | Added new configuration service provider in Windows 10, version 1809. | - - -## What’s new in MDM for Windows 10, version 1803 - -| New or updated article | Description | -|-----|-----| -|[Policy CSP](policy-configuration-service-provider.md) | Added the following new policies for Windows 10, version 1803:
      - ApplicationDefaults/EnableAppUriHandlers
      - ApplicationManagement/MSIAllowUserControlOverInstall
      - ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges
      - Bluetooth/AllowPromptedProximalConnections
      - Browser/AllowConfigurationUpdateForBooksLibrary
      - Browser/AlwaysEnableBooksLibrary
      - Browser/EnableExtendedBooksTelemetry
      - Browser/UseSharedFolderForBooks
      - Connectivity/AllowPhonePCLinking
      - DeliveryOptimization/DODelayBackgroundDownloadFromHttp
      - DeliveryOptimization/DODelayForegroundDownloadFromHttp
      - DeliveryOptimization/DOGroupIdSource
      - DeliveryOptimization/DOPercentageMaxBackDownloadBandwidth
      - DeliveryOptimization/DOPercentageMaxForeDownloadBandwidth
      - DeliveryOptimization/DORestrictPeerSelectionBy
      - DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth
      - DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth
      - Display/DisablePerProcessDpiForApps
      - Display/EnablePerProcessDpi
      - Display/EnablePerProcessDpiForApps
      - Experience/AllowWindowsSpotlightOnSettings
      - KioskBrowser/BlockedUrlExceptions
      - KioskBrowser/BlockedUrls
      - KioskBrowser/DefaultURL
      - KioskBrowser/EnableEndSessionButton
      - KioskBrowser/EnableHomeButton
      - KioskBrowser/EnableNavigationButtons
      - KioskBrowser/RestartOnIdleTime
      - LanmanWorkstation/EnableInsecureGuestLogons
      - LocalPoliciesSecurityOptions/Devices_AllowUndockWithoutHavingToLogon
      - LocalPoliciesSecurityOptions/Devices_AllowedToFormatAndEjectRemovableMedia
      - LocalPoliciesSecurityOptions/Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters
      - LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly
      - LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior
      - LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees
      - LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers
      - LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways
      - LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees
      - LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts
      - LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares
      - LocalPoliciesSecurityOptions/NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares
      - LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM
      - LocalPoliciesSecurityOptions/NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange
      - LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel
      - LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers
      - LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AddRemoteServerExceptionsForNTLMAuthentication
      - LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic
      - LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic
      - LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers
      - LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile
      - LocalPoliciesSecurityOptions/UserAccountControl_DetectApplicationInstallationsAndPromptForElevation
      - LocalPoliciesSecurityOptions/UserAccountControl_UseAdminApprovalMode
      - Notifications/DisallowCloudNotification
      - RestrictedGroups/ConfigureGroupMembership
      - Search/AllowCortanaInAAD
      - Search/DoNotUseWebResults
      - Security/ConfigureWindowsPasswords
      - Start/DisableContextMenus
      - System/FeedbackHubAlwaysSaveDiagnosticsLocally
      - SystemServices/ConfigureHomeGroupListenerServiceStartupMode
      - SystemServices/ConfigureHomeGroupProviderServiceStartupMode
      - SystemServices/ConfigureXboxAccessoryManagementServiceStartupMode
      - SystemServices/ConfigureXboxLiveAuthManagerServiceStartupMode
      - SystemServices/ConfigureXboxLiveGameSaveServiceStartupMode
      - SystemServices/ConfigureXboxLiveNetworkingServiceStartupMode
      - TaskScheduler/EnableXboxGameSaveTask
      - TextInput/EnableTouchKeyboardAutoInvokeInDesktopMode
      - TextInput/ForceTouchKeyboardDockedState
      - TextInput/TouchKeyboardDictationButtonAvailability
      - TextInput/TouchKeyboardEmojiButtonAvailability
      - TextInput/TouchKeyboardFullModeAvailability
      - TextInput/TouchKeyboardHandwritingModeAvailability
      - TextInput/TouchKeyboardNarrowModeAvailability
      - TextInput/TouchKeyboardSplitModeAvailability
      - TextInput/TouchKeyboardWideModeAvailability
      - Update/ConfigureFeatureUpdateUninstallPeriod
      - Update/TargetReleaseVersion
      - UserRights/AccessCredentialManagerAsTrustedCaller
      - UserRights/AccessFromNetwork
      - UserRights/ActAsPartOfTheOperatingSystem
      - UserRights/AllowLocalLogOn
      - UserRights/BackupFilesAndDirectories
      - UserRights/ChangeSystemTime
      - UserRights/CreateGlobalObjects
      - UserRights/CreatePageFile
      - UserRights/CreatePermanentSharedObjects
      - UserRights/CreateSymbolicLinks
      - UserRights/CreateToken
      - UserRights/DebugPrograms
      - UserRights/DenyAccessFromNetwork
      - UserRights/DenyLocalLogOn
      - UserRights/DenyRemoteDesktopServicesLogOn
      - UserRights/EnableDelegation
      - UserRights/GenerateSecurityAudits
      - UserRights/ImpersonateClient
      - UserRights/IncreaseSchedulingPriority
      - UserRights/LoadUnloadDeviceDrivers
      - UserRights/LockMemory
      - UserRights/ManageAuditingAndSecurityLog
      - UserRights/ManageVolume
      - UserRights/ModifyFirmwareEnvironment
      - UserRights/ModifyObjectLabel
      - UserRights/ProfileSingleProcess
      - UserRights/RemoteShutdown
      - UserRights/RestoreFilesAndDirectories
      - UserRights/TakeOwnership
      - WindowsDefenderSecurityCenter/DisableAccountProtectionUI
      - WindowsDefenderSecurityCenter/DisableDeviceSecurityUI
      - WindowsDefenderSecurityCenter/HideRansomwareDataRecovery
      - WindowsDefenderSecurityCenter/HideSecureBoot
      - WindowsDefenderSecurityCenter/HideTPMTroubleshooting
      - Security/RequireDeviceEncryption - updated to show it is supported in desktop. | -| [Accounts CSP](accounts-csp.md) | Added a new CSP in Windows 10, version 1803. | -| [AccountManagement CSP](accountmanagement-csp.md) | Added a new CSP in Windows 10, version 1803. | -| [AssignedAccess CSP](assignedaccess-csp.md) | Added the following nodes in Windows 10, version 1803:
      - Status
      - ShellLauncher
      - StatusConfiguration

      Updated the AssigneAccessConfiguration schema. Starting in Windows 10, version 1803 AssignedAccess CSP is supported in HoloLens (1st gen) Commercial Suite. Added example for HoloLens (1st gen) Commercial Suite. | -| [BitLocker CSP](bitlocker-csp.md) | Updated the description for AllowWarningForOtherDiskEncryption to describe changes added in Windows 10, version 1803. | -| [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download) | Added the DDF download of Windows 10, version 1803 configuration service providers. | -| [Defender CSP](defender-csp.md) | Added new node (OfflineScan) in Windows 10, version 1803. | -| [DeviceStatus CSP](devicestatus-csp.md) | Added the following node in Windows 10, version 1803:
      - OS/Mode | -| [DMClient CSP](dmclient-csp.md) | Added ./User/Vendor/MSFT/DMClient/Provider/[ProviderID]/FirstSyncStatus node. Also added the following nodes in Windows 10, version 1803:
      - AADSendDeviceToken
      - BlockInStatusPage
      - AllowCollectLogsButton
      - CustomErrorText
      - SkipDeviceStatusPage
      - SkipUserStatusPage | -| [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) | Added the following node in Windows 10, version 1803:
      - MaintainProcessorArchitectureOnUpdate | -| [eUICCs CSP](euiccs-csp.md) | Added the following node in Windows 10, version 1803:
      - IsEnabled | -| [MDM Migration Analysis Too (MMAT)](https://aka.ms/mmat) | MDM Migration Analysis Too (MMAT)
      Updated version available. MMAT is a tool you can use to determine which Group Policies are set on a target user/computer and cross-reference them against the list of supported MDM policies. | -| [MultiSIM CSP](multisim-csp.md) | Added a new CSP in Windows 10, version 1803. | -| [NetworkProxy CSP](networkproxy-csp.md) | Added the following node in Windows 10, version 1803:
      - ProxySettingsPerUser | -| [RootCATrustedCertificates CSP](rootcacertificates-csp.md) | Added the following node in Windows 10, version 1803:
      - UntrustedCertificates | -| [UEFI CSP](uefi-csp.md) | Added a new CSP in Windows 10, version 1803. | -| [Update CSP](update-csp.md) | Added the following nodes in Windows 10, version 1803:
      - Rollback
      - Rollback/FeatureUpdate
      - Rollback/QualityUpdateStatus
      - Rollback/FeatureUpdateStatus | - -## What’s new in MDM for Windows 10, version 1709 - -| New or updated article | Description | -|-----|-----| -| The [The [MS-MDE2]: Mobile Device Enrollment Protocol Version 2](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692) | The Windows 10 enrollment protocol was updated. The following elements were added to the RequestSecurityToken message:
      - UXInitiated - boolean value that indicates whether the enrollment is user initiated from the Settings page.
      -ExternalMgmtAgentHint - a string the agent uses to give hints the enrollment server may need.
      - DomainName - fully qualified domain name if the device is domain-joined. | -| [Firewall CSP](firewall-csp.md) | Added new CSP in Windows 10, version 1709. | -| [eUICCs CSP](euiccs-csp.md) | Added new CSP in Windows 10, version 1709. | -| [WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md)
      [WindowsDefenderApplicationGuard DDF file](windowsdefenderapplicationguard-ddf-file.md) | New CSP added in Windows 10, version 1709. Also added the DDF topic. | -| [CM_ProxyEntries CSP](cm-proxyentries-csp.md) and [CMPolicy CSP](cmpolicy-csp.md) | In Windows 10, version 1709, support for desktop SKUs were added to these CSPs. | -| [VPNv2 CSP](vpnv2-csp.md) | Added DeviceTunnel and RegisterDNS settings in Windows 10, version 1709. | -| [DeviceStatus CSP](devicestatus-csp.md) | Added the following settings in Windows 10, version 1709:
      - DeviceStatus/DomainName
      - DeviceStatus/DeviceGuard/VirtualizationBasedSecurityHwReq
      - DeviceStatus/DeviceGuard/VirtualizationBasedSecurityStatus
      - DeviceStatus/DeviceGuard/LsaCfgCredGuardStatus | -| [AssignedAccess CSP](assignedaccess-csp.md) | Added the following setting in Windows 10, version 1709:
      - Configuration
      Starting in Windows 10, version 1709, AssignedAccess CSP is supported in Windows 10 Pro. | -| [DeviceManageability CSP](devicemanageability-csp.md) | Added the following settings in Windows 10, version 1709:
      - Provider/_ProviderID_/ConfigInfo
      - Provider/_ProviderID_/EnrollmentInfo | -| [Office CSP](office-csp.md) | Added the following setting in Windows 10, version 1709:
      - Installation/CurrentStatus | -| [DMClient CSP](dmclient-csp.md) | Added new nodes to the DMClient CSP in Windows 10, version 1709. Updated the CSP and DDF articles. | -| [Bitlocker CSP](bitlocker-csp.md) | Changed the minimum personal identification number (PIN) length to 4 digits in SystemDrivesRequireStartupAuthentication and SystemDrivesMinimumPINLength in Windows 10, version 1709. | -| [ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) | Added new policies. | -| Microsoft Store for Business and Microsoft Store | Windows Store for Business name changed to Microsoft Store for Business. Windows Store name changed to Microsoft Store. | -| [MDM enrollment of Windows-based devices](mdm-enrollment-of-windows-devices.md) | New features in the Settings app:
      - User sees installation progress of critical policies during MDM enrollment.
      - User knows what policies, profiles, apps MDM has configured
      - IT helpdesk can get detailed MDM diagnostic information using client tools
      For details, see [Managing connection](./mdm-enrollment-of-windows-devices.md#manage-connections) and [Collecting diagnostic logs](./mdm-enrollment-of-windows-devices.md#collecting-diagnostic-logs).| -| [Enroll a Windows 10 device automatically using Group Policy](enroll-a-windows-10-device-automatically-using-group-policy.md) | Added new topic to introduce a new Group Policy for automatic MDM enrollment. | -| [Policy CSP](policy-configuration-service-provider.md) | Added the following new policies for Windows 10, version 1709:
      - Authentication/AllowAadPasswordReset
      - Authentication/AllowFidoDeviceSignon
      - Browser/LockdownFavorites
      - Browser/ProvisionFavorites
      - Cellular/LetAppsAccessCellularData
      - Cellular/LetAppsAccessCellularData_ForceAllowTheseApps
      - Cellular/LetAppsAccessCellularData_ForceDenyTheseApps
      - Cellular/LetAppsAccessCellularData_UserInControlOfTheseApps
      - CredentialProviders/DisableAutomaticReDeploymentCredentials
      - DeviceGuard/EnableVirtualizationBasedSecurity
      - DeviceGuard/RequirePlatformSecurityFeatures
      - DeviceGuard/LsaCfgFlags
      - DeviceLock/MinimumPasswordAge
      - ExploitGuard/ExploitProtectionSettings
      - Games/AllowAdvancedGamingServices
      - Handwriting/PanelDefaultModeDocked
      - LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts
      - LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly
      - LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount
      - LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount
      - LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked
      - LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayLastSignedIn
      - LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayUsernameAtSignIn
      - LocalPoliciesSecurityOptions/Interactivelogon_DoNotRequireCTRLALTDEL
      - LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit
      - LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn
      - LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn
      - LocalPoliciesSecurityOptions/NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM
      - LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests
      - LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn
      - LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation
      - LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators
      - LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers
      - LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated
      - LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations
      - LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode
      - LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation
      - LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations
      - Power/DisplayOffTimeoutOnBattery
      - Power/DisplayOffTimeoutPluggedIn
      - Power/HibernateTimeoutOnBattery
      - Power/HibernateTimeoutPluggedIn
      - Power/StandbyTimeoutOnBattery
      - Power/StandbyTimeoutPluggedIn
      - Privacy/EnableActivityFeed
      - Privacy/PublishUserActivities
      - Defender/AttackSurfaceReductionOnlyExclusions
      - Defender/AttackSurfaceReductionRules
      - Defender/CloudBlockLevel
      - Defender/CloudExtendedTimeout
      - Defender/ControlledFolderAccessAllowedApplications
      - Defender/ControlledFolderAccessProtectedFolders
      - Defender/EnableControlledFolderAccess
      - Defender/EnableNetworkProtection
      - Education/DefaultPrinterName
      - Education/PreventAddingNewPrinters
      - Education/PrinterNames
      - Search/AllowCloudSearch
      - Security/ClearTPMIfNotReady
      - Settings/AllowOnlineTips
      - Start/HidePeopleBar
      - Storage/AllowDiskHealthModelUpdates
      - System/DisableEnterpriseAuthProxy
      - System/LimitEnhancedDiagnosticDataWindowsAnalytics
      - Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork
      - Update/DisableDualScan
      - Update/ManagePreviewBuilds
      - Update/ScheduledInstallEveryWeek
      - Update/ScheduledInstallFirstWeek
      - Update/ScheduledInstallFourthWeek
      - Update/ScheduledInstallSecondWeek
      - Update/ScheduledInstallThirdWeek
      - WindowsDefenderSecurityCenter/CompanyName
      - WindowsDefenderSecurityCenter/DisableAppBrowserUI
      - WindowsDefenderSecurityCenter/DisableEnhancedNotifications
      - WindowsDefenderSecurityCenter/DisableFamilyUI
      - WindowsDefenderSecurityCenter/DisableHealthUI
      - WindowsDefenderSecurityCenter/DisableNetworkUI
      - WindowsDefenderSecurityCenter/DisableNotifications
      - WindowsDefenderSecurityCenter/DisableVirusUI
      - WindowsDefenderSecurityCenter/DisallowExploitProtectionOverride
      - WindowsDefenderSecurityCenter/Email
      - WindowsDefenderSecurityCenter/EnableCustomizedToasts
      - WindowsDefenderSecurityCenter/EnableInAppCustomization
      - WindowsDefenderSecurityCenter/Phone
      - WindowsDefenderSecurityCenter/URL
      - WirelessDisplay/AllowMdnsAdvertisement
      - WirelessDisplay/AllowMdnsDiscovery | - - -## What’s new in MDM for Windows 10, version 1703 - -| New or updated article | Description | -|-----|-----| -| [Update CSP](update-csp.md) | Added the following nodes:
      - FailedUpdates/_Failed Update Guid_/RevisionNumber
      - InstalledUpdates/_Installed Update Guid_/RevisionNumber
      - PendingRebootUpdates/_Pending Reboot Update Guid_/RevisionNumber | -| [CM_CellularEntries CSP](cm-cellularentries-csp.md) | To PurposeGroups setting, added the following values:
      - Purchase - 95522B2B-A6D1-4E40-960B-05E6D3F962AB
      - Administrative - 2FFD9261-C23C-4D27-8DCF-CDE4E14A3364 | -| [CertificateStore CSP](certificatestore-csp.md) | Added the following setting:
      - My/WSTEP/Renew/RetryAfterExpiryInterval | -| [ClientCertificateInstall CSP](clientcertificateinstall-csp.md) | Added the following setting:
      - SCEP/UniqueID/Install/AADKeyIdentifierList | -| [DMAcc CSP](dmacc-csp.md) | Added the following setting:
      - AccountUID/EXT/Microsoft/InitiateSession | -| [DMClient CSP](dmclient-csp.md) | Added the following nodes and settings:
      - HWDevID
      - Provider/ProviderID/ManagementServerToUpgradeTo
      - Provider/ProviderID/CustomEnrollmentCompletePage
      - Provider/ProviderID/CustomEnrollmentCompletePage/Title
      - Provider/ProviderID/CustomEnrollmentCompletePage/BodyText
      - Provider/ProviderID/CustomEnrollmentCompletePage/HyperlinkHref
      - Provider/ProviderID/CustomEnrollmentCompletePage/HyperlinkText | -| [CellularSettings CSP](cellularsettings-csp.md)
      [CM_CellularEntries CSP](cm-cellularentries-csp.md)
      [EnterpriseAPN CSP](enterpriseapn-csp.md) | For these CSPs, support was added for Windows 10 Home, Pro, Enterprise, and Education editions. | -| [SecureAssessment CSP](secureassessment-csp.md) | Added the following settings:
      - AllowTextSuggestions
      - RequirePrinting | -| [EnterpriseAPN CSP](enterpriseapn-csp.md) | Added the following setting:
      - Roaming | -| [Policy CSP](policy-configuration-service-provider.md) | Added the following new policies:
      - Accounts/AllowMicrosoftAccountSignInAssistant
      - ApplicationDefaults/DefaultAssociationsConfiguration
      - Browser/AllowAddressBarDropdown
      - Browser/AllowFlashClickToRun
      - Browser/AllowMicrosoftCompatibilityList
      - Browser/AllowSearchEngineCustomization
      - Browser/ClearBrowsingDataOnExit
      - Browser/ConfigureAdditionalSearchEngines
      - Browser/DisableLockdownOfStartPages
      - Browser/PreventFirstRunPage
      - Browser/PreventLiveTileDataCollection
      - Browser/SetDefaultSearchEngine
      - Browser/SyncFavoritesBetweenIEAndMicrosoftEdge
      - Connectivity/AllowConnectedDevices
      - DeliveryOptimization/DOAllowVPNPeerCaching
      - DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload
      - DeliveryOptimization/DOMinDiskSizeAllowedToPeer
      - DeliveryOptimization/DOMinFileSizeToCache
      - DeliveryOptimization/DOMinRAMAllowedToPeer
      - DeviceLock/MaxInactivityTimeDeviceLockWithExternalDisplay
      - Display/TurnOffGdiDPIScalingForApps
      - Display/TurnOnGdiDPIScalingForApps
      - EnterpriseCloudPrint/CloudPrinterDiscoveryEndPoint
      - EnterpriseCloudPrint/CloudPrintOAuthAuthority
      - EnterpriseCloudPrint/CloudPrintOAuthClientId
      - EnterpriseCloudPrint/CloudPrintResourceId
      - EnterpriseCloudPrint/DiscoveryMaxPrinterLimit
      - EnterpriseCloudPrint/MopriaDiscoveryResourceId
      - Experience/AllowFindMyDevice
      - Experience/AllowTailoredExperiencesWithDiagnosticData
      - Experience/AllowWindowsSpotlightOnActionCenter
      - Experience/AllowWindowsSpotlightWindowsWelcomeExperience
      - Location/EnableLocation
      - Messaging/AllowMMS
      - Messaging/AllowRCS
      - Privacy/LetAppsAccessTasks
      - Privacy/LetAppsAccessTasks_ForceAllowTheseApps
      - Privacy/LetAppsAccessTasks_ForceDenyTheseApps
      - Privacy/LetAppsAccessTasks_UserInControlOfTheseApps
      - Privacy/LetAppsGetDiagnosticInfo
      - Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps
      - Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps
      - Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps
      - Privacy/LetAppsRunInBackground
      - Privacy/LetAppsRunInBackground_ForceAllowTheseApps
      - Privacy/LetAppsRunInBackground_ForceDenyTheseApps
      - Privacy/LetAppsRunInBackground_UserInControlOfTheseApps
      - Settings/ConfigureTaskbarCalendar
      - Settings/PageVisibilityList
      - SmartScreen/EnableAppInstallControl
      - SmartScreen/EnableSmartScreenInShell
      - SmartScreen/PreventOverrideForFilesInShell
      - Start/AllowPinnedFolderDocuments
      - Start/AllowPinnedFolderDownloads
      - Start/AllowPinnedFolderFileExplorer
      - Start/AllowPinnedFolderHomeGroup
      - Start/AllowPinnedFolderMusic
      - Start/AllowPinnedFolderNetwork
      - Start/AllowPinnedFolderPersonalFolder
      - Start/AllowPinnedFolderPictures
      - Start/AllowPinnedFolderSettings
      - Start/AllowPinnedFolderVideos
      - Start/HideAppList
      - Start/HideChangeAccountSettings
      - Start/HideFrequentlyUsedApps
      - Start/HideHibernate
      - Start/HideLock
      - Start/HidePowerButton
      - Start/HideRecentJumplists
      - Start/HideRecentlyAddedApps
      - Start/HideRestart
      - Start/HideShutDown
      - Start/HideSignOut
      - Start/HideSleep
      - Start/HideSwitchAccount
      - Start/HideUserTile
      - Start/ImportEdgeAssets
      - Start/NoPinningToTaskbar
      - System/AllowFontProviders
      - System/DisableOneDriveFileSync
      - TextInput/AllowKeyboardTextSuggestions
      - TimeLanguageSettings/AllowSet24HourClock
      - Update/ActiveHoursMaxRange
      - Update/AutoRestartDeadlinePeriodInDays
      - Update/AutoRestartNotificationSchedule
      - Update/AutoRestartRequiredNotificationDismissal
      - Update/DetectionFrequency
      - Update/EngagedRestartDeadline
      - Update/EngagedRestartSnoozeSchedule
      - Update/EngagedRestartTransitionSchedule
      - Update/IgnoreMOAppDownloadLimit
      - Update/IgnoreMOUpdateDownloadLimit
      - Update/PauseFeatureUpdatesStartTime
      - Update/PauseQualityUpdatesStartTime
      - Update/SetAutoRestartNotificationDisable
      - Update/SetEDURestart
      - WiFi/AllowWiFiDirect
      - WindowsLogon/HideFastUserSwitching
      - WirelessDisplay/AllowProjectionFromPC
      - WirelessDisplay/AllowProjectionFromPCOverInfrastructure
      - WirelessDisplay/AllowProjectionToPCOverInfrastructure
      - WirelessDisplay/AllowUserInputFromWirelessDisplayReceiver
      Removed TextInput/AllowLinguisticDataCollection
      Starting in Windows 10, version 1703, Update/UpdateServiceUrl is not supported in IoT Enterprise
      Starting in Windows 10, version 1703, the maximum value of Update/DeferFeatureUpdatesPeriodInDays has been increased from 180 days, to 365 days.
      Starting in Windows 10, version 1703, in Browser/HomePages you can use the "<about:blank>" value if you don’t want to send traffic to Microsoft.
      Starting in Windows 10, version 1703, Start/StartLayout can now be set on a per-device basis in addition to the pre-existing per-user basis.
      Added the ConfigOperations/ADMXInstall node and setting, which is used to ingest ADMX files. | -| [DevDetail CSP](devdetail-csp.md) | Added the following setting:
      - DeviceHardwareData | -| [CleanPC CSP](cleanpc-csp.md) | Added the new CSP. | -| [DeveloperSetup CSP](developersetup-csp.md) | Added the new CSP. | -| [NetworkProxy CSP](networkproxy-csp.md) | Added the new CSP. | -| [BitLocker CSP](bitlocker-csp.md) | Added the new CSP.

      Added the following setting:
      - AllowWarningForOtherDiskEncryption | -| [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md) | Starting in Windows 10, version 1703, AllowUserDecryption is no longer supported.
      Added the following settings:
      - RevokeOnMDMHandoff
      - SMBAutoEncryptedFileExtensions | -| [DynamicManagement CSP](dynamicmanagement-csp.md) | Added the new CSP. | -| [Implement server-side support for mobile application management on Windows](./implement-server-side-mobile-application-management.md) | New mobile application management (MAM) support added in Windows 10, version 1703. | -| [PassportForWork CSP](passportforwork-csp.md) | Added the following new node and settings:
      - _TenantId_/Policies/ExcludeSecurityDevices (only for ./Device/Vendor/MSFT)
      - _TenantId_/Policies/ExcludeSecurityDevices/TPM12 (only for ./Device/Vendor/MSFT)
      - _TenantId_/Policies/EnablePinRecovery | -| [Office CSP](office-csp.md) | Added the new CSP. | -| [Personalization CSP](personalization-csp.md) | Added the new CSP. | -| [EnterpriseAppVManagement CSP](enterpriseappvmanagement-csp.md) | Added the new CSP. | -| [HealthAttestation CSP](healthattestation-csp.md) | Added the following settings:
      - HASEndpoint - added in Windows 10, version 1607, but not documented
      - TpmReadyStatus - added in the March service release of Windows 10, version 1607 | -| [SurfaceHub CSP](surfacehub-csp.md) | Added the following nodes and settings:
      - InBoxApps/SkypeForBusiness
      - InBoxApps/SkypeForBusiness/DomainName
      - InBoxApps/Connect
      - InBoxApps/Connect/AutoLaunch
      - Properties/DefaultVolume
      - Properties/ScreenTimeout
      - Properties/SessionTimeout
      - Properties/SleepTimeout
      - Properties/AllowSessionResume
      - Properties/AllowAutoProxyAuth
      - Properties/DisableSigninSuggestions
      - Properties/DoNotShowMyMeetingsAndFiles | -| [NetworkQoSPolicy CSP](networkqospolicy-csp.md) | Added the new CSP. | -| [WindowsLicensing CSP](windowslicensing-csp.md) | Added the following setting:
      - ChangeProductKey | -| [WindowsAdvancedThreatProtection CSP](windowsadvancedthreatprotection-csp.md) | Added the following setting:
      - Configuration/TelemetryReportingFrequency | -| [DMSessionActions CSP](dmsessionactions-csp.md) | Added the new CSP. | -| [SharedPC CSP](dmsessionactions-csp.md) | Added new settings in Windows 10, version 1703:
      - RestrictLocalStorage
      - KioskModeAUMID
      - KioskModeUserTileDisplayText
      - InactiveThreshold
      - MaxPageFileSizeMB
      The default value for SetEduPolicies changed to false. The default value for SleepTimeout changed to 300. | -| [RemoteLock CSP](remotelock-csp.md) | Added following setting:
      - LockAndRecoverPIN | -| [NodeCache CSP](nodecache-csp.md) | Added following settings:
      - ChangedNodesData
      - AutoSetExpectedValue | -| [Download all the DDF files for Windows 10, version 1703](https://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip) | Added a zip file containing the DDF XML files of the CSPs. The link to the download is available in the DDF articles of various CSPs. | -| [RemoteWipe CSP](remotewipe-csp.md) | Added new setting in Windows 10, version 1703:
      - doWipeProtected | -| [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal) | Added new classes and properties. | -| [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md) | Added a section describing SyncML examples of various ADMX elements. | -| [Win32 and Desktop Bridge app policy configuration](./win32-and-centennial-app-policy-configuration.md) | New article. | -| [Deploy and configure App-V apps using MDM](./appv-deploy-and-config.md) | Added a new article describing how to deploy and configure App-V apps using MDM. | -| [EnterpriseDesktopAppManagement CSP](enterprisedesktopappmanagement-csp.md) | Added new setting in the March service release of Windows 10, version 1607.
      - MSI/UpgradeCode/[Guid] | -| [Reporting CSP](reporting-csp.md) | Added new settings in Windows 10, version 1703.
      - EnterpriseDataProtection/RetrieveByTimeRange/Type
      - EnterpriseDataProtection/RetrieveByCount/Type | -| [Connect your Windows 10-based device to work using a deep link](./mdm-enrollment-of-windows-devices.md#connect-your-windows-10-based-device-to-work-using-a-deep-link) | Added following deep link parameters to the table:
      - Username
      - Servername
      - Accesstoken
      - Deviceidentifier
      - Tenantidentifier
      - Ownership | -| MDM support for Windows 10 S | Updated the following articles to indicate MDM support in Windows 10 S.
      - [Configuration service provider reference](configuration-service-provider-reference.md)
      - [Policy CSP](policy-configuration-service-provider.md) | -| [TPMPolicy CSP](tpmpolicy-csp.md) | Added the new CSP. | - -## What’s new in MDM for Windows 10, version 1607 - -| New or updated article | Description | -|-----|-----| -| Sideloading of apps | Starting in Windows 10, version 1607, sideloading of apps is only allowed through [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md). Product keys (5x5) will no longer be supported to enable sideloading on Windows 10, version 1607 devices. | -| [NodeCache CSP](nodecache-csp.md) | The value of NodeCache root node starting in Windows 10, version 1607 is com.microsoft/1.0/MDM/NodeCache. | -| [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md) | New CSP. | -| [Policy CSP](policy-configuration-service-provider.md) | Removed the following policies:
      - DataProtection/AllowAzureRMSForEDP - moved this policy to [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md)
      - DataProtection/AllowUserDecryption - moved this policy to [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md)
      - DataProtection/EDPEnforcementLevel - moved this policy to [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md)
      - DataProtection/RequireProtectionUnderLockConfig - moved this policy to [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md)
      - DataProtection/RevokeOnUnenroll - moved this policy to [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md)
      - DataProtection/EnterpriseCloudResources - moved this policy to NetworkIsolation policy
      - DataProtection/EnterpriseInternalProxyServers - moved this policy to NetworkIsolation policy
      - DataProtection/EnterpriseIPRange - moved this policy to NetworkIsolation policy
      - DataProtection/EnterpriseNetworkDomainNames - moved this policy to NetworkIsolation policy
      - DataProtection/EnterpriseProxyServers - moved this policy to NetworkIsolation policy
      - Security/AllowAutomaticDeviceEncryptionForAzureADJoinedDevices - this policy has been deprecated.

      Added the WiFi/AllowManualWiFiConfiguration and WiFi/AllowWiFi policies for Windows 10, version 1607:
      - Windows 10 Pro
      - Windows 10 Enterprise
      - Windows 10 Education

      Added the following new policies:
      - AboveLock/AllowCortanaAboveLock
      - ApplicationManagement/DisableStoreOriginatedApps
      - Authentication/AllowSecondaryAuthenticationDevice
      - Bluetooth/AllowPrepairing
      - Browser/AllowExtensions
      - Browser/PreventAccessToAboutFlagsInMicrosoftEdge
      - Browser/ShowMessageWhenOpeningSitesInInternetExplorer
      - DeliveryOptimization/DOAbsoluteMaxCacheSize
      - DeliveryOptimization/DOMaxDownloadBandwidth
      - DeliveryOptimization/DOMinBackgroundQoS
      - DeliveryOptimization/DOModifyCacheDrive
      - DeliveryOptimization/DOMonthlyUploadDataCap
      - DeliveryOptimization/DOPercentageMaxDownloadBandwidth
      - DeviceLock/EnforceLockScreenAndLogonImage
      - DeviceLock/EnforceLockScreenProvider
      - Defender/PUAProtection
      - Experience/AllowThirdPartySuggestionsInWindowsSpotlight
      - Experience/AllowWindowsSpotlight
      - Experience/ConfigureWindowsSpotlightOnLockScreen
      - Experience/DoNotShowFeedbackNotifications
      - Licensing/AllowWindowsEntitlementActivation
      - Licensing/DisallowKMSClientOnlineAVSValidation
      - LockDown/AllowEdgeSwipe
      - Maps/EnableOfflineMapsAutoUpdate
      - Maps/AllowOfflineMapsDownloadOverMeteredConnection
      - Messaging/AllowMessageSync
      - NetworkIsolation/EnterpriseCloudResources
      - NetworkIsolation/EnterpriseInternalProxyServers
      - NetworkIsolation/EnterpriseIPRange
      - NetworkIsolation/EnterpriseIPRangesAreAuthoritative
      - NetworkIsolation/EnterpriseNetworkDomainNames
      - NetworkIsolation/EnterpriseProxyServers
      - NetworkIsolation/EnterpriseProxyServersAreAuthoritative
      - NetworkIsolation/NeutralResources
      - Notifications/DisallowNotificationMirroring
      - Privacy/DisableAdvertisingId
      - Privacy/LetAppsAccessAccountInfo
      - Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps
      - Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps
      - Privacy/LetAppsAccessAccountInfo_UserInControlOfTheseApps
      - Privacy/LetAppsAccessCalendar
      - Privacy/LetAppsAccessCalendar_ForceAllowTheseApps
      - Privacy/LetAppsAccessCalendar_ForceDenyTheseApps
      - Privacy/LetAppsAccessCalendar_UserInControlOfTheseApps
      - Privacy/LetAppsAccessCallHistory
      - Privacy/LetAppsAccessCallHistory_ForceAllowTheseApps
      - Privacy/LetAppsAccessCallHistory_ForceDenyTheseApps
      - Privacy/LetAppsAccessCallHistory_UserInControlOfTheseApps
      - Privacy/LetAppsAccessCamera
      - Privacy/LetAppsAccessCamera_ForceAllowTheseApps
      - Privacy/LetAppsAccessCamera_ForceDenyTheseApps
      - Privacy/LetAppsAccessCamera_UserInControlOfTheseApps
      - Privacy/LetAppsAccessContacts
      - Privacy/LetAppsAccessContacts_ForceAllowTheseApps
      - Privacy/LetAppsAccessContacts_ForceDenyTheseApps
      - Privacy/LetAppsAccessContacts_UserInControlOfTheseApps
      - Privacy/LetAppsAccessEmail
      - Privacy/LetAppsAccessEmail_ForceAllowTheseApps
      - Privacy/LetAppsAccessEmail_ForceDenyTheseApps
      - Privacy/LetAppsAccessEmail_UserInControlOfTheseApps
      - Privacy/LetAppsAccessLocation
      - Privacy/LetAppsAccessLocation_ForceAllowTheseApps
      - Privacy/LetAppsAccessLocation_ForceDenyTheseApps
      - Privacy/LetAppsAccessLocation_UserInControlOfTheseApps
      - Privacy/LetAppsAccessMessaging
      - Privacy/LetAppsAccessMessaging_ForceAllowTheseApps
      - Privacy/LetAppsAccessMessaging_ForceDenyTheseApps
      - Privacy/LetAppsAccessMessaging_UserInControlOfTheseApps
      - Privacy/LetAppsAccessMicrophone
      - Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps
      - Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps
      - Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps
      - Privacy/LetAppsAccessMotion
      - Privacy/LetAppsAccessMotion_ForceAllowTheseApps
      - Privacy/LetAppsAccessMotion_ForceDenyTheseApps
      - Privacy/LetAppsAccessMotion_UserInControlOfTheseApps
      - Privacy/LetAppsAccessNotifications
      - Privacy/LetAppsAccessNotifications_ForceAllowTheseApps
      - Privacy/LetAppsAccessNotifications_ForceDenyTheseApps
      - Privacy/LetAppsAccessNotifications_UserInControlOfTheseApps
      - Privacy/LetAppsAccessPhone
      - Privacy/LetAppsAccessPhone_ForceAllowTheseApps
      - Privacy/LetAppsAccessPhone_ForceDenyTheseApps
      - Privacy/LetAppsAccessPhone_UserInControlOfTheseApps
      - Privacy/LetAppsAccessRadios
      - Privacy/LetAppsAccessRadios_ForceAllowTheseApps
      - Privacy/LetAppsAccessRadios_ForceDenyTheseApps
      - Privacy/LetAppsAccessRadios_UserInControlOfTheseApps
      - Privacy/LetAppsAccessTrustedDevices
      - Privacy/LetAppsAccessTrustedDevices_ForceAllowTheseApps
      - Privacy/LetAppsAccessTrustedDevices_ForceDenyTheseApps
      - Privacy/LetAppsAccessTrustedDevices_UserInControlOfTheseApps
      - Privacy/LetAppsSyncWithDevices
      - Privacy/LetAppsSyncWithDevices_ForceAllowTheseApps
      - Privacy/LetAppsSyncWithDevices_ForceDenyTheseApps
      - Privacy/LetAppsSyncWithDevices_UserInControlOfTheseApps
      - Security/PreventAutomaticDeviceEncryptionForAzureADJoinedDevices
      - Settings/AllowEditDeviceName
      - Speech/AllowSpeechModelUpdate
      - System/TelemetryProxy
      - Update/ActiveHoursStart
      - Update/ActiveHoursEnd
      - Update/AllowMUUpdateService
      - Update/BranchReadinessLevel
      - Update/DeferFeatureUpdatesPeriodInDays
      - Update/DeferQualityUpdatesPeriodInDays
      - Update/ExcludeWUDriversInQualityUpdate
      - Update/PauseFeatureUpdates
      - Update/PauseQualityUpdates
      - Update/SetProxyBehaviorForUpdateDetection
      - Update/UpdateServiceUrlAlternate (Added in the January service release of Windows 10, version 1607)
      - WindowsInkWorkspace/AllowWindowsInkWorkspace
      - WindowsInkWorkspace/AllowSuggestedAppsInWindowsInkWorkspace
      - WirelessDisplay/AllowProjectionToPC
      - WirelessDisplay/RequirePinForPairing

      Updated the Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts description to remove outdated information.

      Updated DeliveryOptimization/DODownloadMode to add new values.

      Updated Experience/AllowCortana description to clarify what each supported value does.

      Updated Security/AntiTheftMode description to clarify what each supported value does. | -| [DMClient CSP](dmclient-csp.md) | Added the following settings:
      - ManagementServerAddressList
      - AADDeviceID
      - EnrollmentType
      - HWDevID
      - CommercialID

      Removed the EnrollmentID setting. | -| [DeviceManageability CSP](devicemanageability-csp.md) | New CSP. | -| [DeviceStatus CSP](devicestatus-csp.md) | Added the following new settings:
      - DeviceStatus/TPM/SpecificationVersion
      - DeviceStatus/OS/Edition
      - DeviceStatus/Antivirus/SignatureStatus
      - DeviceStatus/Antivirus/Status
      - DeviceStatus/Antispyware/SignatureStatus
      - DeviceStatus/Antispyware/Status
      - DeviceStatus/Firewall/Status
      - DeviceStatus/UAC/Status
      - DeviceStatus/Battery/Status
      - DeviceStatus/Battery/EstimatedChargeRemaining
      - DeviceStatus/Battery/EstimatedRuntime | -| [AssignedAccess CSP](assignedaccess-csp.md) | Added SyncML examples. | -| [EnterpriseAssignedAccess CSP](enterpriseassignedaccess-csp.md) | Added a new Folder table entry in the AssignedAccess/AssignedAccessXml description.
      Updated the DDF and XSD file sections. | -| [SecureAssessment CSP](secureassessment-csp.md) | New CSP. | -| [DiagnosticLog CSP](diagnosticlog-csp.md)
      [DiagnosticLog DDF](diagnosticlog-ddf.md) | Added version 1.3 of the CSP with two new settings.

      Added the new 1.3 version of the DDF.

      Added the following new settings in Windows 10, version 1607
      - DeviceStateData
      - DeviceStateData/MdmConfiguration | -| [Reboot CSP](reboot-csp.md) | New CSP. | -| [CMPolicyEnterprise CSP](cmpolicyenterprise-csp.md) | New CSP. | -| [VPNv2 CSP](vpnv2-csp.md) | Added the following settings for Windows 10, version 1607:
      - _ProfileName_/RouteList/routeRowId/ExclusionRoute
      - _ProfileName_/DomainNameInformationList/_dniRowId_/AutoTrigger
      - _ProfileName_/DomainNameInformationList/dniRowId/Persistent
      - _ProfileName_/ProfileXML
      - _ProfileName_/DeviceCompliance/Enabled
      - _ProfileName_/DeviceCompliance/Sso
      - _ProfileName_/DeviceCompliance/Sso/Enabled
      - _ProfileName_/DeviceCompliance/Sso/IssuerHash
      - _ProfileName_/DeviceCompliance/Sso/Eku
      - _ProfileName_/NativeProfile/CryptographySuite
      - _ProfileName_/NativeProfile/CryptographySuite/AuthenticationTransformConstants
      - _ProfileName_/NativeProfile/CryptographySuite/CipherTransformConstants
      - _ProfileName_/NativeProfile/CryptographySuite/EncryptionMethod
      - _ProfileName_/NativeProfile/CryptographySuite/IntegrityCheckMethod
      - _ProfileName_/NativeProfile/CryptographySuite/DHGroup
      - _ProfileName_/NativeProfile/CryptographySuite/PfsGroup
      - _ProfileName_/NativeProfile/L2tpPsk | -| [Win32AppInventory CSP](win32appinventory-csp.md) | New CSP. | -| [SharedPC CSP](sharedpc-csp.md) | New CSP. | -| [WindowsAdvancedThreatProtection CSP](windowsadvancedthreatprotection-csp.md) | New CSP. | -| [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal) | Added new classes for Windows 10, version 1607. | -| [MDM enrollment of Windows devices](mdm-enrollment-of-windows-devices.md) | Article renamed from "Enrollment UI".

      Completely updated enrollment procedures and screenshots. | -| [UnifiedWriteFilter CSP](unifiedwritefilter-csp.md)
      [UnifiedWriteFilter DDF File](unifiedwritefilter-ddf.md) | Added the following new setting for Windows 10, version 1607:
      - NextSession/HORMEnabled | -| [CertificateStore CSP](certificatestore-csp.md)
      [CertificateStore DDF file](certificatestore-ddf-file.md) | Added the following new settings in Windows 10, version 1607:
      - My/WSTEP/Renew/LastRenewalAttemptTime
      - My/WSTEP/Renew/RenewNow | -| [WindowsLicensing CSP](windowslicensing-csp.md) | Added the following new node and settings in Windows 10, version 1607, but not documented:
      - Subscriptions
      - Subscriptions/SubscriptionId
      - Subscriptions/SubscriptionId/Status
      - Subscriptions/SubscriptionId/Name | -| [WiFi CSP](wifi-csp.md) | Deprecated the following node in Windows 10, version 1607:
      - DisableInternetConnectivityChecks | - -## What’s new in MDM for Windows 10, version 1511 - -| New or updated article | Description | -|-----|-----| -| New configuration service providers added in Windows 10, version 1511 | - [AllJoynManagement CSP](alljoynmanagement-csp.md)
      - [Maps CSP](maps-csp.md)
      - [Reporting CSP](reporting-csp.md)
      - [SurfaceHub CSP](surfacehub-csp.md)
      - [WindowsSecurityAuditing CSP](windowssecurityauditing-csp.md) | -| [Policy CSP](policy-configuration-service-provider.md) | Added the following new policy settings:
      - ApplicationManagement/AllowWindowsBridgeForAndroidAppsExecution
      - Bluetooth/ServicesAllowedList
      - DataProtection/AllowAzureRMSForEDP
      - DataProtection/RevokeOnUnenroll
      - DeviceLock/DevicePasswordExpiration
      - DeviceLock/DevicePasswordHistory
      - TextInput/AllowInputPanel
      - Update/PauseDeferrals
      - Update/RequireDeferUpdate
      - Update/RequireUpdateApproval

      Updated the following policy settings:
      - System/AllowLocation
      - Update/RequireDeferUpgrade

      Deprecated the following policy settings:
      - TextInput/AllowKoreanExtendedHanja
      - WiFi/AllowWiFiHotSpotReporting | -| Management tool for the Microsoft Store for Business | New articles. The Store for Business has a new web service designed for the enterprise to acquire, manage, and distribute applications in bulk. It enables several capabilities that are required for the enterprise to manage the lifecycle of applications from acquisition to updates. | -| Custom header for generic alert | The MDM-GenericAlert is a new custom header that hosts one or more alert information provided in the http messages sent by the device to the server during an OMA DM session. The generic alert is sent if the session is triggered by the device due to one or more critical or fatal alerts. Here is alert format: `MDM-GenericAlert: `

      If present, the MDM-GenericAlert is presented in every the outgoing MDM message in the same OMA DM session. For more information about generic alerts, see section 8.7 in the OMA Device Management Protocol, Approved Version 1.2.1 in this [OMA website](https://go.microsoft.com/fwlink/p/?LinkId=267526). | -| Alert message for slow client response | When the MDM server sends a configuration request, sometimes it takes the client longer than the HTTP timeout to get all information together and then the session ends unexpectedly due to timeout. By default, the MDM client does not send an alert that a DM request is pending.

      To work around the timeout, you can use EnableOmaDmKeepAliveMessage setting to keep the session alive by sending a heartbeat message back to the server. This is achieved by sending a SyncML message with a specific device alert element in the body until the client is able to respond back to the server with the requested information. For details, see EnableOmaDmKeepAliveMessage node in the [DMClient CSP](dmclient-csp.md). | -| [DMClient CSP](dmclient-csp.md) | Added a new node EnableOmaDmKeepAliveMessage to the [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) and updated the ManagementServerAddress to indicate that it can contain a list of URLs. | -| [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) | Added the following new nodes:
      - AppManagement/GetInventoryQuery
      - AppManagement/GetInventoryResults
      - .../_PackageFamilyName_/AppSettingPolicy/_SettingValue_
      - AppLicenses/StoreLicenses/_LicenseID_/LicenseCategory
      - AppLicenses/StoreLicenses/_LicenseID_/LicenseUsage
      - AppLicenses/StoreLicenses/_LicenseID_/RequesterID
      - AppLicenses/StoreLicenses/_LicenseID_/GetLicenseFromStore | -| [EnterpriseExt CSP](enterpriseext-csp.md) | Added the following new nodes:
      - DeviceCustomData (CustomID, CustomeString)
      - Brightness (Default, MaxAuto)
      - LedAlertNotification (State, Intensity, Period, DutyCycle, Cyclecount) | -| [EnterpriseExtFileSystem CSP](enterpriseextfilessystem-csp.md) | Added the OemProfile node. -| [PassportForWork CSP](passportforwork-csp.md) | Added the following new nodes:
      - TenantId/Policies/PINComplexity/History
      - TenantId/Policies/PINComplexity/Expiration
      - TenantId/Policies/Remote/UseRemotePassport (only for ./Device/Vendor/MSFT)
      - Biometrics/UseBiometrics (only for ./Device/Vendor/MSFT)
      - Biometrics/FacialFeaturesUseEnhancedAntiSpoofing (only for ./Device/Vendor/MSFT) | -| [EnterpriseAssignedAccess CSP](enterpriseassignedaccess-csp.md) | The following updates are done to the [EnterpriseAssignedAccess CSP](enterpriseassignedaccess-csp.md):
      - In AssignedAccessXML node, added new page settings and quick action settings.
      - In AssignedAccessXML node, added an example about how to pin applications in multiple app packages using the AUMID.
      - Updated the [EnterpriseAssignedAccess XSD](enterpriseassignedaccess-xsd.md) article. | -| [DevDetail CSP](devdetail-csp.md) | The following updates are done to [DevDetail CSP](devdetail-csp.md):
      - Added TotalStore and TotalRAM settings.
      - Added support for Replace command for the DeviceName setting. | -| Handling large objects | Added support for the client to handle uploading of large objects to the server. | ## Breaking changes and known issues ### Get command inside an atomic command is not supported -In Windows 10, a Get command inside an atomic command is not supported. This was allowed in Windows Phone 8 and Windows Phone 8.1. - -### Notification channel URI not preserved during upgrade from Windows 8.1 to Windows 10 - -During an upgrade from Windows 8.1 to Windows 10, the notification channel URI information is not preserved. In addition, the MDM client loses the PFN, AppID, and client secret. - -After upgrading to Windows 10, you should call MDM\_WNSConfiguration class to recreate the notification channel URI. +In Windows 10 and Windows 11, a Get command inside an atomic command is not supported. ### Apps installed using WMI classes are not removed @@ -234,17 +43,17 @@ Applications installed using WMI classes are not removed when the MDM account is ### Passing CDATA in SyncML does not work -Passing CDATA in data in SyncML to ConfigManager and CSPs does not work in Windows 10. It worked in Windows Phone 8. +Passing CDATA in data in SyncML to ConfigManager and CSPs does not work in Windows 10 and Windows 11. ### SSL settings in IIS server for SCEP must be set to "Ignore" -The certificate setting under "SSL Settings" in the IIS server for SCEP must be set to "Ignore" in Windows 10. In Windows Phone 8.1, when you set the client certificate to "Accept," it works fine. +The certificate setting under "SSL Settings" in the IIS server for SCEP must be set to "Ignore" in Windows 10 and Windows 11. ![ssl settings.](images/ssl-settings.png) -### MDM enrollment fails on the mobile device when traffic is going through proxy +### MDM enrollment fails on the Windows device when traffic is going through proxy -When the mobile device is configured to use a proxy that requires authentication, the enrollment will fail. To work around this issue, the user can use a proxy that does not require authentication or remove the proxy setting from the connected network. +When the Windows device is configured to use a proxy that requires authentication, the enrollment will fail. To work around this issue, the user can use a proxy that does not require authentication or remove the proxy setting from the connected network. ### Server-initiated unenrollment failure @@ -254,41 +63,13 @@ Remote server unenrollment is disabled for mobile devices enrolled via Azure Act ### Certificates causing issues with Wi-Fi and VPN -Currently in Windows 10, version 1511, when using the ClientCertificateInstall to install certificates to the device store and the user store and both certificates are sent to the device in the same MDM payload, the certificate intended for the device store will also get installed in the user store. This may cause issues with Wi-Fi or VPN when choosing the correct certificate to establish a connection. We are working to fix this issue. +In Windows 10 and Windows 11, when using the ClientCertificateInstall to install certificates to the device store and the user store and both certificates are sent to the device in the same MDM payload, the certificate intended for the device store will also get installed in the user store. This may cause issues with Wi-Fi or VPN when choosing the correct certificate to establish a connection. We are working to fix this issue. -### Version information for mobile devices +### Version information for Windows 11 -The software version information from **DevDetail/SwV** does not match the version in **Settings** under **System/About**. +The software version information from **DevDetail/Ext/Microsoft/OSPlatform** does not match the version in **Settings** under **System/About**. -### Upgrading Windows Phone 8.1 devices with app allow-listing using ApplicationRestriction policy has issues - -- When you upgrade Windows Phone 8.1 devices to Windows 10 Mobile using ApplicationRestrictions with a list of allowed apps, some Windows inbox apps get blocked causing unexpected behavior. To work around this issue, you must include the [inbox apps](applocker-csp.md#inboxappsandcomponents) that you need to your list of allowed apps. - - Here's additional guidance for the upgrade process: - - - Use Windows 10 product IDs for the apps listed in [inbox apps](applocker-csp.md#inboxappsandcomponents). - - Use the new Microsoft publisher name (PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US") and Publisher="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" if you are using the publisher policy. Do not remove the Windows Phone 8.1 publisher rule if you are using it. - - In the SyncML, you must use lowercase product ID. - - Do not duplicate a product ID. Messaging and Skype Video use the same product ID. Duplicates cause an error. - - -- Silverlight xaps may not install even if publisher policy is specified using Windows Phone 8.1 publisher rule. For example, Silverlight app "Level" will not install even if you specify <Publisher PublisherName=”Microsoft Corporation” />. - - To workaround this issue, remove the Windows Phone 8.1 publisher rule and add the specific product ID for each Silverlight app you want to allow to the allowed app list. - -- Some apps (specifically those that are published in Microsoft Store as AppX Bundles) are blocked from installing even when they are included in the app list. - - No workaround is available at this time. An OS update to fix this issue is coming soon. - -### Apps dependent on Microsoft Frameworks may get blocked in phones prior to build 10586.218 - -Applies only to phone prior to build 10586.218: When ApplicationManagement/ApplicationRestrictions policy is deployed to Windows 10 Mobile, installation and update of apps dependent on Microsoft Frameworks may get blocked with error 0x80073CF9. To work around this issue, you must include the Microsoft Framework ID to your list of allowed apps. - -```xml - -``` - -### Multiple certificates might cause Wi-Fi connection instabilities in Windows 10 Mobile +### Multiple certificates might cause Wi-Fi connection instabilities in Windows 10 and Windows 11 In your deployment, if you have multiple certificates provisioned on the device and the Wi-Fi profile provisioned does not have a strict filtering criteria, you may see connection failures when connecting to Wi-Fi. The solution is to ensure that the Wi-Fi profile provisioned has strict filtering criteria such that it matches only one certificate. @@ -304,25 +85,25 @@ EAP XML must be updated with relevant information for your environment This can - For Wi-Fi, look for the <EAPConfig> section of your current WLAN Profile XML (This is what you specify for the WLanXml node in the Wi-Fi CSP). Within these tags you will find the complete EAP configuration. Replace the section under <EAPConfig> with your updated XML and update your Wi-Fi profile. You might need to refer to your MDM’s guidance on how to deploy a new Wi-Fi profile. - For VPN, EAP Configuration is a separate field in the MDM Configuration. Work with your MDM provider to identify and update the appropriate Field. -For information about EAP Settings, see +For information about EAP Settings, see . -For information about generating an EAP XML, see [EAP configuration](eap-configuration.md) +For information about generating an EAP XML, see [EAP configuration](eap-configuration.md). -For more information about extended key usage, see +For more information about extended key usage, see . -For information about adding extended key usage (EKU) to a certificate, see +For information about adding extended key usage (EKU) to a certificate, see . The following list describes the prerequisites for a certificate to be used with EAP: - The certificate must have at least one of the following EKU (Extended Key Usage) properties: - - Client Authentication - - As defined by RFC 5280, this is a well-defined OID with Value 1.3.6.1.5.5.7.3.2 - - Any Purpose + - Client Authentication. + - As defined by RFC 5280, this is a well-defined OID with Value 1.3.6.1.5.5.7.3.2. + - Any Purpose. - An EKU Defined and published by Microsoft, is a well-defined OID with value 1.3.6.1.4.1.311.10.12.1. The inclusion of this OID implies that the certificate can be used for any purpose. The advantage of this EKU over the All Purpose EKU is that additional non-critical or custom EKUs can still be added to the certificate for effective filtering. - - All Purpose + - All Purpose. - As defined by RFC 5280, If a CA includes extended key usages to satisfy some application needs, but does not want to restrict usage of the key, the CA can add an Extended Key Usage Value of 0. A certificate with such an EKU can be used for all purposes. -- The user or the computer certificate on the client chains to a trusted root CA +- The user or the computer certificate on the client chains to a trusted root CA. - The user or the computer certificate does not fail any one of the checks that are performed by the CryptoAPI certificate store, and the certificate passes requirements in the remote access policy. - The user or the computer certificate does not fail any one of the certificate object identifier checks that are specified in the Internet Authentication Service (IAS)/Radius Server. - The Subject Alternative Name (SubjectAltName) extension in the certificate contains the user principal name (UPN) of the user. @@ -436,40 +217,42 @@ The following XML sample explains the properties for the EAP TLS XML including c Alternatively you can use the following procedure to create an EAP Configuration XML. -1. Follow steps 1 through 7 in the [EAP configuration](eap-configuration.md) article. +1. Follow steps 1 through 7 in [EAP configuration](eap-configuration.md). + 2. In the Microsoft VPN SelfHost Properties dialog box, select **Microsoft : Smart Card or other Certificate** from the drop down (this selects EAP TLS.) - ![vpn selfhost properties window.](images/certfiltering1.png) + :::image type="content" alt-text="vpn selfhost properties window." source="images/certfiltering1.png"::: > [!NOTE] > For PEAP or TTLS, select the appropriate method and continue following this procedure. 3. Click the **Properties** button underneath the drop down menu. + 4. In the **Smart Card or other Certificate Properties** menu, select the **Advanced** button. - ![smart card or other certificate properties window.](images/certfiltering2.png) + :::image type="content" alt-text="smart card or other certificate properties window." source="images/certfiltering2.png"::: + 5. In the **Configure Certificate Selection** menu, adjust the filters as needed. - ![configure certificate selection window.](images/certfiltering3.png) + :::image type="content" alt-text="configure certificate selection window." source="images/certfiltering3.png"::: + 6. Click **OK** to close the windows to get back to the main rasphone.exe dialog box. + 7. Close the rasphone dialog box. -8. Continue following the procedure in the [EAP configuration](eap-configuration.md) article from Step 9 to get an EAP TLS profile with appropriate filtering. + +8. Continue following the procedure in [EAP configuration](eap-configuration.md) from Step 9 to get an EAP TLS profile with appropriate filtering. > [!NOTE] > You can also set all the other applicable EAP Properties through this UI as well. A guide to what these properties mean can be found in [Extensible Authentication Protocol (EAP) Settings for Network Access](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh945104(v=ws.11)). -### Remote PIN reset not supported in Azure Active Directory joined mobile devices - -In Windows 10 Mobile, remote PIN reset in Azure AD joined devices are not supported. Devices are wiped when you issue a remote PIN reset command using the RemoteLock CSP. - ### MDM client will immediately check-in with the MDM server after client renews WNS channel URI -Starting in Windows 10, after the MDM client automatically renews the WNS channel URI, the MDM client will immediately check-in with the MDM server. Henceforth, for every MDM client check-in, the MDM server should send a GET request for "ProviderID/Push/ChannelURI" to retrieve the latest channel URI and compare it with the existing channel URI; then update the channel URI if necessary. +After the MDM client automatically renews the WNS channel URI, the MDM client will immediately check-in with the MDM server. Henceforth, for every MDM client check-in, the MDM server should send a GET request for "ProviderID/Push/ChannelURI" to retrieve the latest channel URI and compare it with the existing channel URI; then update the channel URI if necessary. -### User provisioning failure in Azure Active Directory joined Windows 10 PC +### User provisioning failure in Azure Active Directory joined Windows 10 and Windows 11 devices -In Azure AD joined Windows 10 PC, provisioning /.User resources fails when the user is not logged in as an Azure AD user. If you attempt to join Azure AD from **Settings** > **System** > **About** user interface, make sure to log off and log on with Azure AD credentials to get your organizational configuration from your MDM server. This behavior is by design. +In Azure AD joined Windows 10 and Windows 11, provisioning /.User resources fails when the user is not logged in as an Azure AD user. If you attempt to join Azure AD from **Settings** > **System** > **About** user interface, make sure to log off and log on with Azure AD credentials to get your organizational configuration from your MDM server. This behavior is by design. ### Requirements to note for VPN certificates also used for Kerberos Authentication @@ -479,30 +262,89 @@ If you want to use the certificate used for VPN authentication also for Kerberos The DM agent for [push-button reset](/windows-hardware/manufacture/desktop/push-button-reset-overview) keeps the registry settings for OMA DM sessions, but deletes the task schedules. The client enrollment is retained, but it never syncs with the MDM service. + ## Frequently Asked Questions -### **Can there be more than one MDM server to enroll and manage devices in Windows 10?** +### Can there be more than one MDM server to enroll and manage devices in Windows 10 or 11? No. Only one MDM is allowed. -### **How do I set the maximum number of Azure Active Directory joined devices per user?** +### How do I set the maximum number of Azure Active Directory joined devices per user? 1. Login to the portal as tenant admin: https://manage.windowsazure.com. 2. Click Active Directory on the left pane. 3. Choose your tenant. 4. Click **Configure**. 5. Set quota to unlimited. - ![aad maximum joined devices.](images/faq-max-devices.png) + :::image type="content" alt-text="aad maximum joined devices." source="images/faq-max-devices.png"::: -### **What is dmwappushsvc?** +### What is dmwappushsvc? Entry | Description --------------- | -------------------- -What is dmwappushsvc? | It is a Windows service that ships in Windows 10 operating system as a part of the windows management platform. It is used internally by the operating system as a queue for categorizing and processing all WAP messages, which include Windows management messages, MMS, NabSync, and Service Indication/Service Loading (SI/SL). The service also initiates and orchestrates management sync sessions with the MDM server. | +What is dmwappushsvc? | It is a Windows service that ships in Windows 10 and Windows 11 operating system as a part of the windows management platform. It is used internally by the operating system as a queue for categorizing and processing all WAP messages, which include Windows management messages, MMS, NabSync, and Service Indication/Service Loading (SI/SL). The service also initiates and orchestrates management sync sessions with the MDM server. | What data is handled by dmwappushsvc? | It is a component handling the internal workings of the management platform and involved in processing messages that have been received by the device remotely for management. The messages in the queue are serviced by another component that is also part of the Windows management stack to process messages. The service also routes and authenticates WAP messages received by the device to internal OS components that process them further: MMS, NabSync, SI/SL. This service does not send telemetry.| How do I turn if off? | The service can be stopped from the "Services" console on the device (Start > Run > services.msc). However, since this is a component part of the OS and required for the proper functioning of the device, we strongly recommend not to do this. Disabling this will cause your management to fail.| + + +## What’s new in MDM for Windows 10, version 20H2 + +|New or updated article|Description| +|-----|-----| +| [Policy CSP](policy-configuration-service-provider.md) | Added the following new policies in Windows 10, version 20H2:
      - [Experience/DisableCloudOptimizedContent](policy-csp-experience.md#experience-disablecloudoptimizedcontent)
      - [LocalUsersAndGroups/Configure](policy-csp-localusersandgroups.md#localusersandgroups-configure)
      - [MixedReality/AADGroupMembershipCacheValidityInDays](policy-csp-mixedreality.md#mixedreality-aadgroupmembershipcachevalidityindays)
      - [MixedReality/BrightnessButtonDisabled](policy-csp-mixedreality.md#mixedreality-brightnessbuttondisabled)
      - [MixedReality/FallbackDiagnostics](policy-csp-mixedreality.md#mixedreality-fallbackdiagnostics)
      - [MixedReality/MicrophoneDisabled](policy-csp-mixedreality.md#mixedreality-microphonedisabled)
      - [MixedReality/VolumeButtonDisabled](policy-csp-mixedreality.md#mixedreality-volumebuttondisabled)
      - [Multitasking/BrowserAltTabBlowout](policy-csp-multitasking.md#multitasking-browseralttabblowout) | +| [SurfaceHub CSP](surfacehub-csp.md) | Added the following new node:
      - Properties/SleepMode | +| [WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md) | Updated the description of the following node:
      - Settings/AllowWindowsDefenderApplicationGuard | + +## What’s new in MDM for Windows 10, version 2004 + +| New or updated article | Description | +|-----|-----| +| [Policy CSP](policy-configuration-service-provider.md) | Added the following new policies in Windows 10, version 2004:
      - [ApplicationManagement/BlockNonAdminUserInstall](policy-csp-applicationmanagement.md#applicationmanagement-blocknonadminuserinstall)
      - [Bluetooth/SetMinimumEncryptionKeySize](policy-csp-bluetooth.md#bluetooth-setminimumencryptionkeysize)
      - [DeliveryOptimization/DOCacheHostSource](policy-csp-deliveryoptimization.md#deliveryoptimization-docachehostsource)
      - [DeliveryOptimization/DOMaxBackgroundDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxbackgrounddownloadbandwidth)
      - [DeliveryOptimization/DOMaxForegroundDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxforegrounddownloadbandwidth)
      - [Education/AllowGraphingCalculator](policy-csp-education.md#education-allowgraphingcalculator)
      - [TextInput/ConfigureJapaneseIMEVersion](policy-csp-textinput.md#textinput-configurejapaneseimeversion)
      - [TextInput/ConfigureSimplifiedChineseIMEVersion](policy-csp-textinput.md#textinput-configuresimplifiedchineseimeversion)
      - [TextInput/ConfigureTraditionalChineseIMEVersion](policy-csp-textinput.md#textinput-configuretraditionalchineseimeversion)

      Updated the following policy in Windows 10, version 2004:
      - [DeliveryOptimization/DOCacheHost](policy-csp-deliveryoptimization.md#deliveryoptimization-docachehost)

      Deprecated the following policies in Windows 10, version 2004:
      - [DeliveryOptimization/DOMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxdownloadbandwidth)
      - [DeliveryOptimization/DOMaxUploadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxuploadbandwidth)
      - [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxdownloadbandwidth) | +| [DevDetail CSP](devdetail-csp.md) | Added the following new node:
      - Ext/Microsoft/DNSComputerName | +| [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) | Added the following new node:
      - IsStub | +| [SUPL CSP](supl-csp.md) | Added the following new node:
      - FullVersion | + +## What’s new in MDM for Windows 10, version 1909 + +| New or updated article | Description | +|-----|-----| +| [BitLocker CSP](bitlocker-csp.md) | Added the following new nodes in Windows 10, version 1909:
      - ConfigureRecoveryPasswordRotation
      - RotateRecoveryPasswords
      - RotateRecoveryPasswordsStatus
      - RotateRecoveryPasswordsRequestID| + +## What’s new in MDM for Windows 10, version 1903 + +| New or updated article | Description | +|-----|-----| +|[Policy CSP](policy-configuration-service-provider.md) | Added the following new policies in Windows 10, version 1903:
      - [DeliveryOptimization/DODelayCacheServerFallbackBackground](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackbackground)
      - [DeliveryOptimization/DODelayCacheServerFallbackForeground](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackforeground)
      - [DeviceHealthMonitoring/AllowDeviceHealthMonitoring](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-allowdevicehealthmonitoring)
      - [DeviceHealthMonitoring/ConfigDeviceHealthMonitoringScope](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-configdevicehealthmonitoringscope)
      - [DeviceHealthMonitoring/ConfigDeviceHealthMonitoringUploadDestination](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-configdevicehealthmonitoringuploaddestination)
      - [DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs](policy-csp-deviceinstallation.md#deviceinstallationallowinstallationofmatchingdeviceinstanceids)
      - [DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs](policy-csp-deviceinstallation.md#deviceinstallationpreventinstallationofmatchingdeviceinstanceids)
      - [Experience/ShowLockOnUserTile](policy-csp-experience.md#experience-showlockonusertile)
      - [InternetExplorer/AllowEnhancedSuggestionsInAddressBar](policy-csp-internetexplorer.md#internetexplorer-allowenhancedsuggestionsinaddressbar)
      - [InternetExplorer/DisableActiveXVersionListAutoDownload](policy-csp-internetexplorer.md#internetexplorer-disableactivexversionlistautodownload)
      - [InternetExplorer/DisableCompatView](policy-csp-internetexplorer.md#internetexplorer-disablecompatview)
      - [InternetExplorer/DisableFeedsBackgroundSync](policy-csp-internetexplorer.md#internetexplorer-disablefeedsbackgroundsync)
      - [InternetExplorer/DisableGeolocation](policy-csp-internetexplorer.md#internetexplorer-disablegeolocation)
      - [InternetExplorer/DisableWebAddressAutoComplete](policy-csp-internetexplorer.md#internetexplorer-disablewebaddressautocomplete)
      - [InternetExplorer/NewTabDefaultPage](policy-csp-internetexplorer.md#internetexplorer-newtabdefaultpage)
      - [Power/EnergySaverBatteryThresholdOnBattery](policy-csp-power.md#power-energysaverbatterythresholdonbattery)
      - [Power/EnergySaverBatteryThresholdPluggedIn](policy-csp-power.md#power-energysaverbatterythresholdpluggedin)
      - [Power/SelectLidCloseActionOnBattery](policy-csp-power.md#power-selectlidcloseactiononbattery)
      - [Power/SelectLidCloseActionPluggedIn](policy-csp-power.md#power-selectlidcloseactionpluggedin)
      - [Power/SelectPowerButtonActionOnBattery](policy-csp-power.md#power-selectpowerbuttonactiononbattery)
      - [Power/SelectPowerButtonActionPluggedIn](policy-csp-power.md#power-selectpowerbuttonactionpluggedin)
      - [Power/SelectSleepButtonActionOnBattery](policy-csp-power.md#power-selectsleepbuttonactiononbattery)
      - [Power/SelectSleepButtonActionPluggedIn](policy-csp-power.md#power-selectsleepbuttonactionpluggedin)
      - [Power/TurnOffHybridSleepOnBattery](policy-csp-power.md#power-turnoffhybridsleeponbattery)
      - [Power/TurnOffHybridSleepPluggedIn](policy-csp-power.md#power-turnoffhybridsleeppluggedin)
      - [Power/UnattendedSleepTimeoutOnBattery](policy-csp-power.md#power-unattendedsleeptimeoutonbattery)
      - [Power/UnattendedSleepTimeoutPluggedIn](policy-csp-power.md#power-unattendedsleeptimeoutpluggedin)
      - [Privacy/LetAppsActivateWithVoice](policy-csp-privacy.md#privacy-letappsactivatewithvoice)
      - [Privacy/LetAppsActivateWithVoiceAboveLock](policy-csp-privacy.md#privacy-letappsactivatewithvoiceabovelock)
      - [Search/AllowFindMyFiles](policy-csp-search.md#search-allowfindmyfiles)
      - [ServiceControlManager/SvchostProcessMitigation](policy-csp-servicecontrolmanager.md#servicecontrolmanager-svchostprocessmitigation)
      - [System/AllowCommercialDataPipeline](policy-csp-system.md#system-allowcommercialdatapipeline)
      - [System/TurnOffFileHistory](policy-csp-system.md#system-turnofffilehistory)
      - [TimeLanguageSettings/ConfigureTimeZone](policy-csp-timelanguagesettings.md#timelanguagesettings-configuretimezone)
      - [Troubleshooting/AllowRecommendations](policy-csp-troubleshooting.md#troubleshooting-allowrecommendations)
      - [Update/AutomaticMaintenanceWakeUp](policy-csp-update.md#update-automaticmaintenancewakeup)
      - [Update/ConfigureDeadlineForFeatureUpdates](policy-csp-update.md#update-configuredeadlineforfeatureupdates)
      - [Update/ConfigureDeadlineForQualityUpdates](policy-csp-update.md#update-configuredeadlineforqualityupdates)
      - [Update/ConfigureDeadlineGracePeriod](policy-csp-update.md#update-configuredeadlinegraceperiod)
      - [WindowsLogon/AllowAutomaticRestartSignOn](policy-csp-windowslogon.md#windowslogon-allowautomaticrestartsignon)
      - [WindowsLogon/ConfigAutomaticRestartSignOn](policy-csp-windowslogon.md#windowslogon-configautomaticrestartsignon)
      - [WindowsLogon/EnableFirstLogonAnimation](policy-csp-windowslogon.md#windowslogon-enablefirstlogonanimation)| +| [Policy CSP - Audit](policy-csp-audit.md) | Added the new Audit policy CSP. | +| [ApplicationControl CSP](applicationcontrol-csp.md) | Added the new CSP. | +| [Defender CSP](defender-csp.md) | Added the following new nodes:
      - Health/TamperProtectionEnabled
      - Health/IsVirtualMachine
      - Configuration
      - Configuration/TamperProtection
      - Configuration/EnableFileHashComputation | +| [DiagnosticLog CSP](diagnosticlog-csp.md)
      [DiagnosticLog DDF](diagnosticlog-ddf.md) | Added version 1.4 of the CSP in Windows 10, version 1903.
      Added the new 1.4 version of the DDF.
      Added the following new nodes:
      - Policy
      - Policy/Channels
      - Policy/Channels/ChannelName
      - Policy/Channels/ChannelName/MaximumFileSize
      - Policy/Channels/ChannelName/SDDL
      - Policy/Channels/ChannelName/ActionWhenFull
      - Policy/Channels/ChannelName/Enabled
      - DiagnosticArchive
      - DiagnosticArchive/ArchiveDefinition
      - DiagnosticArchive/ArchiveResults | +| [EnrollmentStatusTracking CSP](enrollmentstatustracking-csp.md) | Added the new CSP. | +| [PassportForWork CSP](passportforwork-csp.md) | Added the following new nodes:
      - SecurityKey
      - SecurityKey/UseSecurityKeyForSignin | + + +## What’s new in MDM for Windows 10, version 1809 + +| New or updated article | Description | +|-----|-----| +|[Policy CSP](policy-configuration-service-provider.md) | Added the following new policy settings in Windows 10, version 1809:
      - ApplicationManagement/LaunchAppAfterLogOn
      - ApplicationManagement/ScheduleForceRestartForUpdateFailures
      - Authentication/EnableFastFirstSignIn (Preview mode only)
      - Authentication/EnableWebSignIn (Preview mode only)
      - Authentication/PreferredAadTenantDomainName
      - Browser/AllowFullScreenMode
      - Browser/AllowPrelaunch
      - Browser/AllowPrinting
      - Browser/AllowSavingHistory
      - Browser/AllowSideloadingOfExtensions
      - Browser/AllowTabPreloading
      - Browser/AllowWebContentOnNewTabPage
      - Browser/ConfigureFavoritesBar
      - Browser/ConfigureHomeButton
      - Browser/ConfigureKioskMode
      - Browser/ConfigureKioskResetAfterIdleTimeout
      - Browser/ConfigureOpenMicrosoftEdgeWith
      - Browser/ConfigureTelemetryForMicrosoft365Analytics
      - Browser/PreventCertErrorOverrides
      - Browser/SetHomeButtonURL
      - Browser/SetNewTabPageURL
      - Browser/UnlockHomeButton
      - Defender/CheckForSignaturesBeforeRunningScan
      - Defender/DisableCatchupFullScan
      - Defender/DisableCatchupQuickScan
      - Defender/EnableLowCPUPriority
      - Defender/SignatureUpdateFallbackOrder
      - Defender/SignatureUpdateFileSharesSources
      - DeviceGuard/ConfigureSystemGuardLaunch
      - DeviceInstallation/AllowInstallationOfMatchingDeviceIDs
      - DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses
      - DeviceInstallation/PreventDeviceMetadataFromNetwork
      - DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings
      - DmaGuard/DeviceEnumerationPolicy
      - Experience/AllowClipboardHistory
      - Experience/DoNotSyncBrowserSettings
      - Experience/PreventUsersFromTurningOnBrowserSyncing
      - Kerberos/UPNNameHints
      - Privacy/AllowCrossDeviceClipboard
      - Privacy/DisablePrivacyExperience
      - Privacy/UploadUserActivities
      - Security/RecoveryEnvironmentAuthentication
      - System/AllowDeviceNameInDiagnosticData
      - System/ConfigureMicrosoft365UploadEndpoint
      - System/DisableDeviceDelete
      - System/DisableDiagnosticDataViewer
      - Storage/RemovableDiskDenyWriteAccess
      - TaskManager/AllowEndTask
      - Update/DisableWUfBSafeguards
      - Update/EngagedRestartDeadlineForFeatureUpdates
      - Update/EngagedRestartSnoozeScheduleForFeatureUpdates
      - Update/EngagedRestartTransitionScheduleForFeatureUpdates
      - Update/SetDisablePauseUXAccess
      - Update/SetDisableUXWUAccess
      - WindowsDefenderSecurityCenter/DisableClearTpmButton
      - WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning
      - WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl
      - WindowsLogon/DontDisplayNetworkSelectionUI | +| [BitLocker CSP](bitlocker-csp.md) | Added a new node AllowStandardUserEncryption in Windows 10, version 1809. Added support for Windows 10 Pro. | +| [Defender CSP](defender-csp.md) | Added a new node Health/ProductStatus in Windows 10, version 1809. | +| [DevDetail CSP](devdetail-csp.md) | Added a new node SMBIOSSerialNumber in Windows 10, version 1809. | +| [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) | Added NonRemovable setting under AppManagement node in Windows 10, version 1809. | +| [Office CSP](office-csp.md) | Added FinalStatus setting in Windows 10, version 1809. | +| [PassportForWork CSP](passportforwork-csp.md) | Added new settings in Windows 10, version 1809. | +| [RemoteWipe CSP](remotewipe-csp.md) | Added new settings in Windows 10, version 1809. | +| [SUPL CSP](supl-csp.md) | Added 3 new certificate nodes in Windows 10, version 1809. | +| [TenantLockdown CSP](tenantlockdown-csp.md) | Added new CSP in Windows 10, version 1809. | +| [Wifi CSP](wifi-csp.md) | Added a new node WifiCost in Windows 10, version 1809. | +| [WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md) | Added new settings in Windows 10, version 1809. | +| [WindowsLicensing CSP](windowslicensing-csp.md) | Added S mode settings and SyncML examples in Windows 10, version 1809. | +| [Win32CompatibilityAppraiser CSP](win32compatibilityappraiser-csp.md) | Added new configuration service provider in Windows 10, version 1809. | + + ## Change history for MDM documentation -To know what's changed in MDM documentation, see [Change history for MDM documentation](change-history-for-mdm-documentation.md). \ No newline at end of file +To know what's changed in MDM documentation, see [Change history for MDM documentation](change-history-for-mdm-documentation.md). diff --git a/windows/client-management/mdm/passportforwork-csp.md b/windows/client-management/mdm/passportforwork-csp.md index 84ff8f5e34..028da43967 100644 --- a/windows/client-management/mdm/passportforwork-csp.md +++ b/windows/client-management/mdm/passportforwork-csp.md @@ -21,15 +21,68 @@ The PassportForWork configuration service provider is used to provision Windows   ### User configuration diagram -The following diagram shows the PassportForWork configuration service provider in tree format. +The following shows the PassportForWork configuration service provider in tree format. -![passportforwork csp.](images/provisioning-csp-passportforwork.png) +```console +./User/Vendor/MSFT +PassportForWork +-------TenantId +----------Policies +-------------UsePassportForWork +-------------RequireSecurityDevice +-------------EnablePinRecovery +-------------PINComplexity +----------------MinimumPINLength +----------------MaximumPINLength +----------------UppercaseLetters +----------------LowercaseLetters +----------------SpecialCharecters +----------------Digits +----------------History +----------------Expiration +``` ### Device configuration diagram -The following diagram shows the PassportForWork configuration service provider in tree format. +The following shows the PassportForWork configuration service provider in tree format. -![passportforwork diagram.](images/provisioning-csp-passportforwork2.png) +```console +./Device/Vendor/MSFT +PassportForWork +-------TenantId +----------Policies +-------------UsePassportForWork +-------------RequireSecurityDevice +-------------ExcludeSecurityDevices +----------------TPM12 +-------------EnablePinRecovery +-------------UserCertificateForOnPremAuth +-------------PINComplexity +----------------MinimumPINLength +----------------MaximumPINLength +----------------UppercaseLetters +----------------LowercaseLetters +----------------SpecialCharacters +----------------Digits +----------------History +----------------Expiration +-------------Remote +----------------UseRemotePassport +-------------UseHelloCertificatesAsSmartCardCertificates +-------UseBiometrics +-------Biometrics +----------UseBiometrics +----------FacialFeatureUse +-------DeviceUnlock +----------GroupA +----------GroupB +----------Plugins +-------DynamicLock +----------DynamicLock +----------Plugins +-------SecurityKey +----------UseSecurityKeyForSignin +``` **PassportForWork** Root node for PassportForWork configuration service provider. diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index 0897f1666a..6256ffe15a 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -33,6 +33,10 @@ ms.date: 10/08/2020 - [ADMX_AddRemovePrograms/NoServices](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-noservices) - [ADMX_AddRemovePrograms/NoSupportInfo](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-nosupportinfo) - [ADMX_AddRemovePrograms/NoWindowsSetupPage](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-nowindowssetuppage) +- [ADMX_AdmPwd/POL_AdmPwd_DontAllowPwdExpirationBehindPolicy](./policy-csp-admx-admpwd.md#admx-admpwd-pol_admpwd_dontallowpwdexpirationbehindpolicy) +- [ADMX_AdmPwd/POL_AdmPwd_Enabled](./policy-csp-admx-admpwd.md#admx-admpwd-pol_admpwd_enabled) +- [ADMX_AdmPwd/POL_AdmPwd_AdminName](./policy-csp-admx-admpwd.md#admx-admpwd-pol_admpwd_adminname) +- [ADMX_AdmPwd/POL_AdmPwd](./policy-csp-admx-admpwd.md#admx-admpwd-pol_admpwd) - [ADMX_AppCompat/AppCompatPrevent16BitMach](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatprevent16bitmach) - [ADMX_AppCompat/AppCompatRemoveProgramCompatPropPage](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatremoveprogramcompatproppage) - [ADMX_AppCompat/AppCompatTurnOffApplicationImpactTelemetry](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatturnoffapplicationimpacttelemetry) @@ -167,6 +171,15 @@ ms.date: 10/08/2020 - [ADMX_DeviceSetup/DriverSearchPlaces_SearchOrderConfiguration](./policy-csp-admx-devicesetup.md#admx-devicesetup-driversearchplaces-searchorderconfiguration) - [ADMX_DigitalLocker/Digitalx_DiableApplication_TitleText_1](./policy-csp-admx-digitallocker.md#admx-digitallocker-digitalx-diableapplication-titletext-1) - [ADMX_DigitalLocker/Digitalx_DiableApplication_TitleText_2](./policy-csp-admx-digitallocker.md#admx-digitallocker-digitalx-diableapplication-titletext-2) +- [ADMX_DiskNVCache/BootResumePolicy](./policy-csp-admx-disknvcache.md#admx-disknvcache-bootresumepolicy) +- [ADMX_DiskNVCache/FeatureOffPolicy](./policy-csp-admx-disknvcache.md#admx-disknvcache-featureoffpolicy) +- [ADMX_DiskNVCache/SolidStatePolicy](./policy-csp-admx-disknvcache.md#admx-disknvcache-solidstatepolicy) +- [ADMX_DiskQuota/DQ_RemovableMedia](./policy-csp-admx-diskquota.md#admx-diskquota-dq_removablemedia) +- [ADMX_DiskQuota/DQ_Enable](./policy-csp-admx-diskquota.md#admx-diskquota-dq_enable) +- [ADMX_DiskQuota/DQ_Enforce](./policy-csp-admx-diskquota.md#admx-diskquota-dq_enforce) +- [ADMX_DiskQuota/DQ_LogEventOverLimit](./policy-csp-admx-diskquota.md#admx-diskquota-dq_logeventoverlimit) +- [ADMX_DiskQuota/DQ_LogEventOverThreshold](./policy-csp-admx-diskquota.md#admx-diskquota-dq_logeventoverthreshold) +- [ADMX_DiskQuota/DQ_Limit](./policy-csp-admx-diskquota.md#admx-diskquota-dq_limit) - [ADMX_DistributedLinkTracking/DLT_AllowDomainMode](./policy-csp-admx-distributedlinktracking.md#admx-distributedlinktracking-dlt_allowdomainmode) - [ADMX_DnsClient/DNS_AllowFQDNNetBiosQueries](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-allowfqdnnetbiosqueries) - [ADMX_DnsClient/DNS_AppendToMultiLabelName](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-appendtomultilabelname) @@ -404,6 +417,9 @@ ms.date: 10/08/2020 - [ADMX_ICM/WinMSG_NoInstrumentation_1](./policy-csp-admx-icm.md#admx-icm-winmsg_noinstrumentation-1) - [ADMX_ICM/WinMSG_NoInstrumentation_2](./policy-csp-admx-icm.md#admx-icm-winmsg_noinstrumentation-2) - [ADMX_IIS/PreventIISInstall](./policy-csp-admx-iis.md#admx-iis-preventiisinstall) +- [ADMX_iSCSI/iSCSIGeneral_RestrictAdditionalLogins](./policy-csp-admx-iscsi.md#admx-iscsi-iscsigeneral_restrictadditionallogins) +- [ADMX_iSCSI/iSCSIGeneral_ChangeIQNName](./policy-csp-admx-iscsi.md#admx-iscsi-iscsigeneral_changeiqnname) +- [ADMX_iSCSI/iSCSISecurity_ChangeCHAPSecret](./policy-csp-admx-iscsi.md#admx-iscsi-iscsisecurity_changechapsecret) - [ADMX_kdc/CbacAndArmor](./policy-csp-admx-kdc.md#admx-kdc-cbacandarmor) - [ADMX_kdc/ForestSearch](./policy-csp-admx-kdc.md#admx-kdc-forestsearch) - [ADMX_kdc/PKINITFreshness](./policy-csp-admx-kdc.md#admx-kdc-pkinitfreshness) @@ -646,6 +662,10 @@ ms.date: 10/08/2020 - [ADMX_MMCSnapins/MMC_WiredNetworkPolicy](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-wirednetworkpolicy) - [ADMX_MMCSnapins/MMC_WirelessMon](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-wirelessmon) - [ADMX_MMCSnapins/MMC_WirelessNetworkPolicy](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-wirelessnetworkpolicy) +- [ADMX_MobilePCMobilityCenter/MobilityCenterEnable_1](./policy-csp-admx-mobilepcmobilitycenter.md#admx-mobilepcmobilitycenter-mobilitycenterenable_1) +- [ADMX_MobilePCMobilityCenter/MobilityCenterEnable_2](./policy-csp-admx-mobilepcmobilitycenter.md#admx-mobilepcmobilitycenter-mobilitycenterenable_2) +- [ADMX_MobilePCPresentationSettings/PresentationSettingsEnable_1](./policy-csp-admx-mobilepcpresentationsettings.md#admx-mobilepcpresentationsettings-presentationsettingsenable_1) +- [ADMX_MobilePCPresentationSettings/PresentationSettingsEnable_2](./policy-csp-admx-mobilepcpresentationsettings.md#admx-mobilepcpresentationsettings-presentationsettingsenable_2) - [ADMX_MSAPolicy/IncludeMicrosoftAccount_DisableUserAuthCmdLine](./policy-csp-admx-msapolicy.md#admx-msapolicy-microsoftaccount-disableuserauth) - [ADMX_msched/ActivationBoundaryPolicy](./policy-csp-admx-msched.md#admx-msched-activationboundarypolicy) - [ADMX_msched/RandomDelayPolicy](./policy-csp-admx-msched.md#admx-msched-randomdelaypolicy) @@ -676,6 +696,7 @@ ms.date: 10/08/2020 - [ADMX_MSI/SafeForScripting](./policy-csp-admx-msi.md#admx-msi-safeforscripting) - [ADMX_MSI/SearchOrder](./policy-csp-admx-msi.md#admx-msi-searchorder) - [ADMX_MSI/TransformsSecure](./policy-csp-admx-msi.md#admx-msi-transformssecure) +- [ADMX_MsiFileRecovery/WdiScenarioExecutionPolicy](./policy-csp-admx-msifilerecovery.md#admx-msifilerecovery-wdiscenarioexecutionpolicy) - [ADMX_nca/CorporateResources](./policy-csp-admx-nca.md#admx-nca-corporateresources) - [ADMX_nca/CustomCommands](./policy-csp-admx-nca.md#admx-nca-customcommands) - [ADMX_nca/DTEs](./policy-csp-admx-nca.md#admx-nca-dtes) @@ -799,6 +820,13 @@ ms.date: 10/08/2020 - [ADMX_OfflineFiles/Pol_SyncOnCostedNetwork](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-synconcostednetwork) - [ADMX_OfflineFiles/Pol_WorkOfflineDisabled_1](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-workofflinedisabled-1) - [ADMX_OfflineFiles/Pol_WorkOfflineDisabled_2](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-workofflinedisabled-2) +- [ADMX_pca/DetectDeprecatedCOMComponentFailuresPolicy](./policy-csp-admx-pca.md#admx-pca-detectdeprecatedcomcomponentfailurespolicy) +- [ADMX_pca/DetectDeprecatedComponentFailuresPolicy](./policy-csp-admx-pca.md#admx-pca-detectdeprecatedcomponentfailurespolicy) +- [ADMX_pca/DetectInstallFailuresPolicy](./policy-csp-admx-pca.md#admx-pca-detectinstallfailurespolicy) +- [ADMX_pca/DetectUndetectedInstallersPolicy](./policy-csp-admx-pca.md#admx-pca-detectundetectedinstallerspolicy) +- [ADMX_pca/DetectUpdateFailuresPolicy](./policy-csp-admx-pca.md#admx-pca-detectupdatefailurespolicy) +- [ADMX_pca/DisablePcaUIPolicy](./policy-csp-admx-pca.md#admx-pca-disablepcauipolicy) +- [ADMX_pca/DetectBlockedDriversPolicy](./policy-csp-admx-pca.md#admx-pca-detectblockeddriverspolicy) - [ADMX_PeerToPeerCaching/EnableWindowsBranchCache](./policy-csp-admx-peertopeercaching.md#admx-peertopeercaching-enablewindowsbranchcache) - [ADMX_PeerToPeerCaching/EnableWindowsBranchCache_Distributed](./policy-csp-admx-peertopeercaching.md#admx-peertopeercaching-enablewindowsbranchcache-distributed) - [ADMX_PeerToPeerCaching/EnableWindowsBranchCache_Hosted](./policy-csp-admx-peertopeercaching.md#admx-peertopeercaching-enablewindowsbranchcache-hosted) @@ -808,6 +836,8 @@ ms.date: 10/08/2020 - [ADMX_PeerToPeerCaching/SetCachePercent](./policy-csp-admx-peertopeercaching.md#admx-peertopeercaching-setcachepercent) - [ADMX_PeerToPeerCaching/SetDataCacheEntryMaxAge](./policy-csp-admx-peertopeercaching.md#admx-peertopeercaching-setdatacacheentrymaxage) - [ADMX_PeerToPeerCaching/SetDowngrading](./policy-csp-admx-peertopeercaching.md#admx-peertopeercaching-setdowngrading) +- [ADMX_PenTraining/PenTrainingOff_1](./policy-csp-admx-pentraining.md#admx-pentraining-pentrainingoff_1) +- [ADMX_PenTraining/PenTrainingOff_2](./policy-csp-admx-pentraining.md#admx-pentraining-pentrainingoff_2) - [ADMX_PerformanceDiagnostics/WdiScenarioExecutionPolicy_1](./policy-csp-admx-performancediagnostics.md#admx-performancediagnostics-wdiscenarioexecutionpolicy-1) - [ADMX_PerformanceDiagnostics/WdiScenarioExecutionPolicy_2](./policy-csp-admx-performancediagnostics.md#admx-performancediagnostics-wdiscenarioexecutionpolicy-2) - [ADMX_PerformanceDiagnostics/WdiScenarioExecutionPolicy_3](./policy-csp-admx-performancediagnostics.md#admx-performancediagnostics-wdiscenarioexecutionpolicy-3) @@ -841,6 +871,14 @@ ms.date: 10/08/2020 - [ADMX_PowerShellExecutionPolicy/EnableScripts](./policy-csp-admx-powershellexecutionpolicy.md#admx-powershellexecutionpolicy-enablescripts) - [ADMX_PowerShellExecutionPolicy/EnableTranscripting](./policy-csp-admx-powershellexecutionpolicy.md#admx-powershellexecutionpolicy-enabletranscripting) - [ADMX_PowerShellExecutionPolicy/EnableUpdateHelpDefaultSourcePath](./policy-csp-admx-powershellexecutionpolicy.md#admx-powershellexecutionpolicy-enableupdatehelpdefaultsourcepath) +- [ADMX_PreviousVersions/DisableLocalPage_1](./policy-csp-admx-previousversions.md#admx-previousversions-disablelocalpage_1) +- [ADMX_PreviousVersions/DisableLocalPage_2](./policy-csp-admx-previousversions.md#admx-previousversions-disablelocalpage_2) +- [ADMX_PreviousVersions/DisableRemotePage_1](./policy-csp-admx-previousversions.md#admx-previousversions-disableremotepage_1) +- [ADMX_PreviousVersions/DisableRemotePage_2](./policy-csp-admx-previousversions.md#admx-previousversions-disableremotepage_2) +- [ADMX_PreviousVersions/HideBackupEntries_1](./policy-csp-admx-previousversions.md#admx-previousversions-hidebackupentries_1) +- [ADMX_PreviousVersions/HideBackupEntries_2](./policy-csp-admx-previousversions.md#admx-previousversions-hidebackupentries_2) +- [ADMX_PreviousVersions/DisableLocalRestore_1](./policy-csp-admx-previousversions.md#admx-previousversions-disablelocalrestore_1) +- [ADMX_PreviousVersions/DisableLocalRestore_2](./policy-csp-admx-previousversions.md#admx-previousversions-disablelocalrestore_2) - [ADMX_Printing/AllowWebPrinting](./policy-csp-admx-printing.md#admx-printing-allowwebprinting) - [ADMX_Printing/ApplicationDriverIsolation](./policy-csp-admx-printing.md#admx-printing-applicationdriverisolation) - [ADMX_Printing/CustomizedSupportUrl](./policy-csp-admx-printing.md#admx-printing-customizedsupporturl) @@ -941,12 +979,17 @@ ms.date: 10/08/2020 - [ADMX_sdiageng/BetterWhenConnected](./policy-csp-admx-sdiageng.md#admx-sdiageng-betterwhenconnected) - [ADMX_sdiageng/ScriptedDiagnosticsExecutionPolicy](./policy-csp-admx-sdiageng.md#admx-sdiageng-scripteddiagnosticsexecutionpolicy) - [ADMX_sdiageng/ScriptedDiagnosticsSecurityPolicy](./policy-csp-admx-sdiageng.md#admx-sdiageng-scripteddiagnosticssecuritypolicy) +- [ADMX_sdiagschd/ScheduledDiagnosticsExecutionPolicy](./policy-csp-admx-sdiagschd.md#admx-sdiagschd-scheduleddiagnosticsexecutionpolicy) - [ADMX_Securitycenter/SecurityCenter_SecurityCenterInDomain](/policy-csp-admx-securitycenter.md#admx-securitycenter-securitycenter-securitycenterindomain) - [ADMX_Sensors/DisableLocationScripting_1](./policy-csp-admx-sensors.md#admx-sensors-disablelocationscripting-1) - [ADMX_Sensors/DisableLocationScripting_2](./policy-csp-admx-sensors.md#admx-sensors-disablelocationscripting-2) - [ADMX_Sensors/DisableLocation_1](./policy-csp-admx-sensors.md#admx-sensors-disablelocation-1) - [ADMX_Sensors/DisableSensors_1](./policy-csp-admx-sensors.md#admx-sensors-disablesensors-1) - [ADMX_Sensors/DisableSensors_2](./policy-csp-admx-sensors.md#admx-sensors-disablesensors-2) +- [ADMX_ServerManager/Do_not_display_Manage_Your_Server_page](./policy-csp-admx-servermanager.md#admx-servermanager-do_not_display_manage_your_server_page) +- [ADMX_ServerManager/ServerManagerAutoRefreshRate](./policy-csp-admx-servermanager.md#admx-servermanager-servermanagerautorefreshrate) +- [ADMX_ServerManager/DoNotLaunchInitialConfigurationTasks](./policy-csp-admx-servermanager.md#admx-servermanager-donotlaunchinitialconfigurationtasks) +- [ADMX_ServerManager/DoNotLaunchServerManager](./policy-csp-admx-servermanager.md#admx-servermanager-donotlaunchservermanager) - [ADMX_Servicing/Servicing](./policy-csp-admx-servicing.md#admx-servicing-servicing) - [ADMX_SettingSync/DisableAppSyncSettingSync](./policy-csp-admx-settingsync.md#admx-settingsync-disableappsyncsettingsync) - [ADMX_SettingSync/DisableApplicationSettingSync](./policy-csp-admx-settingsync.md#admx-settingsync-disableapplicationsettingsync) @@ -960,11 +1003,10 @@ ms.date: 10/08/2020 - [ADMX_SharedFolders/PublishDfsRoots](./policy-csp-admx-sharedfolders.md#admx-sharedfolders-publishdfsroots) - [ADMX_SharedFolders/PublishSharedFolders](./policy-csp-admx-sharedfolders.md#admx-sharedfolders-publishsharedfolders) - [ADMX_Sharing/NoInplaceSharing](./policy-csp-admx-sharing.md#admx-sharing-noinplacesharing) -- [ADMX_ShellCommandPromptRegEditTools/DisableCMD](./policy-csp-admx-shellcommandpromptregedittools.md#admx-shellcommandpromptregedittools-disablecmd) -- [ADMX_ShellCommandPromptRegEditTools/DisableRegedit](./policy-csp-admx-shellcommandpromptregedittools.md#admx-shellcommandpromptregedittools-disableregedit) - [ADMX_ShellCommandPromptRegEditTools/DisallowApps](./policy-csp-admx-shellcommandpromptregedittools.md#admx-shellcommandpromptregedittools-disallowapps) -- [ADMX_ShellCommandPromptRegEditTools/RestrictApps](./policy-csp-admx-shellcommandpromptregedittools.md#admx-shellcommandpromptregedittools-disablecmd) -- [ADMX_SkyDrive/PreventNetworkTrafficPreUserSignIn](./policy-csp-admx-skydrive.md#admx-skydrive-preventnetworktrafficpreusersignin) +- [ADMX_ShellCommandPromptRegEditTools/DisableRegedit](./policy-csp-admx-shellcommandpromptregedittools.md#admx-shellcommandpromptregedittools-disableregedit) +- [ADMX_ShellCommandPromptRegEditTools/DisableCMD](./policy-csp-admx-shellcommandpromptregedittools.md#admx-shellcommandpromptregedittools-disablecmd) +- [ADMX_ShellCommandPromptRegEditTools/RestrictApps](./policy-csp-admx-shellcommandpromptregedittools.md#admx-shellcommandpromptregedittools-restrictapps) - [ADMX_Smartcard/AllowCertificatesWithNoEKU](./policy-csp-admx-smartcard.md#admx-smartcard-allowcertificateswithnoeku) - [ADMX_Smartcard/AllowIntegratedUnblock](./policy-csp-admx-smartcard.md#admx-smartcard-allowintegratedunblock) - [ADMX_Smartcard/AllowSignatureOnlyKeys](./policy-csp-admx-smartcard.md#admx-smartcard-allowsignatureonlykeys) @@ -1052,6 +1094,8 @@ ms.date: 10/08/2020 - [ADMX_StartMenu/StartMenuLogOff](./policy-csp-admx-startmenu.md#admx-startmenu-startmenulogoff) - [ADMX_StartMenu/StartPinAppsWhenInstalled](./policy-csp-admx-startmenu.md#admx-startmenu-startpinappswheninstalled) - [ADMX_SystemRestore/SR_DisableConfig](./policy-csp-admx-systemrestore.md#admx-systemrestore-sr-disableconfig) +- [ADMX_TabletShell/DisableInkball_1](./policy-csp-admx-tabletshell.md#admx-tabletshell-disableinkball_1) +- [ADMX_TabletShell/DisableNoteWriterPrinting_1](./policy-csp-admx-tabletshell.md#admx-tabletshell-disablenotewriterprinting_1) - [ADMX_Taskbar/DisableNotificationCenter](./policy-csp-admx-taskbar.md#admx-taskbar-disablenotificationcenter) - [ADMX_Taskbar/EnableLegacyBalloonNotifications](./policy-csp-admx-taskbar.md#admx-taskbar-enablelegacyballoonnotifications) - [ADMX_Taskbar/HideSCAHealth](./policy-csp-admx-taskbar.md#admx-taskbar-hidescahealth) @@ -1087,9 +1131,15 @@ ms.date: 10/08/2020 - [ADMX_tcpip/Teredo_Server_Name](./policy-csp-admx-tcpip.md#admx-tcpip-teredo-server-name) - [ADMX_tcpip/Teredo_State](./policy-csp-admx-tcpip.md#admx-tcpip-teredo-state) - [ADMX_tcpip/Windows_Scaling_Heuristics_State](./policy-csp-admx-tcpip.md#admx-tcpip-windows-scaling-heuristics-state) +- [ADMX_TerminalServer/TS_GATEWAY_POLICY_ENABLE](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_gateway_policy_enable) +- [ADMX_TerminalServer/TS_GATEWAY_POLICY_AUTH_METHOD](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_gateway_policy_auth_method) - [ADMX_Thumbnails/DisableThumbnails](./policy-csp-admx-thumbnails.md#admx-thumbnails-disablethumbnails) - [ADMX_Thumbnails/DisableThumbnailsOnNetworkFolders](./policy-csp-admx-thumbnails.md#admx-thumbnails-disablethumbnailsonnetworkfolders) - [ADMX_Thumbnails/DisableThumbsDBOnNetworkFolders](./policy-csp-admx-thumbnails.md#admx-thumbnails-disablethumbsdbonnetworkfolders) +- [ADMX_TouchInput/TouchInputOff_1](./policy-csp-admx-touchinput.md#admx-touchinput-touchinputoff_1) +- [ADMX_TouchInput/TouchInputOff_2](./policy-csp-admx-touchinput.md#admx-touchinput-touchinputoff_2) +- [ADMX_TouchInput/PanningEverywhereOff_1](./policy-csp-admx-touchinput.md#admx-touchinput-panningeverywhereoff_1) +- [ADMX_TouchInput/PanningEverywhereOff_2](./policy-csp-admx-touchinput.md#admx-touchinput-panningeverywhereoff_2) - [ADMX_TPM/BlockedCommandsList_Name](./policy-csp-admx-tpm.md#admx-tpm-blockedcommandslist-name) - [ADMX_TPM/ClearTPMIfNotReady_Name](./policy-csp-admx-tpm.md#admx-tpm-cleartpmifnotready-name) - [ADMX_TPM/IgnoreDefaultList_Name](./policy-csp-admx-tpm.md#admx-tpm-ignoredefaultlist-name) @@ -1241,9 +1291,10 @@ ms.date: 10/08/2020 - [ADMX_WCM/WCM_DisablePowerManagement](./policy-csp-admx-wcm.md#admx-wcm-wcm-disablepowermanagement) - [ADMX_WCM/WCM_EnableSoftDisconnect](./policy-csp-admx-wcm.md#admx-wcm-wcm-enablesoftdisconnect) - [ADMX_WCM/WCM_MinimizeConnections](./policy-csp-admx-wcm.md#admx-wcm-wcm-minimizeconnections) +- [ADMX_WDI/WdiDpsScenarioExecutionPolicy](./policy-csp-admx-wdi.md#admx-wdi-wdidpsscenarioexecutionpolicy) +- [ADMX_WDI/WdiDpsScenarioDataSizeLimitPolicy](./policy-csp-admx-wdi.md#admx-wdi-wdidpsscenariodatasizelimitpolicy) - [ADMX_WinCal/TurnOffWinCal_1](./policy-csp-admx-wincal.md#admx-wincal-turnoffwincal-1) - [ADMX_WinCal/TurnOffWinCal_2](./policy-csp-admx-wincal.md#admx-wincal-turnoffwincal-2) -- [ADMX_WindowsAnytimeUpgrade/Disabled](./policy-csp-admx-windowsanytimeupgrade.md#admx-windowsanytimeupgrade-disabled) - [ADMX_WindowsConnectNow/WCN_DisableWcnUi_1](./policy-csp-admx-windowsconnectnow.md#admx-windowsconnectnow-wcn-disablewcnui-1) - [ADMX_WindowsConnectNow/WCN_DisableWcnUi_2](./policy-csp-admx-windowsconnectnow.md#admx-windowsconnectnow-wcn-disablewcnui-2) - [ADMX_WindowsConnectNow/WCN_EnableRegistrar](./policy-csp-admx-windowsconnectnow.md#admx-windowsconnectnow-wcn-enableregistrar) @@ -1318,10 +1369,6 @@ ms.date: 10/08/2020 - [ADMX_WindowsExplorer/ShowSleepOption](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-showsleepoption) - [ADMX_WindowsExplorer/TryHarderPinnedLibrary](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-tryharderpinnedlibrary) - [ADMX_WindowsExplorer/TryHarderPinnedOpenSearch](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-tryharderpinnedopensearch) -- [ADMX_WindowsFileProtection/WFPShowProgress](./policy-csp-admx-windowsfileprotection.md#admx-windowsfileprotection-wfpshowprogress) -- [ADMX_WindowsFileProtection/WFPQuota](./policy-csp-admx-windowsfileprotection.md#admx-windowsfileprotection-wfpquota) -- [ADMX_WindowsFileProtection/WFPScan](./policy-csp-admx-windowsfileprotection.md#admx-windowsfileprotection-wfpscan) -- [ADMX_WindowsFileProtection/WFPDllCacheDir](./policy-csp-admx-windowsfileprotection.md#admx-windowsfileprotection-wfpdllcachedir) - [ADMX_WindowsMediaDRM/DisableOnline](./policy-csp-admx-windowsmediadrm.md#admx-windowsmediadrm-disableonline) - [ADMX_WindowsMediaPlayer/ConfigureHTTPProxySettings](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-configurehttpproxysettings) - [ADMX_WindowsMediaPlayer/ConfigureMMSProxySettings](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-configuremmsproxysettings) @@ -1364,6 +1411,10 @@ ms.date: 10/08/2020 - [ADMX_wlansvc/SetCost](./policy-csp-admx-wlansvc.md#admx-wlansvc-setcost) - [ADMX_wlansvc/SetPINEnforced](./policy-csp-admx-wlansvc.md#admx-wlansvc-setpinenforced) - [ADMX_wlansvc/SetPINPreferred](./policy-csp-admx-wlansvc.md#admx-wlansvc-setpinpreferred) +- [ADMX_WordWheel/CustomSearch](./policy-csp-admx-wordwheel.md#admx-wordwheel-customsearch) +- [ADMX_WorkFoldersClient/Pol_UserEnableTokenBroker](./policy-csp-admx-workfoldersclient.md#admx-workfoldersclient-pol_userenabletokenbroker) +- [ADMX_WorkFoldersClient/Pol_UserEnableWorkFolders](./policy-csp-admx-workfoldersclient.md#admx-workfoldersclient-pol_userenableworkfolders) +- [ADMX_WorkFoldersClient/Pol_MachineEnableWorkFolders](./policy-csp-admx-workfoldersclient.md#admx-workfoldersclient-pol_machineenableworkfolders) - [ADMX_WPN/NoCallsDuringQuietHours](./policy-csp-admx-wpn.md#admx-wpn-nocallsduringquiethours) - [ADMX_WPN/NoLockScreenToastNotification](./policy-csp-admx-wpn.md#admx-wpn-nolockscreentoastnotification) - [ADMX_WPN/NoQuietHours](./policy-csp-admx-wpn.md#admx-wpn-noquiethours) diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md index 507b737aa0..b312ee27f9 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md @@ -9,7 +9,7 @@ ms.prod: w10 ms.technology: windows author: manikadhiman ms.localizationpriority: medium -ms.date: 10/08/2020 +ms.date: 10/11/2021 --- # Policies in Policy CSP supported by HoloLens 2 @@ -51,6 +51,7 @@ ms.date: 10/08/2020 - [Experience/AllowCortana](policy-csp-experience.md#experience-allowcortana) - [Experience/AllowManualMDMUnenrollment](policy-csp-experience.md#experience-allowmanualmdmunenrollment) - [MixedReality/AADGroupMembershipCacheValidityInDays](./policy-csp-mixedreality.md#mixedreality-aadgroupmembershipcachevalidityindays) 9 +- [MixedReality/AutoLogonUser](./policy-csp-mixedreality.md#mixedreality-autologonuser) 10 - [MixedReality/BrightnessButtonDisabled](./policy-csp-mixedreality.md#mixedreality-brightnessbuttondisabled) 9 - [MixedReality/FallbackDiagnostics](./policy-csp-mixedreality.md#mixedreality-fallbackdiagnostics) 9 - [MixedReality/MicrophoneDisabled](./policy-csp-mixedreality.md#mixedreality-microphonedisabled) 9 @@ -101,7 +102,13 @@ ms.date: 10/08/2020 - [Update/ActiveHoursStart](./policy-csp-update.md#update-activehoursstart) 9 - [Update/AllowAutoUpdate](policy-csp-update.md#update-allowautoupdate) - [Update/AllowUpdateService](policy-csp-update.md#update-allowupdateservice) +- [Update/AutoRestartNotificationSchedule](policy-csp-update.md#update-autorestartnotificationschedule) 10 +- [Update/AutoRestartRequiredNotificationDismissal](policy-csp-update.md#update-autorestartrequirednotificationdismissal) 10 - [Update/BranchReadinessLevel](policy-csp-update.md#update-branchreadinesslevel) +- [Update/ConfigureDeadlineForFeatureUpdates](policy-csp-update.md#update-configuredeadlineforfeatureupdates) 10 +- [Update/ConfigureDeadlineForQualityUpdates](policy-csp-update.md#update-configuredeadlineforqualityupdates) 10 +- [Update/ConfigureDeadlineGracePeriod](policy-csp-update.md#update-configuredeadlinegraceperiod) 10 +- [Update/ConfigureDeadlineNoAutoReboot](policy-csp-update.md#update-configuredeadlinenoautoreboot) 10 - [Update/DeferFeatureUpdatesPeriodInDays](policy-csp-update.md#update-deferfeatureupdatesperiodindays) - [Update/DeferQualityUpdatesPeriodInDays](policy-csp-update.md#update-deferqualityupdatesperiodindays) - [Update/ManagePreviewBuilds](policy-csp-update.md#update-managepreviewbuilds) @@ -109,7 +116,10 @@ ms.date: 10/08/2020 - [Update/PauseQualityUpdates](policy-csp-update.md#update-pausequalityupdates) - [Update/ScheduledInstallDay](policy-csp-update.md#update-scheduledinstallday) - [Update/ScheduledInstallTime](policy-csp-update.md#update-scheduledinstalltime) +- [Update/ScheduleImminentRestartWarning](policy-csp-update.md#update-scheduleimminentrestartwarning) 10 +- [Update/ScheduleRestartWarning](policy-csp-update.md#update-schedulerestartwarning) 10 - [Update/SetDisablePauseUXAccess](policy-csp-update.md#update-setdisablepauseuxaccess) +- [Update/UpdateNotificationLevel](policy-csp-update.md#update-updatenotificationlevel) 10 - [Update/UpdateServiceUrl](policy-csp-update.md#update-updateserviceurl) - [Wifi/AllowManualWiFiConfiguration](policy-csp-wifi.md#wifi-allowmanualwificonfiguration) - [Wifi/AllowWiFi](policy-csp-wifi.md#wifi-allowwifi) 8 @@ -125,6 +135,7 @@ Footnotes: - 7 - Available in Windows 10, version 1909. - 8 - Available in Windows 10, version 2004. - 9 - Available in [Windows Holographic, version 20H2](/hololens/hololens-release-notes#windows-holographic-version-20h2) +- 10 - Available in [Windows Holographic, version 21H2](/hololens/hololens-release-notes#windows-holographic-version-21h2) ## Related topics diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index a4847a452f..acf05925b9 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -42,9 +42,25 @@ The Policy configuration service provider has the following sub-categories: > - **./Vendor/MSFT/Policy/Config/_AreaName/PolicyName_** to configure the policy. > - **./Vendor/MSFT/Policy/Result/_AreaName/PolicyName_** to get the result. -The following diagram shows the Policy configuration service provider in tree format as used by both Open Mobile Alliance Device Management (OMA DM) and OMA Client Provisioning. +The following shows the Policy configuration service provider in tree format as used by both Open Mobile Alliance Device Management (OMA DM) and OMA Client Provisioning. -![policy csp diagram.](images/provisioning-csp-policy.png) +```console +./Vendor/MSFT +Policy +-------Config +----------AreaName +-------------PolicyName +-------Result +----------AreaName +-------------PolicyName +-------ConfigOperations +----------ADMXInstall +-------------AppName +----------------Policy +------------------UniqueID +----------------Preference +------------------UniqueID +``` **./Vendor/MSFT/Policy** @@ -213,6 +229,23 @@ The following diagram shows the Policy configuration service provider in tree fo +### ADMX_AdmPwd policies + +

      +
      + ADMX_AdmPwd/POL_AdmPwd_DontAllowPwdExpirationBehindPolicy +
      +
      + ADMX_AdmPwd/POL_AdmPwd_Enabled +
      +
      + ADMX_AdmPwd/POL_AdmPwd_AdminName +
      +
      + ADMX_AdmPwd/POL_AdmPwd +
      +
      + ### ADMX_AppCompat policies
      @@ -747,6 +780,43 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
      +### ADMX_DiskNVCache policies + +
      +
      + ADMX_DiskNVCache/BootResumePolicy +
      +
      + ADMX_DiskNVCache/FeatureOffPolicy +
      +
      + ADMX_DiskNVCache/SolidStatePolicy +
      +
      + +### ADMX_DiskQuota policies + +
      +
      + ADMX_DiskQuota/DQ_RemovableMedia +
      +
      + ADMX_DiskQuota/DQ_Enable +
      +
      + ADMX_DiskQuota/DQ_Enforce +
      +
      + ADMX_DiskQuota/DQ_LogEventOverLimit +
      +
      + ADMX_DiskQuota/DQ_LogEventOverThreshold +
      +
      + ADMX_DiskQuota/DQ_Limit +
      +
      + ### ADMX_DistributedLinkTracking policies
      @@ -1578,6 +1648,26 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
      +### ADMX_iSCSI policies + +
      +
      + ADMX_iSCSI/iSCSIGeneral_RestrictAdditionalLogins +
      +
      + ADMX_iSCSI/iSCSIGeneral_ChangeIQNName +
      +
      + ADMX_iSCSI/iSCSISecurity_ChangeCHAPSecret +
      +
      + ### ADMX_kdc policies
      @@ -2354,6 +2444,26 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
      +### ADMX_MobilePCMobilityCenter policies +
      +
      + ADMX_MobilePCMobilityCenter/MobilityCenterEnable_1 +
      +
      + ADMX_MobilePCMobilityCenter/MobilityCenterEnable_2 +
      +
      + +### ADMX_MobilePCPresentationSettings policies +
      +
      + ADMX_MobilePCPresentationSettings/PresentationSettingsEnable_1 +
      +
      + ADMX_MobilePCPresentationSettings/PresentationSettingsEnable_2 +
      +
      + ### ADMX_MSAPolicy policies
      @@ -2463,6 +2573,13 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
      +### ADMX_MsiFileRecovery policies +
      +
      + ADMX_MsiFileRecovery/WdiScenarioExecutionPolicy +
      +
      + ### ADMX_nca policies
      @@ -2854,6 +2971,32 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
      +### ADMX_pca policies + +
      +
      + ADMX_pca/DetectDeprecatedCOMComponentFailuresPolicy +
      +
      + ADMX_pca/DetectDeprecatedComponentFailuresPolicy +
      +
      + ADMX_pca/DetectInstallFailuresPolicy +
      +
      + ADMX_pca/DetectUndetectedInstallersPolicy +
      +
      + ADMX_pca/DetectUpdateFailuresPolicy +
      +
      + ADMX_pca/DisablePcaUIPolicy +
      +
      + ADMX_pca/DetectBlockedDriversPolicy +
      +
      + ### ADMX_PeerToPeerCaching policies
      @@ -2886,6 +3029,17 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
      +### ADMX_PenTraining policies + +
      +
      + ADMX_PenTraining/PenTrainingOff_1 +
      +
      + ADMX_PenTraining/PenTrainingOff_2 +
      +
      + ### ADMX_PerformanceDiagnostics policies
      @@ -3000,6 +3154,35 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
      +### ADMX_PreviousVersions policies + +
      +
      + ADMX_PreviousVersions/DisableLocalPage_1 +
      +
      + ADMX_PreviousVersions/DisableLocalPage_2 +
      +
      + ADMX_PreviousVersions/DisableRemotePage_1 +
      +
      + ADMX_PreviousVersions/DisableRemotePage_2 +
      +
      + ADMX_PreviousVersions/HideBackupEntries_1 +
      +
      + ADMX_PreviousVersions/HideBackupEntries_2 +
      +
      + ADMX_PreviousVersions/DisableLocalRestore_1 +
      +
      + ADMX_PreviousVersions/DisableLocalRestore_2 +
      +
      + ### ADMX_Printing policies
      @@ -3329,6 +3512,14 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
      +### ADMX_sdiagschd policies + +
      +
      + ADMX_sdiagschd/ScheduledDiagnosticsExecutionPolicy +
      +
      + ### ADMX_sdiageng policies
      @@ -3371,6 +3562,23 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
      +### ADMX_ServerManager policies + +
      +
      + ADMX_ServerManager/Do_not_display_Manage_Your_Server_page +
      +
      + ADMX_ServerManager/ServerManagerAutoRefreshRate +
      +
      + ADMX_ServerManager/DoNotLaunchInitialConfigurationTasks +
      +
      + ADMX_ServerManager/DoNotLaunchServerManager +
      +
      + ### ADMX_Servicing policies
      @@ -3430,30 +3638,22 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
      -## ADMX_ShellCommandPromptRegEditTools policies +### ADMX_ShellCommandPromptRegEditTools policies
      - ADMX_ShellCommandPromptRegEditTools/DisableCMD + ADMX_ShellCommandPromptRegEditTools/DisallowApps
      ADMX_ShellCommandPromptRegEditTools/DisableRegedit
      - ADMX_ShellCommandPromptRegEditTools/DisallowApps + ADMX_ShellCommandPromptRegEditTools/DisableCMD
      - ADMX_ShellCommandPromptRegEditTools/RestrictApps + ADMX_ShellCommandPromptRegEditTools/RestrictApps
      -
      - -### ADMX_SkyDrive policies -
      -
      - ADMX_SkyDrive/PreventNetworkTrafficPreUserSignIn -
      -
      ### ADMX_Smartcard policies @@ -3521,6 +3721,8 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC ADMX_Snmp/SNMP_Traps_Public
      + +
      ### ADMX_StartMenu policies @@ -3736,6 +3938,17 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
      +### ADMX_TabletShell policies + +
      +
      + ADMX_TabletShell/DisableInkball_1 +
      +
      + ADMX_TabletShell/DisableNoteWriterPrinting_1 +
      +
      + ### ADMX_Taskbar policies
      @@ -3851,6 +4064,17 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
      +### ADMX_TerminalServer policies + +
      +
      + ADMX_TerminalServer/TS_GATEWAY_POLICY_ENABLE +
      +
      + ADMX_TerminalServer/TS_GATEWAY_POLICY_AUTH_METHOD +
      +
      + ### ADMX_Thumbnails policies
      @@ -3865,6 +4089,23 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
      +### ADMX_TouchInput policies + +
      +
      + ADMX_TouchInput/TouchInputOff_1 +
      +
      + ADMX_TouchInput/TouchInputOff_2 +
      +
      + ADMX_TouchInput/PanningEverywhereOff_1 +
      +
      + ADMX_TouchInput/PanningEverywhereOff_2 +
      +
      + ### ADMX_TPM policies
      @@ -4343,6 +4584,17 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
      +### ADMX_WDI Policies + +
      +
      + ADMX_WDI/WdiDpsScenarioExecutionPolicy +
      +
      + ADMX_WDI/WdiDpsScenarioDataSizeLimitPolicy +
      +
      + ### ADMX_WinCal policies
      @@ -4354,14 +4606,6 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
      -### ADMX_WindowsAnytimeUpgrade policies - -
      -
      - ADMX_WindowsAnytimeUpgrade/Disabled -
      -
      - ### ADMX_WindowsConnectNow policies
      @@ -4761,6 +5005,28 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
      +### ADMX_WordWheel policies + +
      +
      + ADMX_WordWheel/CustomSearch +
      +
      + +### ADMX_WorkFoldersClient policies + +
      +
      + ADMX_WorkFoldersClient/Pol_UserEnableTokenBroker +
      +
      + ADMX_WorkFoldersClient/Pol_UserEnableWorkFolders +
      +
      + ADMX_WorkFoldersClient/Pol_MachineEnableWorkFolders +
      +
      + ### ADMX_WPN policies
      @@ -8639,23 +8905,6 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
      -### ADMX_WindowsFileProtection policies - -
      -
      - ADMX_WindowsFileProtection/WFPShowProgress -
      -
      - ADMX_WindowsFileProtection/WFPQuota -
      -
      - ADMX_WindowsFileProtection/WFPScan -
      -
      - ADMX_WindowsFileProtection/WFPDllCacheDir -
      -
      - ### WindowsInkWorkspace policies
      diff --git a/windows/client-management/mdm/policy-csp-abovelock.md b/windows/client-management/mdm/policy-csp-abovelock.md index 23c1bb8142..c3d8c37963 100644 --- a/windows/client-management/mdm/policy-csp-abovelock.md +++ b/windows/client-management/mdm/policy-csp-abovelock.md @@ -40,29 +40,30 @@ manager: dansimp - - + + + - + + - - - - - + + - + + - - + + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark1
      Businesscheck mark1YesYes
      Enterprisecheck mark1YesYes
      Educationcheck mark1
      YesYes
      @@ -83,7 +84,7 @@ Added in Windows 10, version 1607. Specifies whether or not the user can intera ADMX Info: -- GP English name: *Allow Cortana above lock screen* +- GP Friendly name: *Allow Cortana above lock screen* - GP name: *AllowCortanaAboveLock* - GP path: *Windows Components/Search* - GP ADMX file name: *Search.admx* @@ -106,29 +107,25 @@ The following list shows the supported values: - - + + + - + - - - - - + - + - - +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark
      Businesscheck markYes, starting in Windows 10, version 1607Yes
      Enterprisecheck markYes, starting in Windows 10, version 1607Yes
      Educationcheck mark
      Yes, starting in Windows 10, version 1607Yes
      @@ -159,16 +156,5 @@ The following list shows the supported values:
      -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. - diff --git a/windows/client-management/mdm/policy-csp-accounts.md b/windows/client-management/mdm/policy-csp-accounts.md index 644ff6136e..ed466fe64a 100644 --- a/windows/client-management/mdm/policy-csp-accounts.md +++ b/windows/client-management/mdm/policy-csp-accounts.md @@ -42,36 +42,39 @@ manager: dansimp - - + + + - + + - - - - - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      Mobilecheck markYesYes
      Mobile Enterprisecheck markYesYes
      @@ -113,36 +116,44 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      Mobilecheck markYesYes
      Mobile Enterprisecheck markYesYes
      @@ -181,36 +192,44 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark2YesYes
      Businesscheck mark2YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      Mobilecheck mark2YesYes
      Mobile Enterprisecheck mark2YesYes
      @@ -246,15 +265,6 @@ The following list shows the supported values:
      -Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-activexcontrols.md b/windows/client-management/mdm/policy-csp-activexcontrols.md index 0ed2ddc357..95c9e7d80b 100644 --- a/windows/client-management/mdm/policy-csp-activexcontrols.md +++ b/windows/client-management/mdm/policy-csp-activexcontrols.md @@ -14,6 +14,12 @@ manager: dansimp # Policy CSP - ActiveXControls +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -36,29 +42,28 @@ manager: dansimp - - + + + - + - - - - - + + - + + - - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck mark
      YesYes
      @@ -83,12 +88,6 @@ If you disable or do not configure this policy setting, ActiveX controls prompt Note: Wild card characters cannot be used when specifying the host URLs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -101,16 +100,6 @@ ADMX Info:
      -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md b/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md index 67982daf0e..c574952e31 100644 --- a/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md +++ b/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md @@ -13,8 +13,14 @@ manager: dansimp --- # Policy CSP - ADMX_ActiveXInstallService -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +
      @@ -36,29 +42,28 @@ manager: dansimp - - - + + + - + + - - - - - + + - + + - - + +
      Windows EditionSupported?
      EditionWindows 10Windows 11
      Homecross markNoNo
      Procross mark
      Businesscross markYesYes
      Enterprisecheck markYesYes
      Educationcross mark
      YesYes
      @@ -74,7 +79,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the installation of ActiveX controls for sites in Trusted zone. +This policy setting controls the installation of ActiveX controls for sites in Trusted zone. If you enable this policy setting, ActiveX controls are installed according to the settings defined by this policy setting. @@ -86,12 +91,6 @@ If the trusted site uses the HTTPS protocol, this policy setting can also contro > This policy setting applies to all sites in Trusted zones. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -104,8 +103,6 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md b/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md index 0c7c4b543b..dfb1da857f 100644 --- a/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md +++ b/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md @@ -14,8 +14,13 @@ manager: dansimp # Policy CSP - ADMX_AddRemovePrograms -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +
      @@ -67,28 +72,16 @@ manager: dansimp - - + + + - + + - - - - - - - - - - - - - - - +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      @@ -106,7 +99,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. The policy setting specifies the category of programs that appears when users open the "Add New Programs" page. If you enable this setting, only the programs in the category you specify are displayed when the "Add New Programs" page opens. You can use the Category box on the "Add New Programs" page to display programs in other categories. +The policy setting specifies the category of programs that appears when users open the "Add New Programs" page. If you enable this setting, only the programs in the category you specify are displayed when the "Add New Programs" page opens. You can use the Category box on the "Add New Programs" page to display programs in other categories. To use this setting, type the name of a category in the Category box for this setting. You must enter a category that is already defined in Add or Remove Programs. To define a category, use Software Installation. @@ -116,12 +109,6 @@ If you disable this setting or do not configure it, all programs (Category: All) > This setting is ignored if either the "Remove Add or Remove Programs" setting or the "Hide Add New Programs page" setting is enabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -150,28 +137,30 @@ ADMX Info: - - + + + - + + - + + - - + + -
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross mark
      Enterprisecheck markYesYes
      Educationcross mark
      @@ -189,7 +178,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting removes the "Add a program from CD-ROM or floppy disk" section from the Add New Programs page. This prevents users from using Add or Remove Programs to install programs from removable media. +This policy setting removes the "Add a program from CD-ROM or floppy disk" section from the Add New Programs page. This prevents users from using Add or Remove Programs to install programs from removable media. If you disable this setting or do not configure it, the "Add a program from CD-ROM or floppy disk" option is available to all users. This setting does not prevent users from using other tools and methods to add or remove program components. @@ -197,12 +186,6 @@ If you disable this setting or do not configure it, the "Add a program from CD-R > If the "Hide Add New Programs page" setting is enabled, this setting is ignored. Also, if the "Prevent removable media source for any install" setting (located in User Configuration\Administrative Templates\Windows Components\Windows Installer) is enabled, users cannot add programs from removable media, regardless of this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -231,28 +214,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -270,7 +259,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting removes the "Add programs from Microsoft" section from the Add New Programs page. This setting prevents users from using Add or Remove Programs to connect to Windows Update. +This policy setting removes the "Add programs from Microsoft" section from the Add New Programs page. This setting prevents users from using Add or Remove Programs to connect to Windows Update. If you disable this setting or do not configure it, "Add programs from Microsoft" is available to all users. This setting does not prevent users from using other tools and methods to connect to Windows Update. @@ -278,12 +267,7 @@ If you disable this setting or do not configure it, "Add programs from Microsoft > If the "Hide Add New Programs page" setting is enabled, this setting is ignored. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -312,28 +296,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -351,7 +341,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from viewing or installing published programs. This setting removes the "Add programs from your network" section from the Add New Programs page. The "Add programs from your network" section lists published programs and provides an easy way to install them. Published programs are those programs that the system administrator has explicitly made available to the user with a tool such as Windows Installer. Typically, system administrators publish programs to notify users that the programs are available, to recommend their use, or to enable users to install them without having to search for installation files. +This policy setting prevents users from viewing or installing published programs. This setting removes the "Add programs from your network" section from the Add New Programs page. The "Add programs from your network" section lists published programs and provides an easy way to install them. Published programs are those programs that the system administrator has explicitly made available to the user with a tool such as Windows Installer. Typically, system administrators publish programs to notify users that the programs are available, to recommend their use, or to enable users to install them without having to search for installation files. If you enable this setting, users cannot tell which programs have been published by the system administrator, and they cannot use Add or Remove Programs to install published programs. However, they can still install programs by using other methods, and they can view and install assigned (partially installed) programs that are offered on the desktop or on the Start menu. @@ -361,12 +351,7 @@ If you disable this setting or do not configure it, "Add programs from your netw > If the "Hide Add New Programs page" setting is enabled, this setting is ignored. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -394,28 +379,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -433,17 +424,12 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting removes the Add New Programs button from the Add or Remove Programs bar. As a result, users cannot view or change the attached page. The Add New Programs button lets users install programs published or assigned by a system administrator. +This policy setting removes the Add New Programs button from the Add or Remove Programs bar. As a result, users cannot view or change the attached page. The Add New Programs button lets users install programs published or assigned by a system administrator. If you disable this setting or do not configure it, the Add New Programs button is available to all users. This setting does not prevent users from using other tools and methods to install programs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -472,28 +458,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -511,21 +503,16 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from using Add or Remove Programs. This setting removes Add or Remove Programs from Control Panel and removes the Add or Remove Programs item from menus. Add or Remove Programs lets users install, uninstall, repair, add, and remove features and components of Windows 2000 Professional and a wide variety of Windows programs. Programs published or assigned to the user appear in Add or Remove Programs. +This policy setting prevents users from using Add or Remove Programs. This setting removes Add or Remove Programs from Control Panel and removes the Add or Remove Programs item from menus. Add or Remove Programs lets users install, uninstall, repair, add, and remove features and components of Windows 2000 Professional and a wide variety of Windows programs. Programs published or assigned to the user appear in Add or Remove Programs. If you disable this setting or do not configure it, Add or Remove Programs is available to all users. When enabled, this setting takes precedence over the other settings in this folder. This setting does not prevent users from using other tools and methods to install or uninstall programs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP English name: *Remove Add or Remove Programs* +- GP Friendly name: *Remove Add or Remove Programs* - GP name: *NoAddRemovePrograms* - GP path: *Control Panel/Add or Remove Programs* - GP ADMX file name: *addremoveprograms.admx* @@ -550,28 +537,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -589,22 +582,17 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting removes the Set Program Access and Defaults button from the Add or Remove Programs bar. As a result, users cannot view or change the associated page. The Set Program Access and Defaults button lets administrators specify default programs for certain activities, such as Web browsing or sending e-mail, as well as which programs are accessible from the Start menu, desktop, and other locations. +This policy setting removes the Set Program Access and Defaults button from the Add or Remove Programs bar. As a result, users cannot view or change the associated page. The Set Program Access and Defaults button lets administrators specify default programs for certain activities, such as Web browsing or sending e-mail, as well as which programs are accessible from the Start menu, desktop, and other locations. If you disable this setting or do not configure it, the Set Program Access and Defaults button is available to all users. This setting does not prevent users from using other tools and methods to change program access or defaults. This setting does not prevent the Set Program Access and Defaults icon from appearing on the Start menu. See the "Remove Set Program Access and Defaults from Start menu" setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP English name: *Hide the Set Program Access and Defaults page* +- GP Friendly name: *Hide the Set Program Access and Defaults page* - GP name: *NoChooseProgramsPage* - GP path: *Control Panel/Add or Remove Programs* - GP ADMX file name: *addremoveprograms.admx* @@ -629,29 +617,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross mark
      YesYes
      @@ -668,21 +661,16 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting removes the Change or Remove Programs button from the Add or Remove Programs bar. As a result, users cannot view or change the attached page. The Change or Remove Programs button lets users uninstall, repair, add, or remove features of installed programs. +This policy setting removes the Change or Remove Programs button from the Add or Remove Programs bar. As a result, users cannot view or change the attached page. The Change or Remove Programs button lets users uninstall, repair, add, or remove features of installed programs. If you disable this setting or do not configure it, the Change or Remove Programs page is available to all users. This setting does not prevent users from using other tools and methods to delete or uninstall programs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP English name: *Hide Change or Remove Programs page* +- GP Friendly name: *Hide Change or Remove Programs page* - GP name: *NoRemovePage* - GP path: *Control Panel/Add or Remove Programs* - GP ADMX file name: *addremoveprograms.admx* @@ -707,28 +695,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -746,7 +740,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from using Add or Remove Programs to configure installed services. This setting removes the "Set up services" section of the Add/Remove Windows Components page. The "Set up services" section lists system services that have not been configured and offers users easy access to the configuration tools. +This policy setting prevents users from using Add or Remove Programs to configure installed services. This setting removes the "Set up services" section of the Add/Remove Windows Components page. The "Set up services" section lists system services that have not been configured and offers users easy access to the configuration tools. If you disable this setting or do not configure it, "Set up services" appears only when there are unconfigured system services. If you enable this setting, "Set up services" never appears. This setting does not prevent users from using other methods to configure services. @@ -754,16 +748,11 @@ If you disable this setting or do not configure it, "Set up services" appears on > When "Set up services" does not appear, clicking the Add/Remove Windows Components button starts the Windows Component Wizard immediately. Because the only remaining option on the Add/Remove Windows Components page starts the wizard, that option is selected automatically, and the page is bypassed. To remove "Set up services" and prevent the Windows Component Wizard from starting, enable the "Hide Add/Remove Windows Components page" setting. If the "Hide Add/Remove Windows Components page" setting is enabled, this setting is ignored. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP English name: *Go directly to Components Wizard* +- GP Friendly name: *Go directly to Components Wizard* - GP name: *NoServices* - GP path: *Control Panel/Add or Remove Programs* - GP ADMX file name: *addremoveprograms.admx* @@ -788,28 +777,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -827,7 +822,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting removes links to the Support Info dialog box from programs on the Change or Remove Programs page. Programs listed on the Change or Remove Programs page can include a "Click here for support information" hyperlink. When clicked, the hyperlink opens a dialog box that displays troubleshooting information, including a link to the installation files and data that users need to obtain product support, such as the Product ID and version number of the program. The dialog box also includes a hyperlink to support information on the Internet, such as the Microsoft Product Support Services Web page. +This policy setting removes links to the Support Info dialog box from programs on the Change or Remove Programs page. Programs listed on the Change or Remove Programs page can include a "Click here for support information" hyperlink. When clicked, the hyperlink opens a dialog box that displays troubleshooting information, including a link to the installation files and data that users need to obtain product support, such as the Product ID and version number of the program. The dialog box also includes a hyperlink to support information on the Internet, such as the Microsoft Product Support Services Web page. If you disable this setting or do not configure it, the Support Info hyperlink appears. @@ -835,16 +830,10 @@ If you disable this setting or do not configure it, the Support Info hyperlink a > Not all programs provide a support information hyperlink. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: -- GP English name: *Remove Support Information* +- GP Friendly name: *Remove Support Information* - GP name: *NoSupportInfo* - GP path: *Control Panel/Add or Remove Programs* - GP ADMX file name: *addremoveprograms.admx* @@ -869,28 +858,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -908,21 +903,16 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting removes the Add/Remove Windows Components button from the Add or Remove Programs bar. As a result, users cannot view or change the associated page. The Add/Remove Windows Components button lets users configure installed services and use the Windows Component Wizard to add, remove, and configure components of Windows from the installation files. +This policy setting removes the Add/Remove Windows Components button from the Add or Remove Programs bar. As a result, users cannot view or change the associated page. The Add/Remove Windows Components button lets users configure installed services and use the Windows Component Wizard to add, remove, and configure components of Windows from the installation files. If you disable this setting or do not configure it, the Add/Remove Windows Components button is available to all users. This setting does not prevent users from using other tools and methods to configure services or add or remove program components. However, this setting blocks user access to the Windows Component Wizard. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP English name: *Hide Add/Remove Windows Components page* +- GP Friendly name: *Hide Add/Remove Windows Components page* - GP name: *NoWindowsSetupPage* - GP path: *Control Panel/Add or Remove Programs* - GP ADMX file name: *addremoveprograms.admx* @@ -939,8 +929,6 @@ ADMX Info: -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-admpwd.md b/windows/client-management/mdm/policy-csp-admx-admpwd.md new file mode 100644 index 0000000000..19b22053f4 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-admpwd.md @@ -0,0 +1,299 @@ +--- +title: Policy CSP - ADMX_AdmPwd +description: Policy CSP - ADMX_AdmPwd +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 11/09/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_AdmPwd + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +
      + + +## ADMX_AdmPwd policies + +
      +
      + ADMX_AdmPwd/POL_AdmPwd_DontAllowPwdExpirationBehindPolicy +
      +
      + ADMX_AdmPwd/POL_AdmPwd_Enabled +
      +
      + ADMX_AdmPwd/POL_AdmPwd_AdminName +
      +
      + ADMX_AdmPwd/POL_AdmPwd +
      +
      + + +
      + + +**ADMX_AdmPwd/POL_AdmPwd_DontAllowPwdExpirationBehindPolicy** + + + + + + + + + + + + + + + + + + + + + + + + + + +
      EditionWindows 10Windows 11
      HomeNoNo
      ProYesYes
      EnterpriseYesYes
      EducationYesYes
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + + +When you enable this setting, planned password expiration longer than password age dictated by "Password Settings" policy is NOT allowed. When such expiration is detected, password is changed immediately and password expiration is set according to policy. + +When you disable or not configure this setting, password expiration time may be longer than required by "Password Settings" policy. + + + +ADMX Info: +- GP Friendly name: *Do not allow password expiration time longer than required by policy* +- GP name: *POL_AdmPwd_DontAllowPwdExpirationBehindPolicy* +- GP path: *Windows Components\AdmPwd* +- GP ADMX file name: *AdmPwd.admx* + + + +
      + + +**ADMX_AdmPwd/POL_AdmPwd_Enabled** + + + + + + + + + + + + + + + + + + + + + + + + + + +
      EditionWindows 10Windows 11
      HomeNoNo
      ProYesYes
      EnterpriseYesYes
      EducationYesYes
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + + +This policy enables the management of password for local administrator account + +If you enable this setting, local administrator password is managed. + +If you disable or not configure this setting, local administrator password is NOT managed. + + + +ADMX Info: +- GP Friendly name: *Enable local admin password management* +- GP name: *POL_AdmPwd_Enabled* +- GP path: *Windows Components\AdmPwd* +- GP ADMX file name: *AdmPwd.admx* + + + + +
      + + +**ADMX_AdmPwd/POL_AdmPwd_AdminName** + + + + + + + + + + + + + + + + + + + + + + + + + + +
      EditionWindows 10Windows 11
      HomeNoNo
      ProYesYes
      EnterpriseYesYes
      EducationYesYes
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + + +When you enable this setting, planned password expiration longer than password age dictated by "Password Settings" policy is NOT allowed. When such expiration is detected, password is changed immediately and password expiration is set according to policy. + +When you disable or not configure this setting, password expiration time may be longer than required by "Password Settings" policy. + + + + +ADMX Info: +- GP Friendly name: *Name of administrator account to manage* +- GP name: *POL_AdmPwd_AdminName* +- GP path: *Windows Components\AdmPwd* +- GP ADMX file name: *AdmPwd.admx* + + + + + +
      + + +**ADMX_AdmPwd/POL_AdmPwd** + + + + + + + + + + + + + + + + + + + + + + + + + + +
      EditionWindows 10Windows 11
      HomeNoNo
      ProYesYes
      EnterpriseYesYes
      EducationYesYes
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + + +This policy setting enables management of password for local administrator account + +If you enable this setting, local administrator password is managed + +If you disable or not configure this setting, local administrator password is NOT managed. + + + + + +ADMX Info: +- GP Friendly name: *Password Settings* +- GP name: *POL_AdmPwd* +- GP path: *Windows Components\AdmPwd* +- GP ADMX file name: *AdmPwd.admx* + + + + + + + diff --git a/windows/client-management/mdm/policy-csp-admx-appcompat.md b/windows/client-management/mdm/policy-csp-admx-appcompat.md index e145a37e11..110c13b38f 100644 --- a/windows/client-management/mdm/policy-csp-admx-appcompat.md +++ b/windows/client-management/mdm/policy-csp-admx-appcompat.md @@ -14,8 +14,12 @@ manager: dansimp # Policy CSP - ADMX_AppCompat -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -70,28 +74,32 @@ manager: dansimp - - + - + + - + + - + + - + + - + +
      Windows EditionSupported?Edition
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -108,7 +116,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether to prevent the MS-DOS subsystem (**ntvdm.exe**) from running on this computer. This setting affects the launching of 16-bit applications in the operating system. +This policy setting specifies whether to prevent the MS-DOS subsystem (**ntvdm.exe**) from running on this computer. This setting affects the launching of 16-bit applications in the operating system. You can use this setting to turn off the MS-DOS subsystem, which will reduce resource usage and prevent users from running 16-bit applications. To run any 16-bit application or any application with 16-bit components, **ntvdm.exe** must be allowed to run. The MS-DOS subsystem starts when the first 16-bit application is launched. While the MS-DOS subsystem is running, any subsequent 16-bit applications launch faster, but overall resource usage on the system is increased. @@ -122,12 +130,6 @@ If the status is set to Not Configured, the OS falls back on a local policy set > This setting appears only in Computer Configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -147,28 +149,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -185,7 +193,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the visibility of the Program Compatibility property page shell extension. This shell extension is visible on the property context-menu of any program shortcut or executable file. +This policy setting controls the visibility of the Program Compatibility property page shell extension. This shell extension is visible on the property context-menu of any program shortcut or executable file. The compatibility property page displays a list of options that can be selected and applied to the application to resolve the most common issues affecting legacy applications. @@ -193,12 +201,6 @@ Enabling this policy setting removes the property page from the context-menus, b -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -218,28 +220,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -256,7 +264,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. The policy setting controls the state of the Application Telemetry engine in the system. +The policy setting controls the state of the Application Telemetry engine in the system. Application Telemetry is a mechanism that tracks anonymous usage of specific Windows system components by applications. @@ -268,12 +276,6 @@ Disabling telemetry will take effect on any newly launched applications. To ensu -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -293,28 +295,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -331,7 +339,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. The policy setting controls the state of the Switchback compatibility engine in the system. +The policy setting controls the state of the Switchback compatibility engine in the system. Switchback is a mechanism that provides generic compatibility mitigations to older applications by providing older behavior to old applications and new behavior to new applications. @@ -344,12 +352,6 @@ If you disable or do not configure this policy setting, the Switchback will be t Reboot the system after changing the setting to ensure that your system accurately reflects those changes. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -369,29 +371,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross mark
      YesYes
      @@ -407,7 +414,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the state of the application compatibility engine in the system. +This policy setting controls the state of the application compatibility engine in the system. The engine is part of the loader and looks through a compatibility database every time an application is started on the system. If a match for the application is found it provides either run-time solutions or compatibility fixes, or displays an Application Help message if the application has a know problem. @@ -422,12 +429,6 @@ This option is useful to server administrators who require faster performance an -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -447,28 +448,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -485,16 +492,10 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting exists only for backward compatibility, and is not valid for this version of Windows. To configure the Program Compatibility Assistant, use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Administrative Templates\Windows Components\Application Compatibility. +This policy setting exists only for backward compatibility, and is not valid for this version of Windows. To configure the Program Compatibility Assistant, use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Administrative Templates\Windows Components\Application Compatibility. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -514,28 +515,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -552,7 +559,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the state of the Program Compatibility Assistant (PCA). The PCA monitors applications run by the user. When a potential compatibility issue with an application is detected, the PCA will prompt the user with recommended solutions. To configure the diagnostic settings for the PCA, go to System->Troubleshooting and Diagnostics->Application Compatibility Diagnostics. +This policy setting controls the state of the Program Compatibility Assistant (PCA). The PCA monitors applications run by the user. When a potential compatibility issue with an application is detected, the PCA will prompt the user with recommended solutions. To configure the diagnostic settings for the PCA, go to System->Troubleshooting and Diagnostics->Application Compatibility Diagnostics. If you enable this policy setting, the PCA will be turned off. The user will not be presented with solutions to known compatibility issues when running applications. Turning off the PCA can be useful for system administrators who require better performance and are already aware of application compatibility issues. @@ -563,12 +570,6 @@ If you disable or do not configure this policy setting, the PCA will be turned o -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -588,28 +589,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -626,7 +633,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the state of Steps Recorder. +This policy setting controls the state of Steps Recorder. Steps Recorder keeps a record of steps taken by the user. The data generated by Steps Recorder can be used in feedback systems such as Windows Error Reporting to help developers understand and fix problems. The data includes user actions such as keyboard input and mouse input, user interface data, and screenshots. Steps Recorder includes an option to turn on and off data collection. @@ -636,12 +643,6 @@ If you disable or do not configure this policy setting, Steps Recorder will be e -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -661,28 +662,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -699,7 +706,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the state of the Inventory Collector. +This policy setting controls the state of the Inventory Collector. The Inventory Collector inventories applications, files, devices, and drivers on the system and sends the information to Microsoft. This information is used to help diagnose compatibility problems. @@ -712,12 +719,6 @@ If you disable or do not configure this policy setting, the Inventory Collector -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -729,8 +730,6 @@ ADMX Info: -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md b/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md index f3aef0211f..4e924cb2a7 100644 --- a/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md +++ b/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_AppxPackageManager -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + + > [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -36,28 +41,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -74,7 +85,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage the deployment of Windows Store apps when the user is signed in using a special profile. +This policy setting allows you to manage the deployment of Windows Store apps when the user is signed in using a special profile. Special profiles are the following user profiles, where changes are discarded after the user signs off: @@ -88,12 +99,7 @@ If you enable this policy setting, Group Policy allows deployment operations (ad If you disable or do not configure this policy setting, Group Policy blocks deployment operations of Windows Store apps when using a special profile. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -106,7 +112,5 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-appxruntime.md b/windows/client-management/mdm/policy-csp-admx-appxruntime.md index c30dafd023..74860dbb38 100644 --- a/windows/client-management/mdm/policy-csp-admx-appxruntime.md +++ b/windows/client-management/mdm/policy-csp-admx-appxruntime.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_AppXRuntime -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -45,29 +50,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross mark
      YesYes
      @@ -83,19 +93,14 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting lets you turn on Content URI Rules to supplement the static Content URI Rules that were defined as part of the app manifest and apply to all Windows Store apps that use the enterpriseAuthentication capability on a computer. +This policy setting lets you turn on Content URI Rules to supplement the static Content URI Rules that were defined as part of the app manifest and apply to all Windows Store apps that use the enterpriseAuthentication capability on a computer. If you enable this policy setting, you can define additional Content URI Rules that all Windows Store apps that use the enterpriseAuthentication capability on a computer can use. If you disable or don't set this policy setting, Windows Store apps will only use the static Content URI Rules. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -114,28 +119,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -153,19 +164,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting lets you control whether Windows Store apps can open files using the default desktop app for a file type. Because desktop apps run at a higher integrity level than Windows Store apps, there is a risk that a Windows Store app might compromise the system by opening a file in the default desktop app for a file type. +This policy setting lets you control whether Windows Store apps can open files using the default desktop app for a file type. Because desktop apps run at a higher integrity level than Windows Store apps, there is a risk that a Windows Store app might compromise the system by opening a file in the default desktop app for a file type. If you enable this policy setting, Windows Store apps cannot open files in the default desktop app for a file type; they can open files only in other Windows Store apps. If you disable or do not configure this policy setting, Windows Store apps can open files in the default desktop app for a file type. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -184,28 +189,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -222,7 +233,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether Universal Windows apps with Windows Runtime API access directly from web content can be launched. +This policy setting controls whether Universal Windows apps with Windows Runtime API access directly from web content can be launched. If you enable this policy setting, Universal Windows apps which declare Windows Runtime API access in ApplicationContentUriRules section of the manifest cannot be launched; Universal Windows apps which have not declared Windows Runtime API access in the manifest are not affected. @@ -232,12 +243,6 @@ If you disable or do not configure this policy setting, all Universal Windows ap > This policy should not be enabled unless recommended by Microsoft as a security response because it can cause severe app compatibility issues. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -256,28 +261,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -295,7 +306,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting lets you control whether Windows Store apps can open URIs using the default desktop app for a URI scheme. Because desktop apps run at a higher integrity level than Windows Store apps, there is a risk that a URI scheme launched by a Windows Store app might compromise the system by launching a desktop app. +This policy setting lets you control whether Windows Store apps can open URIs using the default desktop app for a URI scheme. Because desktop apps run at a higher integrity level than Windows Store apps, there is a risk that a URI scheme launched by a Windows Store app might compromise the system by launching a desktop app. If you enable this policy setting, Windows Store apps cannot open URIs in the default desktop app for a URI scheme; they can open URIs only in other Windows Store apps. @@ -305,12 +316,6 @@ If you disable or do not configure this policy setting, Windows Store apps can o > Enabling this policy setting does not block Windows Store apps from opening the default desktop app for the http, https, and mailto URI schemes. The handlers for these URI schemes are hardened against URI-based vulnerabilities from untrusted sources, reducing the associated risk. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -323,8 +328,6 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md b/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md index 7a82136079..9ddc5dc7bc 100644 --- a/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md +++ b/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_AttachmentManager -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -48,28 +53,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -86,7 +97,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the logic that Windows uses to determine the risk for file attachments. +This policy setting allows you to configure the logic that Windows uses to determine the risk for file attachments. Preferring the file handler instructs Windows to use the file handler data over the file type data. For example, trust notepad.exe, but don't trust .txt files. @@ -99,12 +110,6 @@ If you disable this policy setting, Windows uses its default trust logic, which If you do not configure this policy setting, Windows uses its default trust logic, which prefers the file handler over the file type. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -123,28 +128,33 @@ ADMX Info: - - + + + - - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross mark
      NoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -161,7 +171,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage the default risk level for file types. To fully customize the risk level for file attachments, you may also need to configure the trust logic for file attachments. +This policy setting allows you to manage the default risk level for file types. To fully customize the risk level for file attachments, you may also need to configure the trust logic for file attachments. High Risk: If the attachment is in the list of high-risk file types and is from the restricted zone, Windows blocks the user from accessing the file. If the file is from the Internet zone, Windows prompts the user before accessing the file. @@ -176,12 +186,6 @@ If you disable this policy setting, Windows sets the default risk level to moder If you do not configure this policy setting, Windows sets the default risk level to moderate. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -200,28 +204,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -238,7 +248,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the list of high-risk file types. If the file attachment is in the list of high-risk file types and is from the restricted zone, Windows blocks the user from accessing the file. If the file is from the Internet zone, Windows prompts the user before accessing the file. This inclusion list takes precedence over the medium-risk and low-risk inclusion lists (where an extension is listed in more than one inclusion list). +This policy setting allows you to configure the list of high-risk file types. If the file attachment is in the list of high-risk file types and is from the restricted zone, Windows blocks the user from accessing the file. If the file is from the Internet zone, Windows prompts the user before accessing the file. This inclusion list takes precedence over the medium-risk and low-risk inclusion lists (where an extension is listed in more than one inclusion list). If you enable this policy setting, you can create a custom list of high-risk file types. @@ -247,12 +257,6 @@ If you disable this policy setting, Windows uses its built-in list of file types If you do not configure this policy setting, Windows uses its built-in list of high-risk file types. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -271,28 +275,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -309,7 +319,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the list of low-risk file types. If the attachment is in the list of low-risk file types, Windows will not prompt the user before accessing the file, regardless of the file's zone information. This inclusion list overrides the list of high-risk file types built into Windows and has a lower precedence than the high-risk or medium-risk inclusion lists (where an extension is listed in more than one inclusion list). +This policy setting allows you to configure the list of low-risk file types. If the attachment is in the list of low-risk file types, Windows will not prompt the user before accessing the file, regardless of the file's zone information. This inclusion list overrides the list of high-risk file types built into Windows and has a lower precedence than the high-risk or medium-risk inclusion lists (where an extension is listed in more than one inclusion list). If you enable this policy setting, you can specify file types that pose a low risk. @@ -318,12 +328,6 @@ If you disable this policy setting, Windows uses its default trust logic. If you do not configure this policy setting, Windows uses its default trust logic. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -342,28 +346,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -380,7 +390,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the list of moderate-risk file types. If the attachment is in the list of moderate-risk file types and is from the restricted or Internet zone, Windows prompts the user before accessing the file. This inclusion list overrides the list of potentially high-risk file types built into Windows and it takes precedence over the low-risk inclusion list but has a lower precedence than the high-risk inclusion list (where an extension is listed in more than one inclusion list). +This policy setting allows you to configure the list of moderate-risk file types. If the attachment is in the list of moderate-risk file types and is from the restricted or Internet zone, Windows prompts the user before accessing the file. This inclusion list overrides the list of potentially high-risk file types built into Windows and it takes precedence over the low-risk inclusion list but has a lower precedence than the high-risk inclusion list (where an extension is listed in more than one inclusion list). If you enable this policy setting, you can specify file types which pose a moderate risk. @@ -389,12 +399,6 @@ If you disable this policy setting, Windows uses its default trust logic. If you do not configure this policy setting, Windows uses its default trust logic. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -407,7 +411,5 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-auditsettings.md b/windows/client-management/mdm/policy-csp-admx-auditsettings.md index 56d9939332..5e4ce66ca3 100644 --- a/windows/client-management/mdm/policy-csp-admx-auditsettings.md +++ b/windows/client-management/mdm/policy-csp-admx-auditsettings.md @@ -12,9 +12,14 @@ ms.reviewer: manager: dansimp --- -# Policy CSP - ADMX_AuditSettings -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +# Policy CSP - ADMX_AuditSettings. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -36,28 +41,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -74,7 +85,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting determines what information is logged in security audit events when a new process has been created. This setting only applies when the Audit Process Creation policy is enabled. +This policy setting determines what information is logged in security audit events when a new process has been created. This setting only applies when the Audit Process Creation policy is enabled. If you enable this policy setting, the command line information for every process will be logged in plain text in the security event log as part of the Audit Process Creation event 4688, "a new process has been created," on the workstations and servers on which this policy setting is applied. @@ -86,12 +97,6 @@ Default is Not configured. > When this policy setting is enabled, any user with access to read the security events will be able to read the command line arguments for any successfully created process. Command line arguments can contain sensitive or private information, such as passwords or user data. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -104,8 +109,6 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-bits.md b/windows/client-management/mdm/policy-csp-admx-bits.md index 9a5fd957e7..db5b7fc71f 100644 --- a/windows/client-management/mdm/policy-csp-admx-bits.md +++ b/windows/client-management/mdm/policy-csp-admx-bits.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_Bits -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -75,28 +80,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -113,7 +124,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This setting affects whether the BITS client is allowed to use Windows Branch Cache. If the Windows Branch Cache component is installed and enabled on a computer, BITS jobs on that computer can use Windows Branch Cache by default. +This setting affects whether the BITS client is allowed to use Windows Branch Cache. If the Windows Branch Cache component is installed and enabled on a computer, BITS jobs on that computer can use Windows Branch Cache by default. If you enable this policy setting, the BITS client does not use Windows Branch Cache. @@ -121,14 +132,8 @@ If you disable or do not configure this policy setting, the BITS client uses Win > [!NOTE] > This policy setting does not affect the use of Windows Branch Cache by applications other than BITS. This policy setting does not apply to BITS transfers over SMB. This setting has no effect if the computer's administrative settings for Windows Branch Cache disable its use entirely. - + -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -147,28 +152,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -185,7 +196,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the computer will act as a BITS peer caching client. By default, when BITS peer caching is enabled, the computer acts as both a peer caching server (offering files to its peers) and a peer caching client (downloading files from its peers). +This policy setting specifies whether the computer will act as a BITS peer caching client. By default, when BITS peer caching is enabled, the computer acts as both a peer caching server (offering files to its peers) and a peer caching client (downloading files from its peers). If you enable this policy setting, the computer will no longer use the BITS peer caching feature to download files; files will be downloaded only from the origin server. However, the computer will still make files available to its peers. @@ -195,12 +206,7 @@ If you disable or do not configure this policy setting, the computer attempts to > This policy setting has no effect if the "Allow BITS peer caching" policy setting is disabled or not configured. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -219,28 +225,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -257,7 +269,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the computer will act as a BITS peer caching server. By default, when BITS peer caching is enabled, the computer acts as both a peer caching server (offering files to its peers) and a peer caching client (downloading files from its peers). +This policy setting specifies whether the computer will act as a BITS peer caching server. By default, when BITS peer caching is enabled, the computer acts as both a peer caching server (offering files to its peers) and a peer caching client (downloading files from its peers). If you enable this policy setting, the computer will no longer cache downloaded files and offer them to its peers. However, the computer will still download files from peers. @@ -267,12 +279,7 @@ If you disable or do not configure this policy setting, the computer will offer > This setting has no effect if the "Allow BITS peer caching" setting is disabled or not configured. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -292,28 +299,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -330,7 +343,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines if the Background Intelligent Transfer Service (BITS) peer caching feature is enabled on a specific computer. By default, the files in a BITS job are downloaded only from the origin server specified by the job's owner. +This policy setting determines if the Background Intelligent Transfer Service (BITS) peer caching feature is enabled on a specific computer. By default, the files in a BITS job are downloaded only from the origin server specified by the job's owner. If BITS peer caching is enabled, BITS caches downloaded files and makes them available to other BITS peers. When transferring a download job, BITS first requests the files for the job from its peers in the same IP subnet. If none of the peers in the subnet have the requested files, BITS downloads them from the origin server. @@ -339,12 +352,7 @@ If you enable this policy setting, BITS downloads files from peers, caches the f If you disable or do not configure this policy setting, the BITS peer caching feature will be disabled, and BITS will download files directly from the origin server. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -364,28 +372,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -402,7 +416,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting limits the network bandwidth that BITS uses for peer cache transfers (this setting does not affect transfers from the origin server). +This policy setting limits the network bandwidth that BITS uses for peer cache transfers (this setting does not affect transfers from the origin server). To prevent any negative impact to a computer caused by serving other peers, by default BITS will use up to 30 percent of the bandwidth of the slowest active network interface. For example, if a computer has both a 100 Mbps network card and a 56 Kbps modem, and both are active, BITS will use a maximum of 30 percent of 56 Kbps. @@ -416,12 +430,6 @@ If you disable this policy setting or do not configure it, the default value of > This setting has no effect if the "Allow BITS peer caching" policy setting is disabled or not configured. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -440,28 +448,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -478,7 +492,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting limits the network bandwidth that Background Intelligent Transfer Service (BITS) uses for background transfers during the maintenance days and hours. Maintenance schedules further limit the network bandwidth that is used for background transfers. +This policy setting limits the network bandwidth that Background Intelligent Transfer Service (BITS) uses for background transfers during the maintenance days and hours. Maintenance schedules further limit the network bandwidth that is used for background transfers. If you enable this policy setting, you can define a separate set of network bandwidth limits and set up a schedule for the maintenance period. @@ -490,12 +504,6 @@ If you disable or do not configure this policy setting, the limits defined for w > The bandwidth limits that are set for the maintenance period supersede any limits defined for work and other schedules. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -515,28 +523,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -553,7 +567,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting limits the network bandwidth that Background Intelligent Transfer Service (BITS) uses for background transfers during the work and non-work days and hours. The work schedule is defined using a weekly calendar, which consists of days of the week and hours of the day. All hours and days that are not defined in a work schedule are considered non-work hours. +This policy setting limits the network bandwidth that Background Intelligent Transfer Service (BITS) uses for background transfers during the work and non-work days and hours. The work schedule is defined using a weekly calendar, which consists of days of the week and hours of the day. All hours and days that are not defined in a work schedule are considered non-work hours. If you enable this policy setting, you can set up a schedule for limiting network bandwidth during both work and non-work hours. After the work schedule is defined, you can set the bandwidth usage limits for each of the three BITS background priority levels: high, normal, and low. @@ -562,12 +576,6 @@ You can specify a limit to use for background jobs during a work schedule. For e If you disable or do not configure this policy setting, BITS uses all available unused bandwidth for background job transfers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -587,28 +595,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -625,7 +639,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting limits the maximum amount of disk space that can be used for the BITS peer cache, as a percentage of the total system disk size. BITS will add files to the peer cache and make those files available to peers until the cache content reaches the specified cache size. By default, BITS will use 1 percent of the total system disk for the peercache. +This policy setting limits the maximum amount of disk space that can be used for the BITS peer cache, as a percentage of the total system disk size. BITS will add files to the peer cache and make those files available to peers until the cache content reaches the specified cache size. By default, BITS will use 1 percent of the total system disk for the peercache. If you enable this policy setting, you can enter the percentage of disk space to be used for the BITS peer cache. You can enter a value between 1 percent and 80 percent. @@ -635,12 +649,6 @@ If you disable or do not configure this policy setting, the default size of the > This policy setting has no effect if the "Allow BITS peer caching" setting is disabled or not configured. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -659,28 +667,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -707,12 +721,6 @@ If you disable or do not configure this policy setting, files that have not been > This policy setting has no effect if the "Allow BITS Peercaching" policy setting is disabled or not configured. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -731,28 +739,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -769,7 +783,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting limits the amount of time that Background Intelligent Transfer Service (BITS) will take to download the files in a BITS job. +This policy setting limits the amount of time that Background Intelligent Transfer Service (BITS) will take to download the files in a BITS job. The time limit applies only to the time that BITS is actively downloading files. When the cumulative download time exceeds this limit, the job is placed in the error state. @@ -780,12 +794,7 @@ If you enable this policy setting, you can set the maximum job download time to If you disable or do not configure this policy setting, the default value of 90 days (7,776,000 seconds) will be used. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -804,28 +813,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -842,7 +857,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting limits the number of files that a BITS job can contain. By default, a BITS job is limited to 200 files. You can use this setting to raise or lower the maximum number of files a BITS jobs can contain. +This policy setting limits the number of files that a BITS job can contain. By default, a BITS job is limited to 200 files. You can use this setting to raise or lower the maximum number of files a BITS jobs can contain. If you enable this policy setting, BITS will limit the maximum number of files a job can contain to the specified number. @@ -852,12 +867,7 @@ If you disable or do not configure this policy setting, BITS will use the defaul > BITS Jobs created by services and the local administrator account do not count toward this limit. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -876,28 +886,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -914,7 +930,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting limits the number of BITS jobs that can be created for all users of the computer. By default, BITS limits the total number of jobs that can be created on the computer to 300 jobs. You can use this policy setting to raise or lower the maximum number of user BITS jobs. +This policy setting limits the number of BITS jobs that can be created for all users of the computer. By default, BITS limits the total number of jobs that can be created on the computer to 300 jobs. You can use this policy setting to raise or lower the maximum number of user BITS jobs. If you enable this policy setting, BITS will limit the maximum number of BITS jobs to the specified number. @@ -924,12 +940,7 @@ If you disable or do not configure this policy setting, BITS will use the defaul > BITS jobs created by services and the local administrator account do not count toward this limit. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -948,28 +959,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -986,7 +1003,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting limits the number of BITS jobs that can be created by a user. By default, BITS limits the total number of jobs that can be created by a user to 60 jobs. You can use this setting to raise or lower the maximum number of BITS jobs a user can create. +This policy setting limits the number of BITS jobs that can be created by a user. By default, BITS limits the total number of jobs that can be created by a user to 60 jobs. You can use this setting to raise or lower the maximum number of BITS jobs a user can create. If you enable this policy setting, BITS will limit the maximum number of BITS jobs a user can create to the specified number. @@ -996,12 +1013,7 @@ If you disable or do not configure this policy setting, BITS will use the defaul > This limit must be lower than the setting specified in the "Maximum number of BITS jobs for this computer" policy setting, or 300 if the "Maximum number of BITS jobs for this computer" policy setting is not configured. BITS jobs created by services and the local administrator account do not count toward this limit. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1020,28 +1032,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1058,7 +1076,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting limits the number of ranges that can be added to a file in a BITS job. By default, files in a BITS job are limited to 500 ranges per file. You can use this setting to raise or lower the maximum number ranges per file. +This policy setting limits the number of ranges that can be added to a file in a BITS job. By default, files in a BITS job are limited to 500 ranges per file. You can use this setting to raise or lower the maximum number ranges per file. If you enable this policy setting, BITS will limit the maximum number of ranges that can be added to a file to the specified number. @@ -1068,12 +1086,7 @@ If you disable or do not configure this policy setting, BITS will limit ranges t > BITS Jobs created by services and the local administrator account do not count toward this limit. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1086,8 +1099,6 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md b/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md index 44e91fe2e9..514efdce81 100644 --- a/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md +++ b/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md @@ -14,8 +14,12 @@ manager: dansimp # Policy CSP - ADMX_CipherSuiteOrder -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -40,28 +44,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -78,7 +88,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting determines the cipher suites used by the Secure Socket Layer (SSL). +This policy setting determines the cipher suites used by the Secure Socket Layer (SSL). If you enable this policy setting, SSL cipher suites are prioritized in the order specified. @@ -87,12 +97,7 @@ If you disable or do not configure this policy setting, default cipher suite ord For information about supported cipher suites, see [Cipher Suites in TLS/SSL (Schannel SSP)](/windows/win32/secauthn/cipher-suites-in-schannel). -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -113,28 +118,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -151,7 +162,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines the priority order of ECC curves used with ECDHE cipher suites. +This policy setting determines the priority order of ECC curves used with ECDHE cipher suites. If you enable this policy setting, ECC curves are prioritized in the order specified. Enter one curve name per line. @@ -170,12 +181,6 @@ CertUtil.exe -DisplayEccCurve ``` -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -188,7 +193,5 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-com.md b/windows/client-management/mdm/policy-csp-admx-com.md index 13d4fabf45..abac5580d8 100644 --- a/windows/client-management/mdm/policy-csp-admx-com.md +++ b/windows/client-management/mdm/policy-csp-admx-com.md @@ -14,8 +14,12 @@ manager: dansimp # Policy CSP - ADMX_COM -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -40,28 +44,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -78,7 +88,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting directs the system to search Active Directory for missing Component Object Model (COM) components that a program requires. +This policy setting directs the system to search Active Directory for missing Component Object Model (COM) components that a program requires. Many Windows programs, such as the MMC snap-ins, use the interfaces provided by the COM components. These programs cannot perform all their functions unless Windows has internally registered the required components. @@ -89,12 +99,7 @@ If you disable or do not configure this policy setting, the program continues wi This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -115,28 +120,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -153,7 +164,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting directs the system to search Active Directory for missing Component Object Model (COM) components that a program requires. +This policy setting directs the system to search Active Directory for missing Component Object Model (COM) components that a program requires. Many Windows programs, such as the MMC snap-ins, use the interfaces provided by the COM components. These programs cannot perform all their functions unless Windows has internally registered the required components. @@ -164,12 +175,6 @@ If you disable or do not configure this policy setting, the program continues wi This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -182,7 +187,5 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-controlpanel.md b/windows/client-management/mdm/policy-csp-admx-controlpanel.md index 9dec30ad01..bdd6e7f313 100644 --- a/windows/client-management/mdm/policy-csp-admx-controlpanel.md +++ b/windows/client-management/mdm/policy-csp-admx-controlpanel.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_ControlPanel -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -45,28 +50,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -83,7 +94,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This setting allows you to display or hide specified Control Panel items, such as Mouse, System, or Personalization, from the Control Panel window and the Start screen. The setting affects the Start screen and Control Panel window, as well as other ways to access Control Panel items, such as shortcuts in Help and Support or command lines that use control.exe. This policy has no effect on items displayed in PC settings. +This setting allows you to display or hide specified Control Panel items, such as Mouse, System, or Personalization, from the Control Panel window and the Start screen. The setting affects the Start screen and Control Panel window, as well as other ways to access Control Panel items, such as shortcuts in Help and Support or command lines that use control.exe. This policy has no effect on items displayed in PC settings. If you enable this setting, you can select specific items not to display on the Control Panel window and the Start screen. @@ -98,12 +109,7 @@ If both the "Hide specified Control Panel items" setting and the "Show only spec > The Display Control Panel item cannot be hidden in the Desktop context menu by using this setting. To hide the Display Control Panel item and prevent users from modifying the computer's display settings use the "Disable Display Control Panel" setting instead. Note: To hide pages in the System Settings app, use the "Settings Page Visibility" setting under Computer Configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -122,28 +128,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -160,7 +172,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the default Control Panel view, whether by category or icons. +This policy setting controls the default Control Panel view, whether by category or icons. If this policy setting is enabled, the Control Panel opens to the icon view. @@ -172,12 +184,7 @@ If this policy setting is not configured, the Control Panel opens to the view us > Icon size is dependent upon what the user has set it to in the previous session. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -196,28 +203,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -253,12 +266,7 @@ This setting removes PC settings from: If users try to select a Control Panel item from the Properties item on a context menu, a message appears explaining that a setting prevents the action. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -277,28 +285,38 @@ ADMX Info: - - + + + - + + - + + + - + + + - + + + - + + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -315,7 +333,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls which Control Panel items such as Mouse, System, or Personalization, are displayed on the Control Panel window and the Start screen. The only items displayed in Control Panel are those you specify in this setting. This setting affects the Start screen and Control Panel, as well as other ways to access Control Panel items such as shortcuts in Help and Support or command lines that use control.exe. This policy has no effect on items displayed in PC settings. +This policy setting controls which Control Panel items such as Mouse, System, or Personalization, are displayed on the Control Panel window and the Start screen. The only items displayed in Control Panel are those you specify in this setting. This setting affects the Start screen and Control Panel, as well as other ways to access Control Panel items such as shortcuts in Help and Support or command lines that use control.exe. This policy has no effect on items displayed in PC settings. To display a Control Panel item, enable this policy setting and click Show to access the list of allowed Control Panel items. In the Show Contents dialog box in the Value column, enter the Control Panel item's canonical name. For example, enter Microsoft.Mouse, Microsoft.System, or Microsoft.Personalization. @@ -330,12 +348,6 @@ If both the "Hide specified Control Panel items" setting and the "Show only spec > To hide pages in the System Settings app, use the "Settings Page Visibility" setting under Computer Configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -348,7 +360,4 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. - \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md b/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md index f1f3907cbe..644cc93fd2 100644 --- a/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md +++ b/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_ControlPanelDisplay -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -105,28 +110,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -143,19 +154,14 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. Disables the Display Control Panel. +Disables the Display Control Panel. If you enable this setting, the Display Control Panel does not run. When users try to start Display, a message appears explaining that a setting prevents the action. Also, see the "Prohibit access to the Control Panel" (User Configuration\Administrative Templates\Control Panel) and "Remove programs on Settings menu" (User Configuration\Administrative Templates\Start Menu & Taskbar) settings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -174,28 +180,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -212,17 +229,12 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Removes the Settings tab from Display in Control Panel. +Removes the Settings tab from Display in Control Panel. This setting prevents users from using Control Panel to add, configure, or change the display settings on the computer. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -241,28 +253,40 @@ ADMX Info: - - + + + + - + + + - + + + - + + + - + + + - + + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -279,7 +303,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This setting forces the theme color scheme to be the default color scheme. +This setting forces the theme color scheme to be the default color scheme. If you enable this setting, a user cannot change the color scheme of the current desktop theme. @@ -288,12 +312,6 @@ If you disable or do not configure this setting, a user may change the color sch For Windows 7 and later, use the "Prevent changing color and appearance" setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -312,28 +330,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -350,7 +379,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This setting disables the theme gallery in the Personalization Control Panel. +This setting disables the theme gallery in the Personalization Control Panel. If you enable this setting, users cannot change or save a theme. Elements of a theme such as the desktop background, color, sounds, and screen saver can still be changed (unless policies are set to turn them off). @@ -360,12 +389,6 @@ If you disable or do not configure this setting, there is no effect. > If you enable this setting but do not specify a theme using the "load a specific theme" setting, the theme defaults to whatever the user previously set or the system default. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -384,28 +407,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -422,19 +456,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents users or applications from changing the visual style of the windows and buttons displayed on their screens. +Prevents users or applications from changing the visual style of the windows and buttons displayed on their screens. When enabled on Windows XP, this setting disables the "Windows and buttons" drop-down list on the Appearance tab in Display Properties. When enabled on Windows XP and later systems, this setting prevents users and applications from changing the visual style through the command line. Also, a user may not apply a different visual style when changing themes. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -453,28 +481,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -491,7 +530,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Enables desktop screen savers. +Enables desktop screen savers. If you disable this setting, screen savers do not run. Also, this setting disables the Screen Saver section of the Screen Saver dialog in the Personalization or Display Control Panel. As a result, users cannot change the screen saver options. @@ -502,12 +541,6 @@ If you enable it, a screen saver runs, provided the following two conditions hol Also, see the "Prevent changing Screen Saver" setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -526,28 +559,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -564,7 +608,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This setting allows you to force a specific default lock screen and logon image by entering the path (location) of the image file. The same image will be used for both the lock and logon screens. +This setting allows you to force a specific default lock screen and logon image by entering the path (location) of the image file. The same image will be used for both the lock and logon screens. This setting lets you specify the default lock screen and logon image shown when no user is signed in, and also sets the specified image as the default for all users (it replaces the inbox default image). @@ -575,12 +619,7 @@ This can be used in conjunction with the "Prevent changing lock screen and logon Note: This setting only applies to Enterprise, Education, and Server SKUs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -599,28 +638,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -637,19 +687,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents users from changing the size of the font in the windows and buttons displayed on their screens. +Prevents users from changing the size of the font in the windows and buttons displayed on their screens. If this setting is enabled, the "Font size" drop-down list on the Appearance tab in Display Properties is disabled. If you disable or do not configure this setting, a user may change the font size using the "Font size" drop-down list on the Appearance tab. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -668,28 +712,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -706,19 +761,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents users from changing the background image shown when the machine is locked or when on the logon screen. +Prevents users from changing the background image shown when the machine is locked or when on the logon screen. By default, users can change the background image shown when the machine is locked or displaying the logon screen. If you enable this setting, the user will not be able to change their lock screen and logon image, and they will instead see the default image. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -737,28 +786,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -775,7 +835,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents users from changing the look of their start menu background, such as its color or accent. +Prevents users from changing the look of their start menu background, such as its color or accent. By default, users can change the look of their start menu background, such as its color or accent. @@ -786,12 +846,6 @@ If the "Force a specific background and accent color" policy is also set on a su If the "Force a specific Start background" policy is also set on a supported version of Windows, then that background takes precedence over this policy. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -810,28 +864,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -848,7 +913,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Disables the Color (or Window Color) page in the Personalization Control Panel, or the Color Scheme dialog in the Display Control Panel on systems where the Personalization feature is not available. +Disables the Color (or Window Color) page in the Personalization Control Panel, or the Color Scheme dialog in the Display Control Panel on systems where the Personalization feature is not available. This setting prevents users from using Control Panel to change the window border and taskbar color (on Windows 8), glass color (on Windows Vista and Windows 7), system colors, or color scheme of the desktop and windows. @@ -857,12 +922,6 @@ If this setting is disabled or not configured, the Color (or Window Color) page For systems prior to Windows Vista, this setting hides the Appearance and Themes tabs in the in Display in Control Panel. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -881,28 +940,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -919,7 +989,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents users from adding or changing the background design of the desktop. +Prevents users from adding or changing the background design of the desktop. By default, users can use the Desktop Background page in the Personalization or Display Control Panel to add a background design (wallpaper) to their desktop. @@ -932,12 +1002,6 @@ Note: You must also enable the "Desktop Wallpaper" setting to prevent users from Also, see the "Allow only bitmapped wallpaper" setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -956,28 +1020,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -994,7 +1069,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents users from changing the desktop icons. +Prevents users from changing the desktop icons. By default, users can use the Desktop Icon Settings dialog in the Personalization or Display Control Panel to show, hide, or change the desktop icons. @@ -1003,12 +1078,6 @@ If you enable this setting, none of the desktop icons can be changed by the user For systems prior to Windows Vista, this setting also hides the Desktop tab in the Display Control Panel. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1027,28 +1096,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1072,12 +1152,6 @@ If you enable this policy setting, users that are not required to press CTRL + A If you disable or do not configure this policy setting, users that are not required to press CTRL + ALT + DEL before signing in will see a lock screen after locking their PC. They must dismiss the lock screen using touch, the keyboard, or by dragging it with the mouse. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1096,28 +1170,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1141,12 +1226,6 @@ By default, users can use the Pointers tab in the Mouse Control Panel to add, re If you enable this setting, none of the mouse pointer scheme settings can be changed by the user. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1165,28 +1244,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1203,17 +1293,11 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents the Screen Saver dialog from opening in the Personalization or Display Control Panel. +Prevents the Screen Saver dialog from opening in the Personalization or Display Control Panel. This setting prevents users from using Control Panel to add, configure, or change the screen saver on the computer. It does not prevent a screen saver from running. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1232,28 +1316,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1270,19 +1365,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents users from changing the sound scheme. +Prevents users from changing the sound scheme. By default, users can use the Sounds tab in the Sound Control Panel to add, remove, or change the system Sound Scheme. If you enable this setting, none of the Sound Scheme settings can be changed by the user. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1301,28 +1390,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1339,19 +1439,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Forces Windows to use the specified colors for the background and accent. The color values are specified in hex as #RGB. +Forces Windows to use the specified colors for the background and accent. The color values are specified in hex as #RGB. By default, users can change the background and accent colors. If this setting is enabled, the background and accent colors of Windows will be set to the specified colors and users cannot change those colors. This setting will not be applied if the specified colors do not meet a contrast ratio of 2:1 with white text. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1370,28 +1464,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1408,7 +1513,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Determines whether screen savers used on the computer are password protected. +Determines whether screen savers used on the computer are password protected. If you enable this setting, all screen savers are password protected. If you disable this setting, password protection cannot be set on any screen saver. @@ -1422,12 +1527,6 @@ To ensure that a computer will be password protected, enable the "Enable Screen > To remove the Screen Saver dialog, use the "Prevent changing Screen Saver" setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1446,28 +1545,38 @@ ADMX Info: - - + + + - + + - + + + - + + + - + + + - + + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1484,7 +1593,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Specifies how much user idle time must elapse before the screen saver is launched. +Specifies how much user idle time must elapse before the screen saver is launched. When configured, this idle time can be set from a minimum of 1 second to a maximum of 86,400 seconds, or 24 hours. If set to zero, the screen saver will not be started. @@ -1501,12 +1610,6 @@ This setting has no effect under any of the following circumstances: When not configured, whatever wait time is set on the client through the Screen Saver dialog in the Personalization or Display Control Panel is used. The default is 15 minutes. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1525,28 +1628,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1563,7 +1677,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Specifies the screen saver for the user's desktop. +Specifies the screen saver for the user's desktop. If you enable this setting, the system displays the specified screen saver on the user's desktop. Also, this setting disables the drop-down list of screen savers in the Screen Saver dialog in the Personalization or Display Control Panel, which prevents users from changing the screen saver. @@ -1577,12 +1691,6 @@ If the specified screen saver is not installed on a computer to which this setti > This setting can be superseded by the "Enable Screen Saver" setting. If the "Enable Screen Saver" setting is disabled, this setting is ignored, and screen savers do not run. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1601,28 +1709,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1646,12 +1765,6 @@ If you enable this setting, the theme that you specify will be applied when a ne If you disable or do not configure this setting, the default theme will be applied at the first logon. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1670,28 +1783,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1708,7 +1832,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This setting allows you to force a specific visual style file by entering the path (location) of the visual style file. +This setting allows you to force a specific visual style file by entering the path (location) of the visual style file. This can be a local computer visual style (aero.msstyles), or a file located on a remote server using a UNC path (\\Server\Share\aero.msstyles). @@ -1724,12 +1848,6 @@ If you disable or do not configure this setting, the users can select the visual > To select the Windows Classic visual style, leave the box blank beside "Path to Visual Style:" and enable this setting. When running Windows 8 or Windows RT, you cannot apply the Windows Classic visual style. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1748,28 +1866,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1786,19 +1915,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Forces the Start screen to use one of the available backgrounds, 1 through 20, and prevents the user from changing it. +Forces the Start screen to use one of the available backgrounds, 1 through 20, and prevents the user from changing it. If this setting is set to zero or not configured, then Start uses the default background, and users can change it. If this setting is set to a nonzero value, then Start uses the specified background, and users cannot change it. If the specified background is not supported, the default background is used. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1811,7 +1934,5 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-cpls.md b/windows/client-management/mdm/policy-csp-admx-cpls.md index 6ad7cad008..71ba7fb9c0 100644 --- a/windows/client-management/mdm/policy-csp-admx-cpls.md +++ b/windows/client-management/mdm/policy-csp-admx-cpls.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_Cpls -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -36,28 +41,39 @@ manager: dansimp - - + + + - + + + - + + + - + + + - + + + - + + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -74,7 +90,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting allows an administrator to standardize the account pictures for all users on a system to the default account picture. One application for this policy setting is to standardize the account pictures to a company logo. +This policy setting allows an administrator to standardize the account pictures for all users on a system to the default account picture. One application for this policy setting is to standardize the account pictures to a company logo. > [!NOTE] > The default account picture is stored at %PROGRAMDATA%\Microsoft\User Account Pictures\user.jpg. The default guest picture is stored at %PROGRAMDATA%\Microsoft\User Account Pictures\guest.jpg. If the default pictures do not exist, an empty frame is displayed. @@ -84,12 +100,7 @@ If you enable this policy setting, the default user account picture will display If you disable or do not configure this policy setting, users will be able to customize their account pictures. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -102,8 +113,6 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-credentialproviders.md b/windows/client-management/mdm/policy-csp-admx-credentialproviders.md index b7ed4ab54a..92d2b7cfc2 100644 --- a/windows/client-management/mdm/policy-csp-admx-credentialproviders.md +++ b/windows/client-management/mdm/policy-csp-admx-credentialproviders.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_CredentialProviders -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -42,28 +47,39 @@ manager: dansimp - - + + + - + + + - + + + - + + + - + + + - + + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -80,7 +96,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control whether a user can change the time before a password is required when a Connected Standby device screen turns off. +This policy setting allows you to control whether a user can change the time before a password is required when a Connected Standby device screen turns off. If you enable this policy setting, a user on a Connected Standby device can change the amount of time after the device's screen turns off before a password is required when waking the device. The time is limited by any EAS settings or Group Policies that affect the maximum idle time before a device locks. Additionally, if a password is required when a screensaver turns on, the screensaver timeout will limit the options the user may choose. @@ -91,12 +107,7 @@ If you don't configure this policy setting on a domain-joined device, a user can If you don't configure this policy setting on a workgroup device, a user on a Connected Standby device can change the amount of time after the device's screen turns off before a password is required when waking the device. The time is limited by any EAS settings or Group Policies that affect the maximum idle time before a device locks. Additionally, if a password is required when a screensaver turns on, the screensaver timeout will limit the options the user may choose. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -115,28 +126,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -153,7 +175,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows the administrator to assign a specified credential provider as the default credential provider. +This policy setting allows the administrator to assign a specified credential provider as the default credential provider. If you enable this policy setting, the specified credential provider is selected on other user tile. @@ -163,12 +185,6 @@ If you disable or do not configure this policy setting, the system picks the def > A list of registered credential providers and their GUIDs can be found in the registry at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -188,28 +204,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -226,7 +253,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows the administrator to exclude the specified credential providers from use during authentication. +This policy setting allows the administrator to exclude the specified credential providers from use during authentication. > [!NOTE] > Credential providers are used to process and validate user credentials during logon or when authentication is required. Windows Vista provides two default credential providers: Password and Smart Card. An administrator can install additional credential providers for different sets of credentials (for example, to support biometric authentication). @@ -236,12 +263,6 @@ If you enable this policy, an administrator can specify the CLSIDs of the creden If you disable or do not configure this policy, all installed and otherwise enabled credential providers are available for authentication purposes. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -254,9 +275,5 @@ ADMX Info:
      -> [!NOTE] -> These policies are for upcoming release. - - -These policies are currently only available as part of a Windows Insider release. \ No newline at end of file + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-credssp.md b/windows/client-management/mdm/policy-csp-admx-credssp.md index 04bbf46ba4..2c66db1203 100644 --- a/windows/client-management/mdm/policy-csp-admx-credssp.md +++ b/windows/client-management/mdm/policy-csp-admx-credssp.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_CredSsp -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -66,28 +71,38 @@ manager: dansimp - - + + + - + + + - + + + - + + + - + + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -104,7 +119,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). +This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). This policy setting applies when server authentication was achieved via NTLM. @@ -122,12 +137,7 @@ If you disable or do not configure (by default) this policy setting, delegation > - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -146,28 +156,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -184,7 +205,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). +This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). This policy setting applies when server authentication was achieved by using a trusted X509 certificate or Kerberos. @@ -207,12 +228,6 @@ https://go.microsoft.com/fwlink/?LinkId=301508 > - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -231,28 +246,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -269,7 +295,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the CredSSP component (for example: Remote Desktop Connection). +This policy setting applies to applications using the CredSSP component (for example: Remote Desktop Connection). Some versions of the CredSSP protocol are vulnerable to an encryption oracle attack against the client. This policy controls compatibility with vulnerable clients and servers. This policy allows you to set the level of protection desired for the encryption oracle vulnerability. @@ -287,12 +313,6 @@ If you enable this policy setting, CredSSP version support will be selected base For more information about the vulnerability and servicing requirements for protection, see https://go.microsoft.com/fwlink/?linkid=866660 -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -311,28 +331,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -349,7 +380,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). +This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). This policy setting applies when server authentication was achieved via a trusted X509 certificate or Kerberos. @@ -369,12 +400,6 @@ If you disable this policy setting, delegation of fresh credentials is not permi > - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -393,28 +418,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -431,7 +467,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). +This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). This policy setting applies when server authentication was achieved via NTLM. @@ -451,12 +487,6 @@ If you disable this policy setting, delegation of fresh credentials is not permi > - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in humanresources.fabrikam.com -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -475,28 +505,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -513,7 +554,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). +This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). This policy setting applies when server authentication was achieved via a trusted X509 certificate or Kerberos. @@ -533,12 +574,6 @@ If you disable this policy setting, delegation of saved credentials is not permi > - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in humanresources.fabrikam.com -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -557,28 +592,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -595,7 +641,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). +This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). This policy setting applies when server authentication was achieved via NTLM. @@ -615,12 +661,6 @@ If you disable this policy setting, delegation of saved credentials is not permi > - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in humanresources.fabrikam.com -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -639,28 +679,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -677,7 +728,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). +This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). If you enable this policy setting, you can specify the servers to which the user's default credentials cannot be delegated (default credentials are those that you use when first logging on to Windows). @@ -695,12 +746,6 @@ If you disable or do not configure (by default) this policy setting, this policy This policy setting can be used in combination with the "Allow delegating default credentials" policy setting to define exceptions for specific servers that are otherwise permitted when using wildcard characters in the "Allow delegating default credentials" server list. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -719,28 +764,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -757,7 +813,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). +This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). If you enable this policy setting, you can specify the servers to which the user's fresh credentials cannot be delegated (fresh credentials are those that you are prompted for when executing the application). @@ -775,12 +831,6 @@ If you disable or do not configure (by default) this policy setting, this policy This policy setting can be used in combination with the "Allow delegating fresh credentials" policy setting to define exceptions for specific servers that are otherwise permitted when using wildcard characters in the "Allow delegating fresh credentials" server list. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -799,28 +849,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -837,7 +898,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). +This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). If you enable this policy setting, you can specify the servers to which the user's saved credentials cannot be delegated (saved credentials are those that you elect to save/remember using the Windows credential manager). @@ -855,12 +916,6 @@ If you disable or do not configure (by default) this policy setting, this policy This policy setting can be used in combination with the "Allow delegating saved credentials" policy setting to define exceptions for specific servers that are otherwise permitted when using wildcard characters in the "Allow delegating saved credentials" server list. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -879,28 +934,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -917,7 +983,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. When running in Restricted Admin or Remote Credential Guard mode, participating apps do not expose signed in or supplied credentials to a remote host. Restricted Admin limits access to resources located on other servers or networks from the remote host because credentials are not delegated. Remote Credential Guard does not limit access to resources because it redirects all requests back to the client device. +When running in Restricted Admin or Remote Credential Guard mode, participating apps do not expose signed in or supplied credentials to a remote host. Restricted Admin limits access to resources located on other servers or networks from the remote host because credentials are not delegated. Remote Credential Guard does not limit access to resources because it redirects all requests back to the client device. Participating apps: Remote Desktop Client @@ -936,12 +1002,6 @@ If you disable or do not configure this policy setting, Restricted Admin and Rem > On Windows 8.1 and Windows Server 2012 R2, enabling this policy will enforce Restricted Administration mode, regardless of the mode chosen. These versions do not support Remote Credential Guard. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -954,8 +1014,6 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-credui.md b/windows/client-management/mdm/policy-csp-admx-credui.md index acb7942b92..b6e48f936c 100644 --- a/windows/client-management/mdm/policy-csp-admx-credui.md +++ b/windows/client-management/mdm/policy-csp-admx-credui.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_CredUI -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -39,28 +44,39 @@ manager: dansimp - - + + + - + + + - + + + - + + + - + + + - + + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -77,7 +93,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting requires the user to enter Microsoft Windows credentials using a trusted path, to prevent a Trojan horse or other types of malicious code from stealing the user’s Windows credentials. +This policy setting requires the user to enter Microsoft Windows credentials using a trusted path, to prevent a Trojan horse or other types of malicious code from stealing the user’s Windows credentials. > [!NOTE] > This policy affects nonlogon authentication tasks only. As a security best practice, this policy should be enabled. @@ -87,12 +103,6 @@ If you enable this policy setting, users will be required to enter Windows crede If you disable or do not configure this policy setting, users will enter Windows credentials within the user’s desktop session, potentially allowing malicious code access to the user’s Windows credentials. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -111,28 +121,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -152,12 +173,7 @@ ADMX Info: Available in the latest Windows 10 Insider Preview Build. If you turn this policy setting on, local users won’t be able to set up and use security questions to reset their passwords. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -168,10 +184,6 @@ ADMX Info: -
      - -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. - +< diff --git a/windows/client-management/mdm/policy-csp-admx-ctrlaltdel.md b/windows/client-management/mdm/policy-csp-admx-ctrlaltdel.md index b42e1e9ad0..0098e79df8 100644 --- a/windows/client-management/mdm/policy-csp-admx-ctrlaltdel.md +++ b/windows/client-management/mdm/policy-csp-admx-ctrlaltdel.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_CtrlAltDel -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -45,28 +50,39 @@ manager: dansimp - - + + + - + + + - + + + - + + + - + + + - + + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -83,19 +99,14 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from changing their Windows password on demand. +This policy setting prevents users from changing their Windows password on demand. If you enable this policy setting, the 'Change Password' button on the Windows Security dialog box will not appear when you press Ctrl+Alt+Del. However, users are still able to change their password when prompted by the system. The system prompts users for a new password when an administrator requires a new password or their password is expiring. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -115,28 +126,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -153,7 +175,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from locking the system. +This policy setting prevents users from locking the system. While locked, the desktop is hidden and the system cannot be used. Only the user who locked the system or the system administrator can unlock it. @@ -165,12 +187,6 @@ If you disable or do not configure this policy setting, users will be able to lo > To lock a computer without configuring a setting, press Ctrl+Alt+Delete, and then click Lock this computer. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -188,28 +204,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -226,7 +253,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from starting Task Manager. +This policy setting prevents users from starting Task Manager. Task Manager (**taskmgr.exe**) lets users start and stop programs, monitor the performance of their computers, view and monitor all programs running on their computers, including system services, find the executable names of programs, and change the priority of the process in which programs run. @@ -235,12 +262,6 @@ If you enable this policy setting, users will not be able to access Task Manager If you disable or do not configure this policy setting, users can access Task Manager to start and stop programs, monitor the performance of their computers, view and monitor all programs running on their computers, including system services, find the executable names of programs, and change the priority of the process in which programs run. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -259,28 +280,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -297,7 +329,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting disables or removes all menu items and buttons that log the user off the system. +This policy setting disables or removes all menu items and buttons that log the user off the system. If you enable this policy setting, users will not see the Log off menu item when they press Ctrl+Alt+Del. This will prevent them from logging off unless they restart or shutdown the computer, or clicking Log off from the Start menu. @@ -306,12 +338,6 @@ Also, see the 'Remove Logoff on the Start Menu' policy setting. If you disable or do not configure this policy setting, users can see and select the Log off menu item when they press Ctrl+Alt+Del. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -324,8 +350,6 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-datacollection.md b/windows/client-management/mdm/policy-csp-admx-datacollection.md index c2de3fdc86..3955a74bc1 100644 --- a/windows/client-management/mdm/policy-csp-admx-datacollection.md +++ b/windows/client-management/mdm/policy-csp-admx-datacollection.md @@ -13,14 +13,19 @@ manager: dansimp --- # Policy CSP - ADMX_DataCollection -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
      ## ADMX_DataCollection policies +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +
      ADMX_DataCollection/CommercialIdPolicy @@ -36,28 +41,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -74,19 +85,14 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting defines the identifier used to uniquely associate this device’s telemetry data as belonging to a given organization. +This policy setting defines the identifier used to uniquely associate this device’s telemetry data as belonging to a given organization. If your organization is participating in a program that requires this device to be identified as belonging to your organization then use this setting to provide that identification. The value for this setting will be provided by Microsoft as part of the onboarding process for the program. If you disable or do not configure this policy setting, then Microsoft will not be able to use this identifier to associate this machine and its telemetry data with your organization. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: diff --git a/windows/client-management/mdm/policy-csp-admx-dcom.md b/windows/client-management/mdm/policy-csp-admx-dcom.md index a7729ee3a4..fa77b55d96 100644 --- a/windows/client-management/mdm/policy-csp-admx-dcom.md +++ b/windows/client-management/mdm/policy-csp-admx-dcom.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_DCOM -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -93,12 +98,6 @@ If you do not configure this policy setting, DCOM will only look in the locally > This policy setting applies to all sites in Trusted zones. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -160,7 +159,7 @@ ADMX Info: -This policy setting allows you to view and change a list of DCOM server application IDs (appids), which are exempted from the DCOM Activation security check. +This policy setting allows you to view and change a list of DCOM server application IDs (app ids), which are exempted from the DCOM Activation security check. DCOM uses two such lists, one configured via Group Policy through this policy setting, and the other via the actions of local computer administrators. DCOM ignores the second list when this policy setting is configured, unless the "Allow local activation security check exemptions" policy is enabled. DCOM server application IDs added to this policy must be listed in curly brace format. @@ -169,15 +168,15 @@ For example, `{b5dcb061-cefb-42e0-a1be-e6a6438133fe}`. If you enter a non-existent or improperly formatted application ID DCOM will add it to the list without checking for errors. - If you enable this policy setting, you can view and change the list of DCOM activation security check exemptions defined by Group Policy settings. -If you add an application ID to this list and set its value to 1, DCOM will not enforce the Activation security check for that DCOM server. -If you add an application ID to this list and set its value to 0 DCOM will always enforce the Activation security check for that DCOM server regardless of local +If you add an application ID to this list and set its value to one, DCOM will not enforce the Activation security check for that DCOM server. +If you add an application ID to this list and set its value to zero DCOM will always enforce the Activation security check for that DCOM server regardless of local settings. - If you disable this policy setting, the application ID exemption list defined by Group Policy is deleted, and the one defined by local computer administrators is used. If you do not configure this policy setting, the application ID exemption list defined by local computer administrators is used. Notes: The DCOM Activation security check is done after a DCOM server process is started, but before an object activation request is dispatched to the server process. This access check is done against the DCOM server's custom launch permission security descriptor if it exists, or otherwise against the configured defaults. If the DCOM server's custom launch permission contains explicit DENY entries this may mean that object activations that would have previously succeeded for such specified users, once the DCOM server process was up and running, might now fail instead. -The proper action in this situation is to reconfigure the DCOM server's custom launch permission settings for correct security settings, but this policy setting may be used in the short-term as an application compatibility deployment aid. +The proper action in this situation is to reconfigure the DCOM server's custom launch permission settings for correct security settings, but this policy setting may be used in the short term as an application compatibility deployment aid. DCOM servers added to this exemption list are only exempted if their custom launch permissions do not contain specific LocalLaunch, RemoteLaunch, LocalActivate, or RemoteActivate grant or deny entries for any users or groups. > [!NOTE] @@ -187,12 +186,6 @@ DCOM servers added to this exemption list are only exempted if their custom laun > This policy setting applies to all sites in Trusted zones. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -205,8 +198,5 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. - diff --git a/windows/client-management/mdm/policy-csp-admx-desktop.md b/windows/client-management/mdm/policy-csp-admx-desktop.md index 4baa5a5da4..575e15bf06 100644 --- a/windows/client-management/mdm/policy-csp-admx-desktop.md +++ b/windows/client-management/mdm/policy-csp-admx-desktop.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_Desktop -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -120,28 +125,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -158,7 +169,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. Displays the filter bar above the results of an Active Directory search. The filter bar consists of buttons for applying additional filters to search results. +Displays the filter bar above the results of an Active Directory search. The filter bar consists of buttons for applying additional filters to search results. If you enable this setting, the filter bar appears when the Active Directory Find dialog box opens, but users can hide it. @@ -167,12 +178,7 @@ If you disable this setting or do not configure it, the filter bar does not appe To see the filter bar, open Network Locations, click Entire Network, and then click Directory. Right-click the name of a Windows domain, and click Find. Type the name of an object in the directory, such as "Administrator." If the filter bar does not appear above the resulting display, on the View menu, click Filter. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -191,28 +197,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -229,7 +241,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Hides the Active Directory folder in Network Locations. +Hides the Active Directory folder in Network Locations. The Active Directory folder displays Active Directory objects in a browse window. @@ -240,12 +252,7 @@ If you disable this setting or do not configure it, the Active Directory folder This setting is designed to let users search Active Directory but not tempt them to casually browse Active Directory. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -264,28 +271,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -302,7 +315,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Specifies the maximum number of objects the system displays in response to a command to browse or search Active Directory. This setting affects all browse displays associated with Active Directory, such as those in Local Users and Groups, Active Directory Users and Computers, and dialog boxes used to set permissions for user or group objects in Active Directory. +Specifies the maximum number of objects the system displays in response to a command to browse or search Active Directory. This setting affects all browse displays associated with Active Directory, such as those in Local Users and Groups, Active Directory Users and Computers, and dialog boxes used to set permissions for user or group objects in Active Directory. If you enable this setting, you can use the "Number of objects returned" box to limit returns from an Active Directory search. @@ -311,12 +324,7 @@ If you disable this setting or do not configure it, the system displays up to 10 This setting is designed to protect the network and the domain controller from the effect of expansive searches. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -335,28 +343,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -373,7 +387,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Enables Active Desktop and prevents users from disabling it. +Enables Active Desktop and prevents users from disabling it. This setting prevents users from trying to enable or disable Active Desktop while a policy controls it. @@ -383,12 +397,6 @@ If you disable this setting or do not configure it, Active Desktop is disabled b > If both the "Enable Active Desktop" setting and the "Disable Active Desktop" setting are enabled, the "Disable Active Desktop" setting is ignored. If the "Turn on Classic Shell" setting (in User Configuration\Administrative Templates\Windows Components\Windows Explorer) is enabled, Active Desktop is disabled, and both of these policies are ignored. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -407,28 +415,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -445,7 +459,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Disables Active Desktop and prevents users from enabling it. +Disables Active Desktop and prevents users from enabling it. This setting prevents users from trying to enable or disable Active Desktop while a policy controls it. @@ -455,12 +469,7 @@ If you disable this setting or do not configure it, Active Desktop is disabled b > If both the "Enable Active Desktop" setting and the "Disable Active Desktop" setting are enabled, the "Disable Active Desktop" setting is ignored. If the "Turn on Classic Shell" setting (in User Configuration\Administrative Templates\Windows Components\Windows Explorer) is enabled, Active Desktop is disabled, and both these policies are ignored. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -479,28 +488,33 @@ ADMX Info: - - + + + - + + - + + - + + - - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck mark
      YesYes
      Educationcross markYesYes
      @@ -517,17 +531,11 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents the user from enabling or disabling Active Desktop or changing the Active Desktop configuration. +Prevents the user from enabling or disabling Active Desktop or changing the Active Desktop configuration. This is a comprehensive setting that locks down the configuration you establish by using other policies in this folder. This setting removes the Web tab from Display in Control Panel. As a result, users cannot enable or disable Active Desktop. If Active Desktop is already enabled, users cannot add, remove, or edit Web content or disable, lock, or synchronize Active Desktop components. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -546,28 +554,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -584,19 +598,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Removes icons, shortcuts, and other default and user-defined items from the desktop, including Briefcase, Recycle Bin, Computer, and Network Locations. +Removes icons, shortcuts, and other default and user-defined items from the desktop, including Briefcase, Recycle Bin, Computer, and Network Locations. Removing icons and shortcuts does not prevent the user from using another method to start the programs or opening the items they represent. Also, see "Items displayed in Places Bar" in User Configuration\Administrative Templates\Windows Components\Common Open File Dialog to remove the Desktop icon from the Places Bar. This will help prevent users from saving data to the Desktop. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -615,28 +624,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -653,7 +668,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents users from using the Desktop Cleanup Wizard. +Prevents users from using the Desktop Cleanup Wizard. If you enable this setting, the Desktop Cleanup wizard does not automatically run on a users workstation every 60 days. The user will also not be able to access the Desktop Cleanup Wizard. @@ -663,12 +678,7 @@ If you disable this setting or do not configure it, the default behavior of the > When this setting is not enabled, users can run the Desktop Cleanup Wizard, or have it run automatically every 60 days from Display, by clicking the Desktop tab and then clicking the Customize Desktop button. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -687,28 +697,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -725,17 +741,12 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Removes the Internet Explorer icon from the desktop and from the Quick Launch bar on the taskbar. +Removes the Internet Explorer icon from the desktop and from the Quick Launch bar on the taskbar. This setting does not prevent the user from starting Internet Explorer by using other methods. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -754,28 +765,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -792,7 +809,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This setting hides Computer from the desktop and from the new Start menu. It also hides links to Computer in the Web view of all Explorer windows, and it hides Computer in the Explorer folder tree pane. If the user navigates into Computer via the "Up" button while this setting is enabled, they view an empty Computer folder. This setting allows administrators to restrict their users from seeing Computer in the shell namespace, allowing them to present their users with a simpler desktop environment. +This setting hides Computer from the desktop and from the new Start menu. It also hides links to Computer in the Web view of all Explorer windows, and it hides Computer in the Explorer folder tree pane. If the user navigates into Computer via the "Up" button while this setting is enabled, they view an empty Computer folder. This setting allows administrators to restrict their users from seeing Computer in the shell namespace, allowing them to present their users with a simpler desktop environment. If you enable this setting, Computer is hidden on the desktop, the new Start menu, the Explorer folder tree pane, and the Explorer Web views. If the user manages to navigate to Computer, the folder will be empty. @@ -804,12 +821,7 @@ If you do not configure this setting, the default is to display Computer as usua > In operating systems earlier than Microsoft Windows Vista, this policy applies to the My Computer icon. Hiding Computer and its contents does not hide the contents of the child folders of Computer. For example, if the users navigate into one of their hard drives, they see all of their folders and files there, even if this setting is enabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -828,29 +840,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross mark
      YesYes
      @@ -866,7 +883,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Removes most occurrences of the My Documents icon. +Removes most occurrences of the My Documents icon. This setting removes the My Documents icon from the desktop, from File Explorer, from programs that use the File Explorer windows, and from the standard Open dialog box. @@ -878,12 +895,6 @@ This setting does not remove the My Documents icon from the Start menu. To do so > To make changes to this setting effective, you must log off from and log back on to Windows 2000 Professional. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -902,28 +913,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -940,7 +957,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Removes the Network Locations icon from the desktop. +Removes the Network Locations icon from the desktop. This setting only affects the desktop icon. It does not prevent users from connecting to the network or browsing for shared computers on the network. @@ -948,12 +965,7 @@ This setting only affects the desktop icon. It does not prevent users from conne > In operating systems earlier than Microsoft Windows Vista, this policy applies to the My Network Places icon. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -972,28 +984,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1010,19 +1028,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This setting hides Properties on the context menu for Computer. +This setting hides Properties on the context menu for Computer. If you enable this setting, the Properties option will not be present when the user right-clicks My Computer or clicks Computer and then goes to the File menu. Likewise, Alt-Enter does nothing when Computer is selected. If you disable or do not configure this setting, the Properties option is displayed as usual. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1041,28 +1054,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1079,7 +1098,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting hides the Properties menu command on the shortcut menu for the My Documents icon. +This policy setting hides the Properties menu command on the shortcut menu for the My Documents icon. If you enable this policy setting, the Properties menu command will not be displayed when the user does any of the following: @@ -1090,12 +1109,7 @@ If you enable this policy setting, the Properties menu command will not be displ If you disable or do not configure this policy setting, the Properties menu command is displayed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1114,28 +1128,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1152,19 +1172,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Remote shared folders are not added to Network Locations whenever you open a document in the shared folder. +Remote shared folders are not added to Network Locations whenever you open a document in the shared folder. If you disable this setting or do not configure it, when you open a document in a remote shared folder, the system adds a connection to the shared folder to Network Locations. If you enable this setting, shared folders are not added to Network Locations automatically when you open a document in the shared folder. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1183,28 +1198,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1221,7 +1242,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Removes most occurrences of the Recycle Bin icon. +Removes most occurrences of the Recycle Bin icon. This setting removes the Recycle Bin icon from the desktop, from File Explorer, from programs that use the File Explorer windows, and from the standard Open dialog box. @@ -1231,12 +1252,6 @@ This setting does not prevent the user from using other methods to gain access t > To make changes to this setting effective, you must log off and then log back on. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1255,28 +1270,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1293,19 +1314,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Removes the Properties option from the Recycle Bin context menu. +Removes the Properties option from the Recycle Bin context menu. If you enable this setting, the Properties option will not be present when the user right-clicks on Recycle Bin or opens Recycle Bin and then clicks File. Likewise, Alt-Enter does nothing when Recycle Bin is selected. If you disable or do not configure this setting, the Properties option is displayed as usual. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1324,28 +1340,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1362,17 +1384,12 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents users from saving certain changes to the desktop. +Prevents users from saving certain changes to the desktop. If you enable this setting, users can change the desktop, but some changes, such as the position of open windows or the size and position of the taskbar, are not saved when users log off. However, shortcuts placed on the desktop are always saved. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1391,28 +1408,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1429,19 +1452,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents windows from being minimized or restored when the active window is shaken back and forth with the mouse. +Prevents windows from being minimized or restored when the active window is shaken back and forth with the mouse. If you enable this policy, application windows will not be minimized or restored when the active window is shaken back and forth with the mouse. If you disable or do not configure this policy, this window minimizing and restoring gesture will apply. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1460,28 +1477,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1498,7 +1521,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Specifies the desktop background ("wallpaper") displayed on all users' desktops. +Specifies the desktop background ("wallpaper") displayed on all users' desktops. This setting lets you specify the wallpaper on users' desktops and prevents users from changing the image or its presentation. The wallpaper you specify can be stored in a bitmap (*.bmp) or JPEG (*.jpg) file. @@ -1512,12 +1535,6 @@ Also, see the "Allow only bitmapped wallpaper" in the same location, and the "Pr > This setting does not apply to remote desktop server sessions. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1536,28 +1553,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1574,19 +1597,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents users from adding Web content to their Active Desktop. +Prevents users from adding Web content to their Active Desktop. This setting removes the "New" button from Web tab in Display in Control Panel. As a result, users cannot add Web pages or pictures from the Internet or an intranet to the desktop. This setting does not remove existing Web content from their Active Desktop, or prevent users from removing existing Web content. Also, see the "Disable all items" setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1605,28 +1622,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1643,7 +1666,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents users from removing Web content from their Active Desktop. +Prevents users from removing Web content from their Active Desktop. In Active Desktop, you can add items to the desktop but close them so they are not displayed. @@ -1653,12 +1676,7 @@ If you enable this setting, items added to the desktop cannot be closed; they al > This setting does not prevent users from deleting items from their Active Desktop. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1677,28 +1695,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1715,7 +1739,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents users from deleting Web content from their Active Desktop. +Prevents users from deleting Web content from their Active Desktop. This setting removes the Delete button from the Web tab in Display in Control Panel. As a result, users can temporarily remove, but not delete, Web content from their Active Desktop. @@ -1724,12 +1748,7 @@ This setting does not prevent users from adding Web content to their Active Desk Also, see the "Prohibit closing items" and "Disable all items" settings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1748,28 +1767,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1786,17 +1811,12 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents users from changing the properties of Web content items on their Active Desktop. +Prevents users from changing the properties of Web content items on their Active Desktop. This setting disables the Properties button on the Web tab in Display in Control Panel. Also, it removes the Properties item from the menu for each item on the Active Desktop. As a result, users cannot change the properties of an item, such as its synchronization schedule, password, or display characteristics. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1815,28 +1835,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1853,7 +1879,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Removes Active Desktop content and prevents users from adding Active Desktop content. +Removes Active Desktop content and prevents users from adding Active Desktop content. This setting removes all Active Desktop items from the desktop. It also removes the Web tab from Display in Control Panel. As a result, users cannot add Web pages or pictures from the Internet or an intranet to the desktop. @@ -1861,12 +1887,7 @@ This setting removes all Active Desktop items from the desktop. It also removes > This setting does not disable Active Desktop. Users can still use image formats, such as JPEG and GIF, for their desktop wallpaper. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1885,28 +1906,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1923,7 +1950,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Adds and deletes specified Web content items. +Adds and deletes specified Web content items. You can use the "Add" box in this setting to add particular Web-based items or shortcuts to users' desktops. Users can close or delete the items (if settings allow), but the items are added again each time the setting is refreshed. @@ -1936,12 +1963,7 @@ You can also use this setting to delete particular Web-based items from users' d > For this setting to take affect, you must log off and log on to the system. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1960,28 +1982,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1998,7 +2026,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents users from manipulating desktop toolbars. +Prevents users from manipulating desktop toolbars. If you enable this setting, users cannot add or remove toolbars from the desktop. Also, users cannot drag toolbars on to or off of docked toolbars. @@ -2011,12 +2039,7 @@ If you enable this setting, users cannot add or remove toolbars from the desktop Also, see the "Prohibit adjusting desktop toolbars" setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2035,28 +2058,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2073,7 +2102,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents users from adjusting the length of desktop toolbars. Also, users cannot reposition items or toolbars on docked toolbars. +Prevents users from adjusting the length of desktop toolbars. Also, users cannot reposition items or toolbars on docked toolbars. This setting does not prevent users from adding or removing toolbars on the desktop. @@ -2083,12 +2112,7 @@ This setting does not prevent users from adding or removing toolbars on the desk Also, see the "Prevent adding, dragging, dropping and closing the Taskbar's toolbars" setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2107,28 +2131,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2145,17 +2175,12 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Permits only bitmap images for wallpaper. This setting limits the desktop background ("wallpaper") to bitmap (.bmp) files. If users select files with other image formats, such as JPEG, GIF, PNG, or HTML, through the Browse button on the Desktop tab, the wallpaper does not load. Files that are autoconverted to a .bmp format, such as JPEG, GIF, and PNG, can be set as Wallpaper by right-clicking the image and selecting "Set as Wallpaper". +Permits only bitmap images for wallpaper. This setting limits the desktop background ("wallpaper") to bitmap (.bmp) files. If users select files with other image formats, such as JPEG, GIF, PNG, or HTML, through the Browse button on the Desktop tab, the wallpaper does not load. Files that are autoconverted to a .bmp format, such as JPEG, GIF, and PNG, can be set as Wallpaper by right-clicking the image and selecting "Set as Wallpaper". Also, see the "Desktop Wallpaper" and the "Prevent changing wallpaper" (in User Configuration\Administrative Templates\Control Panel\Display) settings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2168,7 +2193,5 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-devicecompat.md b/windows/client-management/mdm/policy-csp-admx-devicecompat.md index f53dd522fc..88df6490ae 100644 --- a/windows/client-management/mdm/policy-csp-admx-devicecompat.md +++ b/windows/client-management/mdm/policy-csp-admx-devicecompat.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_DeviceCompat -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -85,12 +89,6 @@ manager: dansimp Changes behavior of Microsoft bus drivers to work with specific devices. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -155,12 +153,6 @@ ADMX Info: Changes behavior of third-party drivers to work around incompatibilities introduced between OS versions. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: diff --git a/windows/client-management/mdm/policy-csp-admx-deviceguard.md b/windows/client-management/mdm/policy-csp-admx-deviceguard.md index 079455128a..f8f4ce600e 100644 --- a/windows/client-management/mdm/policy-csp-admx-deviceguard.md +++ b/windows/client-management/mdm/policy-csp-admx-deviceguard.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_DeviceGuard -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -95,12 +100,6 @@ If using a signed and protected policy then disabling this policy setting doesn' 2. Disable the setting and then remove the policy from each computer, with a physically present user. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -112,8 +111,6 @@ ADMX Info: -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-deviceinstallation.md b/windows/client-management/mdm/policy-csp-admx-deviceinstallation.md index 470b11eb3f..b8b64ce774 100644 --- a/windows/client-management/mdm/policy-csp-admx-deviceinstallation.md +++ b/windows/client-management/mdm/policy-csp-admx-deviceinstallation.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_DeviceInstallation -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -57,28 +62,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -95,19 +106,14 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to determine whether members of the Administrators group can install and update the drivers for any device, regardless of other policy settings. +This policy setting allows you to determine whether members of the Administrators group can install and update the drivers for any device, regardless of other policy settings. If you enable this policy setting, members of the Administrators group can use the Add Hardware wizard or the Update Driver wizard to install and update the drivers for any device. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. If you disable or do not configure this policy setting, members of the Administrators group are subject to all policy settings that restrict device installation. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -126,28 +132,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -164,19 +176,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to display a custom message to users in a notification when a device installation is attempted and a policy setting prevents the installation. +This policy setting allows you to display a custom message to users in a notification when a device installation is attempted and a policy setting prevents the installation. If you enable this policy setting, Windows displays the text you type in the Detail Text box when a policy setting prevents device installation. If you disable or do not configure this policy setting, Windows displays a default message when a policy setting prevents device installation. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -195,28 +202,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -233,19 +246,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to display a custom message title in a notification when a device installation is attempted and a policy setting prevents the installation. +This policy setting allows you to display a custom message title in a notification when a device installation is attempted and a policy setting prevents the installation. If you enable this policy setting, Windows displays the text you type in the Main Text box as the title text of a notification when a policy setting prevents device installation. If you disable or do not configure this policy setting, Windows displays a default title in a notification when a policy setting prevents device installation. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -264,28 +272,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -302,19 +316,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the number of seconds Windows waits for a device installation task to complete. +This policy setting allows you to configure the number of seconds Windows waits for a device installation task to complete. If you enable this policy setting, Windows waits for the number of seconds you specify before terminating the installation. If you disable or do not configure this policy setting, Windows waits 240 seconds for a device installation task to complete before terminating the installation. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -333,28 +342,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -371,7 +386,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting establishes the amount of time (in seconds) that the system will wait to reboot in order to enforce a change in device installation restriction policies. +This policy setting establishes the amount of time (in seconds) that the system will wait to reboot in order to enforce a change in device installation restriction policies. If you enable this policy setting, set the amount of seconds you want the system to wait until a reboot. @@ -380,12 +395,7 @@ If you disable or do not configure this policy setting, the system does not forc Note: If no reboot is forced, the device installation restriction right will not take effect until the system is restarted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -404,28 +414,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -442,18 +458,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent Windows from installing removable devices. A device is considered removable when the driver for the device to which it is connected indicates that the device is removable. For example, a Universal Serial Bus (USB) device is reported to be removable by the drivers for the USB hub to which the device is connected. This policy setting takes precedence over any other policy setting that allows Windows to install a device. +This policy setting allows you to prevent Windows from installing removable devices. A device is considered removable when the driver for the device to which it is connected indicates that the device is removable. For example, a Universal Serial Bus (USB) device is reported to be removable by the drivers for the USB hub to which the device is connected. This policy setting takes precedence over any other policy setting that allows Windows to install a device. If you enable this policy setting, Windows is prevented from installing removable devices and existing removable devices cannot have their drivers updated. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of removable devices from a remote desktop client to the remote desktop server. If you disable or do not configure this policy setting, Windows can install and update device drivers for removable devices as allowed or prevented by other policy settings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -472,28 +483,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -510,19 +527,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent Windows from creating a system restore point during device activity that would normally prompt Windows to create a system restore point. Windows normally creates restore points for certain driver activity, such as the installation of an unsigned driver. A system restore point enables you to more easily restore your system to its state before the activity. +This policy setting allows you to prevent Windows from creating a system restore point during device activity that would normally prompt Windows to create a system restore point. Windows normally creates restore points for certain driver activity, such as the installation of an unsigned driver. A system restore point enables you to more easily restore your system to its state before the activity. If you enable this policy setting, Windows does not create a system restore point when one would normally be created. If you disable or do not configure this policy setting, Windows creates a system restore point as it normally would. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -541,28 +553,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -579,7 +597,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies a list of device setup class GUIDs describing device drivers that non-administrator members of the built-in Users group may install on the system. +This policy setting specifies a list of device setup class GUIDs describing device drivers that non-administrator members of the built-in Users group may install on the system. If you enable this policy setting, members of the Users group may install new drivers for the specified device setup classes. The drivers must be signed according to Windows Driver Signing Policy, or be signed by publishers already in the TrustedPublisher store. @@ -587,12 +605,7 @@ If you disable or do not configure this policy setting, only members of the Admi -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -605,6 +618,4 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-devicesetup.md b/windows/client-management/mdm/policy-csp-admx-devicesetup.md index 8816d46b2e..17ee9b18a7 100644 --- a/windows/client-management/mdm/policy-csp-admx-devicesetup.md +++ b/windows/client-management/mdm/policy-csp-admx-devicesetup.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_DeviceSetup -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -39,28 +44,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -77,19 +88,14 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off "Found New Hardware" balloons during device installation. +This policy setting allows you to turn off "Found New Hardware" balloons during device installation. If you enable this policy setting, "Found New Hardware" balloons do not appear while a device is being installed. If you disable or do not configure this policy setting, "Found New Hardware" balloons appear while a device is being installed, unless the driver for the device suppresses the balloons. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -108,28 +114,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -146,7 +158,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the order in which Windows searches source locations for device drivers. +This policy setting allows you to specify the order in which Windows searches source locations for device drivers. If you enable this policy setting, you can select whether Windows searches for drivers on Windows Update unconditionally, only if necessary, or not at all. @@ -155,12 +167,6 @@ Note that searching always implies that Windows will attempt to search Windows U If you disable or do not configure this policy setting, members of the Administrators group can determine the priority order in which Windows searches source locations for device drivers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -173,7 +179,5 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-dfs.md b/windows/client-management/mdm/policy-csp-admx-dfs.md index fc3cdf1b1d..c025b09145 100644 --- a/windows/client-management/mdm/policy-csp-admx-dfs.md +++ b/windows/client-management/mdm/policy-csp-admx-dfs.md @@ -13,10 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_DFS -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. - +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -93,12 +96,6 @@ This value is specified in minutes. > The minimum value you can select is 15 minutes. If you try to set this setting to a value less than 15 minutes, the default value of 15 minutes is applied. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -111,8 +108,6 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-digitallocker.md b/windows/client-management/mdm/policy-csp-admx-digitallocker.md index b41032d0f8..e9379aa5be 100644 --- a/windows/client-management/mdm/policy-csp-admx-digitallocker.md +++ b/windows/client-management/mdm/policy-csp-admx-digitallocker.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_DigitalLocker -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -39,28 +44,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -77,7 +88,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether Digital Locker can run. +This policy setting specifies whether Digital Locker can run. Digital Locker is a dedicated download manager associated with Windows Marketplace and a feature of Windows that can be used to manage and download products acquired and stored in the user's Windows Marketplace Digital Locker. @@ -86,12 +97,7 @@ If you enable this setting, Digital Locker will not run. If you disable or do not configure this setting, Digital Locker can be run. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -110,28 +116,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?Editionwindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -148,7 +160,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether Digital Locker can run. +This policy setting specifies whether Digital Locker can run. Digital Locker is a dedicated download manager associated with Windows Marketplace and a feature of Windows that can be used to manage and download products acquired and stored in the user's Windows Marketplace Digital Locker. @@ -157,12 +169,7 @@ If you enable this setting, Digital Locker will not run. If you disable or do not configure this setting, Digital Locker can be run. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -175,8 +182,6 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-diskdiagnostic.md b/windows/client-management/mdm/policy-csp-admx-diskdiagnostic.md index eecf8264d6..7efb339a88 100644 --- a/windows/client-management/mdm/policy-csp-admx-diskdiagnostic.md +++ b/windows/client-management/mdm/policy-csp-admx-diskdiagnostic.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_DiskDiagnostic -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -96,12 +101,6 @@ The DPS can be configured with the Services snap-in to the Microsoft Management > For Windows Server systems, this policy setting applies only if the Desktop Experience optional component is installed and the Remote Desktop Services. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -179,12 +178,6 @@ This policy setting takes effect only when the DPS is in the running state. When > For Windows Server systems, this policy setting applies only if the Desktop Experience optional component is installed and the Remote Desktop Services role is not installed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -197,8 +190,6 @@ ADMX Info:
      -> [!NOTE] -> These policies are for upcoming release. diff --git a/windows/client-management/mdm/policy-csp-admx-disknvcache.md b/windows/client-management/mdm/policy-csp-admx-disknvcache.md new file mode 100644 index 0000000000..2c19a0ace8 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-disknvcache.md @@ -0,0 +1,266 @@ +--- +title: Policy CSP - ADMX_DiskNVCache +description: Policy CSP - ADMX_DiskNVCache +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 08/12/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_DiskNVCache + + +
      + + +## ADMX_DiskNVCache policies + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +
      +
      + ADMX_DiskNVCache/BootResumePolicy +
      +
      + ADMX_DiskNVCache/FeatureOffPolicy +
      +
      + ADMX_DiskNVCache/SolidStatePolicy +
      +
      + + +
      + + +**ADMX_DiskNVCache/BootResumePolicy** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      EditionWindows 10Windows 11
      HomeNoNo
      ProNoNo
      BusinessNoNo
      EnterpriseYesYes
      EducationYesYes
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +This policy setting turns off the boot and resume optimizations for the hybrid hard disks in the system. + +If you enable this policy setting, the system does not use the non-volatile (NV) cache to optimize boot and resume. + +If you disable this policy setting, the system uses the NV cache to achieve faster boot and resume. +The system determines the data that will be stored in the NV cache to optimize boot and resume. + +The required data is stored in the NV cache during shutdown and hibernate, respectively. This might cause a slight increase in the time taken for shutdown and hibernate. If you do not configure this policy setting, the default behavior is observed and the NV cache is used for boot and resume optimizations. + +This policy setting is applicable only if the NV cache feature is on. + + + + +ADMX Info: +- GP Friendly name: *Turn off boot and resume optimizations* +- GP name: *BootResumePolicy* +- GP path: *System\Disk NV Cache* +- GP ADMX file name: *DiskNVCache.admx* + + + +
      + +**ADMX_DiskNVCache/FeatureOffPolicy** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      EditionWindows 10Windows 11
      HomeNoNo
      ProNoNo
      BusinessNoNo
      EnterpriseYesYes
      EducationYesYes
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +This policy setting turns off all support for the non-volatile (NV) cache on all hybrid hard disks in the system. + +To check if you have hybrid hard disks in the system, from Device Manager, right-click the disk drive and select Properties. The NV cache can be used to optimize boot and resume by reading data from the cache while the disks are spinning up. The NV cache can also be used to reduce the power consumption of the system by keeping the disks spun down while satisfying reads and writes from the cache. + +If you enable this policy setting, the system will not manage the NV cache and will not enable NV cache power saving mode. + +If you disable this policy setting, the system will manage the NV cache on the disks if the other policy settings for the NV cache are appropriately configured. + +This policy setting will take effect on next boot. If you do not configure this policy setting, the default behavior is to turn on support for the NV cache. + + + + + + +ADMX Info: +- GP Friendly name: *Turn off non-volatile cache feature* +- GP name: *FeatureOffPolicy* +- GP path: *System\Disk NV Cache* +- GP ADMX file name: *DiskNVCache.admx* + + + + +
      + + +**ADMX_DiskNVCache/SolidStatePolicy** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      EditionWindows 10Windows 11
      HomeNoNo
      ProNoNo
      BusinessNoNo
      EnterpriseYesYes
      EducationYesYes
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +This policy setting turns off the solid state mode for the hybrid hard disks. + +If you enable this policy setting, frequently written files such as the file system metadata and registry may not be stored in the NV cache. + +If you disable this policy setting, the system will store frequently written data into the non-volatile (NV) cache. This allows the system to exclusively run out of the NV cache and power down the disk for longer periods to save power. + +This can cause increased wear of the NV cache. If you do not configure this policy setting, the default behavior of the system is observed and frequently written files will be stored in the NV cache. Note: This policy setting is applicable only if the NV cache feature is on. + + + + + +ADMX Info: +- GP Friendly name: *Turn off solid state mode* +- GP name: *SolidStatePolicy* +- GP path: *System\Disk NV Cache* +- GP ADMX file name: *DiskNVCache.admx* + + + + +
      + + + + diff --git a/windows/client-management/mdm/policy-csp-admx-diskquota.md b/windows/client-management/mdm/policy-csp-admx-diskquota.md new file mode 100644 index 0000000000..16ccbf1dce --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-diskquota.md @@ -0,0 +1,500 @@ +--- +title: Policy CSP - ADMX_DiskQuota +description: Policy CSP - ADMX_DiskQuota +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 08/12/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_DiskQuota + + +
      + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +## ADMX_DiskQuota policies + + +
      +
      + ADMX_DiskQuota/DQ_RemovableMedia +
      +
      + ADMX_DiskQuota/DQ_Enable +
      +
      + ADMX_DiskQuota/DQ_Enforce +
      +
      + ADMX_DiskQuota/DQ_LogEventOverLimit +
      +
      + ADMX_DiskQuota/DQ_LogEventOverThreshold +
      +
      + ADMX_DiskQuota/DQ_Limit +
      +
      + + +
      + + +**ADMX_DiskQuota/DQ_RemovableMedia** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      EditionWindows 10Windows 11
      HomeNoNo
      ProNoNo
      BusinessNoNo
      EnterpriseYesYes
      EducationYesYes
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +This policy setting extends the disk quota policies in this folder to NTFS file system volumes on the removable media. + +If you disable or do not configure this policy setting, the disk quota policies established in this folder apply to fixed-media NTFS volumes only. + +When this policy setting is applied, the computer will apply the disk quota to both fixed and removable media. + + + + +ADMX Info: +- GP Friendly name: *Apply policy to removable media* +- GP name: *DQ_RemovableMedia* +- GP path: *System\Disk Quotas* +- GP ADMX file name: *DiskQuota.admx* + + + + +
      + + +**ADMX_DiskQuota/DQ_Enable** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      EditionWindows 10Windows 11
      HomeNoNo
      ProNoNo
      BusinessNoNo
      EnterpriseYesYes
      EducationYesYes
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +This policy setting turns on and turns off disk quota management on all NTFS volumes of the computer, and prevents users from changing the setting. + +If you enable this policy setting, disk quota management is turned on, and users cannot turn it off. + +If you disable the policy setting, disk quota management is turned off, and users cannot turn it on. When this policy setting is not configured then the disk quota management is turned off by default, and the administrators can turn it on. + +To prevent users from changing the setting while a setting is in effect, the system disables the "Enable quota management" option on the Quota tab of NTFS volumes. + +This policy setting turns on disk quota management but does not establish or enforce a particular disk quota limit. + +To specify a disk quota limit, use the "Default quota limit and warning level" policy setting. Otherwise, the system uses the physical space on the volume as the quota limit. + +To turn on or turn off disk quota management without specifying a setting, in My Computer, right-click the name of an NTFS volume, click Properties, click the Quota tab, and then click "Enable quota management." + + + + +ADMX Info: +- GP Friendly name: *Enable disk quotas* +- GP name: *DQ_Enable* +- GP path: *System\Disk Quotas* +- GP ADMX file name: *DiskQuota.admx* + + + + +
      + + + +**ADMX_DiskQuota/DQ_Enforce** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      EditionWindows 10Windows 11
      HomeNoNo
      ProNoNo
      BusinessNoNo
      EnterpriseYesYes
      EducationYesYes
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +This policy setting determines whether disk quota limits are enforced and prevents users from changing the setting. + +If you enable this policy setting, disk quota limits are enforced. + +If you disable this policy setting, disk quota limits are not enforced. When you enable or disable this policy setting, the system disables the "Deny disk space to users exceed quota limit" option on the Quota tab. Therefore, the administrators cannot make changes while the setting is in effect. + +If you do not configure this policy setting, the disk quota limit is not enforced by default, but administrators can change the setting. Enforcement is optional. When users reach an enforced disk quota limit, the system responds as though the physical space on the volume were exhausted. When users reach an unenforced limit, their status in the Quota Entries window changes. However, the users can continue to write to the volume as long as physical space is available. + +This policy setting overrides user settings that enable or disable quota enforcement on their volumes. + +To specify a disk quota limit, use the "Default quota limit and warning level" policy setting. Otherwise, the system uses the physical space on the volume as the quota limit. + + + + +ADMX Info: +- GP Friendly name: *Enforce disk quota limit* +- GP name: *DQ_Enforce* +- GP path: *System\Disk Quotas* +- GP ADMX file name: *DiskQuota.admx* + + + + +
      + + + +**ADMX_DiskQuota/DQ_LogEventOverLimit** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      EditionWindows 10Windows 11
      HomeNoNo
      ProNoNo
      BusinessNoNo
      EnterpriseYesYes
      EducationYesYes
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +This policy setting determines whether the system records an event in the local Application log when users reach their disk quota limit on a volume, and prevents users from changing the logging setting. + +If you enable this policy setting, the system records an event when the user reaches their limit. + +If you disable this policy setting, no event is recorded. Also, when you enable or disable this policy setting, the system disables the "Log event when a user exceeds their quota limit" option on the Quota tab, so administrators cannot change the setting while a setting is in effect. If you do not configure this policy setting, no events are recorded, but administrators can use the Quota tab option to change the setting. + +This policy setting is independent of the enforcement policy settings for disk quotas. As a result, you can direct the system to log an event, regardless of whether or not you choose to enforce the disk quota limit. Also, this policy setting does not affect the Quota Entries window on the Quota tab. Even without the logged event, users can detect that they have reached their limit, because their status in the Quota Entries window changes. + +To find the logging option, in My Computer, right-click the name of an NTFS file system volume, click Properties, and then click the Quota tab. + + + + + +ADMX Info: +- GP Friendly name: *Log event when quota limit is exceeded* +- GP name: *DQ_LogEventOverLimit* +- GP path: *System\Disk Quotas* +- GP ADMX file name: *DiskQuota.admx* + + + +
      + + + +**ADMX_DiskQuota/DQ_LogEventOverThreshold** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      EditionWindows 10Windows 11
      HomeNoNo
      ProNoNo
      BusinessNoNo
      EnterpriseYesYes
      EducationYesYes
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +This policy setting determines whether the system records an event in the Application log when users reach their disk quota warning level on a volume. + +If you enable this policy setting, the system records an event. + +If you disable this policy setting, no event is recorded. When you enable or disable this policy setting, the system disables the corresponding "Log event when a user exceeds their warning level" option on the Quota tab so that administrators cannot change logging while a policy setting is in effect. + +If you do not configure this policy setting, no event is recorded, but administrators can use the Quota tab option to change the logging setting. This policy setting does not affect the Quota Entries window on the Quota tab. Even without the logged event, users can detect that they have reached their warning level because their status in the Quota Entries window changes. + +To find the logging option, in My Computer, right-click the name of an NTFS file system volume, click Properties, and then click the Quota tab. + + + + +ADMX Info: +- GP Friendly name: *Log event when quota warning level is exceeded* +- GP name: *DQ_LogEventOverThreshold* +- GP path: *System\Disk Quotas* +- GP ADMX file name: *DiskQuota.admx* + + + + +
      + + + +**ADMX_DiskQuota/DQ_Limit** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      EditionWindows 10Windows 11
      HomeNoNo
      ProNoNo
      BusinessNoNo
      EnterpriseYesYes
      EducationYesYes
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +This policy setting specifies the default disk quota limit and warning level for new users of the volume. +This policy setting determines how much disk space can be used by each user on each of the NTFS file system volumes on a computer. It also specifies the warning level, the point at which the user's status in the Quota Entries window changes to indicate that the user is approaching the disk quota limit. + +This setting overrides new users’ settings for the disk quota limit and warning level on their volumes, and it disables the corresponding options in the "Select the default quota limit for new users of this volume" section on the Quota tab. +This policy setting applies to all new users as soon as they write to the volume. It does not affect disk quota limits for current users, or affect customized limits and warning levels set for particular users (on the Quota tab in Volume Properties). + +If you disable or do not configure this policy setting, the disk space available to users is not limited. The disk quota management feature uses the physical space on each volume as its quota limit and warning level. When you select a limit, remember that the same limit applies to all users on all volumes, regardless of actual volume size. Be sure to set the limit and warning level so that it is reasonable for the range of volumes in the group. + +This policy setting is effective only when disk quota management is enabled on the volume. Also, if disk quotas are not enforced, users can exceed the quota limit you set. When users reach the quota limit, their status in the Quota Entries window changes, but users can continue to write to the volume. + + + + +ADMX Info: +- GP Friendly name: *Specify default quota limit and warning level* +- GP name: *DQ_Limit* +- GP path: *System\Disk Quotas* +- GP ADMX file name: *DiskQuota.admx* + + + + +
      + + + diff --git a/windows/client-management/mdm/policy-csp-admx-distributedlinktracking.md b/windows/client-management/mdm/policy-csp-admx-distributedlinktracking.md index 1151c3fbae..ed55f58aa5 100644 --- a/windows/client-management/mdm/policy-csp-admx-distributedlinktracking.md +++ b/windows/client-management/mdm/policy-csp-admx-distributedlinktracking.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_DistributedLinkTracking -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -36,28 +41,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -74,7 +85,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy specifies that Distributed Link Tracking clients in this domain may use the Distributed Link Tracking (DLT) server, which runs on domain controllers. +This policy specifies that Distributed Link Tracking clients in this domain may use the Distributed Link Tracking (DLT) server, which runs on domain controllers. The DLT client enables programs to track linked files that are moved within an NTFS volume, to another NTFS volume on the same computer, or to an NTFS volume on another computer. The DLT client can more reliably track links when allowed to use the DLT server. This policy should not be set unless the DLT server is running on all domain controllers in the domain. @@ -83,12 +94,6 @@ This policy should not be set unless the DLT server is running on all domain con > This policy setting applies to all sites in Trusted zones. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -101,8 +106,6 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-dnsclient.md b/windows/client-management/mdm/policy-csp-admx-dnsclient.md index 6d020b3a32..f1dc91e8d4 100644 --- a/windows/client-management/mdm/policy-csp-admx-dnsclient.md +++ b/windows/client-management/mdm/policy-csp-admx-dnsclient.md @@ -14,8 +14,12 @@ manager: dansimp # Policy CSP - ADMX_DnsClient -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -99,28 +103,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -137,19 +147,14 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies that NetBIOS over TCP/IP (NetBT) queries are issued for fully qualified domain names. +This policy setting specifies that NetBIOS over TCP/IP (NetBT) queries are issued for fully qualified domain names. If you enable this policy setting, NetBT queries will be issued for multi-label and fully qualified domain names, such as "www.example.com" in addition to single-label names. If you disable this policy setting, or if you do not configure this policy setting, NetBT queries will only be issued for single-label names, such as "example" and not for multi-label and fully qualified domain names. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -167,28 +172,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -205,7 +216,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies that computers may attach suffixes to an unqualified multi-label name before sending subsequent DNS queries if the original name query fails. +This policy setting specifies that computers may attach suffixes to an unqualified multi-label name before sending subsequent DNS queries if the original name query fails. A name containing dots, but not dot-terminated, is called an unqualified multi-label name, for example "server.corp" is an unqualified multi-label name. The name "server.corp.contoso.com." is an example of a fully qualified name because it contains a terminating dot. @@ -220,12 +231,6 @@ If you disable this policy setting, no suffixes are appended to unqualified mult If you do not configure this policy setting, computers will use their local DNS client settings to determine the query behavior for unqualified multi-label names. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -244,28 +249,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -282,19 +293,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies a connection-specific DNS suffix. This policy setting supersedes local connection-specific DNS suffixes, and those configured using DHCP. To use this policy setting, click Enabled, and then enter a string value representing the DNS suffix. +This policy setting specifies a connection-specific DNS suffix. This policy setting supersedes local connection-specific DNS suffixes, and those configured using DHCP. To use this policy setting, click Enabled, and then enter a string value representing the DNS suffix. If you enable this policy setting, the DNS suffix that you enter will be applied to all network connections used by computers that receive this policy setting. If you disable this policy setting, or if you do not configure this policy setting, computers will use the local or DHCP supplied connection specific DNS suffix, if configured. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -313,28 +319,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -351,7 +363,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies if the devolution level that DNS clients will use if they perform primary DNS suffix devolution during the name resolution process. +This policy setting specifies if the devolution level that DNS clients will use if they perform primary DNS suffix devolution during the name resolution process. With devolution, a DNS client creates queries by appending a single-label, unqualified domain name with the parent suffix of the primary DNS suffix name, and the parent of that suffix, and so on, stopping if the name is successfully resolved or at a level determined by devolution settings. Devolution can be used when a user or application submits a query for a single-label domain name. @@ -375,12 +387,7 @@ If you enable this policy setting and DNS devolution is also enabled, DNS client If you disable this policy setting or do not configure it, DNS clients use the default devolution level of two provided that DNS devolution is enabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -400,28 +407,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -438,19 +451,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the DNS client should convert internationalized domain names (IDNs) to Punycode when the computer is on non-domain networks with no WINS servers configured. +This policy setting specifies whether the DNS client should convert internationalized domain names (IDNs) to Punycode when the computer is on non-domain networks with no WINS servers configured. If this policy setting is enabled, IDNs are not converted to Punycode. If this policy setting is disabled, or if this policy setting is not configured, IDNs are converted to Punycode when the computer is on non-domain networks with no WINS servers configured. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -469,28 +477,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -507,19 +521,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the DNS client should convert internationalized domain names (IDNs) to the Nameprep form, a canonical Unicode representation of the string. +This policy setting specifies whether the DNS client should convert internationalized domain names (IDNs) to the Nameprep form, a canonical Unicode representation of the string. If this policy setting is enabled, IDNs are converted to the Nameprep form. If this policy setting is disabled, or if this policy setting is not configured, IDNs are not converted to the Nameprep form. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -538,28 +547,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -576,7 +591,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting defines the DNS servers to which a computer sends queries when it attempts to resolve names. This policy setting supersedes the list of DNS servers configured locally and those configured using DHCP. +This policy setting defines the DNS servers to which a computer sends queries when it attempts to resolve names. This policy setting supersedes the list of DNS servers configured locally and those configured using DHCP. To use this policy setting, click Enabled, and then enter a space-delimited list of IP addresses in the available field. To use this policy setting, you must enter at least one IP address. @@ -585,12 +600,7 @@ If you enable this policy setting, the list of DNS servers is applied to all net If you disable this policy setting, or if you do not configure this policy setting, computers will use the local or DHCP supplied list of DNS servers, if configured. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -609,28 +619,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -647,7 +663,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies that responses from link local name resolution protocols received over a network interface that is higher in the binding order are preferred over DNS responses from network interfaces lower in the binding order. Examples of link local name resolution protocols include link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT). +This policy setting specifies that responses from link local name resolution protocols received over a network interface that is higher in the binding order are preferred over DNS responses from network interfaces lower in the binding order. Examples of link local name resolution protocols include link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT). If you enable this policy setting, responses from link local protocols will be preferred over DNS responses if the local responses are from a network with a higher binding order. @@ -657,12 +673,6 @@ If you disable this policy setting, or if you do not configure this policy setti > This policy setting is applicable only if the turn off smart multi-homed name resolution policy setting is disabled or not configured. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -682,28 +692,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -720,7 +736,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the primary DNS suffix used by computers in DNS name registration and DNS name resolution. +This policy setting specifies the primary DNS suffix used by computers in DNS name registration and DNS name resolution. To use this policy setting, click Enabled and enter the entire primary DNS suffix you want to assign. For example: microsoft.com. @@ -733,12 +749,7 @@ You can use this policy setting to prevent users, including local administrators If you disable this policy setting, or if you do not configure this policy setting, each computer uses its local primary DNS suffix, which is usually the DNS name of Active Directory domain to which it is joined. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -757,28 +768,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -795,7 +812,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies if a computer performing dynamic DNS registration will register A and PTR resource records with a concatenation of its computer name and a connection-specific DNS suffix, in addition to registering these records with a concatenation of its computer name and the primary DNS suffix. +This policy setting specifies if a computer performing dynamic DNS registration will register A and PTR resource records with a concatenation of its computer name and a connection-specific DNS suffix, in addition to registering these records with a concatenation of its computer name and the primary DNS suffix. By default, a DNS client performing dynamic DNS registration registers A and PTR resource records with a concatenation of its computer name and the primary DNS suffix. For example, a computer name of mycomputer and a primary DNS suffix of microsoft.com will be registered as: mycomputer.microsoft.com. @@ -807,12 +824,7 @@ Important: This policy setting is ignored on a DNS client computer if dynamic DN If you disable this policy setting, or if you do not configure this policy setting, a DNS client computer will not register any A and PTR resource records using a connection-specific DNS suffix. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -831,28 +843,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -869,7 +887,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies if DNS client computers will register PTR resource records. +This policy setting specifies if DNS client computers will register PTR resource records. By default, DNS clients configured to perform dynamic DNS registration will attempt to register PTR resource record only if they successfully registered the corresponding A resource record. @@ -883,12 +901,7 @@ To use this policy setting, click Enabled, and then select one of the following If you disable this policy setting, or if you do not configure this policy setting, computers will use locally configured settings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -907,28 +920,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -945,19 +964,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies if DNS dynamic update is enabled. Computers configured for DNS dynamic update automatically register and update their DNS resource records with a DNS server. +This policy setting specifies if DNS dynamic update is enabled. Computers configured for DNS dynamic update automatically register and update their DNS resource records with a DNS server. If you enable this policy setting, or you do not configure this policy setting, computers will attempt to use dynamic DNS registration on all network connections that have connection-specific dynamic DNS registration enabled. For a dynamic DNS registration to be enabled on a network connection, the connection-specific configuration must allow dynamic DNS registration, and this policy setting must not be disabled. If you disable this policy setting, computers may not use dynamic DNS registration for any of their network connections, regardless of the configuration for individual network connections. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -976,28 +990,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1014,7 +1034,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether dynamic updates should overwrite existing resource records that contain conflicting IP addresses. +This policy setting specifies whether dynamic updates should overwrite existing resource records that contain conflicting IP addresses. This policy setting is designed for computers that register address (A) resource records in DNS zones that do not use Secure Dynamic Updates. Secure Dynamic Update preserves ownership of resource records and does not allow a DNS client to overwrite records that are registered by other computers. @@ -1025,12 +1045,7 @@ If you enable this policy setting or if you do not configure this policy setting If you disable this policy setting, existing A resource records that contain conflicting IP addresses will not be replaced during a dynamic update, and an error will be recorded in Event Viewer. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1049,28 +1064,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1087,7 +1108,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the interval used by DNS clients to refresh registration of A and PTR resource. This policy setting only applies to computers performing dynamic DNS updates. +This policy setting specifies the interval used by DNS clients to refresh registration of A and PTR resource. This policy setting only applies to computers performing dynamic DNS updates. Computers configured to perform dynamic DNS registration of A and PTR resource records periodically reregister their records with DNS servers, even if the record has not changed. This reregistration is required to indicate to DNS servers that records are current and should not be automatically removed (scavenged) when a DNS server is configured to delete stale records. @@ -1101,12 +1122,7 @@ If you enable this policy setting, registration refresh interval that you specif If you disable this policy setting, or if you do not configure this policy setting, computers will use the local or DHCP supplied setting. By default, client computers configured with a static IP address attempt to update their DNS resource records once every 24 hours and DHCP clients will attempt to update their DNS resource records when a DHCP lease is granted or renewed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1125,28 +1141,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1163,7 +1185,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the value of the time to live (TTL) field in A and PTR resource records that are registered by computers to which this policy setting is applied. +This policy setting specifies the value of the time to live (TTL) field in A and PTR resource records that are registered by computers to which this policy setting is applied. To specify the TTL, click Enabled and then enter a value in seconds (for example, 900 is 15 minutes). @@ -1172,12 +1194,7 @@ If you enable this policy setting, the TTL value that you specify will be applie If you disable this policy setting, or if you do not configure this policy setting, computers will use the TTL settings specified in DNS. By default, the TTL is 1200 seconds (20 minutes). -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1196,28 +1213,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1234,7 +1257,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the DNS suffixes to attach to an unqualified single-label name before submission of a DNS query for that name. +This policy setting specifies the DNS suffixes to attach to an unqualified single-label name before submission of a DNS query for that name. An unqualified single-label name contains no dots. The name "example" is a single-label name. This is different from a fully qualified domain name such as "example.microsoft.com." @@ -1247,12 +1270,7 @@ If you enable this policy setting, one DNS suffix is attached at a time for each If you disable this policy setting, or if you do not configure this policy setting, the primary DNS suffix and network connection-specific DNS suffixes are appended to the unqualified queries. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1272,28 +1290,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1310,19 +1334,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies that a multi-homed DNS client should optimize name resolution across networks. The setting improves performance by issuing parallel DNS, link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT) queries across all networks. In the event that multiple positive responses are received, the network binding order is used to determine which response to accept. +This policy setting specifies that a multi-homed DNS client should optimize name resolution across networks. The setting improves performance by issuing parallel DNS, link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT) queries across all networks. In the event that multiple positive responses are received, the network binding order is used to determine which response to accept. If you enable this policy setting, the DNS client will not perform any optimizations. DNS queries will be issued across all networks first. LLMNR queries will be issued if the DNS queries fail, followed by NetBT queries if LLMNR queries fail. If you disable this policy setting, or if you do not configure this policy setting, name resolution will be optimized when issuing DNS, LLMNR and NetBT queries. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1341,28 +1360,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1379,7 +1404,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies that the DNS client should prefer responses from link local name resolution protocols on non-domain networks over DNS responses when issuing queries for flat names. Examples of link local name resolution protocols include link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT). +This policy setting specifies that the DNS client should prefer responses from link local name resolution protocols on non-domain networks over DNS responses when issuing queries for flat names. Examples of link local name resolution protocols include link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT). If you enable this policy setting, the DNS client will prefer DNS responses, followed by LLMNR, followed by NetBT for all networks. @@ -1389,12 +1414,6 @@ If you disable this policy setting, or if you do not configure this policy setti > This policy setting is applicable only if the turn off smart multi-homed name resolution policy setting is disabled or not configured. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1413,28 +1432,33 @@ ADMX Info: - - + + + - - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross mark
      NoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1451,7 +1475,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the security level for dynamic DNS updates. +This policy setting specifies the security level for dynamic DNS updates. To use this policy setting, click Enabled and then select one of the following values: @@ -1464,12 +1488,7 @@ If you enable this policy setting, computers that attempt to send dynamic DNS up If you disable this policy setting, or if you do not configure this policy setting, computers will use local settings. By default, DNS clients attempt to use unsecured dynamic update first. If an unsecured update is refused, clients try to use secure update. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1488,28 +1507,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1526,7 +1551,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies if computers may send dynamic updates to zones with a single label name. These zones are also known as top-level domain zones, for example: "com." +This policy setting specifies if computers may send dynamic updates to zones with a single label name. These zones are also known as top-level domain zones, for example: "com." By default, a DNS client that is configured to perform dynamic DNS update will update the DNS zone that is authoritative for its DNS resource records unless the authoritative zone is a top-level domain or root zone. @@ -1535,12 +1560,7 @@ If you enable this policy setting, computers send dynamic updates to any zone th If you disable this policy setting, or if you do not configure this policy setting, computers do not send dynamic updates to the root zone or top-level domain zones that are authoritative for the resource records that the computer needs to update. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1559,28 +1579,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1597,7 +1623,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies if the DNS client performs primary DNS suffix devolution during the name resolution process. +This policy setting specifies if the DNS client performs primary DNS suffix devolution during the name resolution process. With devolution, a DNS client creates queries by appending a single-label, unqualified domain name with the parent suffix of the primary DNS suffix name, and the parent of that suffix, and so on, stopping if the name is successfully resolved or at a level determined by devolution settings. Devolution can be used when a user or application submits a query for a single-label domain name. @@ -1622,12 +1648,7 @@ If you enable this policy setting, or if you do not configure this policy settin If you disable this policy setting, DNS clients do not attempt to resolve names that are concatenations of the single-label name to be resolved and the devolved primary DNS suffix. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1646,28 +1667,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1684,7 +1711,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies that link local multicast name resolution (LLMNR) is disabled on client computers. +This policy setting specifies that link local multicast name resolution (LLMNR) is disabled on client computers. LLMNR is a secondary name resolution protocol. With LLMNR, queries are sent using multicast over a local network link on a single subnet from a client computer to another client computer on the same subnet that also has LLMNR enabled. LLMNR does not require a DNS server or DNS client configuration, and provides name resolution in scenarios in which conventional DNS name resolution is not possible. @@ -1693,12 +1720,7 @@ If you enable this policy setting, LLMNR will be disabled on all available netwo If you disable this policy setting, or you do not configure this policy setting, LLMNR will be enabled on all available network adapters. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1710,7 +1732,5 @@ ADMX Info: -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-dwm.md b/windows/client-management/mdm/policy-csp-admx-dwm.md index ad2161edfc..b8fc8128ce 100644 --- a/windows/client-management/mdm/policy-csp-admx-dwm.md +++ b/windows/client-management/mdm/policy-csp-admx-dwm.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_DWM -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -51,28 +56,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -89,7 +100,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the default color for window frames when the user does not specify a color. +This policy setting controls the default color for window frames when the user does not specify a color. If you enable this policy setting and specify a default color, this color is used in glass window frames, if the user does not specify a color. @@ -99,12 +110,6 @@ If you disable or do not configure this policy setting, the default internal col > This policy setting can be used in conjunction with the "Prevent color changes of window frames" setting, to enforce a specific color for window frames that cannot be changed by users. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -124,28 +129,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -162,7 +173,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the default color for window frames when the user does not specify a color. +This policy setting controls the default color for window frames when the user does not specify a color. If you enable this policy setting and specify a default color, this color is used in glass window frames, if the user does not specify a color. @@ -172,12 +183,7 @@ If you disable or do not configure this policy setting, the default internal col > This policy setting can be used in conjunction with the "Prevent color changes of window frames" setting, to enforce a specific color for window frames that cannot be changed by users. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -196,28 +202,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -234,7 +246,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the appearance of window animations such as those found when restoring, minimizing, and maximizing windows. +This policy setting controls the appearance of window animations such as those found when restoring, minimizing, and maximizing windows. If you enable this policy setting, window animations are turned off. @@ -243,12 +255,7 @@ If you disable or do not configure this policy setting, window animations are tu Changing this policy setting requires a logoff for it to be applied. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -267,28 +274,33 @@ ADMX Info: - - + + + - + + - + + - - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross mark
      NoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -305,7 +317,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the appearance of window animations such as those found when restoring, minimizing, and maximizing windows. +This policy setting controls the appearance of window animations such as those found when restoring, minimizing, and maximizing windows. If you enable this policy setting, window animations are turned off. @@ -314,12 +326,7 @@ If you disable or do not configure this policy setting, window animations are tu Changing this policy setting requires a logoff for it to be applied. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -338,28 +345,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -376,7 +389,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the ability to change the color of window frames. +This policy setting controls the ability to change the color of window frames. If you enable this policy setting, you prevent users from changing the default window frame color. @@ -386,12 +399,7 @@ If you disable or do not configure this policy setting, you allow users to chang > This policy setting can be used in conjunction with the "Specify a default color for window frames" policy setting, to enforce a specific color for window frames that cannot be changed by users. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -410,28 +418,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -448,7 +462,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the ability to change the color of window frames. +This policy setting controls the ability to change the color of window frames. If you enable this policy setting, you prevent users from changing the default window frame color. @@ -458,12 +472,6 @@ If you disable or do not configure this policy setting, you allow users to chang > This policy setting can be used in conjunction with the "Specify a default color for window frames" policy setting, to enforce a specific color for window frames that cannot be changed by users. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -476,7 +484,5 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-eaime.md b/windows/client-management/mdm/policy-csp-admx-eaime.md index 454bd47f86..f339803e93 100644 --- a/windows/client-management/mdm/policy-csp-admx-eaime.md +++ b/windows/client-management/mdm/policy-csp-admx-eaime.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_EAIME -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -69,29 +74,33 @@ manager: dansimp - - + + + - + + - + + - - + + - + + - - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross mark
      NoNo
      Enterprisecheck markYesYes
      Educationcross mark
      YesYes
      @@ -107,7 +116,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to include the Non-Publishing Standard Glyph in the candidate list when Publishing Standard Glyph for the word exists. +This policy setting allows you to include the Non-Publishing Standard Glyph in the candidate list when Publishing Standard Glyph for the word exists. If you enable this policy setting, Non-Publishing Standard Glyph is not included in the candidate list when Publishing Standard Glyph for the word exists. @@ -119,12 +128,7 @@ This policy setting applies to Japanese Microsoft IME only. > Changes to this setting will not take effect until the user logs off. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -143,28 +147,33 @@ ADMX Info: - - + + + - + + - + + - - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross mark
      NoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -181,7 +190,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to restrict character code range of conversion by setting character filter. +This policy setting allows you to restrict character code range of conversion by setting character filter. If you enable this policy setting, then only the character code ranges specified by this policy setting are used for conversion of IME. You can specify multiple ranges by setting a value combined with a bitwise OR of following values: @@ -205,12 +214,7 @@ This policy setting applies to Japanese Microsoft IME only. > Changes to this setting will not take effect until the user logs off. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -229,28 +233,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -267,7 +277,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off the ability to use a custom dictionary. +This policy setting allows you to turn off the ability to use a custom dictionary. If you enable this policy setting, you cannot add, edit, and delete words in the custom dictionary either with GUI tools or APIs. A word registered in the custom dictionary before enabling this policy setting can continue to be used for conversion. @@ -281,12 +291,7 @@ This policy setting is applied to Japanese Microsoft IME. > Changes to this setting will not take effect until the user logs off. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -305,28 +310,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -343,7 +354,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off history-based predictive input. +This policy setting allows you to turn off history-based predictive input. If you enable this policy setting, history-based predictive input is turned off. @@ -355,12 +366,6 @@ This policy setting applies to Japanese Microsoft IME only. > Changes to this setting will not take effect until the user logs off. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -379,28 +384,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -417,7 +428,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off Internet search integration. +This policy setting allows you to turn off Internet search integration. Search integration includes both using Search Provider (Japanese Microsoft IME) and performing Bing search from predictive input for Japanese Microsoft IME. @@ -431,12 +442,7 @@ This policy setting applies to Japanese Microsoft IME. > Changes to this setting will not take effect until the user logs off. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -455,28 +461,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -493,7 +505,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off Open Extended Dictionary. +This policy setting allows you to turn off Open Extended Dictionary. If you enable this policy setting, Open Extended Dictionary is turned off. You cannot add a new Open Extended Dictionary. @@ -504,12 +516,7 @@ If you disable or do not configure this policy setting, Open Extended Dictionary This policy setting is applied to Japanese Microsoft IME. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -528,28 +535,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -566,7 +579,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off saving the auto-tuning result to file. +This policy setting allows you to turn off saving the auto-tuning result to file. If you enable this policy setting, the auto-tuning data is not saved to file. @@ -575,12 +588,7 @@ If you disable or do not configure this policy setting, auto-tuning data is save This policy setting applies to Japanese Microsoft IME only. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -599,28 +607,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -637,7 +651,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the cloud candidates feature, which uses an online service to provide input suggestions that don't exist in a PC's local dictionary. +This policy setting controls the cloud candidates feature, which uses an online service to provide input suggestions that don't exist in a PC's local dictionary. If you enable this policy setting, the functionality associated with this feature is turned on, the user's keyboard input is sent to Microsoft to generate the suggestions, and the user won't be able to turn it off. @@ -648,12 +662,7 @@ If you don't configure this policy setting, it will be turned off by default, an This Policy setting applies to Microsoft CHS Pinyin IME and JPN IME. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -672,28 +681,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -710,7 +725,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the cloud candidates feature, which uses an online service to provide input suggestions that don't exist in a PC's local dictionary. +This policy setting controls the cloud candidates feature, which uses an online service to provide input suggestions that don't exist in a PC's local dictionary. If you enable this policy setting, the functionality associated with this feature is turned on, the user's keyboard input is sent to Microsoft to generate the suggestions, and the user won't be able to turn it off. @@ -721,12 +736,7 @@ If you don't configure this policy setting, it will be turned off by default, an This Policy setting applies only to Microsoft CHS Pinyin IME. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -745,28 +755,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -783,7 +799,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the lexicon update feature, which downloads hot and popular words lexicon to local PC. +This policy setting controls the lexicon update feature, which downloads hot and popular words lexicon to local PC. If you enable this policy setting, the functionality associated with this feature is turned on, hot and popular words lexicon can be downloaded to local PC, the user is able to turn it on or off in settings. @@ -794,12 +810,7 @@ If you don't configure this policy setting, it will be turned on by default, and This Policy setting applies only to Microsoft CHS Pinyin IME. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -818,28 +829,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -856,7 +873,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the live sticker feature, which uses an online service to provide stickers online. +This policy setting controls the live sticker feature, which uses an online service to provide stickers online. If you enable this policy setting, the functionality associated with this feature is turned on, the user's keyboard input is sent to Microsoft to generate the live stickers, and the user won't be able to turn it off. @@ -867,12 +884,7 @@ If you don't configure this policy setting, it will be turned off by default, an This Policy setting applies only to Microsoft CHS Pinyin IME. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -891,28 +903,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -929,7 +947,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn on logging of misconversion for the misconversion report. +This policy setting allows you to turn on logging of misconversion for the misconversion report. If you enable this policy setting, misconversion logging is turned on. @@ -938,12 +956,7 @@ If you disable or do not configure this policy setting, misconversion logging is This policy setting applies to Japanese Microsoft IME and Traditional Chinese IME. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -956,7 +969,5 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-encryptfilesonmove.md b/windows/client-management/mdm/policy-csp-admx-encryptfilesonmove.md index d5cdf442da..c302a45683 100644 --- a/windows/client-management/mdm/policy-csp-admx-encryptfilesonmove.md +++ b/windows/client-management/mdm/policy-csp-admx-encryptfilesonmove.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_EncryptFilesonMove -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -36,28 +41,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -74,7 +85,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents File Explorer from encrypting files that are moved to an encrypted folder. +This policy setting prevents File Explorer from encrypting files that are moved to an encrypted folder. If you enable this policy setting, File Explorer will not automatically encrypt files that are moved to an encrypted folder. @@ -83,12 +94,7 @@ If you disable or do not configure this policy setting, File Explorer automatica This setting applies only to files moved within a volume. When files are moved to other volumes, or if you create a new file in an encrypted folder, File Explorer encrypts those files automatically. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -101,8 +107,6 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-enhancedstorage.md b/windows/client-management/mdm/policy-csp-admx-enhancedstorage.md index a77d1438d2..2d325be21b 100644 --- a/windows/client-management/mdm/policy-csp-admx-enhancedstorage.md +++ b/windows/client-management/mdm/policy-csp-admx-enhancedstorage.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_EnhancedStorage -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -51,28 +56,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -89,19 +100,13 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure a list of Enhanced Storage devices by manufacturer and product ID that are usable on your computer. +This policy setting allows you to configure a list of Enhanced Storage devices by manufacturer and product ID that are usable on your computer. If you enable this policy setting, only Enhanced Storage devices that contain a manufacturer and product ID specified in this policy are usable on your computer. If you disable or do not configure this policy setting, all Enhanced Storage devices are usable on your computer. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -120,28 +125,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -158,19 +169,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to create a list of IEEE 1667 silos, compliant with the Institute of Electrical and Electronics Engineers, Inc. (IEEE) 1667 specification, that are usable on your computer. +This policy setting allows you to create a list of IEEE 1667 silos, compliant with the Institute of Electrical and Electronics Engineers, Inc. (IEEE) 1667 specification, that are usable on your computer. If you enable this policy setting, only IEEE 1667 silos that match a silo type identifier specified in this policy are usable on your computer. If you disable or do not configure this policy setting, all IEEE 1667 silos on Enhanced Storage devices are usable on your computer. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -189,28 +194,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -227,19 +238,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures whether or not a password can be used to unlock an Enhanced Storage device. +This policy setting configures whether or not a password can be used to unlock an Enhanced Storage device. If you enable this policy setting, a password cannot be used to unlock an Enhanced Storage device. If you disable or do not configure this policy setting, a password can be used to unlock an Enhanced Storage device. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -258,28 +263,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -296,19 +307,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures whether or not non-Enhanced Storage removable devices are allowed on your computer. +This policy setting configures whether or not non-Enhanced Storage removable devices are allowed on your computer. If you enable this policy setting, non-Enhanced Storage removable devices are not allowed on your computer. If you disable or do not configure this policy setting, non-Enhanced Storage removable devices are allowed on your computer. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -327,28 +332,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -365,7 +376,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting locks Enhanced Storage devices when the computer is locked. +This policy setting locks Enhanced Storage devices when the computer is locked. This policy setting is supported in Windows Server SKUs only. @@ -374,12 +385,6 @@ If you enable this policy setting, the Enhanced Storage device remains locked wh If you disable or do not configure this policy setting, the Enhanced Storage device state is not changed when the computer is locked. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -398,28 +403,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -436,19 +447,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures whether or not only USB root hub connected Enhanced Storage devices are allowed. Allowing only root hub connected Enhanced Storage devices minimizes the risk of an unauthorized USB device reading data on an Enhanced Storage device. +This policy setting configures whether or not only USB root hub connected Enhanced Storage devices are allowed. Allowing only root hub connected Enhanced Storage devices minimizes the risk of an unauthorized USB device reading data on an Enhanced Storage device. If you enable this policy setting, only USB root hub connected Enhanced Storage devices are allowed. If you disable or do not configure this policy setting, USB Enhanced Storage devices connected to both USB root hubs and non-root hubs will be allowed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -461,8 +466,5 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. - diff --git a/windows/client-management/mdm/policy-csp-admx-errorreporting.md b/windows/client-management/mdm/policy-csp-admx-errorreporting.md index f54ecfc994..ddb1aea9f8 100644 --- a/windows/client-management/mdm/policy-csp-admx-errorreporting.md +++ b/windows/client-management/mdm/policy-csp-admx-errorreporting.md @@ -13,14 +13,19 @@ manager: dansimp --- # Policy CSP - ADMX_ErrorReporting -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
      ## ADMX_ErrorReporting policies +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +
      ADMX_ErrorReporting/PCH_AllOrNoneDef @@ -120,28 +125,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -158,7 +169,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether errors in general applications are included in reports when Windows Error Reporting is enabled. +This policy setting controls whether errors in general applications are included in reports when Windows Error Reporting is enabled. If you enable this policy setting, you can instruct Windows Error Reporting in the Default pull-down menu to report either all application errors (the default setting), or no application errors. @@ -171,12 +182,6 @@ This policy setting is ignored if the Configure Error Reporting policy setting i For related information, see the Configure Error Reporting and Report Operating System Errors policy settings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -195,28 +200,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -233,7 +244,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls Windows Error Reporting behavior for errors in general applications when Windows Error Reporting is turned on. +This policy setting controls Windows Error Reporting behavior for errors in general applications when Windows Error Reporting is turned on. If you enable this policy setting, you can create a list of applications that are never included in error reports. To create a list of applications for which Windows Error Reporting never reports errors, click Show under the Exclude errors for applications on this list setting, and then add or remove applications from the list of application file names in the Show Contents dialog box (example: notepad.exe). File names must always include the .exe file name extension. Errors that are generated by applications in this list are not reported, even if the Default Application Reporting Settings policy setting is configured to report all application errors. @@ -242,12 +253,6 @@ If this policy setting is enabled, the Exclude errors for applications on this l If you disable or do not configure this policy setting, the Default application reporting settings policy setting takes precedence. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -266,28 +271,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -304,7 +315,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies applications for which Windows Error Reporting should always report errors. +This policy setting specifies applications for which Windows Error Reporting should always report errors. To create a list of applications for which Windows Error Reporting never reports errors, click Show under the Exclude errors for applications on this list setting, and then add or remove applications from the list of application file names in the Show Contents dialog box (example: notepad.exe). Errors that are generated by applications in this list are not reported, even if the Default Application Reporting Settings policy setting is configured to report all application errors. @@ -319,12 +330,7 @@ Also see the "Default Application Reporting" and "Application Exclusion List" po This setting will be ignored if the 'Configure Error Reporting' setting is disabled or not configured. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -343,28 +349,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -381,7 +393,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures how errors are reported to Microsoft, and what information is sent when Windows Error Reporting is enabled. +This policy setting configures how errors are reported to Microsoft, and what information is sent when Windows Error Reporting is enabled. This policy setting does not enable or disable Windows Error Reporting. To turn Windows Error Reporting on or off, see the Turn off Windows Error Reporting policy setting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings. @@ -409,12 +421,6 @@ If you disable this policy setting, configuration settings in the policy setting See related policy settings Display Error Notification (same folder as this policy setting), and Turn off Windows Error Reporting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -433,28 +439,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -471,7 +483,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether errors in the operating system are included Windows Error Reporting is enabled. +This policy setting controls whether errors in the operating system are included Windows Error Reporting is enabled. If you enable this policy setting, Windows Error Reporting includes operating system errors. @@ -482,12 +494,6 @@ If you do not configure this policy setting, users can change this setting in Co See also the Configure Error Reporting policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -506,28 +512,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -544,19 +556,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the behavior of the Windows Error Reporting archive. +This policy setting controls the behavior of the Windows Error Reporting archive. If you enable this policy setting, you can configure Windows Error Reporting archiving behavior. If Archive behavior is set to Store all, all data collected for each error report is stored in the appropriate location. If Archive behavior is set to Store parameters only, only the minimum information required to check for an existing solution is stored. The Maximum number of reports to store setting determines how many reports are stored before older reports are automatically deleted. If you disable or do not configure this policy setting, no Windows Error Reporting information is stored. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -575,28 +581,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markNoNo
      @@ -613,19 +625,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the behavior of the Windows Error Reporting archive. +This policy setting controls the behavior of the Windows Error Reporting archive. If you enable this policy setting, you can configure Windows Error Reporting archiving behavior. If Archive behavior is set to Store all, all data collected for each error report is stored in the appropriate location. If Archive behavior is set to Store parameters only, only the minimum information required to check for an existing solution is stored. The Maximum number of reports to store setting determines how many reports are stored before older reports are automatically deleted. If you disable or do not configure this policy setting, no Windows Error Reporting information is stored. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -644,28 +650,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -682,19 +694,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether memory dumps in support of OS-generated error reports can be sent to Microsoft automatically. This policy does not apply to error reports generated by 3rd-party products, or additional data other than memory dumps. +This policy setting controls whether memory dumps in support of OS-generated error reports can be sent to Microsoft automatically. This policy does not apply to error reports generated by 3rd-party products, or additional data other than memory dumps. If you enable or do not configure this policy setting, any memory dumps generated for error reports by Microsoft Windows are automatically uploaded, without notification to the user. If you disable this policy setting, then all memory dumps are uploaded according to the default consent and notification settings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -713,28 +719,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markNoNo
      @@ -751,20 +763,12 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether memory dumps in support of OS-generated error reports can be sent to Microsoft automatically. This policy does not apply to error reports generated by 3rd-party products, or additional data other than memory dumps. +This policy setting controls whether memory dumps in support of OS-generated error reports can be sent to Microsoft automatically. This policy does not apply to error reports generated by 3rd-party products, or additional data other than memory dumps. If you enable or do not configure this policy setting, any memory dumps generated for error reports by Microsoft Windows are automatically uploaded, without notification to the user. If you disable this policy setting, then all memory dumps are uploaded according to the default consent and notification settings. - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - ADMX Info: - GP Friendly name: *Automatically send memory dumps for OS-generated error reports* @@ -782,28 +786,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -820,19 +830,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether Windows Error Reporting (WER) sends additional, second-level report data even if a CAB file containing data about the same event types has already been uploaded to the server. +This policy setting determines whether Windows Error Reporting (WER) sends additional, second-level report data even if a CAB file containing data about the same event types has already been uploaded to the server. If you enable this policy setting, WER does not throttle data; that is, WER uploads additional CAB files that can contain data about the same event types as an earlier uploaded report. If you disable or do not configure this policy setting, WER throttles data by default; that is, WER does not upload more than one CAB file for a report that contains data about the same event types. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -851,28 +855,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -889,19 +899,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether Windows Error Reporting (WER) sends additional, second-level report data even if a CAB file containing data about the same event types has already been uploaded to the server. +This policy setting determines whether Windows Error Reporting (WER) sends additional, second-level report data even if a CAB file containing data about the same event types has already been uploaded to the server. If you enable this policy setting, WER does not throttle data; that is, WER uploads additional CAB files that can contain data about the same event types as an earlier uploaded report. If you disable or do not configure this policy setting, WER throttles data by default; that is, WER does not upload more than one CAB file for a report that contains data about the same event types. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -920,28 +924,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -958,19 +968,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether Windows Error Reporting (WER) checks for a network cost policy that restricts the amount of data that is sent over the network. +This policy setting determines whether Windows Error Reporting (WER) checks for a network cost policy that restricts the amount of data that is sent over the network. If you enable this policy setting, WER does not check for network cost policy restrictions, and transmits data even if network cost is restricted. If you disable or do not configure this policy setting, WER does not send data, but will check the network cost policy again if the network profile is changed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -989,28 +993,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1027,19 +1037,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether Windows Error Reporting (WER) checks for a network cost policy that restricts the amount of data that is sent over the network. +This policy setting determines whether Windows Error Reporting (WER) checks for a network cost policy that restricts the amount of data that is sent over the network. If you enable this policy setting, WER does not check for network cost policy restrictions, and transmits data even if network cost is restricted. If you disable or do not configure this policy setting, WER does not send data, but will check the network cost policy again if the network profile is changed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1058,28 +1062,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1096,19 +1106,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether Windows Error Reporting (WER) checks if the computer is running on battery power. By default, when a computer is running on battery power, WER only checks for solutions, but does not upload additional report data until the computer is connected to a more permanent power source. +This policy setting determines whether Windows Error Reporting (WER) checks if the computer is running on battery power. By default, when a computer is running on battery power, WER only checks for solutions, but does not upload additional report data until the computer is connected to a more permanent power source. If you enable this policy setting, WER does not determine whether the computer is running on battery power, but checks for solutions and uploads report data normally. If you disable or do not configure this policy setting, WER checks for solutions while a computer is running on battery power, but does not upload report data until the computer is connected to a more permanent power source. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1127,28 +1131,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1165,19 +1175,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether Windows Error Reporting (WER) checks if the computer is running on battery power. By default, when a computer is running on battery power, WER only checks for solutions, but does not upload additional report data until the computer is connected to a more permanent power source. +This policy setting determines whether Windows Error Reporting (WER) checks if the computer is running on battery power. By default, when a computer is running on battery power, WER only checks for solutions, but does not upload additional report data until the computer is connected to a more permanent power source. If you enable this policy setting, WER does not determine whether the computer is running on battery power, but checks for solutions and uploads report data normally. If you disable or do not configure this policy setting, WER checks for solutions while a computer is running on battery power, but does not upload report data until the computer is connected to a more permanent power source. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1196,28 +1200,34 @@ ADMX Info: - - + + + - +` - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1234,19 +1244,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies a corporate server to which Windows Error Reporting sends reports (if you do not want to send error reports to Microsoft). +This policy setting specifies a corporate server to which Windows Error Reporting sends reports (if you do not want to send error reports to Microsoft). If you enable this policy setting, you can specify the name or IP address of an error report destination server on your organization’s network. You can also select Connect using SSL to transmit error reports over a Secure Sockets Layer (SSL) connection, and specify a port number on the destination server for transmission. If you disable or do not configure this policy setting, Windows Error Reporting sends error reports to Microsoft. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1265,28 +1269,33 @@ ADMX Info: - - + + + - + + - + + - + + - - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck mark
      YesYes
      Educationcross markYesYes
      @@ -1303,7 +1312,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines the consent behavior of Windows Error Reporting for specific event types. +This policy setting determines the consent behavior of Windows Error Reporting for specific event types. If you enable this policy setting, you can add specific event types to a list by clicking Show, and typing event types in the Value Name column of the Show Contents dialog box. Event types are those for generic, non-fatal errors: crash, no response, and kernel fault errors. For each specified event type, you can set a consent level of 0, 1, 2, 3, or 4. @@ -1320,12 +1329,6 @@ If you enable this policy setting, you can add specific event types to a list by If you disable or do not configure this policy setting, then the default consent settings that are applied are those specified by the user in Control Panel, or in the Configure Default Consent policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1344,28 +1347,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markNoNo
      Educationcross markYesYes
      @@ -1382,19 +1391,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines the behavior of the Configure Default Consent setting in relation to custom consent settings. +This policy setting determines the behavior of the Configure Default Consent setting in relation to custom consent settings. If you enable this policy setting, the default consent levels of Windows Error Reporting always override any other consent policy setting. If you disable or do not configure this policy setting, custom consent policy settings for error reporting determine the consent level for specified event types, and the default consent setting determines only the consent level of any other error reports. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1413,28 +1416,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1451,19 +1460,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines the behavior of the Configure Default Consent setting in relation to custom consent settings. +This policy setting determines the behavior of the Configure Default Consent setting in relation to custom consent settings. If you enable this policy setting, the default consent levels of Windows Error Reporting always override any other consent policy setting. If you disable or do not configure this policy setting, custom consent policy settings for error reporting determine the consent level for specified event types, and the default consent setting determines only the consent level of any other error reports. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1482,28 +1485,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1520,7 +1529,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines the default consent behavior of Windows Error Reporting. +This policy setting determines the default consent behavior of Windows Error Reporting. If you enable this policy setting, you can set the default consent handling for error reports. The following list describes the Consent level settings that are available in the pull-down menu in this policy setting: @@ -1535,12 +1544,6 @@ If you enable this policy setting, you can set the default consent handling for If this policy setting is disabled or not configured, then the consent level defaults to the highest-privacy setting: Always ask before sending data. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1559,28 +1562,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1597,7 +1606,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines the default consent behavior of Windows Error Reporting. +This policy setting determines the default consent behavior of Windows Error Reporting. If you enable this policy setting, you can set the default consent handling for error reports. The following list describes the Consent level settings that are available in the pull-down menu in this policy setting: @@ -1612,12 +1621,6 @@ If you enable this policy setting, you can set the default consent handling for If this policy setting is disabled or not configured, then the consent level defaults to the highest-privacy setting: Always ask before sending data. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1636,28 +1639,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1674,19 +1683,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting turns off Windows Error Reporting, so that reports are not collected or sent to either Microsoft or internal servers within your organization when software unexpectedly stops working or fails. +This policy setting turns off Windows Error Reporting, so that reports are not collected or sent to either Microsoft or internal servers within your organization when software unexpectedly stops working or fails. If you enable this policy setting, Windows Error Reporting does not send any problem information to Microsoft. Additionally, solution information is not available in Security and Maintenance in Control Panel. If you disable or do not configure this policy setting, the Turn off Windows Error Reporting policy setting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings takes precedence. If Turn off Windows Error Reporting is also either disabled or not configured, user settings in Control Panel for Windows Error Reporting are applied. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1705,28 +1708,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1743,7 +1752,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting limits Windows Error Reporting behavior for errors in general applications when Windows Error Reporting is turned on. +This policy setting limits Windows Error Reporting behavior for errors in general applications when Windows Error Reporting is turned on. If you enable this policy setting, you can create a list of applications that are never included in error reports. To create a list of applications for which Windows Error Reporting never reports errors, click Show, and then add or remove applications from the list of application file names in the Show Contents dialog box (example: notepad.exe). File names must always include the .exe file name extension. To remove an application from the list, click the name, and then press DELETE. If this policy setting is enabled, the Exclude errors for applications on this list setting takes precedence. @@ -1751,12 +1760,6 @@ If you disable or do not configure this policy setting, errors are reported on a -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1775,28 +1778,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1813,19 +1822,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting limits Windows Error Reporting behavior for errors in general applications when Windows Error Reporting is turned on. +This policy setting limits Windows Error Reporting behavior for errors in general applications when Windows Error Reporting is turned on. If you enable this policy setting, you can create a list of applications that are never included in error reports. To create a list of applications for which Windows Error Reporting never reports errors, click Show, and then add or remove applications from the list of application file names in the Show Contents dialog box (example: notepad.exe). File names must always include the .exe file name extension. To remove an application from the list, click the name, and then press DELETE. If this policy setting is enabled, the Exclude errors for applications on this list setting takes precedence. If you disable or do not configure this policy setting, errors are reported on all Microsoft and Windows applications by default. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1844,28 +1847,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1882,19 +1891,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether Windows Error Reporting saves its own events and error messages to the system event log. +This policy setting controls whether Windows Error Reporting saves its own events and error messages to the system event log. If you enable this policy setting, Windows Error Reporting events are not recorded in the system event log. If you disable or do not configure this policy setting, Windows Error Reporting events and errors are logged to the system event log, as with other Windows-based programs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1913,28 +1916,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1951,19 +1960,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether Windows Error Reporting saves its own events and error messages to the system event log. +This policy setting controls whether Windows Error Reporting saves its own events and error messages to the system event log. If you enable this policy setting, Windows Error Reporting events are not recorded in the system event log. If you disable or do not configure this policy setting, Windows Error Reporting events and errors are logged to the system event log, as with other Windows-based programs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1982,28 +1985,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2020,19 +2029,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether additional data in support of error reports can be sent to Microsoft automatically. +This policy setting controls whether additional data in support of error reports can be sent to Microsoft automatically. If you enable this policy setting, any additional data requests from Microsoft in response to a Windows Error Reporting report are automatically declined, without notification to the user. If you disable or do not configure this policy setting, then consent policy settings in Computer Configuration/Administrative Templates/Windows Components/Windows Error Reporting/Consent take precedence. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -2051,28 +2054,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2089,7 +2098,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines the behavior of the Windows Error Reporting report queue. +This policy setting determines the behavior of the Windows Error Reporting report queue. If you enable this policy setting, you can configure report queue behavior by using the controls in the policy setting. When the Queuing behavior pull-down list is set to Default, Windows determines, when a problem occurs, whether the report should be placed in the reporting queue, or the user should be prompted to send it immediately. When Queuing behavior is set to Always queue, all reports are added to the queue until the user is prompted to send the reports, or until the user sends problem reports by using the Solutions to Problems page in Control Panel. @@ -2098,12 +2107,6 @@ The Maximum number of reports to queue setting determines how many reports can b If you disable or do not configure this policy setting, Windows Error Reporting reports are not queued, and users can only send reports at the time that a problem occurs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -2122,28 +2125,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2160,7 +2169,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines the behavior of the Windows Error Reporting report queue. +This policy setting determines the behavior of the Windows Error Reporting report queue. If you enable this policy setting, you can configure report queue behavior by using the controls in the policy setting. When the Queuing behavior pull-down list is set to Default, Windows determines, when a problem occurs, whether the report should be placed in the reporting queue, or the user should be prompted to send it immediately. When Queuing behavior is set to Always queue, all reports are added to the queue until the user is prompted to send the reports, or until the user sends problem reports by using the Solutions to Problems page in Control Panel. If Queuing behavior is set to Always queue for administrator, reports are queued until an administrator is prompted to send them, or until the administrator sends them by using the Solutions to Problems page in Control Panel. @@ -2169,12 +2178,6 @@ The Maximum number of reports to queue setting determines how many reports can b If you disable or do not configure this policy setting, Windows Error Reporting reports are not queued, and users can only send reports at the time that a problem occurs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -2187,7 +2190,5 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-eventforwarding.md b/windows/client-management/mdm/policy-csp-admx-eventforwarding.md index bd419345c7..6c88919cf8 100644 --- a/windows/client-management/mdm/policy-csp-admx-eventforwarding.md +++ b/windows/client-management/mdm/policy-csp-admx-eventforwarding.md @@ -14,14 +14,19 @@ manager: dansimp # Policy CSP - ADMX_EventForwarding -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
      ## ADMX_EventForwarding policies +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +
      ADMX_EventForwarding/ForwarderResourceUsage @@ -40,28 +45,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -78,7 +89,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting controls resource usage for the forwarder (source computer) by controlling the events/per second sent to the Event Collector. +This policy setting controls resource usage for the forwarder (source computer) by controlling the events/per second sent to the Event Collector. If you enable this policy setting, you can control the volume of events sent to the Event Collector by the source computer. This may be required in high volume environments. @@ -87,12 +98,7 @@ If you disable or do not configure this policy setting, forwarder resource usage This setting applies across all subscriptions for the forwarder (source computer). -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -113,29 +119,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross mark
      YesYes
      @@ -151,7 +162,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the server address, refresh interval, and issuer certificate authority (CA) of a target Subscription Manager. +This policy setting allows you to configure the server address, refresh interval, and issuer certificate authority (CA) of a target Subscription Manager. If you enable this policy setting, you can configure the Source Computer to contact a specific FQDN (Fully Qualified Domain Name) or IP Address and request subscription specifics. @@ -167,12 +178,6 @@ When using the HTTP protocol, use port 5985. If you disable or do not configure this policy setting, the Event Collector computer will not be specified. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -185,8 +190,6 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-eventlog.md b/windows/client-management/mdm/policy-csp-admx-eventlog.md index 7c171edf2e..acc2191553 100644 --- a/windows/client-management/mdm/policy-csp-admx-eventlog.md +++ b/windows/client-management/mdm/policy-csp-admx-eventlog.md @@ -13,14 +13,19 @@ manager: dansimp --- # Policy CSP - ADMX_EventLog -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
      ## ADMX_EventLog policies +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +
      ADMX_EventLog/Channel_LogEnabled @@ -96,28 +101,33 @@ manager: dansimp - - + + + - - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross mark
      NoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -134,19 +144,13 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting turns on logging. +This policy setting turns on logging. If you enable or do not configure this policy setting, then events can be written to this log. If the policy setting is disabled, then no new events can be logged. Events can always be read from the log, regardless of this policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -165,28 +169,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -203,19 +213,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the location of the log file. The location of the file must be writable by the Event Log service and should only be accessible to administrators. +This policy setting controls the location of the log file. The location of the file must be writable by the Event Log service and should only be accessible to administrators. If you enable this policy setting, the Event Log uses the path specified in this policy setting. If you disable or do not configure this policy setting, the Event Log uses the folder %SYSTEMROOT%\System32\winevt\Logs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -234,28 +238,33 @@ ADMX Info: - - + + + - + + - - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross mark
      NoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -272,19 +281,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the location of the log file. The location of the file must be writable by the Event Log service and should only be accessible to administrators. +This policy setting controls the location of the log file. The location of the file must be writable by the Event Log service and should only be accessible to administrators. If you enable this policy setting, the Event Log uses the path specified in this policy setting. If you disable or do not configure this policy setting, the Event Log uses the folder %SYSTEMROOT%\System32\winevt\Logs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -303,28 +306,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -341,19 +350,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the location of the log file. The location of the file must be writable by the Event Log service and should only be accessible to administrators. +This policy setting controls the location of the log file. The location of the file must be writable by the Event Log service and should only be accessible to administrators. If you enable this policy setting, the Event Log uses the path specified in this policy setting. If you disable or do not configure this policy setting, the Event Log uses the folder %SYSTEMROOT%\System32\winevt\Logs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -372,28 +375,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -410,19 +419,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the location of the log file. The location of the file must be writable by the Event Log service and should only be accessible to administrators. +This policy setting controls the location of the log file. The location of the file must be writable by the Event Log service and should only be accessible to administrators. If you enable this policy setting, the Event Log uses the path specified in this policy setting. If you disable or do not configure this policy setting, the Event Log uses the folder %SYSTEMROOT%\System32\winevt\Logs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -441,28 +444,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -479,19 +488,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the maximum size of the log file in kilobytes. +This policy setting specifies the maximum size of the log file in kilobytes. If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes), in kilobyte increments. If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog, and it defaults to 1 megabyte. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -510,28 +513,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -548,7 +557,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls Event Log behavior when the log file reaches its maximum size and takes effect only if the "Retain old events" policy setting is enabled. +This policy setting controls Event Log behavior when the log file reaches its maximum size and takes effect only if the "Retain old events" policy setting is enabled. If you enable this policy setting and the "Retain old events" policy setting is enabled, the Event Log file is automatically closed and renamed when it is full. A new file is then started. @@ -557,12 +566,6 @@ If you disable this policy setting and the "Retain old events" policy setting is If you do not configure this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and the old events are retained. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -581,28 +584,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -619,7 +628,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls Event Log behavior when the log file reaches its maximum size and takes effect only if the "Retain old events" policy setting is enabled. +This policy setting controls Event Log behavior when the log file reaches its maximum size and takes effect only if the "Retain old events" policy setting is enabled. If you enable this policy setting and the "Retain old events" policy setting is enabled, the Event Log file is automatically closed and renamed when it is full. A new file is then started. @@ -628,12 +637,6 @@ If you disable this policy setting and the "Retain old events" policy setting is If you do not configure this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and the old events are retained. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -652,28 +655,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -690,7 +699,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls Event Log behavior when the log file reaches its maximum size and takes effect only if the "Retain old events" policy setting is enabled. +This policy setting controls Event Log behavior when the log file reaches its maximum size and takes effect only if the "Retain old events" policy setting is enabled. If you enable this policy setting and the "Retain old events" policy setting is enabled, the Event Log file is automatically closed and renamed when it is full. A new file is then started. @@ -699,12 +708,6 @@ If you disable this policy setting and the "Retain old events" policy setting is If you do not configure this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and the old events are retained. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -723,28 +726,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -761,7 +770,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls Event Log behavior when the log file reaches its maximum size and takes effect only if the "Retain old events" policy setting is enabled. +This policy setting controls Event Log behavior when the log file reaches its maximum size and takes effect only if the "Retain old events" policy setting is enabled. If you enable this policy setting and the "Retain old events" policy setting is enabled, the Event Log file is automatically closed and renamed when it is full. A new file is then started. @@ -770,12 +779,6 @@ If you disable this policy setting and the "Retain old events" policy setting is If you do not configure this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and the old events are retained. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -794,28 +797,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -832,7 +841,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. +This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. If you enable this policy setting, only those users matching the security descriptor can access the log. @@ -842,12 +851,6 @@ If you disable or do not configure this policy setting, all authenticated users > If you enable this policy setting, some tools and APIs may ignore it. The same change should be made to the "Configure log access (legacy)" policy setting to enforce this change across all tools and APIs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -866,28 +869,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -904,7 +913,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You cannot configure write permissions for this log. You must set both "configure log access" policy settings for this log in order to affect the both modern and legacy tools. +This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You cannot configure write permissions for this log. You must set both "configure log access" policy settings for this log in order to affect the both modern and legacy tools. If you enable this policy setting, only those users whose security descriptor matches the configured specified value can access the log. @@ -914,12 +923,6 @@ If you disable or do not configure this policy setting, only system software and > If you enable this policy setting, some tools and APIs may ignore it. The same change should be made to the "Configure log access (legacy)" policy setting to enforce this change across all tools and APIs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -938,28 +941,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -976,7 +985,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. +This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. If you enable this policy setting, only those users matching the security descriptor can access the log. @@ -986,12 +995,6 @@ If you disable or do not configure this policy setting, all authenticated users > If you enable this policy setting, some tools and APIs may ignore it. The same change should be made to the "Configure log access (legacy)" policy setting to enforce this change across all tools and APIs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1010,28 +1013,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1048,7 +1057,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You must set both "configure log access" policy settings for this log in order to affect the both modern and legacy tools. +This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You must set both "configure log access" policy settings for this log in order to affect the both modern and legacy tools. If you enable this policy setting, only users whose security descriptor matches the configured value can access the log. @@ -1058,12 +1067,6 @@ If you disable or do not configure this policy setting, only system software and > If you enable this policy setting, some tools and APIs may ignore it. The same change should be made to the "Configure log access (legacy)" policy setting to enforce this change across all tools and APIs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1082,28 +1085,33 @@ ADMX Info: - - + + + - - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross mark
      NoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1120,7 +1128,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You must set both "configure log access" policy settings for this log in order to affect the both modern and legacy tools. +This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You must set both "configure log access" policy settings for this log in order to affect the both modern and legacy tools. If you enable this policy setting, only those users matching the security descriptor can access the log. @@ -1129,12 +1137,6 @@ If you disable this policy setting, all authenticated users and system services If you do not configure this policy setting, the previous policy setting configuration remains in effect. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1153,28 +1155,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1191,7 +1199,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You cannot configure write permissions for this log. +This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You cannot configure write permissions for this log. If you enable this policy setting, only those users whose security descriptor matches the configured specified value can access the log. @@ -1200,12 +1208,6 @@ If you disable this policy setting, only system software and administrators can If you do not configure this policy setting, the previous policy setting configuration remains in effect. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1224,28 +1226,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1262,7 +1270,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You must set both "configure log access" policy settings for this log in order to affect the both modern and legacy tools. +This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You must set both "configure log access" policy settings for this log in order to affect the both modern and legacy tools. If you enable this policy setting, only those users matching the security descriptor can access the log. @@ -1271,12 +1279,6 @@ If you disable this policy setting, all authenticated users and system services If you do not configure this policy setting, the previous policy setting configuration remains in effect. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1295,28 +1297,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1333,7 +1341,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. +This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. If you enable this policy setting, only users whose security descriptor matches the configured value can access the log. @@ -1342,12 +1350,6 @@ If you disable this policy setting, only system software and administrators can If you do not configure this policy setting, the previous policy setting configuration remains in effect. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1366,28 +1368,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markNoNo
      Educationcross markYesYes
      @@ -1404,7 +1412,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls Event Log behavior when the log file reaches its maximum size. +This policy setting controls Event Log behavior when the log file reaches its maximum size. If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost. @@ -1413,12 +1421,6 @@ If you disable or do not configure this policy setting and a log file reaches it Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1437,28 +1439,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1475,7 +1483,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls Event Log behavior when the log file reaches its maximum size. +This policy setting controls Event Log behavior when the log file reaches its maximum size. If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost. @@ -1484,12 +1492,6 @@ If you disable or do not configure this policy setting and a log file reaches it Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1503,33 +1505,40 @@ ADMX Info:
      -**ADMX_EventLog/Channel_Log_Retention_4** +**ADMX_EventLog/Channel_Log_Retention_4** + - - + + + - + + - + + - + + - + + > - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1546,7 +1555,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls Event Log behavior when the log file reaches its maximum size. +This policy setting controls Event Log behavior when the log file reaches its maximum size. If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost. @@ -1555,12 +1564,6 @@ If you disable or do not configure this policy setting and a log file reaches it Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1573,7 +1576,5 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-eventlogging.md b/windows/client-management/mdm/policy-csp-admx-eventlogging.md index f5b94b93f3..84d624e398 100644 --- a/windows/client-management/mdm/policy-csp-admx-eventlogging.md +++ b/windows/client-management/mdm/policy-csp-admx-eventlogging.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_EventLogging -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -89,12 +94,6 @@ You can use the Unprotect-CmsMessage PowerShell cmdlet to decrypt these encrypte - If you disable or do not configure this policy setting, components will not encrypt event log messages before writing them to the event log. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -107,8 +106,6 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-eventviewer.md b/windows/client-management/mdm/policy-csp-admx-eventviewer.md index d153f1ca58..24b04c49de 100644 --- a/windows/client-management/mdm/policy-csp-admx-eventviewer.md +++ b/windows/client-management/mdm/policy-csp-admx-eventviewer.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_EventViewer -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -89,13 +94,8 @@ manager: dansimp This is the program that will be invoked when the user clicks the `events.asp` link. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + + ADMX Info: - GP Friendly name: *Events.asp program* @@ -160,12 +160,6 @@ ADMX Info: This specifies the command line parameters that will be passed to the `events.asp` program. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -232,13 +226,7 @@ This is the URL that will be passed to the Description area in the Event Propert Change this value if you want to use a different Web server to handle event information requests. - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: diff --git a/windows/client-management/mdm/policy-csp-admx-explorer.md b/windows/client-management/mdm/policy-csp-admx-explorer.md index be619c2c3b..c7514101dd 100644 --- a/windows/client-management/mdm/policy-csp-admx-explorer.md +++ b/windows/client-management/mdm/policy-csp-admx-explorer.md @@ -13,14 +13,19 @@ manager: dansimp --- # Policy CSP - ADMX_Explorer -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
      ## ADMX_Explorer policies +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +
      ADMX_Explorer/AdminInfoUrl @@ -48,28 +53,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -86,15 +97,9 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. Sets the target of the More Information link that will be displayed when the user attempts to run a program that is blocked by policy. +Sets the target of the More Information link that will be displayed when the user attempts to run a program that is blocked by policy. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -113,28 +118,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -163,14 +174,6 @@ If you disable or do not configure this policy setting, the menu bar will not be > [!NOTE] > When the menu bar is not displayed, users can access the menu bar by pressing the 'ALT' key. - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - ADMX Info: - GP Friendly name: *Display the menu bar in File Explorer* @@ -188,28 +191,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -226,17 +235,11 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows administrators who have configured roaming profile in conjunction with Delete Cached Roaming Profile Group Policy setting to ensure that Explorer will not reinitialize default program associations and other settings to default values. +This policy setting allows administrators who have configured roaming profile in conjunction with Delete Cached Roaming Profile Group Policy setting to ensure that Explorer will not reinitialize default program associations and other settings to default values. If you enable this policy setting on a machine that does not contain all programs installed in the same manner as it was on the machine on which the user had last logged on, unexpected behavior could occur. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -255,28 +258,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -293,7 +302,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows administrators to prevent users from adding new items such as files or folders to the root of their Users Files folder in File Explorer. +This policy setting allows administrators to prevent users from adding new items such as files or folders to the root of their Users Files folder in File Explorer. If you enable this policy setting, users will no longer be able to add new items such as files or folders to the root of their Users Files folder in File Explorer. @@ -303,12 +312,6 @@ If you disable or do not configure this policy setting, users will be able to ad > Enabling this policy setting does not prevent the user from being able to add new items such as files and folders to their actual file system profile folder at %userprofile%. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -327,28 +330,33 @@ ADMX Info: - - + + + - + + - - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross mark
      NoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -365,15 +373,9 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy is similar to settings directly available to computer users. Disabling animations can improve usability for users with some visual disabilities as well as improving performance and battery life in some scenarios. +This policy is similar to settings directly available to computer users. Disabling animations can improve usability for users with some visual disabilities as well as improving performance and battery life in some scenarios. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -386,6 +388,4 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-externalboot.md b/windows/client-management/mdm/policy-csp-admx-externalboot.md index 24c4aeecbe..dba6105052 100644 --- a/windows/client-management/mdm/policy-csp-admx-externalboot.md +++ b/windows/client-management/mdm/policy-csp-admx-externalboot.md @@ -14,8 +14,12 @@ manager: dansimp # Policy CSP - ADMX_ExternalBoot -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -98,12 +102,6 @@ This policy specifies whether the PC can use the hibernation sleep state (S4) wh -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -174,13 +172,6 @@ If you disable or do not configure this setting, Windows, when started from a Wi -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - ADMX Info: - GP Friendly name: *Disallow standby sleep states (S1-S3) when starting from a Windows to Go workspace* @@ -253,13 +244,6 @@ If you do not configure this setting, users who are members of the Administrator -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - ADMX Info: - GP Friendly name: *Windows To Go Default Startup Options* diff --git a/windows/client-management/mdm/policy-csp-admx-filerecovery.md b/windows/client-management/mdm/policy-csp-admx-filerecovery.md index 7f2635d2ab..aeb520d2ea 100644 --- a/windows/client-management/mdm/policy-csp-admx-filerecovery.md +++ b/windows/client-management/mdm/policy-csp-admx-filerecovery.md @@ -13,9 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_FileRecovery -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -34,28 +38,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -75,12 +85,7 @@ manager: dansimp > This policy setting applies to all sites in Trusted zones. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -90,8 +95,6 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-filerevocation.md b/windows/client-management/mdm/policy-csp-admx-filerevocation.md index a36aca27de..3f574460e8 100644 --- a/windows/client-management/mdm/policy-csp-admx-filerevocation.md +++ b/windows/client-management/mdm/policy-csp-admx-filerevocation.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_FileRevocation -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -90,12 +95,6 @@ Any other Windows Runtime application will only be able to revoke access to cont > Information the user should notice even if skimmingFile revocation applies to all content protected under the same second level domain as the provided enterprise identifier. Therefore, revoking an enterprise ID of `mail.contoso.com` will revoke the user’s access to all content protected under the contoso.com hierarchy. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -108,8 +107,6 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-fileservervssprovider.md b/windows/client-management/mdm/policy-csp-admx-fileservervssprovider.md index 2896e4cc5a..416b833dea 100644 --- a/windows/client-management/mdm/policy-csp-admx-fileservervssprovider.md +++ b/windows/client-management/mdm/policy-csp-admx-fileservervssprovider.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_FileServerVSSProvider -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -36,28 +41,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -74,7 +85,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether the RPC protocol messages used by VSS for SMB2 File Shares feature is enabled. +This policy setting determines whether the RPC protocol messages used by VSS for SMB2 File Shares feature is enabled. VSS for SMB2 File Shares feature enables VSS aware backup applications to perform application consistent backup and restore of VSS aware applications storing data on SMB2 File Shares. @@ -84,12 +95,6 @@ By default, the RPC protocol message between File Server VSS provider and File S > To make changes to this setting effective, you must restart Volume Shadow Copy (VSS) Service. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -102,8 +107,6 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-filesys.md b/windows/client-management/mdm/policy-csp-admx-filesys.md index 079c55e92e..54c474440a 100644 --- a/windows/client-management/mdm/policy-csp-admx-filesys.md +++ b/windows/client-management/mdm/policy-csp-admx-filesys.md @@ -13,13 +13,18 @@ manager: dansimp --- # Policy CSP - ADMX_FileSys -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
      -## ADMX_FileSys policies +## ADMX_FileSys policies + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -55,28 +60,33 @@ manager: dansimp **ADMX_FileSys/DisableCompression** - - + + + - + + - + + - + + - - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck mark
      YesYes
      Educationcross markYesYes
      @@ -93,15 +103,10 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. Compression can add to the processing overhead of filesystem operations. Enabling this setting will prevent access to and creation of compressed files. +Compression can add to the processing overhead of filesystem operations. Enabling this setting will prevent access to and creation of compressed files. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -119,28 +124,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -157,19 +168,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Delete notification is a feature that notifies the underlying storage device of clusters that are freed due to a file delete operation. +Delete notification is a feature that notifies the underlying storage device of clusters that are freed due to a file delete operation. A value of 0, the default, will enable delete notifications for all volumes. A value of 1 will disable delete notifications for all volumes. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -186,28 +191,34 @@ ADMX Info: **ADMX_FileSys/DisableEncryption** - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -224,15 +235,8 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Encryption can add to the processing overhead of filesystem operations. Enabling this setting will prevent access to and creation of encrypted files. +Encryption can add to the processing overhead of filesystem operations. Enabling this setting will prevent access to and creation of encrypted files. - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -249,28 +253,34 @@ ADMX Info: **ADMX_FileSys/EnablePagefileEncryption** - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -287,15 +297,9 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Encrypting the page file prevents malicious users from reading data that has been paged to disk, but also adds processing overhead for filesystem operations. Enabling this setting will cause the page files to be encrypted. +Encrypting the page file prevents malicious users from reading data that has been paged to disk, but also adds processing overhead for filesystem operations. Enabling this setting will cause the page files to be encrypted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -312,28 +316,34 @@ ADMX Info: **ADMX_FileSys/LongPathsEnabled** - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -350,15 +360,9 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Enabling Win32 long paths will allow manifested win32 applications and Windows Store applications to access paths beyond the normal 260 character limit per node on file systems that support it. Enabling this setting will cause the long paths to be accessible within the process. +Enabling Win32 long paths will allow manifested win32 applications and Windows Store applications to access paths beyond the normal 260 character limit per node on file systems that support it. Enabling this setting will cause the long paths to be accessible within the process. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -375,28 +379,34 @@ ADMX Info: **ADMX_FileSys/ShortNameCreationSettings** - - + + + - + + - + + - + + - + + - +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYes + Yes
      @@ -413,17 +423,11 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting provides control over whether or not short names are generated during file creation. Some applications require short names for compatibility, but short names have a negative performance impact on the system. +This policy setting provides control over whether or not short names are generated during file creation. Some applications require short names for compatibility, but short names have a negative performance impact on the system. If you enable short names on all volumes then short names will always be generated. If you disable them on all volumes then they will never be generated. If you set short name creation to be configurable on a per volume basis then an on-disk flag will determine whether or not short names are created on a given volume. If you disable short name creation on all data volumes then short names will only be generated for files created on the system volume. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -441,28 +445,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -479,7 +489,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Symbolic links can introduce vulnerabilities in certain applications. To mitigate this issue, you can selectively enable or disable the evaluation of these types of symbolic links: +Symbolic links can introduce vulnerabilities in certain applications. To mitigate this issue, you can selectively enable or disable the evaluation of these types of symbolic links: - Local Link to a Local Target - Local Link to a Remote Target @@ -492,12 +502,6 @@ For more information, refer to the Windows Help section. > If this policy is disabled or not configured, local administrators may select the types of symbolic links to be evaluated. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -514,28 +518,34 @@ ADMX Info: **ADMX_FileSys/TxfDeprecatedFunctionality** - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -552,15 +562,10 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. TXF deprecated features included savepoints, secondary RM, miniversion and roll forward. Enable it if you want to use the APIs. +TXF deprecated features included savepoints, secondary RM, miniversion and roll forward. Enable it if you want to use the APIs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -573,8 +578,6 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-folderredirection.md b/windows/client-management/mdm/policy-csp-admx-folderredirection.md index ed28fb4638..9bdab22253 100644 --- a/windows/client-management/mdm/policy-csp-admx-folderredirection.md +++ b/windows/client-management/mdm/policy-csp-admx-folderredirection.md @@ -13,14 +13,19 @@ manager: dansimp --- # Policy CSP - ADMX_FolderRedirection -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
      ## ADMX_FolderRedirection policies +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +
      ADMX_FolderRedirection/DisableFRAdminPin @@ -53,28 +58,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -91,7 +102,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control whether all redirected shell folders, such as Contacts, Documents, Desktop, Favorites, Music, Pictures, Videos, Start Menu, and AppData\Roaming, are available offline by default. +This policy setting allows you to control whether all redirected shell folders, such as Contacts, Documents, Desktop, Favorites, Music, Pictures, Videos, Start Menu, and AppData\Roaming, are available offline by default. If you enable this policy setting, users must manually select the files they wish to make available offline. @@ -105,12 +116,6 @@ If you disable or do not configure this policy setting, redirected shell folders > If one or more valid folder GUIDs are specified in the policy setting "Do not automatically make specific redirected folders available offline", that setting will override the configured value of "Do not automatically make all redirected folders available offline". -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -128,28 +133,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -166,7 +177,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control whether individual redirected shell folders are available offline by default. +This policy setting allows you to control whether individual redirected shell folders are available offline by default. For the folders affected by this setting, users must manually select the files they wish to make available offline. @@ -178,12 +189,6 @@ If you disable or do not configure this policy setting, all redirected shell fol > The configuration of this policy for any folder will override the configured value of "Do not automatically make all redirected folders available offline". -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -202,28 +207,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -240,19 +251,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether the contents of redirected folders is copied from the old location to the new location or simply renamed in the Offline Files cache when a folder is redirected to a new location. +This policy setting controls whether the contents of redirected folders is copied from the old location to the new location or simply renamed in the Offline Files cache when a folder is redirected to a new location. If you enable this policy setting, when the path to a redirected folder is changed from one network location to another and Folder Redirection is configured to move the content to the new location, instead of copying the content to the new location, the cached content is renamed in the local cache and not copied to the new location. To use this policy setting, you must move or restore the server content to the new network location using a method that preserves the state of the files, including their timestamps, before updating the Folder Redirection location. If you disable or do not configure this policy setting, when the path to a redirected folder is changed and Folder Redirection is configured to move the content to the new location, Windows copies the contents of the local cache to the new network location, then deleted the content from the old network location. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -271,28 +276,33 @@ ADMX Info: - - + + + - + + - + + - + + - - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck mark
      YesYes
      Educationcross markYesYes
      @@ -309,7 +319,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows the administrator to define whether Folder Redirection should use localized names for the All Programs, Startup, My Music, My Pictures, and My Videos subfolders when redirecting the parent Start Menu and legacy My Documents folder respectively. +This policy setting allows the administrator to define whether Folder Redirection should use localized names for the All Programs, Startup, My Music, My Pictures, and My Videos subfolders when redirecting the parent Start Menu and legacy My Documents folder respectively. If you enable this policy setting, Windows Vista, Windows 7, Windows 8, and Windows Server 2012 will use localized folder names for these subfolders when redirecting the Start Menu or legacy My Documents folder. @@ -319,12 +329,6 @@ If you disable or not configure this policy setting, Windows Vista, Windows 7, W > This policy is valid only on Windows Vista, Windows 7, Windows 8, and Windows Server 2012 when it processes a legacy redirection policy already deployed for these folders in your existing localized environment. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -343,28 +347,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -381,7 +391,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows the administrator to define whether Folder Redirection should use localized names for the All Programs, Startup, My Music, My Pictures, and My Videos subfolders when redirecting the parent Start Menu and legacy My Documents folder respectively. +This policy setting allows the administrator to define whether Folder Redirection should use localized names for the All Programs, Startup, My Music, My Pictures, and My Videos subfolders when redirecting the parent Start Menu and legacy My Documents folder respectively. If you enable this policy setting, Windows Vista, Windows 7, Windows 8, and Windows Server 2012 will use localized folder names for these subfolders when redirecting the Start Menu or legacy My Documents folder. @@ -391,12 +401,6 @@ If you disable or not configure this policy setting, Windows Vista, Windows 7, W > This policy is valid only on Windows Vista, Windows 7, Windows 8, and Windows Server 2012 when it processes a legacy redirection policy already deployed for these folders in your existing localized environment. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -414,28 +418,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -452,7 +462,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether folders are redirected on a user's primary computers only. This policy setting is useful to improve logon performance and to increase security for user data on computers where the user might not want to download private data, such as on a meeting room computer or on a computer in a remote office. +This policy setting controls whether folders are redirected on a user's primary computers only. This policy setting is useful to improve logon performance and to increase security for user data on computers where the user might not want to download private data, such as on a meeting room computer or on a computer in a remote office. To designate a user's primary computers, an administrator must use management software or a script to add primary computer attributes to the user's account in Active Directory Domain Services (AD DS). This policy setting also requires the Windows Server 2012 version of the Active Directory schema to function. @@ -464,12 +474,6 @@ If you disable or do not configure this policy setting and the user has redirect > If you enable this policy setting in Computer Configuration and User Configuration, the Computer Configuration policy setting takes precedence. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -487,28 +491,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -525,7 +535,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether folders are redirected on a user's primary computers only. This policy setting is useful to improve logon performance and to increase security for user data on computers where the user might not want to download private data, such as on a meeting room computer or on a computer in a remote office. +This policy setting controls whether folders are redirected on a user's primary computers only. This policy setting is useful to improve logon performance and to increase security for user data on computers where the user might not want to download private data, such as on a meeting room computer or on a computer in a remote office. To designate a user's primary computers, an administrator must use management software or a script to add primary computer attributes to the user's account in Active Directory Domain Services (AD DS). This policy setting also requires the Windows Server 2012 version of the Active Directory schema to function. @@ -537,12 +547,7 @@ If you disable or do not configure this policy setting and the user has redirect > If you enable this policy setting in Computer Configuration and User Configuration, the Computer Configuration policy setting takes precedence. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -555,8 +560,5 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. - diff --git a/windows/client-management/mdm/policy-csp-admx-framepanes.md b/windows/client-management/mdm/policy-csp-admx-framepanes.md index b6c506ddd9..57354ebe62 100644 --- a/windows/client-management/mdm/policy-csp-admx-framepanes.md +++ b/windows/client-management/mdm/policy-csp-admx-framepanes.md @@ -13,9 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_FramePanes -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -94,13 +98,7 @@ This policy setting shows or hides the Details Pane in File Explorer. This is the default policy setting. - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -169,12 +167,6 @@ Hides the Preview Pane in File Explorer. - If you disable, or do not configure this setting, the Preview Pane is hidden by default and can be displayed by the user. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -186,8 +178,5 @@ ADMX Info: -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. - diff --git a/windows/client-management/mdm/policy-csp-admx-fthsvc.md b/windows/client-management/mdm/policy-csp-admx-fthsvc.md index 8790ac9ad7..7d8f37dd58 100644 --- a/windows/client-management/mdm/policy-csp-admx-fthsvc.md +++ b/windows/client-management/mdm/policy-csp-admx-fthsvc.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_FTHSVC -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -91,12 +96,6 @@ The DPS can be configured with the Services snap-in to the Microsoft Management No system restart or service restart is required for this policy setting to take effect: changes take effect immediately. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -110,7 +109,5 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-globalization.md b/windows/client-management/mdm/policy-csp-admx-globalization.md index 857ff5d89f..812087e3a5 100644 --- a/windows/client-management/mdm/policy-csp-admx-globalization.md +++ b/windows/client-management/mdm/policy-csp-admx-globalization.md @@ -13,14 +13,19 @@ manager: dansimp --- # Policy CSP - ADMX_Globalization -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
      ## ADMX_Globalization policies +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +
      ADMX_Globalization/BlockUserInputMethodsForSignIn @@ -105,28 +110,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -143,7 +154,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy prevents automatic copying of user input methods to the system account for use on the sign-in screen. The user is restricted to the set of input methods that are enabled in the system account. +This policy prevents automatic copying of user input methods to the system account for use on the sign-in screen. The user is restricted to the set of input methods that are enabled in the system account. Note this does not affect the availability of user input methods on the lock screen or with the UAC prompt. @@ -152,12 +163,7 @@ If the policy is Enabled, then the user will get input methods enabled for the s If the policy is Disabled or Not Configured, then the user will be able to use input methods enabled for their user account on the sign-in page. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -176,28 +182,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -214,7 +226,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents a user from selecting a supplemental custom locale as their user locale. The user is restricted to the set of locales that are installed with the operating system. +This policy setting prevents a user from selecting a supplemental custom locale as their user locale. The user is restricted to the set of locales that are installed with the operating system. This does not affect the selection of replacement locales. To prevent the selection of replacement locales, adjust the permissions of the %windir%\Globalization directory to prevent the installation of locales by unauthorized users. @@ -229,12 +241,6 @@ If this policy setting is enabled at the machine level, it cannot be disabled by To set this policy setting on a per-user basis, make sure that you do not configure the per-machine policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -253,28 +259,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -291,7 +303,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents a user from selecting a supplemental custom locale as their user locale. The user is restricted to the set of locales that are installed with the operating system. +This policy setting prevents a user from selecting a supplemental custom locale as their user locale. The user is restricted to the set of locales that are installed with the operating system. This does not affect the selection of replacement locales. To prevent the selection of replacement locales, adjust the permissions of the %windir%\Globalization directory to prevent the installation of locales by unauthorized users. @@ -306,12 +318,6 @@ If this policy setting is enabled at the machine level, it cannot be disabled by To set this policy setting on a per-user basis, make sure that you do not configure the per-machine policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -330,28 +336,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -368,7 +380,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting removes the Administrative options from the Region settings control panel. +This policy setting removes the Administrative options from the Region settings control panel. Administrative options include interfaces for setting system locale and copying settings to the default user. This policy setting does not, however, prevent an administrator or another application from changing these values programmatically. @@ -383,12 +395,6 @@ If you disable or do not configure this policy setting, the user can see the Adm -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -407,28 +413,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -445,7 +457,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting removes the option to change the user's geographical location (GeoID) from the Region settings control panel. +This policy setting removes the option to change the user's geographical location (GeoID) from the Region settings control panel. This policy setting is used only to simplify the Regional Options control panel. @@ -457,12 +469,6 @@ If you disable or do not configure this policy setting, the user sees the option > Even if a user can see the GeoID option, the "Disallow changing of geographical location" option can prevent them from actually changing their current geographical location. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -481,28 +487,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -519,7 +531,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting removes the option to change the user's menus and dialogs (UI) language from the Language and Regional Options control panel. +This policy setting removes the option to change the user's menus and dialogs (UI) language from the Language and Regional Options control panel. This policy setting is used only to simplify the Regional Options control panel. @@ -530,12 +542,6 @@ If you enable this policy setting, the user does not see the option for changing -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -554,28 +560,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -592,7 +604,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting removes the regional formats interface from the Region settings control panel. +This policy setting removes the regional formats interface from the Region settings control panel. This policy setting is used only to simplify the Regional and Language Options control panel. @@ -601,12 +613,6 @@ If you enable this policy setting, the user does not see the regional formats op If you disable or do not configure this policy setting, the user sees the regional formats options for changing and customizing the user locale. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -625,28 +631,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -663,7 +675,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting turns off the automatic learning component of handwriting recognition personalization. +This policy setting turns off the automatic learning component of handwriting recognition personalization. Automatic learning enables the collection and storage of text and ink written by the user in order to help adapt handwriting recognition to the vocabulary and handwriting style of the user. Text that is collected includes all outgoing messages in Windows Mail, and MAPI enabled email clients, as well as URLs from the Internet Explorer browser history. The information that is stored includes word frequency and new words not already known to the handwriting recognition engines (for example, proper names and acronyms). Deleting email content or the browser history does not delete the stored personalization data. Ink entered through Input Panel is collected and stored. @@ -684,12 +696,6 @@ This policy setting is related to the "Turn off handwriting personalization" pol > Handwriting personalization works only for Microsoft handwriting recognizers, and not with third-party recognizers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -708,28 +714,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -746,7 +758,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting turns off the automatic learning component of handwriting recognition personalization. +This policy setting turns off the automatic learning component of handwriting recognition personalization. Automatic learning enables the collection and storage of text and ink written by the user in order to help adapt handwriting recognition to the vocabulary and handwriting style of the user. Text that is collected includes all outgoing messages in Windows Mail, and MAPI enabled email clients, as well as URLs from the Internet Explorer browser history. The information that is stored includes word frequency and new words not already known to the handwriting recognition engines (for example, proper names and acronyms). Deleting email content or the browser history does not delete the stored personalization data. Ink entered through Input Panel is collected and stored. @@ -767,12 +779,6 @@ This policy setting is related to the "Turn off handwriting personalization" pol > Handwriting personalization works only for Microsoft handwriting recognizers, and not with third-party recognizers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -791,28 +797,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -829,7 +841,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting restricts the permitted system locales to the specified list. If the list is empty, it locks the system locale to its current value. This policy setting does not change the existing system locale; however, the next time that an administrator attempts to change the computer's system locale, they will be restricted to the specified list. +This policy setting restricts the permitted system locales to the specified list. If the list is empty, it locks the system locale to its current value. This policy setting does not change the existing system locale; however, the next time that an administrator attempts to change the computer's system locale, they will be restricted to the specified list. The locale list is specified using language names, separated by a semicolon (;). For example, en-US is English (United States). Specifying "en-US;en-CA" would restrict the system locale to English (United States) and English (Canada). @@ -838,12 +850,6 @@ If you enable this policy setting, administrators can select a system locale onl If you disable or do not configure this policy setting, administrators can select any system locale shipped with the operating system. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -862,28 +868,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -900,7 +912,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting restricts users on a computer to the specified list of user locales. If the list is empty, it locks all user locales to their current values. This policy setting does not change existing user locale settings; however, the next time a user attempts to change their user locale, their choices will be restricted to locales in this list. +This policy setting restricts users on a computer to the specified list of user locales. If the list is empty, it locks all user locales to their current values. This policy setting does not change existing user locale settings; however, the next time a user attempts to change their user locale, their choices will be restricted to locales in this list. To set this policy setting on a per-user basis, make sure that you do not configure the per-computer policy setting. @@ -911,12 +923,6 @@ If you enable this policy setting, only locales in the specified locale list can If you disable or do not configure this policy setting, users can select any locale installed on the computer, unless restricted by the "Disallow selection of Custom Locales" policy setting. If this policy setting is enabled at the computer level, it cannot be disabled by a per-user policy. If this policy setting is disabled at the computer level, the per-user policy is ignored. If this policy setting is not configured at the computer level, restrictions are based on per-user policies. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -935,28 +941,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -973,7 +985,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting restricts users on a computer to the specified list of user locales. If the list is empty, it locks all user locales to their current values. This policy setting does not change existing user locale settings; however, the next time a user attempts to change their user locale, their choices will be restricted to locales in this list. +This policy setting restricts users on a computer to the specified list of user locales. If the list is empty, it locks all user locales to their current values. This policy setting does not change existing user locale settings; however, the next time a user attempts to change their user locale, their choices will be restricted to locales in this list. To set this policy setting on a per-user basis, make sure that you do not configure the per-computer policy setting. @@ -986,12 +998,6 @@ If you disable or do not configure this policy setting, users can select any loc If this policy setting is enabled at the computer level, it cannot be disabled by a per-user policy. If this policy setting is disabled at the computer level, the per-user policy is ignored. If this policy setting is not configured at the computer level, restrictions are based on per-user policies. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1010,28 +1016,33 @@ ADMX Info: - - + + + - + + - + + - - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross mark
      NoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1048,7 +1059,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting restricts the Windows UI language for all users. +This policy setting restricts the Windows UI language for all users. This is a policy setting for computers with more than one UI language installed. @@ -1057,12 +1068,6 @@ If you enable this policy setting, the UI language of Windows menus and dialogs If you disable or do not configure this policy setting, the user can specify which UI language is used. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1081,28 +1086,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1119,7 +1130,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting restricts the Windows UI language for specific users. +This policy setting restricts the Windows UI language for specific users. This policy setting applies to computers with more than one UI language installed. @@ -1130,12 +1141,6 @@ If you disable or do not configure this policy setting, there is no restriction To enable this policy setting in Windows Server 2003, Windows XP, or Windows 2000, to use the "Restrict selection of Windows menus and dialogs language" policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1154,28 +1159,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1192,7 +1203,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from changing their user geographical location (GeoID). +This policy setting prevents users from changing their user geographical location (GeoID). If you enable this policy setting, users cannot change their GeoID. @@ -1203,12 +1214,6 @@ If you enable this policy setting at the computer level, it cannot be disabled b To set this policy setting on a per-user basis, make sure that the per-computer policy setting is not configured. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1227,28 +1232,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1265,7 +1276,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from changing their user geographical location (GeoID). +This policy setting prevents users from changing their user geographical location (GeoID). If you enable this policy setting, users cannot change their GeoID. @@ -1276,12 +1287,6 @@ If you enable this policy setting at the computer level, it cannot be disabled b To set this policy setting on a per-user basis, make sure that the per-computer policy setting is not configured. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1300,28 +1305,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + + >
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1338,7 +1349,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents the user from customizing their locale by changing their user overrides. +This policy setting prevents the user from customizing their locale by changing their user overrides. Any existing overrides in place when this policy is enabled will be frozen. To remove existing user overrides, first reset the user(s) values to the defaults and then apply this policy. @@ -1353,12 +1364,6 @@ If this policy is set to Enabled at the computer level, then it cannot be disabl To set this policy on a per-user basis, make sure that the per-computer policy is set to Not Configured. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1377,28 +1382,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1415,7 +1426,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents the user from customizing their locale by changing their user overrides. +This policy setting prevents the user from customizing their locale by changing their user overrides. Any existing overrides in place when this policy is enabled will be frozen. To remove existing user overrides, first reset the user(s) values to the defaults and then apply this policy. @@ -1430,12 +1441,6 @@ If this policy is set to Enabled at the computer level, then it cannot be disabl To set this policy on a per-user basis, make sure that the per-computer policy is set to Not Configured. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1454,28 +1459,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1492,7 +1503,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting restricts users to the specified language by disabling the menus and dialog box controls in the Region settings control panel. If the specified language is not installed on the target computer, the language selection defaults to English. +This policy setting restricts users to the specified language by disabling the menus and dialog box controls in the Region settings control panel. If the specified language is not installed on the target computer, the language selection defaults to English. If you enable this policy setting, the dialog box controls in the Regional and Language Options control panel are not accessible to the logged on user. This prevents users from specifying a language different than the one used. @@ -1501,12 +1512,6 @@ To enable this policy setting in Windows Vista, use the "Restricts the UI langua If you disable or do not configure this policy setting, the logged-on user can access the dialog box controls in the Regional and Language Options control panel to select any available UI language. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1525,28 +1530,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1563,7 +1574,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy turns off the autocorrect misspelled words option. This does not, however, prevent the user or an application from changing the setting programmatically. +This policy turns off the autocorrect misspelled words option. This does not, however, prevent the user or an application from changing the setting programmatically. The autocorrect misspelled words option controls whether or not errors in typed text will be automatically corrected. @@ -1573,12 +1584,6 @@ If the policy is Disabled or Not Configured, then the user will be free to chang Note that the availability and function of this setting is dependent on supported languages being enabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1597,28 +1602,34 @@ ADMX Info: - - + + + - + + - + + /td> - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1635,7 +1646,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy turns off the highlight misspelled words option. This does not, however, prevent the user or an application from changing the setting programmatically. +This policy turns off the highlight misspelled words option. This does not, however, prevent the user or an application from changing the setting programmatically. The highlight misspelled words option controls whether or next spelling errors in typed text will be highlighted. @@ -1646,12 +1657,6 @@ If the policy is Disabled or Not Configured, then the user will be free to chang Note that the availability and function of this setting is dependent on supported languages being enabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1670,28 +1675,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1708,7 +1719,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy turns off the insert a space after selecting a text prediction option. This does not, however, prevent the user or an application from changing the setting programmatically. +This policy turns off the insert a space after selecting a text prediction option. This does not, however, prevent the user or an application from changing the setting programmatically. The insert a space after selecting a text prediction option controls whether or not a space will be inserted after the user selects a text prediction candidate when using the on-screen keyboard. @@ -1718,12 +1729,6 @@ If the policy is Disabled or Not Configured, then the user will be free to chang Note that the availability and function of this setting is dependent on supported languages being enabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1742,28 +1747,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1780,7 +1791,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy turns off the offer text predictions as I type option. This does not, however, prevent the user or an application from changing the setting programmatically. +This policy turns off the offer text predictions as I type option. This does not, however, prevent the user or an application from changing the setting programmatically. The offer text predictions as I type option controls whether or not text prediction suggestions will be presented to the user on the on-screen keyboard. @@ -1791,12 +1802,6 @@ If the policy is Disabled or Not Configured, then the user will be free to chang Note that the availability and function of this setting is dependent on supported languages being enabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1815,28 +1820,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1853,7 +1864,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines how programs interpret two-digit years. +This policy setting determines how programs interpret two-digit years. This policy setting affects only the programs that use this Windows feature to interpret two-digit years. If a program does not interpret two-digit years correctly, consult the documentation or manufacturer of the program. @@ -1864,12 +1875,6 @@ For example, the default value, 2029, specifies that all two-digit years less th If you disable or do not configure this policy setting, Windows does not interpret two-digit year formats using this scheme for the program. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1882,7 +1887,4 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. - \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-grouppolicy.md b/windows/client-management/mdm/policy-csp-admx-grouppolicy.md index cbb70f971a..dc63616394 100644 --- a/windows/client-management/mdm/policy-csp-admx-grouppolicy.md +++ b/windows/client-management/mdm/policy-csp-admx-grouppolicy.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_GroupPolicy -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -162,28 +166,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -195,12 +205,13 @@ manager: dansimp > [!div class = "checklist"] > * Device +> * User
      -Available in the latest Windows 10 Insider Preview Build. This policy setting allows user-based policy processing, roaming user profiles, and user object logon scripts for interactive logons across forests. +This policy setting allows user-based policy processing, roaming user profiles, and user object logon scripts for interactive logons across forests. This policy setting affects all user accounts that interactively log on to a computer in a different forest when a trust across forests or a two-way forest trust exists. @@ -216,12 +227,7 @@ If you enable this policy setting, the behavior is exactly the same as in Window If you disable this policy setting, the behavior is the same as if it is not configured. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -240,28 +246,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -278,7 +290,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines when software installation policies are updated. +This policy setting determines when software installation policies are updated. This policy setting affects all policy settings that use the software installation component of Group Policy, such as policy settings in Software Settings\Software Installation. You can set software installation policy only for Group Policy Objects stored in Active Directory, not for Group Policy Objects on the local computer. @@ -291,12 +303,7 @@ The "Allow processing across a slow network connection" option updates the polic The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy setting implementations specify that they are updated only when changed. However, you might want to update unchanged policy settings, such as reapplying a desired policies in case a user has changed it. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -315,28 +322,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -353,7 +366,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines when disk quota policies are updated. +This policy setting determines when disk quota policies are updated. This policy setting affects all policies that use the disk quota component of Group Policy, such as those in Computer Configuration\Administrative Templates\System\Disk Quotas. @@ -368,12 +381,7 @@ The "Do not apply during periodic background processing" option prevents the sys The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired setting in case a user has changed it. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -392,28 +400,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -430,7 +444,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines when encryption policies are updated. +This policy setting determines when encryption policies are updated. This policy setting affects all policies that use the encryption component of Group Policy, such as policies related to encryption in Windows Settings\Security Settings. @@ -445,12 +459,7 @@ The "Do not apply during periodic background processing" option prevents the sys The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired setting in case a user has changed it. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -469,28 +478,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -507,7 +522,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines when folder redirection policies are updated. +This policy setting determines when folder redirection policies are updated. This policy setting affects all policies that use the folder redirection component of Group Policy, such as those in WindowsSettings\Folder Redirection. You can only set folder redirection policy for Group Policy objects, stored in Active Directory, not for Group Policy objects on the local computer. @@ -520,12 +535,7 @@ The "Allow processing across a slow network connection" option updates the polic The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired setting in case a user has changed it. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -544,28 +554,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -582,7 +598,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines when Internet Explorer Maintenance policies are updated. +This policy setting determines when Internet Explorer Maintenance policies are updated. This policy setting affects all policies that use the Internet Explorer Maintenance component of Group Policy, such as those in Windows Settings\Internet Explorer Maintenance. @@ -597,12 +613,7 @@ The "Do not apply during periodic background processing" option prevents the sys The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired policy setting in case a user has changed it. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -621,28 +632,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -659,7 +676,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines when IP security policies are updated. +This policy setting determines when IP security policies are updated. This policy setting affects all policies that use the IP security component of Group Policy, such as policies in Computer Configuration\Windows Settings\Security Settings\IP Security Policies on Local Machine. @@ -674,12 +691,7 @@ The "Do not apply during periodic background processing" option prevents the sys The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired policy setting in case a user has changed it. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -698,28 +710,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -736,7 +754,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines when registry policies are updated. +This policy setting determines when registry policies are updated. This policy setting affects all policies in the Administrative Templates folder and any other policies that store values in the registry. It overrides customized settings that the program implementing a registry policy set when it was installed. @@ -747,12 +765,7 @@ The "Do not apply during periodic background processing" option prevents the sys The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired policy setting in case a user has changed it. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -771,28 +784,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -809,7 +828,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines when policies that assign shared scripts are updated. +This policy setting determines when policies that assign shared scripts are updated. This policy setting affects all policies that use the scripts component of Group Policy, such as those in WindowsSettings\Scripts. It overrides customized settings that the program implementing the scripts policy set when it was installed. @@ -822,12 +841,7 @@ The "Do not apply during periodic background processing" option prevents the sys The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired policy setting in case a user has changed it. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -846,28 +860,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -884,7 +904,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines when security policies are updated. +This policy setting determines when security policies are updated. This policy setting affects all policies that use the security component of Group Policy, such as those in Windows Settings\Security Settings. @@ -897,12 +917,7 @@ The "Do not apply during periodic background processing" option prevents the sys The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they be updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired policy setting in case a user has changed it. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -921,28 +936,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -959,7 +980,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines when policies that assign wired network settings are updated. +This policy setting determines when policies that assign wired network settings are updated. This policy setting affects all policies that use the wired network component of Group Policy, such as those in Windows Settings\Wired Network Policies. @@ -976,12 +997,7 @@ The "Do not apply during periodic background processing" option prevents the sys The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired setting in case a user has changed it. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1000,28 +1016,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1038,7 +1060,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines when policies that assign wireless network settings are updated. +This policy setting determines when policies that assign wireless network settings are updated. This policy setting affects all policies that use the wireless network component of Group Policy, such as those in WindowsSettings\Wireless Network Policies. @@ -1055,12 +1077,7 @@ The "Do not apply during periodic background processing" option prevents the sys The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired setting in case a user has changed it. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1079,28 +1096,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1117,19 +1140,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies how long Group Policy should wait for workplace connectivity notifications during startup policy processing. If the startup policy processing is synchronous, the computer is blocked until workplace connectivity is available or the wait time is reached. If the startup policy processing is asynchronous, the computer is not blocked and policy processing will occur in the background. In either case, configuring this policy setting overrides any system-computed wait times. +This policy setting specifies how long Group Policy should wait for workplace connectivity notifications during startup policy processing. If the startup policy processing is synchronous, the computer is blocked until workplace connectivity is available or the wait time is reached. If the startup policy processing is asynchronous, the computer is not blocked and policy processing will occur in the background. In either case, configuring this policy setting overrides any system-computed wait times. If you enable this policy setting, Group Policy uses this administratively configured maximum wait time for workplace connectivity, and overrides any default or system-computed wait time. If you disable or do not configure this policy setting, Group Policy will use the default wait time of 60 seconds on computers running Windows operating systems greater than Windows 7 configured for workplace connectivity. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1148,28 +1166,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1186,7 +1210,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the ability of users to view their Resultant Set of Policy (RSoP) data. +This policy setting controls the ability of users to view their Resultant Set of Policy (RSoP) data. By default, interactively logged on users can view their own Resultant Set of Policy (RSoP) data. @@ -1202,12 +1226,7 @@ If you disable or do not configure this policy setting, interactive users can ge > This policy setting exists as both a User Configuration and Computer Configuration setting. Also, see the "Turn off Resultant set of Policy logging" policy setting in Computer Configuration\Administrative Templates\System\GroupPolicy. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1226,28 +1245,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1264,7 +1289,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the ability of users to view their Resultant Set of Policy (RSoP) data. +This policy setting controls the ability of users to view their Resultant Set of Policy (RSoP) data. By default, interactively logged on users can view their own Resultant Set of Policy (RSoP) data. @@ -1280,12 +1305,7 @@ If you disable or do not configure this policy setting, interactive users can ge > This policy setting exists as both a User Configuration and Computer Configuration setting. Also, see the "Turn off Resultant set of Policy logging" policy setting in Computer Configuration\Administrative Templates\System\GroupPolicy. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1304,28 +1324,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1342,15 +1368,10 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents the Group Policy Client Service from stopping when idle. +This policy setting prevents the Group Policy Client Service from stopping when idle. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1369,28 +1390,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1407,7 +1434,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents the system from updating the Administrative Templates source files automatically when you open the Group Policy Object Editor. +Prevents the system from updating the Administrative Templates source files automatically when you open the Group Policy Object Editor. Administrators might want to use this if they are concerned about the amount of space used on the system volume of a DC. @@ -1425,12 +1452,7 @@ Files will always be copied to the GPO if they have a later timestamp. > If the Computer Configuration policy setting, "Always use local ADM files for the Group Policy Object Editor" is enabled, the state of this setting is ignored and always treated as Enabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1449,28 +1471,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1487,7 +1515,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents Group Policy from being updated while the computer is in use. This policy setting applies to Group Policy for computers, users, and domain controllers. +This policy setting prevents Group Policy from being updated while the computer is in use. This policy setting applies to Group Policy for computers, users, and domain controllers. If you enable this policy setting, the system waits until the current user logs off the system before updating the computer and user settings. @@ -1497,12 +1525,7 @@ If you disable or do not configure this policy setting, updates can be applied w > If you make changes to this policy setting, you must restart your computer for it to take effect. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1521,28 +1544,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1559,7 +1588,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents Local Group Policy Objects (Local GPOs) from being applied. +This policy setting prevents Local Group Policy Objects (Local GPOs) from being applied. By default, the policy settings in Local GPOs are applied before any domain-based GPO policy settings. These policy settings can apply to both users and the local computer. You can disable the processing and application of all Local GPOs to ensure that only domain-based GPOs are applied. @@ -1571,12 +1600,7 @@ If you disable or do not configure this policy setting, Local GPOs continue to b > For computers joined to a domain, it is strongly recommended that you only configure this policy setting in domain-based GPOs. This policy setting will be ignored on computers that are joined to a workgroup. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1595,28 +1619,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1633,13 +1663,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control a user's ability to invoke a computer policy refresh. +This policy setting allows you to control a user's ability to invoke a computer policy refresh. If you enable this policy setting, users are not able to invoke a refresh of computer policy. Computer policy will still be applied at startup or when an official policy refresh occurs. If you disable or do not configure this policy setting, the default behavior applies. By default, computer policy is applied when the computer starts up. It also applies at a specified refresh interval or when manually invoked by the user. -Note: This policy setting applies only to non-administrators. Administrators can still invoke a refresh of computer policy at any time, no matter how this policy setting is configured. +> [!NOTE] +> This policy setting applies only to non-administrators. Administrators can still invoke a refresh of computer policy at any time, no matter how this policy setting is configured. Also, see the "Set Group Policy refresh interval for computers" policy setting to change the policy refresh interval. @@ -1647,12 +1678,7 @@ Also, see the "Set Group Policy refresh interval for computers" policy setting t > If you make changes to this policy setting, you must restart your computer for it to take effect. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1671,28 +1697,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1709,7 +1741,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether the Windows device is allowed to participate in cross-device experiences (continue experiences). +This policy setting determines whether the Windows device is allowed to participate in cross-device experiences (continue experiences). If you enable this policy setting, the Windows device is discoverable by other Windows devices that belong to the same user, and can participate in cross-device experiences. @@ -1718,12 +1750,7 @@ If you disable this policy setting, the Windows device is not discoverable by ot If you do not configure this policy setting, the default behavior depends on the Windows edition. Changes to this policy take effect on reboot. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1742,28 +1769,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1780,7 +1813,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure Group Policy caching behavior. +This policy setting allows you to configure Group Policy caching behavior. If you enable or do not configure this policy setting, Group Policy caches policy information after every background processing session. This cache saves applicable GPOs and the settings contained within them. When Group Policy runs in synchronous foreground mode, it refers to this cache, which enables it to run faster. When the cache is read, Group Policy attempts to contact a logon domain controller to determine the link speed. When Group Policy runs in background mode or asynchronous foreground mode, it continues to download the latest version of the policy information, and it uses a bandwidth estimate to determine slow link thresholds. (See the “Configure Group Policy Slow Link Detection” policy setting to configure asynchronous foreground behavior.) @@ -1791,12 +1824,7 @@ The timeout value that is defined in this policy setting determines how long Gro If you disable this policy setting, the Group Policy client will not cache applicable GPOs or settings that are contained within the GPOs. When Group Policy runs synchronously, it downloads the latest version of the policy from the network and uses bandwidth estimates to determine slow link thresholds. (See the “Configure Group Policy Slow Link Detection” policy setting to configure asynchronous foreground behavior.) -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1815,28 +1843,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1853,7 +1887,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure Group Policy caching behavior on Windows Server machines. +This policy setting allows you to configure Group Policy caching behavior on Windows Server machines. If you enable this policy setting, Group Policy caches policy information after every background processing session. This cache saves applicable GPOs and the settings contained within them. When Group Policy runs in synchronous foreground mode, it refers to this cache, which enables it to run faster. When the cache is read, Group Policy attempts to contact a logon domain controller to determine the link speed. When Group Policy runs in background mode or asynchronous foreground mode, it continues to download the latest version of the policy information, and it uses a bandwidth estimate to determine slow link thresholds. (See the “Configure Group Policy Slow Link Detection” policy setting to configure asynchronous foreground behavior.) @@ -1864,12 +1898,7 @@ The timeout value that is defined in this policy setting determines how long Gro If you disable or do not configure this policy setting, the Group Policy client will not cache applicable GPOs or settings that are contained within the GPOs. When Group Policy runs synchronously, it downloads the latest version of the policy from the network and uses bandwidth estimates to determine slow link thresholds. (See the “Configure Group Policy Slow Link Detection” policy setting to configure asynchronous foreground behavior.) -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1888,28 +1917,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1926,7 +1961,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy allows IT admins to turn off the ability to Link a Phone with a PC to continue reading, emailing and other tasks that requires linking between Phone and PC. +This policy allows IT admins to turn off the ability to Link a Phone with a PC to continue reading, emailing and other tasks that requires linking between Phone and PC. If you enable this policy setting, the Windows device will be able to enroll in Phone-PC linking functionality and participate in Continue on PC experiences. @@ -1935,12 +1970,7 @@ If you disable this policy setting, the Windows device is not allowed to be link If you do not configure this policy setting, the default behavior depends on the Windows edition. Changes to this policy take effect on reboot. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1959,28 +1989,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1997,7 +2033,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents administrators from viewing or using Group Policy preferences. +This policy setting prevents administrators from viewing or using Group Policy preferences. A Group Policy administration (.adm) file can contain both true settings and preferences. True settings, which are fully supported by Group Policy, must use registry entries in the Software\Policies or Software\Microsoft\Windows\CurrentVersion\Policies registry subkeys. Preferences, which are not fully supported, use registry entries in other subkeys. @@ -2011,12 +2047,7 @@ If you disable or do not configure this policy setting, the "Show Policies Only" In Group Policy Object Editor, preferences have a red icon to distinguish them from true settings, which have a blue icon. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2035,28 +2066,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2073,17 +2110,12 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This security feature provides a global setting to prevent programs from loading untrusted fonts. Untrusted fonts are any font installed outside of the %windir%\Fonts directory. +This security feature provides a global setting to prevent programs from loading untrusted fonts. Untrusted fonts are any font installed outside of the %windir%\Fonts directory. This feature can be configured to be in 3 modes: On, Off, and Audit. By default, it is Off and no fonts are blocked. If you aren't quite ready to deploy this feature into your organization, you can run it in Audit mode to see if blocking untrusted fonts causes any usability or compatibility issues. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2102,28 +2134,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2140,7 +2178,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines which domain controller the Group Policy Object Editor snap-in uses. +This policy setting determines which domain controller the Group Policy Object Editor snap-in uses. If you enable this setting, you can which domain controller is used according to these options: @@ -2156,12 +2194,7 @@ If you disable this setting or do not configure it, the Group Policy Object Edit > To change the PDC Operations Master for a domain, in Active Directory Users and Computers, right-click a domain, and then click "Operations Masters." -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2180,28 +2213,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2218,7 +2257,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting defines a slow connection for purposes of applying and updating Group Policy. +This policy setting defines a slow connection for purposes of applying and updating Group Policy. If the rate at which data is transferred from the domain controller providing a policy update to the computers in this group is slower than the rate specified by this setting, the system considers the connection to be slow. @@ -2230,15 +2269,13 @@ If you disable this setting or do not configure it, the system uses the default This setting appears in the Computer Configuration and User Configuration folders. The setting in Computer Configuration defines a slow link for policies in the Computer Configuration folder. The setting in User Configuration defines a slow link for settings in the User Configuration folder. -Also, see the "Do not detect slow network connections" and related policies in Computer Configuration\Administrative Templates\System\User Profile. Note: If the profile server has IP connectivity, the connection speed setting is used. If the profile server does not have IP connectivity, the SMB timing is used. +Also, see the "Do not detect slow network connections" and related policies in Computer Configuration\Administrative Templates\System\User Profile. + +> [!NOTE] +> If the profile server has IP connectivity, the connection speed setting is used. If the profile server does not have IP connectivity, the SMB timing is used. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2257,28 +2294,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2295,7 +2338,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting defines a slow connection for purposes of applying and updating Group Policy. +This policy setting defines a slow connection for purposes of applying and updating Group Policy. If the rate at which data is transferred from the domain controller providing a policy update to the computers in this group is slower than the rate specified by this setting, the system considers the connection to be slow. @@ -2307,15 +2350,13 @@ If you disable this setting or do not configure it, the system uses the default This setting appears in the Computer Configuration and User Configuration folders. The setting in Computer Configuration defines a slow link for policies in the Computer Configuration folder. The setting in User Configuration defines a slow link for settings in the User Configuration folder. -Also, see the "Do not detect slow network connections" and related policies in Computer Configuration\Administrative Templates\System\User Profile. Note: If the profile server has IP connectivity, the connection speed setting is used. If the profile server does not have IP connectivity, the SMB timing is used. +Also, see the "Do not detect slow network connections" and related policies in Computer Configuration\Administrative Templates\System\User Profile. + +> [!NOTE] +> If the profile server has IP connectivity, the connection speed setting is used. If the profile server does not have IP connectivity, the SMB timing is used. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2334,28 +2375,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2372,7 +2419,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies how often Group Policy for computers is updated while the computer is in use (in the background). This setting specifies a background update rate only for Group Policies in the Computer Configuration folder. +This policy setting specifies how often Group Policy for computers is updated while the computer is in use (in the background). This setting specifies a background update rate only for Group Policies in the Computer Configuration folder. In addition to background updates, Group Policy for the computer is always updated when the system starts. @@ -2392,12 +2439,7 @@ This setting is only used when the "Turn off background refresh of Group Policy" > Consider notifying users that their policy is updated periodically so that they recognize the signs of a policy update. When Group Policy is updated, the Windows desktop is refreshed; it flickers briefly and closes open menus. Also, restrictions imposed by Group Policies, such as those that limit the programs users can run, might interfere with tasks in progress. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2416,28 +2458,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2454,7 +2502,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies how often Group Policy is updated on domain controllers while they are running (in the background). The updates specified by this setting occur in addition to updates performed when the system starts. +This policy setting specifies how often Group Policy is updated on domain controllers while they are running (in the background). The updates specified by this setting occur in addition to updates performed when the system starts. By default, Group Policy on the domain controllers is updated every five minutes. @@ -2468,12 +2516,7 @@ This setting also lets you specify how much the actual update interval varies. T > This setting is used only when you are establishing policy for a domain, site, organizational unit (OU), or customized group. If you are establishing policy for a local computer only, the system ignores this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2492,28 +2535,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2530,7 +2579,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies how often Group Policy for users is updated while the computer is in use (in the background). This setting specifies a background update rate only for the Group Policies in the User Configuration folder. +This policy setting specifies how often Group Policy for users is updated while the computer is in use (in the background). This setting specifies a background update rate only for the Group Policies in the User Configuration folder. In addition to background updates, Group Policy for users is always updated when users log on. @@ -2552,12 +2601,7 @@ This setting also lets you specify how much the actual update interval varies. T > Consider notifying users that their policy is updated periodically so that they recognize the signs of a policy update. When Group Policy is updated, the Windows desktop is refreshed; it flickers briefly and closes open menus. Also, restrictions imposed by Group Policies, such as those that limit the programs a user can run, might interfere with tasks in progress. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2576,28 +2620,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2614,7 +2664,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Enter “0” to disable Logon Script Delay. +Enter “0” to disable Logon Script Delay. This policy setting allows you to configure how long the Group Policy client waits after logon before running scripts. @@ -2627,12 +2677,7 @@ If you disable this policy setting, Group Policy will run scripts immediately af If you do not configure this policy setting, Group Policy will wait five minutes before running logon scripts. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2651,28 +2696,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2689,7 +2740,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to set the default display name for new Group Policy objects. +This policy setting allows you to set the default display name for new Group Policy objects. This setting allows you to specify the default name for new Group Policy objects created from policy compliant Group Policy Management tools including the Group Policy tab in Active Directory tools and the GPO browser. @@ -2698,12 +2749,7 @@ The display name can contain environment variables and can be a maximum of 255 c If this setting is Disabled or Not Configured, the default display name of New Group Policy object is used. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2722,28 +2768,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2760,19 +2812,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to create new Group Policy object links in the disabled state. +This policy setting allows you to create new Group Policy object links in the disabled state. If you enable this setting, you can create all new Group Policy object links in the disabled state by default. After you configure and test the new object links by using a policy compliant Group Policy management tool such as Active Directory Users and Computers or Active Directory Sites and Services, you can enable the object links for use on the system. If you disable this setting or do not configure it, new Group Policy object links are created in the enabled state. If you do not want them to be effective until they are configured and tested, you must disable the object link. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2791,28 +2838,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2829,7 +2882,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting lets you always use local ADM files for the Group Policy snap-in. +This policy setting lets you always use local ADM files for the Group Policy snap-in. By default, when you edit a Group Policy Object (GPO) using the Group Policy Object Editor snap-in, the ADM files are loaded from that GPO into the Group Policy Object Editor snap-in. This allows you to use the same version of the ADM files that were used to create the GPO while editing this GPO. @@ -2853,12 +2906,7 @@ If you disable or do not configure this setting, the Group Policy Object Editor > If the ADMs that you require are not all available locally in your %windir%\inf directory, you might not be able to see all the settings that have been configured in the GPO that you are editing. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2877,28 +2925,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2916,7 +2970,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This security feature provides a means to override individual process MitigationOptions settings. This can be used to enforce a number of security policies specific to applications. The application name is specified as the Value name, including extension. The Value is specified as a bit field with a series of flags in particular positions. Bits can be set to either 0 (setting is forced off), 1 (setting is forced on), or ? (setting retains its existing value prior to GPO evaluation). The recognized bit locations are: +This security feature provides a means to override individual process MitigationOptions settings. This can be used to enforce a number of security policies specific to applications. The application name is specified as the Value name, including extension. The Value is specified as a bit field with a series of flags in particular positions. Bits can be set to either 0 (setting is forced off), 1 (setting is forced on), or ? (setting retains its existing value prior to GPO evaluation). The recognized bit locations are: PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE (0x00000001) Enables data execution prevention (DEP) for the child process @@ -2940,12 +2994,7 @@ For instance, to enable PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE and PROCES Setting flags not specified here to any value other than ? results in undefined behavior. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2964,28 +3013,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -3002,7 +3057,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This setting allows you to enable or disable Resultant Set of Policy (RSoP) logging on a client computer. +This setting allows you to enable or disable Resultant Set of Policy (RSoP) logging on a client computer. RSoP logs information on Group Policy settings that have been applied to the client. This information includes details such as which Group Policy Objects (GPO) were applied, where they came from, and the client-side extension settings that were included. @@ -3014,12 +3069,7 @@ If you disable or do not configure this setting, RSoP logging is turned on. By d > To view the RSoP information logged on a client computer, you can use the RSoP snap-in in the Microsoft Management Console (MMC). -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3038,28 +3088,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -3076,15 +3132,10 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Enabling this setting will cause the Group Policy Client to connect to the same domain controller for DFS shares as is being used for Active Directory. +Enabling this setting will cause the Group Policy Client to connect to the same domain controller for DFS shares as is being used for Active Directory. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3103,28 +3154,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -3141,7 +3198,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows an administrator to define the Direct Access connection to be considered a fast network connection for the purposes of applying and updating Group Policy. +This policy setting allows an administrator to define the Direct Access connection to be considered a fast network connection for the purposes of applying and updating Group Policy. When Group Policy detects the bandwidth speed of a Direct Access connection, the detection can sometimes fail to provide any bandwidth speed information. If Group Policy detects a bandwidth speed, Group Policy will follow the normal rules for evaluating if the Direct Access connection is a fast or slow network connection. If no bandwidth speed is detected, Group Policy will default to a slow network connection. This policy setting allows the administrator the option to override the default to slow network connection and instead default to using a fast network connection in the case that no network bandwidth speed is determined. @@ -3153,12 +3210,7 @@ If you enable this policy, when Group Policy cannot determine the bandwidth spee If you disable this setting or do not configure it, Group Policy will evaluate the network connection as a slow link and process only those client side extensions configured to process over a slow link. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3177,28 +3229,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -3215,7 +3273,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy directs Group Policy processing to skip processing any client side extension that requires synchronous processing (that is, whether computers wait for the network to be fully initialized during computer startup and user logon) when a slow network connection is detected. +This policy directs Group Policy processing to skip processing any client side extension that requires synchronous processing (that is, whether computers wait for the network to be fully initialized during computer startup and user logon) when a slow network connection is detected. If you enable this policy setting, when a slow network connection is detected, Group Policy processing will always run in an asynchronous manner. Client computers will not wait for the network to be fully initialized at startup and logon. Existing users will be logged on using cached credentials, @@ -3232,12 +3290,7 @@ and Drive Maps preference extension will not be applied. If you disable or do not configure this policy setting, detecting a slow network connection will not affect whether Group Policy processing will be synchronous or asynchronous. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3256,28 +3309,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -3294,19 +3353,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies how long Group Policy should wait for network availability notifications during startup policy processing. If the startup policy processing is synchronous, the computer is blocked until the network is available or the default wait time is reached. If the startup policy processing is asynchronous, the computer is not blocked and policy processing will occur in the background. In either case, configuring this policy setting overrides any system-computed wait times. +This policy setting specifies how long Group Policy should wait for network availability notifications during startup policy processing. If the startup policy processing is synchronous, the computer is blocked until the network is available or the default wait time is reached. If the startup policy processing is asynchronous, the computer is not blocked and policy processing will occur in the background. In either case, configuring this policy setting overrides any system-computed wait times. If you enable this policy setting, Group Policy will use this administratively configured maximum wait time and override any default or system-computed wait time. If you disable or do not configure this policy setting, Group Policy will use the default wait time of 30 seconds on computers running Windows Vista operating system. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3325,28 +3379,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -3363,7 +3423,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting directs the system to apply the set of Group Policy objects for the computer to any user who logs on to a computer affected by this setting. It is intended for special-use computers, such as those in public places, laboratories, and classrooms, where you must modify the user setting based on the computer that is being used. +This policy setting directs the system to apply the set of Group Policy objects for the computer to any user who logs on to a computer affected by this setting. It is intended for special-use computers, such as those in public places, laboratories, and classrooms, where you must modify the user setting based on the computer that is being used. By default, the user's Group Policy Objects determine which user settings apply. If this setting is enabled, then, when a user logs on to this computer, the computer's Group Policy Objects determine which set of Group Policy Objects applies. @@ -3379,12 +3439,7 @@ If you disable this setting or do not configure it, the user's Group Policy Obje > This setting is effective only when both the computer account and the user account are in at least Windows 2000 domains. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3397,6 +3452,5 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-help.md b/windows/client-management/mdm/policy-csp-admx-help.md index fcdb9696af..c281c53d6b 100644 --- a/windows/client-management/mdm/policy-csp-admx-help.md +++ b/windows/client-management/mdm/policy-csp-admx-help.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_Help -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -45,28 +49,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -83,7 +93,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to exclude HTML Help Executable from being monitored by software-enforced Data Execution Prevention. +This policy setting allows you to exclude HTML Help Executable from being monitored by software-enforced Data Execution Prevention. Data Execution Prevention (DEP) is designed to block malicious code that takes advantage of exception-handling mechanisms in Windows by monitoring your programs to make sure that they use system memory safely. @@ -92,12 +102,7 @@ If you enable this policy setting, DEP for HTML Help Executable is turned off. T If you disable or do not configure this policy setting, DEP is turned on for HTML Help Executable. This provides an additional security benefit, but HTML Help stops if DEP detects system memory abnormalities. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -116,28 +121,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -154,7 +165,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to restrict certain HTML Help commands to function only in HTML Help (.chm) files within specified folders and their subfolders. Alternatively, you can disable these commands on the entire system. It is strongly recommended that only folders requiring administrative privileges be added to this policy setting. +This policy setting allows you to restrict certain HTML Help commands to function only in HTML Help (.chm) files within specified folders and their subfolders. Alternatively, you can disable these commands on the entire system. It is strongly recommended that only folders requiring administrative privileges be added to this policy setting. If you enable this policy setting, the commands function only for .chm files in the specified folders and their subfolders. @@ -175,12 +186,7 @@ If you disable or do not configure this policy setting, these commands are fully For additional options, see the "Restrict these programs from being launched from Help" policy. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -199,28 +205,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -237,7 +249,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to restrict programs from being run from online Help. +This policy setting allows you to restrict programs from being run from online Help. If you enable this policy setting, you can prevent specified programs from being run from Help. When you enable this policy setting, enter the file names names of the programs you want to restrict, separated by commas. @@ -249,12 +261,7 @@ If you disable or do not configure this policy setting, users can run all applic > This policy setting is available under Computer Configuration and User Configuration. If both are settings are used, any programs listed in either of these locations cannot launched from Help. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -273,28 +280,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -311,7 +324,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to restrict programs from being run from online Help. +This policy setting allows you to restrict programs from being run from online Help. If you enable this policy setting, you can prevent specified programs from being run from Help. When you enable this policy setting, enter the file names names of the programs you want to restrict, separated by commas. @@ -322,12 +335,7 @@ If you disable or do not configure this policy setting, users can run all applic > > This policy setting is available under Computer Configuration and User Configuration. If both are settings are used, any programs listed in either of these locations cannot launched from Help. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -340,8 +348,7 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-helpandsupport.md b/windows/client-management/mdm/policy-csp-admx-helpandsupport.md index 15a6785034..8e79c571f5 100644 --- a/windows/client-management/mdm/policy-csp-admx-helpandsupport.md +++ b/windows/client-management/mdm/policy-csp-admx-helpandsupport.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_HelpAndSupport -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -45,28 +49,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -83,19 +93,14 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether active content links in trusted assistance content are rendered. By default, the Help viewer renders trusted assistance content with active elements such as ShellExecute links and Guided Help links. +This policy setting specifies whether active content links in trusted assistance content are rendered. By default, the Help viewer renders trusted assistance content with active elements such as ShellExecute links and Guided Help links. If you enable this policy setting, active content links are not rendered. The text is displayed, but there are no clickable links for these elements. If you disable or do not configure this policy setting, the default behavior applies (Help viewer renders trusted assistance content with active elements). -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -114,28 +119,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -152,7 +163,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether users can provide ratings for Help content. +This policy setting specifies whether users can provide ratings for Help content. If you enable this policy setting, ratings controls are not added to Help content. @@ -161,12 +172,7 @@ If you disable or do not configure this policy setting, ratings controls are add Users can use the control to provide feedback on the quality and usefulness of the Help and Support content. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -184,28 +190,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -222,19 +234,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether users can participate in the Help Experience Improvement program. The Help Experience Improvement program collects information about how customers use Windows Help so that Microsoft can improve it. +This policy setting specifies whether users can participate in the Help Experience Improvement program. The Help Experience Improvement program collects information about how customers use Windows Help so that Microsoft can improve it. If you enable this policy setting, users cannot participate in the Help Experience Improvement program. If you disable or do not configure this policy setting, users can turn on the Help Experience Improvement program feature from the Help and Support settings page. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -253,28 +260,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -291,19 +304,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether users can search and view content from Windows Online in Help and Support. Windows Online provides the most up-to-date Help content for Windows. +This policy setting specifies whether users can search and view content from Windows Online in Help and Support. Windows Online provides the most up-to-date Help content for Windows. If you enable this policy setting, users are prevented from accessing online assistance content from Windows Online. If you disable or do not configure this policy setting, users can access online assistance if they have a connection to the Internet and have not disabled Windows Online from the Help and Support Options page. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -316,8 +324,7 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-hotspotauth.md b/windows/client-management/mdm/policy-csp-admx-hotspotauth.md index 17e85306fc..23fdd62c9a 100644 --- a/windows/client-management/mdm/policy-csp-admx-hotspotauth.md +++ b/windows/client-management/mdm/policy-csp-admx-hotspotauth.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_HotSpotAuth -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -90,12 +95,6 @@ This policy setting defines whether WLAN hotspots are probed for Wireless Intern - If you disable this policy setting, WLAN hotspots are not probed for WISPr protocol support, and users can only authenticate with WLAN hotspots using a web browser. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -109,7 +108,6 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-icm.md b/windows/client-management/mdm/policy-csp-admx-icm.md index eecfadc85d..20e245b182 100644 --- a/windows/client-management/mdm/policy-csp-admx-icm.md +++ b/windows/client-management/mdm/policy-csp-admx-icm.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_ICM -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -111,28 +115,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -149,7 +159,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting turns off the Windows Customer Experience Improvement Program. The Windows Customer Experience Improvement Program collects information about your hardware configuration and how you use our software and services to identify trends and usage patterns. Microsoft will not collect your name, address, or any other personally identifiable information. There are no surveys to complete, no salesperson will call, and you can continue working without interruption. It is simple and user-friendly. +This policy setting turns off the Windows Customer Experience Improvement Program. The Windows Customer Experience Improvement Program collects information about your hardware configuration and how you use our software and services to identify trends and usage patterns. Microsoft will not collect your name, address, or any other personally identifiable information. There are no surveys to complete, no salesperson will call, and you can continue working without interruption. It is simple and user-friendly. If you enable this policy setting, all users are opted out of the Windows Customer Experience Improvement Program. @@ -158,12 +168,7 @@ If you disable this policy setting, all users are opted into the Windows Custome If you do not configure this policy setting, the administrator can use the Problem Reports and Solutions component in Control Panel to enable Windows Customer Experience Improvement Program for all users. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -182,28 +187,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -220,7 +231,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether to automatically update root certificates using the Windows Update website. +This policy setting specifies whether to automatically update root certificates using the Windows Update website. Typically, a certificate is used when you use a secure website or when you send and receive secure email. Anyone can issue certificates, but to have transactions that are as secure as possible, certificates must be issued by a trusted certificate authority (CA). Microsoft has included a list in Windows XP and other products of companies and organizations that it considers trusted authorities. @@ -229,12 +240,7 @@ If you enable this policy setting, when you are presented with a certificate iss If you disable or do not configure this policy setting, your computer will contact the Windows Update website. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -253,28 +259,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -291,7 +303,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether to allow printing over HTTP from this client. +This policy setting specifies whether to allow printing over HTTP from this client. Printing over HTTP allows a client to print to printers on the intranet as well as the Internet. @@ -303,12 +315,7 @@ If you enable this policy setting, it prevents this client from printing to Inte If you disable or do not configure this policy setting, users can choose to print to Internet printers over HTTP. Also, see the "Web-based printing" policy setting in Computer Configuration/Administrative Templates/Printers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -327,28 +334,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -365,7 +378,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether to allow this client to download print driver packages over HTTP. +This policy setting specifies whether to allow this client to download print driver packages over HTTP. To set up HTTP printing, non-inbox drivers need to be downloaded over HTTP. @@ -379,12 +392,7 @@ If you enable this policy setting, print drivers cannot be downloaded over HTTP. If you disable or do not configure this policy setting, users can download print drivers over HTTP. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -403,28 +411,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -441,7 +455,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether Windows searches Windows Update for device drivers when no local drivers for a device are present. +This policy setting specifies whether Windows searches Windows Update for device drivers when no local drivers for a device are present. If you enable this policy setting, Windows Update is not searched when a new device is installed. @@ -455,12 +469,7 @@ Also see "Turn off Windows Update device driver search prompt" in "Administrativ > This policy setting is replaced by "Specify Driver Source Search Order" in "Administrative Templates/System/Device Installation" on newer versions of Windows. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -479,28 +488,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -517,7 +532,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether "Events.asp" hyperlinks are available for events within the Event Viewer application. +This policy setting specifies whether "Events.asp" hyperlinks are available for events within the Event Viewer application. The Event Viewer normally makes all HTTP(S) URLs into hyperlinks that activate the Internet browser when clicked. In addition, "More Information" is placed at the end of the description text if the event is created by a Microsoft component. This text contains a link (URL) that, if clicked, sends information about the event to Microsoft, and allows users to learn more about why that event occurred. @@ -528,12 +543,7 @@ If you disable or do not configure this policy setting, the user can click the h Also, see "Events.asp URL", "Events.asp program", and "Events.asp Program Command Line Parameters" settings in "Administrative Templates/Windows Components/Event Viewer". -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -552,28 +562,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -590,7 +606,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether to show the "Did you know?" section of Help and Support Center. +This policy setting specifies whether to show the "Did you know?" section of Help and Support Center. This content is dynamically updated when users who are connected to the Internet open Help and Support Center, and provides up-to-date information about Windows and the computer. @@ -601,12 +617,7 @@ If you disable or do not configure this policy setting, the Help and Support Cen You might want to enable this policy setting for users who do not have Internet access, because the content in the "Did you know?" section will remain static indefinitely without an Internet connection. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -625,28 +636,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -663,7 +680,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether users can perform a Microsoft Knowledge Base search from the Help and Support Center. +This policy setting specifies whether users can perform a Microsoft Knowledge Base search from the Help and Support Center. The Knowledge Base is an online source of technical support information and self-help tools for Microsoft products, and is searched as part of all Help and Support Center searches with the default search options. @@ -672,12 +689,7 @@ If you enable this policy setting, it removes the Knowledge Base section from th If you disable or do not configure this policy setting, the Knowledge Base is searched if the user has a connection to the Internet and has not disabled the Knowledge Base search from the Search Options page. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -696,28 +708,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -734,7 +752,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether Windows can access the Internet to accomplish tasks that require Internet resources. +This policy setting specifies whether Windows can access the Internet to accomplish tasks that require Internet resources. If you enable this setting, all of the the policy settings listed in the "Internet Communication settings" section are set such that their respective features cannot access the Internet. @@ -743,12 +761,7 @@ If you disable this policy setting, all of the the policy settings listed in the If you do not configure this policy setting, all of the the policy settings in the "Internet Communication settings" section are set to not configured. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -767,28 +780,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -805,7 +824,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether Windows can access the Internet to accomplish tasks that require Internet resources. +This policy setting specifies whether Windows can access the Internet to accomplish tasks that require Internet resources. If you enable this setting, all of the the policy settings listed in the "Internet Communication settings" section are set such that their respective features cannot access the Internet. @@ -813,12 +832,7 @@ If you disable this policy setting, all of the the policy settings listed in the If you do not configure this policy setting, all of the the policy settings in the "Internet Communication settings" section are set to not configured. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -837,28 +851,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -875,19 +895,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the Internet Connection Wizard can connect to Microsoft to download a list of Internet Service Providers (ISPs). +This policy setting specifies whether the Internet Connection Wizard can connect to Microsoft to download a list of Internet Service Providers (ISPs). If you enable this policy setting, the "Choose a list of Internet Service Providers" path in the Internet Connection Wizard causes the wizard to exit. This prevents users from retrieving the list of ISPs, which resides on Microsoft servers. If you disable or do not configure this policy setting, users can connect to Microsoft to download a list of ISPs for their area. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -906,28 +921,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -944,7 +965,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the Windows Registration Wizard connects to Microsoft.com for online registration. +This policy setting specifies whether the Windows Registration Wizard connects to Microsoft.com for online registration. If you enable this policy setting, it blocks users from connecting to Microsoft.com for online registration and users cannot register their copy of Windows online. @@ -953,12 +974,7 @@ If you disable or do not configure this policy setting, users can connect to Mic Note that registration is optional and involves submitting some personal information to Microsoft. However, Windows Product Activation is required but does not involve submitting any personal information (except the country/region you live in). -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -977,28 +993,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1015,7 +1037,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether or not errors are reported to Microsoft. +This policy setting controls whether or not errors are reported to Microsoft. Error Reporting is used to report information about a system or application that has failed or has stopped responding and is used to improve the quality of the product. @@ -1028,12 +1050,7 @@ This policy setting overrides any user setting made from the Control Panel for e Also see the "Configure Error Reporting", "Display Error Notification" and "Disable Windows Error Reporting" policy settings under Computer Configuration/Administrative Templates/Windows Components/Windows Error Reporting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1052,28 +1069,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1090,7 +1113,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove access to Windows Update. +This policy setting allows you to remove access to Windows Update. If you enable this policy setting, all Windows Update features are removed. This includes blocking access to the Windows Update website at https://windowsupdate.microsoft.com, from the Windows Update hyperlink on the Start menu, and also on the Tools menu in Internet Explorer. Windows automatic updating is also disabled; you will neither be notified about nor will you receive critical updates from Windows Update. This policy setting also prevents Device Manager from automatically installing driver updates from the Windows Update website. @@ -1100,12 +1123,7 @@ If you disable or do not configure this policy setting, users can access the Win > This policy applies only when this PC is configured to connect to an intranet update service using the "Specify intranet Microsoft update service location" policy. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1124,28 +1142,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1162,7 +1186,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether Search Companion should automatically download content updates during local and Internet searches. +This policy setting specifies whether Search Companion should automatically download content updates during local and Internet searches. When users search the local computer or the Internet, Search Companion occasionally connects to Microsoft to download an updated privacy policy and additional content files used to format and display results. @@ -1174,12 +1198,7 @@ If you disable or do not configure this policy setting, Search Companion downloa > Internet searches still send the search text and information about the search to Microsoft and the chosen search provider. Choosing Classic Search turns off the Search Companion feature completely. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1198,28 +1217,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1236,7 +1261,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether to use the Microsoft Web service for finding an application to open a file with an unhandled file association. +This policy setting specifies whether to use the Microsoft Web service for finding an application to open a file with an unhandled file association. When a user opens a file that has an extension that is not associated with any applications on the computer, the user is given the choice to select a local application or use the Web service to find an application. @@ -1245,12 +1270,7 @@ If you enable this policy setting, the link and the dialog for using the Web ser If you disable or do not configure this policy setting, the user is allowed to use the Web service. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1269,28 +1289,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1307,7 +1333,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether to use the Microsoft Web service for finding an application to open a file with an unhandled file association. +This policy setting specifies whether to use the Microsoft Web service for finding an application to open a file with an unhandled file association. When a user opens a file that has an extension that is not associated with any applications on the computer, the user is given the choice to select a local application or use the Web service to find an application. @@ -1316,12 +1342,7 @@ If you enable this policy setting, the link and the dialog for using the Web ser If you disable or do not configure this policy setting, the user is allowed to use the Web service. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1340,28 +1361,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1378,7 +1405,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether to use the Store service for finding an application to open a file with an unhandled file type or protocol association. +This policy setting specifies whether to use the Store service for finding an application to open a file with an unhandled file type or protocol association. When a user opens a file type or protocol that is not associated with any applications on the computer, the user is given the choice to select a local application or use the Store service to find an application. @@ -1387,12 +1414,7 @@ If you enable this policy setting, the "Look for an app in the Store" item in th If you disable or do not configure this policy setting, the user is allowed to use the Store service and the Store item is available in the Open With dialog. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1411,28 +1433,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1449,7 +1477,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether to use the Store service for finding an application to open a file with an unhandled file type or protocol association. +This policy setting specifies whether to use the Store service for finding an application to open a file with an unhandled file type or protocol association. When a user opens a file type or protocol that is not associated with any applications on the computer, the user is given the choice to select a local application or use the Store service to find an application. @@ -1458,12 +1486,7 @@ If you enable this policy setting, the "Look for an app in the Store" item in th If you disable or do not configure this policy setting, the user is allowed to use the Store service and the Store item is available in the Open With dialog. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1482,28 +1505,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1520,7 +1549,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether Windows should download a list of providers for the web publishing and online ordering wizards. These wizards allow users to select from a list of companies that provide services such as online storage and photographic printing. By default, Windows displays providers downloaded from a Windows website in addition to providers specified in the registry. +This policy setting specifies whether Windows should download a list of providers for the web publishing and online ordering wizards. These wizards allow users to select from a list of companies that provide services such as online storage and photographic printing. By default, Windows displays providers downloaded from a Windows website in addition to providers specified in the registry. If you enable this policy setting, Windows does not download providers, and only the service providers that are cached in the local registry are displayed. @@ -1529,12 +1558,7 @@ If you disable or do not configure this policy setting, a list of providers are See the documentation for the web publishing and online ordering wizards for more information, including details on specifying service providers in the registry. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1553,28 +1577,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1591,19 +1621,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the "Order Prints Online" task is available from Picture Tasks in Windows folders. +This policy setting specifies whether the "Order Prints Online" task is available from Picture Tasks in Windows folders. The Order Prints Online Wizard is used to download a list of providers and allow users to order prints online. If you enable this policy setting, the task "Order Prints Online" is removed from Picture Tasks in File Explorer folders. If you disable or do not configure this policy setting, the task is displayed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1622,28 +1647,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1660,7 +1691,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the "Order Prints Online" task is available from Picture Tasks in Windows folders. +This policy setting specifies whether the "Order Prints Online" task is available from Picture Tasks in Windows folders. The Order Prints Online Wizard is used to download a list of providers and allow users to order prints online. @@ -1669,12 +1700,7 @@ If you enable this policy setting, the task "Order Prints Online" is removed fro If you disable or do not configure this policy setting, the task is displayed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1693,28 +1719,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1731,19 +1763,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the tasks "Publish this file to the Web," "Publish this folder to the Web," and "Publish the selected items to the Web" are available from File and Folder Tasks in Windows folders. +This policy setting specifies whether the tasks "Publish this file to the Web," "Publish this folder to the Web," and "Publish the selected items to the Web" are available from File and Folder Tasks in Windows folders. The Web Publishing Wizard is used to download a list of providers and allow users to publish content to the web. If you enable this policy setting, these tasks are removed from the File and Folder tasks in Windows folders. If you disable or do not configure this policy setting, the tasks are shown. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1762,28 +1789,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1800,7 +1833,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the tasks "Publish this file to the Web," "Publish this folder to the Web," and "Publish the selected items to the Web" are available from File and Folder Tasks in Windows folders. +This policy setting specifies whether the tasks "Publish this file to the Web," "Publish this folder to the Web," and "Publish the selected items to the Web" are available from File and Folder Tasks in Windows folders. The Web Publishing Wizard is used to download a list of providers and allow users to publish content to the web. @@ -1809,12 +1842,7 @@ If you enable this policy setting, these tasks are removed from the File and Fol If you disable or do not configure this policy setting, the tasks are shown. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1833,28 +1861,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1871,7 +1905,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether Windows Messenger collects anonymous information about how Windows Messenger software and service is used. +This policy setting specifies whether Windows Messenger collects anonymous information about how Windows Messenger software and service is used. With the Customer Experience Improvement program, users can allow Microsoft to collect anonymous information about how the product is used. @@ -1882,12 +1916,7 @@ If you enable this policy setting, Windows Messenger does not collect usage info If you disable this policy setting, Windows Messenger collects anonymous usage information, and the setting is not shown. If you do not configure this policy setting, users have the choice to opt in and allow information to be collected. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1906,28 +1935,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1944,7 +1979,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether Windows Messenger collects anonymous information about how Windows Messenger software and service is used. +This policy setting specifies whether Windows Messenger collects anonymous information about how Windows Messenger software and service is used. With the Customer Experience Improvement program, users can allow Microsoft to collect anonymous information about how the product is used. @@ -1957,12 +1992,7 @@ If you disable this policy setting, Windows Messenger collects anonymous usage i If you do not configure this policy setting, users have the choice to opt in and allow information to be collected. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1975,8 +2005,6 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-iis.md b/windows/client-management/mdm/policy-csp-admx-iis.md index 7516b56b97..6cda2222f1 100644 --- a/windows/client-management/mdm/policy-csp-admx-iis.md +++ b/windows/client-management/mdm/policy-csp-admx-iis.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_IIS -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -88,12 +93,7 @@ Enabling this setting will not have any effect on IIS if IIS is already installe - If you disable or do not configure this policy setting, IIS can be installed, as well as all the programs and applications that require IIS to run." -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -107,7 +107,6 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-iscsi.md b/windows/client-management/mdm/policy-csp-admx-iscsi.md new file mode 100644 index 0000000000..f26e77cac0 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-iscsi.md @@ -0,0 +1,249 @@ +--- +title: Policy CSP - ADMX_iSCSI +description: Policy CSP - ADMX_iSCSI +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 12/17/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_iSCSI + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + +
      + + +## ADMX_iSCSI policies + +
      +
      + ADMX_iSCSI/iSCSIGeneral_RestrictAdditionalLogins +
      +
      + ADMX_iSCSI/iSCSIGeneral_ChangeIQNName +
      +
      + ADMX_iSCSI/iSCSISecurity_ChangeCHAPSecret +
      +
      + + +
      + + +**ADMX_iSCSI/iSCSIGeneral_RestrictAdditionalLogins** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      EditionWindows 10Windows 11
      HomeNoNo
      ProNoNo
      BusinessNoNo
      EnterpriseYesYes
      EducationYesYes
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +If enabled then new iSNS servers may not be added and thus new targets discovered via those iSNS servers; existing iSNS servers may not be removed. + +If disabled then new iSNS servers may be added and thus new targets discovered via those iSNS servers; existing iSNS servers may be removed. + + + + + +ADMX Info: +- GP English name: *Do not allow manual configuration of iSNS servers* +- GP name: *iSCSIGeneral_RestrictAdditionalLogins* +- GP path: *System\iSCSI\iSCSI Target Discovery* +- GP ADMX file name: *iSCSI.admx* + + + +
      + + +**ADMX_iSCSI/iSCSIGeneral_ChangeIQNName** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      EditionWindows 10Windows 11
      HomeNoNo
      ProNoNo
      BusinessNoNo
      EnterpriseYesYes
      EducationYesYes
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +If enabled then new target portals may not be added and thus new targets discovered on those portals; existing target portals may not be removed. + +If disabled then new target portals may be added and thus new targets discovered on those portals; existing target portals may be removed. + + + + +ADMX Info: +- GP English name: *Do not allow manual configuration of target portals* +- GP name: *iSCSIGeneral_ChangeIQNName* +- GP path: *System\iSCSI\iSCSI Target Discovery* +- GP ADMX file name: *iSCSI.admx* + + + +
      + + +**ADMX_iSCSI/iSCSISecurity_ChangeCHAPSecret** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      EditionWindows 10Windows 11
      HomeNoNo
      ProNoNo
      BusinessNoNo
      EnterpriseYesYes
      EducationYesYes
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +If enabled then do not allow the initiator CHAP secret to be changed. + +If disabled then the initiator CHAP secret may be changed. + + + + + +ADMX Info: +- GP English name: *Do not allow changes to initiator CHAP secret* +- GP name: *iSCSISecurity_ChangeCHAPSecret* +- GP path: *System\iSCSI\iSCSI Security* +- GP ADMX file name: *iSCSI.admx* + + + +
      + + + + diff --git a/windows/client-management/mdm/policy-csp-admx-kdc.md b/windows/client-management/mdm/policy-csp-admx-kdc.md index 76d11f5aa4..1309460a63 100644 --- a/windows/client-management/mdm/policy-csp-admx-kdc.md +++ b/windows/client-management/mdm/policy-csp-admx-kdc.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_kdc -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -51,28 +55,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -89,7 +99,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure a domain controller to support claims and compound authentication for Dynamic Access Control and Kerberos armoring using Kerberos authentication. +This policy setting allows you to configure a domain controller to support claims and compound authentication for Dynamic Access Control and Kerberos armoring using Kerberos authentication. If you enable this policy setting, client computers that support claims and compound authentication for Dynamic Access Control and are Kerberos armor-aware will use this feature for Kerberos authentication messages. This policy should be applied to all domain controllers to ensure consistent application of this policy in the domain. @@ -123,12 +133,7 @@ Impact on domain controller performance when this policy setting is enabled: - Kerberos armoring fully encrypts Kerberos messages and signs Kerberos errors which results in increased processing time, but does not change the service ticket size. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -147,28 +152,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -185,7 +196,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting defines the list of trusting forests that the Key Distribution Center (KDC) searches when attempting to resolve two-part service principal names (SPNs). +This policy setting defines the list of trusting forests that the Key Distribution Center (KDC) searches when attempting to resolve two-part service principal names (SPNs). If you enable this policy setting, the KDC will search the forests in this list if it is unable to resolve a two-part SPN in the local forest. The forest search is performed by using a global catalog or name suffix hints. If a match is found, the KDC will return a referral ticket to the client for the appropriate domain. @@ -194,12 +205,7 @@ If you disable or do not configure this policy setting, the KDC will not search To ensure consistent behavior, this policy setting must be supported and set identically on all domain controllers in the domain. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -218,28 +224,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -256,7 +268,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Support for PKInit Freshness Extension requires Windows Server 2016 domain functional level (DFL). If the domain controller’s domain is not at Windows Server 2016 DFL or higher this policy will not be applied. +Support for PKInit Freshness Extension requires Windows Server 2016 domain functional level (DFL). If the domain controller’s domain is not at Windows Server 2016 DFL or higher this policy will not be applied. This policy setting allows you to configure a domain controller (DC) to support the PKInit Freshness Extension. @@ -269,12 +281,7 @@ Required: PKInit Freshness Extension is required for successful authentication. If you disable or not configure this policy setting, then the DC will never offer the PKInit Freshness Extension and accept valid authentication requests without checking for freshness. Users will never receive the fresh public key identity SID. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -293,28 +300,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -331,7 +344,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure a domain controller to request compound authentication. +This policy setting allows you to configure a domain controller to request compound authentication. > [!NOTE] > For a domain controller to request compound authentication, the policy "KDC support for claims, compound authentication, and Kerberos armoring" must be configured and enabled. @@ -341,12 +354,7 @@ If you enable this policy setting, domain controllers will request compound auth If you disable or do not configure this policy setting, domain controllers will return service tickets that contain compound authentication any time the client sends a compound authentication request regardless of the account configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -365,28 +373,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -403,19 +417,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure at what size Kerberos tickets will trigger the warning event issued during Kerberos authentication. The ticket size warnings are logged in the System log. +This policy setting allows you to configure at what size Kerberos tickets will trigger the warning event issued during Kerberos authentication. The ticket size warnings are logged in the System log. If you enable this policy setting, you can set the threshold limit for Kerberos ticket which trigger the warning events. If set too high, then authentication failures might be occurring even though warning events are not being logged. If set too low, then there will be too many ticket warnings in the log to be useful for analysis. This value should be set to the same value as the Kerberos policy "Set maximum Kerberos SSPI context token buffer size" or the smallest MaxTokenSize used in your environment if you are not configuring using Group Policy. If you disable or do not configure this policy setting, the threshold value defaults to 12,000 bytes, which is the default Kerberos MaxTokenSize for Windows 7, Windows Server 2008 R2 and prior versions. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -434,28 +443,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -472,7 +487,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether the domain controller provides information about previous logons to client computers. +This policy setting controls whether the domain controller provides information about previous logons to client computers. If you enable this policy setting, the domain controller provides the information message about previous logons. @@ -484,12 +499,7 @@ If you disable or do not configure this policy setting, the domain controller do > Information about previous logons is provided only if the domain functional level is Windows Server 2008. In domains with a domain functional level of Windows Server 2003, Windows 2000 native, or Windows 2000 mixed, domain controllers cannot provide information about previous logons, and enabling this policy setting does not affect anything. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -502,8 +512,7 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-kerberos.md b/windows/client-management/mdm/policy-csp-admx-kerberos.md index 0546c527b2..0546f3e781 100644 --- a/windows/client-management/mdm/policy-csp-admx-kerberos.md +++ b/windows/client-management/mdm/policy-csp-admx-kerberos.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_Kerberos -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -57,28 +61,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -95,7 +105,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether a device always sends a compound authentication request when the resource domain requests compound identity. +This policy setting controls whether a device always sends a compound authentication request when the resource domain requests compound identity. > [!NOTE] > For a domain controller to request compound authentication, the policies "KDC support for claims, compound authentication, and Kerberos armoring" and "Request compound authentication" must be configured and enabled in the resource account domain. @@ -105,12 +115,7 @@ If you enable this policy setting and the resource domain requests compound auth If you disable or do not configure this policy setting and the resource domain requests compound authentication, devices will send a non-compounded authentication request first then a compound authentication request when the service requests compound authentication. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -129,28 +134,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -167,7 +178,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Support for device authentication using certificate will require connectivity to a DC in the device account domain which supports certificate authentication for computer accounts. +Support for device authentication using certificate will require connectivity to a DC in the device account domain which supports certificate authentication for computer accounts. This policy setting allows you to set support for Kerberos to attempt authentication using the certificate for the device to the domain. @@ -181,12 +192,7 @@ If you disable this policy setting, certificates will never be used. If you do not configure this policy setting, Automatic will be used. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -205,28 +211,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -243,7 +255,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify which DNS host names and which DNS suffixes are mapped to a Kerberos realm. +This policy setting allows you to specify which DNS host names and which DNS suffixes are mapped to a Kerberos realm. If you enable this policy setting, you can view and change the list of DNS host names and DNS suffixes mapped to a Kerberos realm as defined by Group Policy. To view the list of mappings, enable the policy setting and then click the Show button. To add a mapping, enable the policy setting, note the syntax, and then click Show. In the Show Contents dialog box in the Value Name column, type a realm name. In the Value column, type the list of DNS host names and DNS suffixes using the appropriate syntax format. To remove a mapping from the list, click the mapping entry to be removed, and then press the DELETE key. To edit a mapping, remove the current entry from the list and add a new one with different parameters. @@ -252,12 +264,7 @@ If you disable this policy setting, the host name-to-Kerberos realm mappings lis If you do not configure this policy setting, the system uses the host name-to-Kerberos realm mappings that are defined in the local registry, if they exist. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -276,28 +283,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -314,7 +327,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to disable revocation check for the SSL certificate of the targeted KDC proxy server. +This policy setting allows you to disable revocation check for the SSL certificate of the targeted KDC proxy server. If you enable this policy setting, revocation check for the SSL certificate of the KDC proxy server is ignored by the Kerberos client. This policy setting should only be used in troubleshooting KDC proxy connections. Warning: When revocation check is ignored, the server represented by the certificate is not guaranteed valid. @@ -322,12 +335,7 @@ Warning: When revocation check is ignored, the server represented by the certifi If you disable or do not configure this policy setting, the Kerberos client enforces the revocation check for the SSL certificate. The connection to the KDC proxy server is not established if the revocation check fails. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -346,28 +354,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -384,19 +398,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the Kerberos client's mapping to KDC proxy servers for domains based on their DNS suffix names. +This policy setting configures the Kerberos client's mapping to KDC proxy servers for domains based on their DNS suffix names. If you enable this policy setting, the Kerberos client will use the KDC proxy server for a domain when a domain controller cannot be located based on the configured mappings. To map a KDC proxy server to a domain, enable the policy setting, click Show, and then map the KDC proxy server name(s) to the DNS name for the domain using the syntax described in the options pane. In the Show Contents dialog box in the Value Name column, type a DNS suffix name. In the Value column, type the list of proxy servers using the appropriate syntax format. To view the list of mappings, enable the policy setting and then click the Show button. To remove a mapping from the list, click the mapping entry to be removed, and then press the DELETE key. To edit a mapping, remove the current entry from the list and add a new one with different parameters. If you disable or do not configure this policy setting, the Kerberos client does not have KDC proxy servers settings defined by Group Policy. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -415,28 +424,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -453,7 +468,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the Kerberos client so that it can authenticate with interoperable Kerberos V5 realms, as defined by this policy setting. +This policy setting configures the Kerberos client so that it can authenticate with interoperable Kerberos V5 realms, as defined by this policy setting. If you enable this policy setting, you can view and change the list of interoperable Kerberos V5 realms and their settings. To view the list of interoperable Kerberos V5 realms, enable the policy setting and then click the Show button. To add an interoperable Kerberos V5 realm, enable the policy setting, note the syntax, and then click Show. In the Show Contents dialog box in the Value Name column, type the interoperable Kerberos V5 realm name. In the Value column, type the realm flags and host names of the host KDCs using the appropriate syntax format. To remove an interoperable Kerberos V5 realm Value Name or Value entry from the list, click the entry, and then press the DELETE key. To edit a mapping, remove the current entry from the list and add a new one with different parameters. @@ -462,12 +477,7 @@ If you disable this policy setting, the interoperable Kerberos V5 realm settings If you do not configure this policy setting, the system uses the interoperable Kerberos V5 realm settings that are defined in the local registry, if they exist. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -486,28 +496,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -524,7 +540,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls configuring the device's Active Directory account for compound authentication. +This policy setting controls configuring the device's Active Directory account for compound authentication. Support for providing compound authentication which is used for access control will require enough domain controllers in the resource account domains to support the requests. The Domain Administrator must configure the policy "Support Dynamic Access Control and Kerberos armoring" on all the domain controllers to support this policy. @@ -539,12 +555,7 @@ If you disable this policy setting, Never will be used. If you do not configure this policy setting, Automatic will be used. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -563,28 +574,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -601,19 +618,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure this server so that Kerberos can decrypt a ticket that contains this system-generated SPN. When an application attempts to make a remote procedure call (RPC) to this server with a NULL value for the service principal name (SPN), computers running Windows 7 or later attempt to use Kerberos by generating an SPN. +This policy setting allows you to configure this server so that Kerberos can decrypt a ticket that contains this system-generated SPN. When an application attempts to make a remote procedure call (RPC) to this server with a NULL value for the service principal name (SPN), computers running Windows 7 or later attempt to use Kerberos by generating an SPN. If you enable this policy setting, only services running as LocalSystem or NetworkService are allowed to accept these connections. Services running as identities different from LocalSystem or NetworkService might fail to authenticate. If you disable or do not configure this policy setting, any service is allowed to accept incoming connections by using this system-generated SPN. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -625,7 +637,6 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-lanmanserver.md b/windows/client-management/mdm/policy-csp-admx-lanmanserver.md index e8d00a28cb..67a94e4f64 100644 --- a/windows/client-management/mdm/policy-csp-admx-lanmanserver.md +++ b/windows/client-management/mdm/policy-csp-admx-lanmanserver.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_LanmanServer -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -45,28 +49,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -83,7 +93,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting determines the cipher suites used by the SMB server. +This policy setting determines the cipher suites used by the SMB server. If you enable this policy setting, cipher suites are prioritized in the order specified. @@ -106,12 +116,7 @@ Arrange the desired cipher suites in the edit box, one cipher suite per line, in > When configuring this security setting, changes will not take effect until you restart Windows. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -134,28 +139,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -172,7 +183,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether a hash generation service generates hashes, also called content information, for data that is stored in shared folders. This policy setting must be applied to server computers that have the File Services role and both the File Server and the BranchCache for Network Files role services installed. +This policy setting specifies whether a hash generation service generates hashes, also called content information, for data that is stored in shared folders. This policy setting must be applied to server computers that have the File Services role and both the File Server and the BranchCache for Network Files role services installed. Policy configuration @@ -189,12 +200,7 @@ In circumstances where this policy setting is enabled, you can also select the f - Disallow hash publication on all shared folders. With this option, BranchCache does not generate content information for any shares on the computer and does not send content information to client computers that request content. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -217,28 +223,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -255,7 +267,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the BranchCache hash generation service supports version 1 (V1) hashes, version 2 (V2) hashes, or both V1 and V2 hashes. Hashes, also called content information, are created based on the data in shared folders where BranchCache is enabled. +This policy setting specifies whether the BranchCache hash generation service supports version 1 (V1) hashes, version 2 (V2) hashes, or both V1 and V2 hashes. Hashes, also called content information, are created based on the data in shared folders where BranchCache is enabled. If you specify only one version that is supported, content information for that version is the only type that is generated by BranchCache, and it is the only type of content information that can be retrieved by client computers. For example, if you enable support for V1 hashes, BranchCache generates only V1 hashes and client computers can retrieve only V1 hashes. @@ -276,12 +288,7 @@ Hash version supported: - To support both V1 and V2 content information, configure "Hash version supported" with the value of 3. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -300,28 +307,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -338,7 +351,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines how the SMB server selects a cipher suite when negotiating a new connection with an SMB client. +This policy setting determines how the SMB server selects a cipher suite when negotiating a new connection with an SMB client. If you enable this policy setting, the SMB server will select the cipher suite it most prefers from the list of client-supported cipher suites, ignoring the client's preferences. @@ -348,12 +361,7 @@ If you disable or do not configure this policy setting, the SMB server will sele > When configuring this security setting, changes will not take effect until you restart Windows. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -366,8 +374,7 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-lanmanworkstation.md b/windows/client-management/mdm/policy-csp-admx-lanmanworkstation.md index ac60e3f522..73350f7d43 100644 --- a/windows/client-management/mdm/policy-csp-admx-lanmanworkstation.md +++ b/windows/client-management/mdm/policy-csp-admx-lanmanworkstation.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_LanmanWorkstation -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -42,28 +46,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -80,7 +90,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting determines the cipher suites used by the SMB client. +This policy setting determines the cipher suites used by the SMB client. If you enable this policy setting, cipher suites are prioritized in the order specified. @@ -108,12 +118,7 @@ Arrange the desired cipher suites in the edit box, one cipher suite per line, in > When configuring this security setting, changes will not take effect until you restart Windows. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -132,28 +137,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -170,7 +181,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines the behavior of SMB handle caching for clients connecting to an SMB share where the Continuous Availability (CA) flag is enabled. +This policy setting determines the behavior of SMB handle caching for clients connecting to an SMB share where the Continuous Availability (CA) flag is enabled. If you enable this policy setting, the SMB client will allow cached handles to files on CA shares. This may lead to better performance when repeatedly accessing a large number of unstructured data files on CA shares running in Microsoft Azure Files. @@ -180,12 +191,7 @@ If you disable or do not configure this policy setting, Windows will prevent use > This policy has no effect when connecting Scale-out File Server shares provided by a Windows Server. Microsoft does not recommend enabling this policy for clients that routinely connect to files hosted on a Windows Failover Cluster with the File Server for General Use role, as it can lead to adverse failover times and increased memory and CPU usage. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -204,28 +210,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -242,7 +254,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines the behavior of Offline Files on clients connecting to an SMB share where the Continuous Availability (CA) flag is enabled. +This policy setting determines the behavior of Offline Files on clients connecting to an SMB share where the Continuous Availability (CA) flag is enabled. If you enable this policy setting, the "Always Available offline" option will appear in the File Explorer menu on a Windows computer when connecting to a CA-enabled share. Pinning of files on CA-enabled shares using client-side caching will also be possible. @@ -252,12 +264,7 @@ If you disable or do not configure this policy setting, Windows will prevent use > Microsoft does not recommend enabling this group policy. Use of CA with Offline Files will lead to very long transition times between the online and offline states. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -270,7 +277,6 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-leakdiagnostic.md b/windows/client-management/mdm/policy-csp-admx-leakdiagnostic.md index 23ab94d3d1..fbaa926485 100644 --- a/windows/client-management/mdm/policy-csp-admx-leakdiagnostic.md +++ b/windows/client-management/mdm/policy-csp-admx-leakdiagnostic.md @@ -13,9 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_LeakDiagnostic -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -96,12 +100,7 @@ The DPS can be configured with the Services snap-in to the Microsoft Management > For Windows Server systems, this policy setting applies only if the Desktop Experience optional component is installed and the Remote Desktop Services role is not installed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -116,8 +115,6 @@ ADMX Info: -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-linklayertopologydiscovery.md b/windows/client-management/mdm/policy-csp-admx-linklayertopologydiscovery.md index 146ad0388c..f14f7c780e 100644 --- a/windows/client-management/mdm/policy-csp-admx-linklayertopologydiscovery.md +++ b/windows/client-management/mdm/policy-csp-admx-linklayertopologydiscovery.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_LinkLayerTopologyDiscovery -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -39,28 +43,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -77,7 +87,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting changes the operational behavior of the Mapper I/O network protocol driver. +This policy setting changes the operational behavior of the Mapper I/O network protocol driver. LLTDIO allows a computer to discover the topology of a network it's connected to. It also allows a computer to initiate Quality-of-Service requests such as bandwidth estimation and network health analysis. @@ -86,12 +96,7 @@ If you enable this policy setting, additional options are available to fine-tune If you disable or do not configure this policy setting, the default behavior of LLTDIO will apply. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -110,28 +115,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -148,7 +159,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting changes the operational behavior of the Responder network protocol driver. +This policy setting changes the operational behavior of the Responder network protocol driver. The Responder allows a computer to participate in Link Layer Topology Discovery requests so that it can be discovered and located on the network. It also allows a computer to participate in Quality-of-Service activities such as bandwidth estimation and network health analysis. @@ -157,12 +168,7 @@ If you enable this policy setting, additional options are available to fine-tune If you disable or do not configure this policy setting, the default behavior for the Responder will apply. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -175,8 +181,7 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-logon.md b/windows/client-management/mdm/policy-csp-admx-logon.md index 68442eff39..186c87c708 100644 --- a/windows/client-management/mdm/policy-csp-admx-logon.md +++ b/windows/client-management/mdm/policy-csp-admx-logon.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_Logon -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -78,28 +82,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -116,19 +126,14 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy prevents the user from showing account details (email address or user name) on the sign-in screen. +This policy prevents the user from showing account details (email address or user name) on the sign-in screen. If you enable this policy setting, the user cannot choose to show account details on the sign-in screen. If you disable or do not configure this policy setting, the user may choose to show account details on the sign-in screen. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -147,28 +152,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -185,19 +196,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting disables the acrylic blur effect on logon background image. +This policy setting disables the acrylic blur effect on logon background image. If you enable this policy, the logon background image shows without blur. If you disable or do not configure this policy, the logon background image adopts the acrylic blur effect. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -216,28 +222,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -254,13 +266,9 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting ignores the customized run list. +This policy setting ignores the customized run list. -You can create a customized list of additional programs and documents that the system starts automatically when it runs on Windows Vista, Windows XP Professional, and Windows 2000 Professional. These programs are added to the standard run list of programs and services that the system starts. - -If you enable this policy setting, the system ignores the run list for Windows Vista, Windows XP Professional, and Windows 2000 Professional. - -If you disable or do not configure this policy setting, Windows Vista adds any customized run list configured to its run list. +These programs are added to the standard run list of programs and services that the system starts. This policy setting appears in the Computer Configuration and User Configuration folders. If both policy settings are configured, the policy setting in Computer Configuration takes precedence over the policy setting in User Configuration. @@ -268,12 +276,7 @@ This policy setting appears in the Computer Configuration and User Configuration > To create a customized run list by using a policy setting, use the "Run these applications at startup" policy setting. Also, see the "Do not process the run once list" policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -292,28 +295,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -330,13 +339,9 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting ignores the customized run list. +This policy setting ignores the customized run list. -You can create a customized list of additional programs and documents that the system starts automatically when it runs on Windows Vista, Windows XP Professional, and Windows 2000 Professional. These programs are added to the standard run list of programs and services that the system starts. - -If you enable this policy setting, the system ignores the run list for Windows Vista, Windows XP Professional, and Windows 2000 Professional. - -If you disable or do not configure this policy setting, Windows Vista adds any customized run list configured to its run list. +These programs are added to the standard run list of programs and services that the system starts. This policy setting appears in the Computer Configuration and User Configuration folders. If both policy settings are configured, the policy setting in Computer Configuration takes precedence over the policy setting in User Configuration. @@ -344,12 +349,7 @@ This policy setting appears in the Computer Configuration and User Configuration > To create a customized run list by using a policy setting, use the "Run these applications at startup" policy setting. Also, see the "Do not process the run once list" policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -368,28 +368,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -406,7 +412,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting ignores customized run-once lists. +This policy setting ignores customized run-once lists. You can create a customized list of additional programs and documents that are started automatically the next time the system starts (but not thereafter). These programs are added to the standard list of programs and services that the system starts. @@ -420,12 +426,7 @@ This policy setting appears in the Computer Configuration and User Configuration > Customized run-once lists are stored in the registry in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce. Also, see the "Do not process the legacy run list" policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -444,28 +445,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -482,7 +489,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting ignores customized run-once lists. +This policy setting ignores customized run-once lists. You can create a customized list of additional programs and documents that are started automatically the next time the system starts (but not thereafter). These programs are added to the standard list of programs and services that the system starts. @@ -496,12 +503,7 @@ This policy setting appears in the Computer Configuration and User Configuration > Customized run-once lists are stored in the registry in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce. Also, see the "Do not process the legacy run list" policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -520,28 +522,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -558,19 +566,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting suppresses system status messages. +This policy setting suppresses system status messages. If you enable this setting, the system does not display a message reminding users to wait while their system starts or shuts down, or while users log on or off. If you disable or do not configure this policy setting, the system displays the message reminding users to wait while their system starts or shuts down, or while users log on or off. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -589,28 +592,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -627,19 +636,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents connected users from being enumerated on domain-joined computers. +This policy setting prevents connected users from being enumerated on domain-joined computers. If you enable this policy setting, the Logon UI will not enumerate any connected users on domain-joined computers. If you disable or do not configure this policy setting, connected users will be enumerated on domain-joined computers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -658,28 +662,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -696,7 +706,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting hides the welcome screen that is displayed on Windows 2000 Professional each time the user logs on. +This policy setting hides the welcome screen that is displayed on Windows each time the user logs on. If you enable this policy setting, the welcome screen is hidden from the user logging on to a computer where this policy is applied. @@ -704,7 +714,7 @@ Users can still display the welcome screen by selecting it on the Start menu or If you disable or do not configure this policy, the welcome screen is displayed each time a user logs on to the computer. -This setting applies only to Windows 2000 Professional. It does not affect the "Configure Your Server on a Windows 2000 Server" screen on Windows 2000 Server. +This setting applies only to Windows. It does not affect the "Configure Your Server on a Windows Server" screen on Windows Server. > [!NOTE] > This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. @@ -713,12 +723,7 @@ This setting applies only to Windows 2000 Professional. It does not affect the " > To display the welcome screen, click Start, point to Programs, point to Accessories, point to System Tools, and then click "Getting Started." To suppress the welcome screen without specifying a setting, clear the "Show this screen at startup" check box on the welcome screen. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -738,28 +743,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -776,13 +787,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting hides the welcome screen that is displayed on Windows 2000 Professional each time the user logs on. +This policy setting hides the welcome screen that is displayed on Windows each time the user logs on. If you enable this policy setting, the welcome screen is hidden from the user logging on to a computer where this policy is applied. Users can still display the welcome screen by selecting it on the Start menu or by typing "Welcome" in the Run dialog box. -If you disable or do not configure this policy, the welcome screen is displayed each time a user logs on to the computer. This setting applies only to Windows 2000 Professional. It does not affect the "Configure Your Server on a Windows 2000 Server" screen on Windows 2000 Server. +If you disable or do not configure this policy, the welcome screen is displayed each time a user logs on to the computer. This setting applies only to Windows. It does not affect the "Configure Your Server on a Windows Server" screen on Windows Server. > [!NOTE] > This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. @@ -791,12 +802,7 @@ If you disable or do not configure this policy, the welcome screen is displayed > To display the welcome screen, click Start, point to Programs, point to Accessories, point to System Tools, and then click "Getting Started." To suppress the welcome screen without specifying a setting, clear the "Show this screen at startup" check box on the welcome screen. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -815,28 +821,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -853,7 +865,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies additional programs or documents that Windows starts automatically when a user logs on to the system. +This policy setting specifies additional programs or documents that Windows starts automatically when a user logs on to the system. If you enable this policy setting, you can specify which programs can run at the time the user logs on to this computer that has this policy applied. @@ -867,12 +879,7 @@ If you disable or do not configure this policy setting, the user will have to st Also, see the "Do not process the legacy run list" and the "Do not process the run once list" settings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -891,28 +898,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -929,7 +942,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies additional programs or documents that Windows starts automatically when a user logs on to the system. +This policy setting specifies additional programs or documents that Windows starts automatically when a user logs on to the system. If you enable this policy setting, you can specify which programs can run at the time the user logs on to this computer that has this policy applied. @@ -944,12 +957,7 @@ Also, see the "Do not process the legacy run list" and the "Do not process the r -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -968,28 +976,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1006,7 +1020,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether Group Policy processing is synchronous (that is, whether computers wait for the network to be fully initialized during computer startup and user logon). By default, on client computers, Group Policy processing is not synchronous; client computers typically do not wait for the network to be fully initialized at startup and logon. Existing users are logged on using cached credentials, which results in shorter logon times. Group Policy is applied in the background after the network becomes available. +This policy setting determines whether Group Policy processing is synchronous (that is, whether computers wait for the network to be fully initialized during computer startup and user logon). By default, on client computers, Group Policy processing is not synchronous; client computers typically do not wait for the network to be fully initialized at startup and logon. Existing users are logged on using cached credentials, which results in shorter logon times. Group Policy is applied in the background after the network becomes available. Note that because this is a background refresh, extensions such as Software Installation and Folder Redirection take two logons to apply changes. To be able to operate safely, these extensions require that no users be logged on. Therefore, they must be processed in the foreground before users are actively using the computer. In addition, changes that are made to the user object, such as adding a roaming profile path, home directory, or user object logon script, may take up to two logons to be detected. @@ -1031,12 +1045,7 @@ If you disable or do not configure this policy setting and users log on to a cli > - If Folder Redirection policy will apply during the next logon, security policies will be applied asynchronously during the next update cycle, if network connectivity is available. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1055,28 +1064,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1093,19 +1108,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting ignores Windows Logon Background. +This policy setting ignores Windows Logon Background. This policy setting may be used to make Windows give preference to a custom logon background. If you enable this policy setting, the logon screen always attempts to load a custom background instead of the Windows-branded logon background. If you disable or do not configure this policy setting, Windows uses the default Windows logon background or custom background. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1124,28 +1134,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1162,7 +1178,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting directs the system to display highly detailed status messages. +This policy setting directs the system to display highly detailed status messages. This policy setting is designed for advanced users who require this information. @@ -1174,12 +1190,7 @@ If you disable or do not configure this policy setting, only the default status > This policy setting is ignored if the "Remove Boot/Shutdown/Logon/Logoff status messages" policy setting is enabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1192,8 +1203,7 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md b/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md index aa27ba10da..e5b1bcf653 100644 --- a/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md +++ b/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_MicrosoftDefenderAntivirus -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -312,28 +316,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -350,19 +360,14 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the load priority for the antimalware service. Increasing the load priority will allow for faster service startup, but may impact performance. +This policy setting controls the load priority for the antimalware service. Increasing the load priority will allow for faster service startup, but may impact performance. If you enable or do not configure this setting, the antimalware service will load as a normal priority task. If you disable this setting, the antimalware service will load as a low priority task. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -381,28 +386,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -419,7 +430,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting turns off Microsoft Defender Antivirus. +This policy setting turns off Microsoft Defender Antivirus. If you enable this policy setting, Microsoft Defender Antivirus does not run, and will not scan computers for malware or other potentially unwanted software. @@ -430,12 +441,7 @@ If you do not configure this policy setting, Windows will internally manage Micr Enabling or disabling this policy may lead to unexpected or unsupported behavior. It is recommended that you leave this policy setting unconfigured. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -454,28 +460,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -492,7 +504,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Allows an administrator to specify if Automatic Exclusions feature for Server SKUs should be turned off. +Allows an administrator to specify if Automatic Exclusions feature for Server SKUs should be turned off. Disabled (Default): Microsoft Defender will exclude pre-defined list of paths from the scan to improve performance. @@ -504,12 +516,7 @@ Not configured: Same as Disabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -528,28 +535,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -566,12 +579,12 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This feature ensures the device checks in real time with the Microsoft Active Protection Service (MAPS) before allowing certain content to be run or accessed. If this feature is disabled, the check will not occur, which will lower the protection state of the device. +This feature ensures the device checks in real time with the Microsoft Active Protection Service (MAPS) before allowing certain content to be run or accessed. If this feature is disabled, the check will not occur, which will lower the protection state of the device. Enabled – The Block at First Sight setting is turned on. Disabled – The Block at First Sight setting is turned off. -This feature requires these Group Policy settings to be set as follows: +This feature requires these Policy settings to be set as follows: - MAPS -> The “Join Microsoft MAPS” must be enabled or the “Block at First Sight” feature will not function. - MAPS -> The “Send file samples when further analysis is required” should be set to 1 (Send safe samples) or 3 (Send all samples). Setting to 0 (Always Prompt) will lower the protection state of the device. Setting to 2 (Never send) means the “Block at First Sight” feature will not function. @@ -579,12 +592,7 @@ This feature requires these Group Policy settings to be set as follows: - Real-time Protection -> Do not enable the “Turn off real-time protection” policy or the “Block at First Sight” feature will not function. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -603,28 +611,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -641,19 +655,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether or not complex list settings configured by a local administrator are merged with Group Policy settings. This setting applies to lists such as threats and Exclusions. +This policy setting controls whether or not complex list settings configured by a local administrator are merged with Policy settings. This setting applies to lists such as threats and Exclusions. -If you enable or do not configure this setting, unique items defined in Group Policy and in preference settings configured by the local administrator will be merged into the resulting effective policy. In the case of conflicts, Group policy Settings will override preference settings. +If you enable or do not configure this setting, unique items defined in Policy and in preference settings configured by the local administrator will be merged into the resulting effective policy. In the case of conflicts, Policy Settings will override preference settings. -If you disable this setting, only items defined by Group Policy will be used in the resulting effective policy. Group Policy settings will override preference settings configured by the local administrator. +If you disable this setting, only items defined by Policy will be used in the resulting effective policy. Policy settings will override preference settings configured by the local administrator. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -672,28 +681,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -710,7 +725,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting turns off real-time protection prompts for known malware detection. +This policy setting turns off real-time protection prompts for known malware detection. Microsoft Defender Antivirus alerts you when malware or potentially unwanted software attempts to install itself or to run on your computer. @@ -719,12 +734,7 @@ If you enable this policy setting, Microsoft Defender Antivirus will not prompt If you disable or do not configure this policy setting, Microsoft Defender Antivirus will prompt users to take actions on malware detections. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -743,28 +753,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -781,19 +797,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure whether Microsoft Defender Antivirus automatically takes action on all detected threats. The action to be taken on a particular threat is determined by the combination of the policy-defined action, user-defined action, and the signature-defined action. +This policy setting allows you to configure whether Microsoft Defender Antivirus automatically takes action on all detected threats. The action to be taken on a particular threat is determined by the combination of the policy-defined action, user-defined action, and the signature-defined action. If you enable this policy setting, Microsoft Defender Antivirus does not automatically take action on the detected threats, but prompts users to choose from the actions available for each threat. If you disable or do not configure this policy setting, Microsoft Defender Antivirus automatically takes action on all detected threats after a nonconfigurable delay of approximately five seconds. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -812,28 +823,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -850,15 +867,10 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you specify a list of file types that should be excluded from scheduled, custom, and real-time scanning. File types should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of the file type extension (such as "obj" or "lib"). The value is not used and it is recommended that this be set to 0. +This policy setting allows you specify a list of file types that should be excluded from scheduled, custom, and real-time scanning. File types should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of the file type extension (such as "obj" or "lib"). The value is not used and it is recommended that this be set to 0. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -877,28 +889,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -915,17 +933,12 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to disable scheduled and real-time scanning for files under the paths specified or for the fully qualified resources specified. Paths should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of a path or a fully qualified resource name. +This policy setting allows you to disable scheduled and real-time scanning for files under the paths specified or for the fully qualified resources specified. Paths should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of a path or a fully qualified resource name. As an example, a path might be defined as: "c:\Windows" to exclude all files in this directory. A fully qualified resource name might be defined as: "C:\Windows\App.exe". The value is not used and it is recommended that this be set to 0. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -944,28 +957,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -982,15 +1001,10 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to disable scheduled and real-time scanning for any file opened by any of the specified processes. The process itself will not be excluded. To exclude the process, use the Path exclusion. Processes should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of the path to the process image. Note that only executables can be excluded. For example, a process might be defined as: "c:\windows\app.exe". The value is not used and it is recommended that this be set to 0. +This policy setting allows you to disable scheduled and real-time scanning for any file opened by any of the specified processes. The process itself will not be excluded. To exclude the process, use the Path exclusion. Processes should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of the path to the process image. Note that only executables can be excluded. For example, a process might be defined as: "c:\windows\app.exe". The value is not used and it is recommended that this be set to 0. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1009,28 +1023,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1047,7 +1067,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Exclude files and paths from Attack Surface Reduction (ASR) rules. +Exclude files and paths from Attack Surface Reduction (ASR) rules. Enabled: Specify the folders or files and resources that should be excluded from ASR rules in the Options section. @@ -1065,12 +1085,7 @@ Same as Disabled. You can configure ASR rules in the Configure Attack Surface Reduction rules GP setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1089,28 +1104,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1127,7 +1148,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Set the state for each Attack Surface Reduction (ASR) rule. +Set the state for each Attack Surface Reduction (ASR) rule. After enabling this setting, you can set each rule to the following in the Options section: @@ -1161,12 +1182,7 @@ Same as Disabled. You can exclude folders or files in the "Exclude files and paths from Attack Surface Reduction Rules" GP setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1185,28 +1201,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1223,7 +1245,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Add additional applications that should be considered "trusted" by controlled folder access. +Add additional applications that should be considered "trusted" by controlled folder access. These applications are allowed to modify or delete files in controlled folder access folders. @@ -1243,12 +1265,7 @@ You can enable controlled folder access in the Configure controlled folder acces Default system folders are automatically guarded, but you can add folders in the configure protected folders GP setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1267,28 +1284,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1305,7 +1328,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Specify additional folders that should be guarded by the Controlled folder access feature. +Specify additional folders that should be guarded by the Controlled folder access feature. Files in these folders cannot be modified or deleted by untrusted applications. @@ -1326,12 +1349,7 @@ You can enable controlled folder access in the Configure controlled folder acces Microsoft Defender Antivirus automatically determines which applications can be trusted. You can add additional trusted applications in the Configure allowed applications GP setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1350,28 +1368,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1388,7 +1412,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Enable or disable file hash computation feature. +Enable or disable file hash computation feature. Enabled: When this feature is enabled Microsoft Defender will compute hash value for files it scans. @@ -1400,12 +1424,7 @@ Not configured: Same as Disabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1424,28 +1443,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1462,19 +1487,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure definition retirement for network protection against exploits of known vulnerabilities. Definition retirement checks to see if a computer has the required security updates necessary to protect it against a particular vulnerability. If the system is not vulnerable to the exploit detected by a definition, then that definition is "retired". If all security intelligence for a given protocol are retired then that protocol is no longer parsed. Enabling this feature helps to improve performance. On a computer that is up-to-date with all the latest security updates, network protection will have no impact on network performance. +This policy setting allows you to configure definition retirement for network protection against exploits of known vulnerabilities. Definition retirement checks to see if a computer has the required security updates necessary to protect it against a particular vulnerability. If the system is not vulnerable to the exploit detected by a definition, then that definition is "retired". If all security intelligence for a given protocol are retired then that protocol is no longer parsed. Enabling this feature helps to improve performance. On a computer that is up-to-date with all the latest security updates, network protection will have no impact on network performance. If you enable or do not configure this setting, definition retirement will be enabled. If you disable this setting, definition retirement will be disabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1493,28 +1513,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1531,15 +1557,10 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting defines additional definition sets to enable for network traffic inspection. Definition set GUIDs should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of a definition set GUID. As an example, the definition set GUID to enable test security intelligence is defined as: “{b54b6ac9-a737-498e-9120-6616ad3bf590}”. The value is not used and it is recommended that this be set to 0. +This policy setting defines additional definition sets to enable for network traffic inspection. Definition set GUIDs should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of a definition set GUID. As an example, the definition set GUID to enable test security intelligence is defined as: “{b54b6ac9-a737-498e-9120-6616ad3bf590}”. The value is not used and it is recommended that this be set to 0. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1558,28 +1579,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1596,19 +1623,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure protocol recognition for network protection against exploits of known vulnerabilities. +This policy setting allows you to configure protocol recognition for network protection against exploits of known vulnerabilities. If you enable or do not configure this setting, protocol recognition will be enabled. If you disable this setting, protocol recognition will be disabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1627,28 +1649,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1665,19 +1693,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy, if defined, will prevent antimalware from using the configured proxy server when communicating with the specified IP addresses. The address value should be entered as a valid URL. +This policy, if defined, will prevent antimalware from using the configured proxy server when communicating with the specified IP addresses. The address value should be entered as a valid URL. If you enable this setting, the proxy server will be bypassed for the specified addresses. If you disable or do not configure this setting, the proxy server will not be bypassed for the specified addresses. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1696,28 +1719,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1734,7 +1763,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting defines the URL of a proxy .pac file that should be used when the client attempts to connect the network for security intelligence updates and MAPS reporting. If the proxy auto-config fails or if there is no proxy auto-config specified, the client will fall back to the alternative options (in order): +This policy setting defines the URL of a proxy .pac file that should be used when the client attempts to connect the network for security intelligence updates and MAPS reporting. If the proxy auto-config fails or if there is no proxy auto-config specified, the client will fall back to the alternative options (in order): 1. Proxy server (if specified) 2. Proxy .pac URL (if specified) @@ -1747,12 +1776,7 @@ If you enable this setting, the proxy setting will be set to use the specified p If you disable or do not configure this setting, the proxy will skip over this fallback step according to the order specified above. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1771,28 +1795,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1809,7 +1839,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the named proxy that should be used when the client attempts to connect to the network for security intelligence updates and MAPS reporting. If the named proxy fails or if there is no proxy specified, the client will fall back to the alternative options (in order): +This policy setting allows you to configure the named proxy that should be used when the client attempts to connect to the network for security intelligence updates and MAPS reporting. If the named proxy fails or if there is no proxy specified, the client will fall back to the alternative options (in order): 1. Proxy server (if specified) 2. Proxy .pac URL (if specified) @@ -1822,12 +1852,7 @@ If you enable this setting, the proxy will be set to the specified URL according If you disable or do not configure this setting, the proxy will skip over this fallback step according to the order specified above. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1846,28 +1871,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1884,19 +1915,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures a local override for the configuration of the number of days items should be kept in the Quarantine folder before being removed. This setting can only be set by Group Policy. +This policy setting configures a local override for the configuration of the number of days items should be kept in the Quarantine folder before being removed. This setting can only be set by Policy. -If you enable this setting, the local preference setting will take priority over Group Policy. +If you enable this setting, the local preference setting will take priority over Policy. -If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. +If you disable or do not configure this setting, Policy will take priority over the local preference setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1915,28 +1941,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1953,19 +1985,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting defines the number of days items should be kept in the Quarantine folder before being removed. +This policy setting defines the number of days items should be kept in the Quarantine folder before being removed. If you enable this setting, items will be removed from the Quarantine folder after the number of days specified. If you disable or do not configure this setting, items will be kept in the quarantine folder indefinitely and will not be automatically removed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1984,28 +2011,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2022,19 +2055,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to enable or disable randomization of the scheduled scan start time and the scheduled security intelligence update start time. This setting is used to distribute the resource impact of scanning. For example, it could be used in guest virtual machines sharing a host, to prevent multiple guest virtual machines from undertaking a disk-intensive operation at the same time. +This policy setting allows you to enable or disable randomization of the scheduled scan start time and the scheduled security intelligence update start time. This setting is used to distribute the resource impact of scanning. For example, it could be used in guest virtual machines sharing a host, to prevent multiple guest virtual machines from undertaking a disk-intensive operation at the same time. If you enable or do not configure this setting, scheduled tasks will begin at a random time within an interval of 30 minutes before and after the specified start time. If you disable this setting, scheduled tasks will begin at the specified start time. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2053,28 +2081,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2091,19 +2125,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure behavior monitoring. +This policy setting allows you to configure behavior monitoring. If you enable or do not configure this setting, behavior monitoring will be enabled. If you disable this setting, behavior monitoring will be disabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2122,28 +2151,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2160,19 +2195,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure scanning for all downloaded files and attachments. +This policy setting allows you to configure scanning for all downloaded files and attachments. If you enable or do not configure this setting, scanning for all downloaded files and attachments will be enabled. If you disable this setting, scanning for all downloaded files and attachments will be disabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2191,28 +2221,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2229,19 +2265,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure monitoring for file and program activity. +This policy setting allows you to configure monitoring for file and program activity. If you enable or do not configure this setting, monitoring for file and program activity will be enabled. If you disable this setting, monitoring for file and program activity will be disabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2260,28 +2291,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2298,19 +2335,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether raw volume write notifications are sent to behavior monitoring. +This policy setting controls whether raw volume write notifications are sent to behavior monitoring. If you enable or do not configure this setting, raw write notifications will be enabled. If you disable this setting, raw write notifications be disabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2329,28 +2361,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2367,19 +2405,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure process scanning when real-time protection is turned on. This helps to catch malware which could start when real-time protection is turned off. +This policy setting allows you to configure process scanning when real-time protection is turned on. This helps to catch malware which could start when real-time protection is turned off. If you enable or do not configure this setting, a process scan will be initiated when real-time protection is turned on. If you disable this setting, a process scan will not be initiated when real-time protection is turned on. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2398,28 +2431,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2436,19 +2475,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting defines the maximum size (in kilobytes) of downloaded files and attachments that will be scanned. +This policy setting defines the maximum size (in kilobytes) of downloaded files and attachments that will be scanned. If you enable this setting, downloaded files and attachments smaller than the size specified will be scanned. If you disable or do not configure this setting, a default size will be applied. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2467,28 +2501,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2505,19 +2545,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures a local override for the configuration of behavior monitoring. This setting can only be set by Group Policy. +This policy setting configures a local override for the configuration of behavior monitoring. This setting can only be set by Policy. -If you enable this setting, the local preference setting will take priority over Group Policy. +If you enable this setting, the local preference setting will take priority over Policy. -If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. +If you disable or do not configure this setting, Policy will take priority over the local preference setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2536,28 +2571,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2574,19 +2615,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures a local override for the configuration of scanning for all downloaded files and attachments. This setting can only be set by Group Policy. +This policy setting configures a local override for the configuration of scanning for all downloaded files and attachments. This setting can only be set by Policy. -If you enable this setting, the local preference setting will take priority over Group Policy. +If you enable this setting, the local preference setting will take priority over Policy. -If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. +If you disable or do not configure this setting, Policy will take priority over the local preference setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2605,28 +2641,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2643,19 +2685,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures a local override for the configuration of monitoring for file and program activity on your computer. This setting can only be set by Group Policy. +This policy setting configures a local override for the configuration of monitoring for file and program activity on your computer. This setting can only be set by Policy. -If you enable this setting, the local preference setting will take priority over Group Policy. +If you enable this setting, the local preference setting will take priority over Policy. -If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. +If you disable or do not configure this setting, Policy will take priority over the local preference setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2674,28 +2711,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2712,19 +2755,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures a local override for the configuration to turn on real-time protection. This setting can only be set by Group Policy. +This policy setting configures a local override for the configuration to turn on real-time protection. This setting can only be set by Policy. -If you enable this setting, the local preference setting will take priority over Group Policy. +If you enable this setting, the local preference setting will take priority over Policy. -If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. +If you disable or do not configure this setting, Policy will take priority over the local preference setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2743,28 +2781,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2781,19 +2825,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures a local override for the configuration of monitoring for incoming and outgoing file activity. This setting can only be set by Group Policy. +This policy setting configures a local override for the configuration of monitoring for incoming and outgoing file activity. This setting can only be set by Policy. -If you enable this setting, the local preference setting will take priority over Group Policy. +If you enable this setting, the local preference setting will take priority over Policy. -If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. +If you disable or do not configure this setting, Policy will take priority over the local preference setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2812,28 +2851,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2850,19 +2895,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures a local override for the configuration of the time to run a scheduled full scan to complete remediation. This setting can only be set by Group Policy. +This policy setting configures a local override for the configuration of the time to run a scheduled full scan to complete remediation. This setting can only be set by Policy. -If you enable this setting, the local preference setting will take priority over Group Policy. +If you enable this setting, the local preference setting will take priority over Policy. -If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. +If you disable or do not configure this setting, Policy will take priority over the local preference setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2881,28 +2921,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2919,7 +2965,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the day of the week on which to perform a scheduled full scan in order to complete remediation. The scan can also be configured to run every day or to never run at all. +This policy setting allows you to specify the day of the week on which to perform a scheduled full scan in order to complete remediation. The scan can also be configured to run every day or to never run at all. This setting can be configured with the following ordinal number values: @@ -2938,12 +2984,7 @@ If you enable this setting, a scheduled full scan to complete remediation will r If you disable or do not configure this setting, a scheduled full scan to complete remediation will run at a default frequency. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2962,28 +3003,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -3000,19 +3047,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the time of day at which to perform a scheduled full scan in order to complete remediation. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equivalent to 02:00 AM. The schedule is based on local time on the computer where the scan is executing. +This policy setting allows you to specify the time of day at which to perform a scheduled full scan in order to complete remediation. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equivalent to 02:00 AM. The schedule is based on local time on the computer where the scan is executing. If you enable this setting, a scheduled full scan to complete remediation will run at the time of day specified. If you disable or do not configure this setting, a scheduled full scan to complete remediation will run at a default time. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3031,28 +3073,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -3069,15 +3117,10 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the time in minutes before a detection in the "additional action" state moves to the "cleared" state. +This policy setting configures the time in minutes before a detection in the "additional action" state moves to the "cleared" state. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3096,28 +3139,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -3134,15 +3183,10 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the time in minutes before a detection in the “critically failed” state to moves to either the “additional action” state or the “cleared” state. +This policy setting configures the time in minutes before a detection in the “critically failed” state to moves to either the “additional action” state or the “cleared” state. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3161,28 +3205,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -3199,19 +3249,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Use this policy setting to specify if you want Microsoft Defender Antivirus enhanced notifications to display on clients. +Use this policy setting to specify if you want Microsoft Defender Antivirus enhanced notifications to display on clients. If you disable or do not configure this setting, Microsoft Defender Antivirus enhanced notifications will display on clients. If you enable this setting, Microsoft Defender Antivirus enhanced notifications will not display on clients. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3229,28 +3274,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -3267,19 +3318,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure whether or not Watson events are sent. +This policy setting allows you to configure whether or not Watson events are sent. If you enable or do not configure this setting, Watson events will be sent. If you disable this setting, Watson events will not be sent. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3298,28 +3344,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -3336,15 +3388,10 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the time in minutes before a detection in the "non-critically failed" state moves to the "cleared" state. +This policy setting configures the time in minutes before a detection in the "non-critically failed" state moves to the "cleared" state. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3361,28 +3408,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -3399,15 +3452,10 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the time in minutes before a detection in the "completed" state moves to the "cleared" state. +This policy setting configures the time in minutes before a detection in the "completed" state moves to the "cleared" state. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3426,28 +3474,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -3464,15 +3518,10 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy configures Windows software trace preprocessor (WPP Software Tracing) components. +This policy configures Windows software trace preprocessor (WPP Software Tracing) components. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3491,28 +3540,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -3529,7 +3584,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy allows you to configure tracing levels for Windows software trace preprocessor (WPP Software Tracing). +This policy allows you to configure tracing levels for Windows software trace preprocessor (WPP Software Tracing). Tracing levels are defined as: @@ -3539,12 +3594,7 @@ Tracing levels are defined as: - 4 - Debug -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3563,28 +3613,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -3601,19 +3657,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether or not end users can pause a scan in progress. +This policy setting allows you to manage whether or not end users can pause a scan in progress. If you enable or do not configure this setting, a new context menu will be added to the task tray icon to allow the user to pause a scan. If you disable this setting, users will not be able to pause scans. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3632,28 +3683,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -3670,19 +3727,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the maximum directory depth level into which archive files such as .ZIP or .CAB are unpacked during scanning. The default directory depth level is 0. +This policy setting allows you to configure the maximum directory depth level into which archive files such as .ZIP or .CAB are unpacked during scanning. The default directory depth level is 0. If you enable this setting, archive files will be scanned to the directory depth level specified. If you disable or do not configure this setting, archive files will be scanned to the default directory depth level. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3701,28 +3753,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -3739,19 +3797,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the maximum size of archive files such as .ZIP or .CAB that will be scanned. The value represents file size in kilobytes (KB). The default value is 0 and represents no limit to archive size for scanning. +This policy setting allows you to configure the maximum size of archive files such as .ZIP or .CAB that will be scanned. The value represents file size in kilobytes (KB). The default value is 0 and represents no limit to archive size for scanning. If you enable this setting, archive files less than or equal to the size specified will be scanned. If you disable or do not configure this setting, archive files will be scanned according to the default value. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3771,28 +3824,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -3809,19 +3868,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure scans for malicious software and unwanted software in archive files such as .ZIP or .CAB files. +This policy setting allows you to configure scans for malicious software and unwanted software in archive files such as .ZIP or .CAB files. If you enable or do not configure this setting, archive files will be scanned. If you disable this setting, archive files will not be scanned. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3840,28 +3894,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -3878,19 +3938,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure e-mail scanning. When e-mail scanning is enabled, the engine will parse the mailbox and mail files, according to their specific format, in order to analyze the mail bodies and attachments. Several e-mail formats are currently supported, for example: pst (Outlook), dbx, mbx, mime (Outlook Express), binhex (Mac). +This policy setting allows you to configure e-mail scanning. When e-mail scanning is enabled, the engine will parse the mailbox and mail files, according to their specific format, in order to analyze the mail bodies and attachments. Several e-mail formats are currently supported, for example: pst (Outlook), dbx, mbx, mime (Outlook Express), binhex (Mac). If you enable this setting, e-mail scanning will be enabled. If you disable or do not configure this setting, e-mail scanning will be disabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3909,28 +3964,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -3947,19 +4008,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure heuristics. Suspicious detections will be suppressed right before reporting to the engine client. Turning off heuristics will reduce the capability to flag new threats. It is recommended that you do not turn off heuristics. +This policy setting allows you to configure heuristics. Suspicious detections will be suppressed right before reporting to the engine client. Turning off heuristics will reduce the capability to flag new threats. It is recommended that you do not turn off heuristics. If you enable or do not configure this setting, heuristics will be enabled. If you disable this setting, heuristics will be disabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3978,28 +4034,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -4016,19 +4078,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure scanning for packed executables. It is recommended that this type of scanning remain enabled. +This policy setting allows you to configure scanning for packed executables. It is recommended that this type of scanning remain enabled. If you enable or do not configure this setting, packed executables will be scanned. If you disable this setting, packed executables will not be scanned. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4047,28 +4104,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -4085,19 +4148,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether or not to scan for malicious software and unwanted software in the contents of removable drives, such as USB flash drives, when running a full scan. +This policy setting allows you to manage whether or not to scan for malicious software and unwanted software in the contents of removable drives, such as USB flash drives, when running a full scan. If you enable this setting, removable drives will be scanned during any type of scan. If you disable or do not configure this setting, removable drives will not be scanned during a full scan. Removable drives may still be scanned during quick scan and custom scan. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4116,28 +4174,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -4154,19 +4218,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure reparse point scanning. If you allow reparse points to be scanned, there is a possible risk of recursion. However, the engine supports following reparse points to a maximum depth so at worst scanning could be slowed. Reparse point scanning is disabled by default and this is the recommended state for this functionality. +This policy setting allows you to configure reparse point scanning. If you allow reparse points to be scanned, there is a possible risk of recursion. However, the engine supports following reparse points to a maximum depth so at worst scanning could be slowed. Reparse point scanning is disabled by default and this is the recommended state for this functionality. If you enable this setting, reparse point scanning will be enabled. If you disable or do not configure this setting, reparse point scanning will be disabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4185,28 +4244,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -4223,19 +4288,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to create a system restore point on the computer on a daily basis prior to cleaning. +This policy setting allows you to create a system restore point on the computer on a daily basis prior to cleaning. If you enable this setting, a system restore point will be created. If you disable or do not configure this setting, a system restore point will not be created. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4253,28 +4313,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -4291,19 +4357,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure scanning mapped network drives. +This policy setting allows you to configure scanning mapped network drives. If you enable this setting, mapped network drives will be scanned. If you disable or do not configure this setting, mapped network drives will not be scanned. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4322,28 +4383,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -4360,19 +4427,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure scanning for network files. It is recommended that you do not enable this setting. +This policy setting allows you to configure scanning for network files. It is recommended that you do not enable this setting. If you enable this setting, network files will be scanned. If you disable or do not configure this setting, network files will not be scanned. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4391,28 +4453,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -4429,19 +4497,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures a local override for the configuration of maximum percentage of CPU utilization during scan. This setting can only be set by Group Policy. +This policy setting configures a local override for the configuration of maximum percentage of CPU utilization during scan. This setting can only be set by Policy. -If you enable this setting, the local preference setting will take priority over Group Policy. +If you enable this setting, the local preference setting will take priority over Policy. -If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. +If you disable or do not configure this setting, Policy will take priority over the local preference setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4460,28 +4523,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -4498,19 +4567,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures a local override for the configuration of the scan type to use during a scheduled scan. This setting can only be set by Group Policy. +This policy setting configures a local override for the configuration of the scan type to use during a scheduled scan. This setting can only be set by Policy. -If you enable this setting, the local preference setting will take priority over Group Policy. +If you enable this setting, the local preference setting will take priority over Policy. -If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. +If you disable or do not configure this setting, Policy will take priority over the local preference setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4529,28 +4593,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -4567,19 +4637,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures a local override for the configuration of scheduled scan day. This setting can only be set by Group Policy. +This policy setting configures a local override for the configuration of scheduled scan day. This setting can only be set by Policy. -If you enable this setting, the local preference setting will take priority over Group Policy. +If you enable this setting, the local preference setting will take priority over Policy. -If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. +If you disable or do not configure this setting, Policy will take priority over the local preference setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4598,28 +4663,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -4636,19 +4707,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures a local override for the configuration of scheduled quick scan time. This setting can only be set by Group Policy. +This policy setting configures a local override for the configuration of scheduled quick scan time. This setting can only be set by Policy. -If you enable this setting, the local preference setting will take priority over Group Policy. +If you enable this setting, the local preference setting will take priority over Policy. -If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. +If you disable or do not configure this setting, Policy will take priority over the local preference setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4667,28 +4733,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -4705,19 +4777,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures a local override for the configuration of scheduled scan time. This setting can only be set by Group Policy. +This policy setting configures a local override for the configuration of scheduled scan time. This setting can only be set by Policy. -If you enable this setting, the local preference setting will take priority over Group Policy. +If you enable this setting, the local preference setting will take priority over Policy. -If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. +If you disable or do not configure this setting, Policy will take priority over the local preference setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4736,28 +4803,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -4774,19 +4847,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to enable or disable low CPU priority for scheduled scans. +This policy setting allows you to enable or disable low CPU priority for scheduled scans. If you enable this setting, low CPU priority will be used during scheduled scans. If you disable or do not configure this setting, not changes will be made to CPU priority for scheduled scans. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4805,28 +4873,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -4843,19 +4917,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to define the number of consecutive scheduled scans that can be missed after which a catch-up scan will be forced. By default, the value of this setting is 2 consecutive scheduled scans. +This policy setting allows you to define the number of consecutive scheduled scans that can be missed after which a catch-up scan will be forced. By default, the value of this setting is 2 consecutive scheduled scans. If you enable this setting, a catch-up scan will occur after the specified number consecutive missed scheduled scans. If you disable or do not configure this setting, a catch-up scan will occur after the 2 consecutive missed scheduled scans. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4874,28 +4943,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -4912,19 +4987,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting defines the number of days items should be kept in the scan history folder before being permanently removed. The value represents the number of days to keep items in the folder. If set to zero, items will be kept forever and will not be automatically removed. By default, the value is set to 30 days. +This policy setting defines the number of days items should be kept in the scan history folder before being permanently removed. The value represents the number of days to keep items in the folder. If set to zero, items will be kept forever and will not be automatically removed. By default, the value is set to 30 days. If you enable this setting, items will be removed from the scan history folder after the number of days specified. If you disable or do not configure this setting, items will be kept in the scan history folder for the default number of days. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4943,28 +5013,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -4981,19 +5057,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify an interval at which to perform a quick scan. The time value is represented as the number of hours between quick scans. Valid values range from 1 (every hour) to 24 (once per day). If set to zero, interval quick scans will not occur. By default, this setting is set to 0. +This policy setting allows you to specify an interval at which to perform a quick scan. The time value is represented as the number of hours between quick scans. Valid values range from 1 (every hour) to 24 (once per day). If set to zero, interval quick scans will not occur. By default, this setting is set to 0. If you enable this setting, a quick scan will run at the interval specified. If you disable or do not configure this setting, a quick scan will run at a default time. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -5012,28 +5083,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -5050,19 +5127,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure scheduled scans to start only when your computer is on but not in use. +This policy setting allows you to configure scheduled scans to start only when your computer is on but not in use. If you enable or do not configure this setting, scheduled scans will only run when the computer is on but not in use. If you disable this setting, scheduled scans will run at the scheduled time. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -5081,28 +5153,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -5119,7 +5197,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the day of the week on which to perform a scheduled scan. The scan can also be configured to run every day or to never run at all. +This policy setting allows you to specify the day of the week on which to perform a scheduled scan. The scan can also be configured to run every day or to never run at all. This setting can be configured with the following ordinal number values: @@ -5138,12 +5216,7 @@ If you enable this setting, a scheduled scan will run at the frequency specified If you disable or do not configure this setting, a scheduled scan will run at a default frequency. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -5162,28 +5235,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -5200,19 +5279,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the time of day at which to perform a scheduled scan. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equivalent to 02:00 AM. By default, this setting is set to a time value of 2:00 AM. The schedule is based on local time on the computer where the scan is executing. +This policy setting allows you to specify the time of day at which to perform a scheduled scan. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equivalent to 02:00 AM. By default, this setting is set to a time value of 2:00 AM. The schedule is based on local time on the computer where the scan is executing. If you enable this setting, a scheduled scan will run at the time of day specified. If you disable or do not configure this setting, a scheduled scan will run at a default time. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -5231,28 +5305,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -5269,19 +5349,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure whether or not the antimalware service remains running when antivirus and antispyware security intelligence is disabled. It is recommended that this setting remain disabled. +This policy setting allows you to configure whether or not the antimalware service remains running when antivirus and antispyware security intelligence is disabled. It is recommended that this setting remain disabled. If you enable this setting, the antimalware service will always remain running even if both antivirus and antispyware security intelligence is disabled. If you disable or do not configure this setting, the antimalware service will be stopped when both antivirus and antispyware security intelligence is disabled. If the computer is restarted, the service will be started if it is set to Automatic startup. After the service has started, there will be a check to see if antivirus and antispyware security intelligence is enabled. If at least one is enabled, the service will remain running. If both are disabled, the service will be stopped. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -5300,28 +5375,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -5338,19 +5419,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to define the number of days that must pass before spyware security intelligence is considered out of date. If security intelligence is determined to be out of date, this state may trigger several additional actions, including falling back to an alternative update source or displaying a warning icon in the user interface. By default, this value is set to 14 days. +This policy setting allows you to define the number of days that must pass before spyware security intelligence is considered out of date. If security intelligence is determined to be out of date, this state may trigger several additional actions, including falling back to an alternative update source or displaying a warning icon in the user interface. By default, this value is set to 14 days. If you enable this setting, spyware security intelligence will be considered out of date after the number of days specified have passed without an update. If you disable or do not configure this setting, spyware security intelligence will be considered out of date after the default number of days have passed without an update. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -5369,28 +5445,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -5407,19 +5489,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to define the number of days that must pass before virus security intelligence is considered out of date. If security intelligence is determined to be out of date, this state may trigger several additional actions, including falling back to an alternative update source or displaying a warning icon in the user interface. By default, this value is set to 14 days. +This policy setting allows you to define the number of days that must pass before virus security intelligence is considered out of date. If security intelligence is determined to be out of date, this state may trigger several additional actions, including falling back to an alternative update source or displaying a warning icon in the user interface. By default, this value is set to 14 days. If you enable this setting, virus security intelligence will be considered out of date after the number of days specified have passed without an update. If you disable or do not configure this setting, virus security intelligence will be considered out of date after the default number of days have passed without an update. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -5438,28 +5515,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -5476,19 +5559,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure UNC file share sources for downloading security intelligence updates. Sources will be contacted in the order specified. The value of this setting should be entered as a pipe-separated string enumerating the security intelligence update sources. For example: "{\\\unc1 | \\\unc2 }". The list is empty by default. +This policy setting allows you to configure UNC file share sources for downloading security intelligence updates. Sources will be contacted in the order specified. The value of this setting should be entered as a pipe-separated string enumerating the security intelligence update sources. For example: "{\\\unc1 | \\\unc2 }". The list is empty by default. If you enable this setting, the specified sources will be contacted for security intelligence updates. Once security intelligence updates have been successfully downloaded from one specified source, the remaining sources in the list will not be contacted. If you disable or do not configure this setting, the list will remain empty by default and no sources will be contacted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -5507,28 +5585,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -5545,19 +5629,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the automatic scan which starts after a security intelligence update has occurred. +This policy setting allows you to configure the automatic scan which starts after a security intelligence update has occurred. If you enable or do not configure this setting, a scan will start following a security intelligence update. If you disable this setting, a scan will not start following a security intelligence update. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -5576,28 +5655,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -5614,19 +5699,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure security intelligence updates when the computer is running on battery power. +This policy setting allows you to configure security intelligence updates when the computer is running on battery power. If you enable or do not configure this setting, security intelligence updates will occur as usual regardless of power state. If you disable this setting, security intelligence updates will be turned off while the computer is running on battery power. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -5645,28 +5725,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -5683,19 +5769,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure security intelligence updates on startup when there is no antimalware engine present. +This policy setting allows you to configure security intelligence updates on startup when there is no antimalware engine present. If you enable or do not configure this setting, security intelligence updates will be initiated on startup when there is no antimalware engine present. If you disable this setting, security intelligence updates will not be initiated on startup when there is no antimalware engine present. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -5714,28 +5795,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -5752,7 +5839,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to define the order in which different security intelligence update sources should be contacted. The value of this setting should be entered as a pipe-separated string enumerating the security intelligence update sources in order. Possible values are: “InternalDefinitionUpdateServer”, “MicrosoftUpdateServer”, “MMPC”, and “FileShares”. +This policy setting allows you to define the order in which different security intelligence update sources should be contacted. The value of this setting should be entered as a pipe-separated string enumerating the security intelligence update sources in order. Possible values are: “InternalDefinitionUpdateServer”, “MicrosoftUpdateServer”, “MMPC”, and “FileShares”. For example: { InternalDefinitionUpdateServer | MicrosoftUpdateServer | MMPC } @@ -5761,12 +5848,7 @@ If you enable this setting, security intelligence update sources will be contact If you disable or do not configure this setting, security intelligence update sources will be contacted in a default order. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -5785,28 +5867,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -5823,19 +5911,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to enable download of security intelligence updates from Microsoft Update even if the Automatic Updates default server is configured to another download source such as Windows Update. +This policy setting allows you to enable download of security intelligence updates from Microsoft Update even if the Automatic Updates default server is configured to another download source such as Windows Update. If you enable this setting, security intelligence updates will be downloaded from Microsoft Update. If you disable or do not configure this setting, security intelligence updates will be downloaded from the configured download source. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -5854,28 +5937,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -5892,19 +5981,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to enable real-time security intelligence updates in response to reports sent to Microsoft MAPS. If the service reports a file as an unknown and Microsoft MAPS finds that the latest security intelligence update has security intelligence for a threat involving that file, the service will receive all of the latest security intelligence for that threat immediately. You must have configured your computer to join Microsoft MAPS for this functionality to work. +This policy setting allows you to enable real-time security intelligence updates in response to reports sent to Microsoft MAPS. If the service reports a file as an unknown and Microsoft MAPS finds that the latest security intelligence update has security intelligence for a threat involving that file, the service will receive all of the latest security intelligence for that threat immediately. You must have configured your computer to join Microsoft MAPS for this functionality to work. If you enable or do not configure this setting, real-time security intelligence updates will be enabled. If you disable this setting, real-time security intelligence updates will disabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -5923,28 +6007,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -5961,7 +6051,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the day of the week on which to check for security intelligence updates. The check can also be configured to run every day or to never run at all. +This policy setting allows you to specify the day of the week on which to check for security intelligence updates. The check can also be configured to run every day or to never run at all. This setting can be configured with the following ordinal number values: @@ -5980,12 +6070,7 @@ If you enable this setting, the check for security intelligence updates will occ If you disable or do not configure this setting, the check for security intelligence updates will occur at a default frequency. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -6004,28 +6089,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -6042,19 +6133,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the time of day at which to check for security intelligence updates. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equivalent to 02:00 AM. By default this setting is configured to check for security intelligence updates 15 minutes before the scheduled scan time. The schedule is based on local time on the computer where the check is occurring. +This policy setting allows you to specify the time of day at which to check for security intelligence updates. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equivalent to 02:00 AM. By default this setting is configured to check for security intelligence updates 15 minutes before the scheduled scan time. The schedule is based on local time on the computer where the check is occurring. If you enable this setting, the check for security intelligence updates will occur at the time of day specified. If you disable or do not configure this setting, the check for security intelligence updates will occur at the default time. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -6073,28 +6159,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -6111,17 +6203,12 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to define the security intelligence location for VDI-configured computers. +This policy setting allows you to define the security intelligence location for VDI-configured computers. If you disable or do not configure this setting, security intelligence will be referred from the default local source. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -6140,28 +6227,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -6178,19 +6271,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the antimalware service to receive notifications to disable individual security intelligence in response to reports it sends to Microsoft MAPS. Microsoft MAPS uses these notifications to disable security intelligence that are causing false positive reports. You must have configured your computer to join Microsoft MAPS for this functionality to work. +This policy setting allows you to configure the antimalware service to receive notifications to disable individual security intelligence in response to reports it sends to Microsoft MAPS. Microsoft MAPS uses these notifications to disable security intelligence that are causing false positive reports. You must have configured your computer to join Microsoft MAPS for this functionality to work. If you enable this setting or do not configure, the antimalware service will receive notifications to disable security intelligence. If you disable this setting, the antimalware service will not receive notifications to disable security intelligence. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -6209,28 +6297,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -6247,19 +6341,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to define the number of days after which a catch-up security intelligence update will be required. By default, the value of this setting is 1 day. +This policy setting allows you to define the number of days after which a catch-up security intelligence update will be required. By default, the value of this setting is 1 day. If you enable this setting, a catch-up security intelligence update will occur after the specified number of days. If you disable or do not configure this setting, a catch-up security intelligence update will be required after the default number of days. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -6278,28 +6367,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -6316,19 +6411,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether a check for new virus and spyware security intelligence will occur immediately after service startup. +This policy setting allows you to manage whether a check for new virus and spyware security intelligence will occur immediately after service startup. If you enable this setting, a check for new security intelligence will occur after service startup. If you disable this setting or do not configure this setting, a check for new security intelligence will not occur after service startup. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -6347,28 +6437,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -6385,7 +6481,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to join Microsoft MAPS. Microsoft MAPS is the online community that helps you choose how to respond to potential threats. The community also helps stop the spread of new malicious software infections. +This policy setting allows you to join Microsoft MAPS. Microsoft MAPS is the online community that helps you choose how to respond to potential threats. The community also helps stop the spread of new malicious software infections. You can choose to send basic or additional information about detected software. Additional information helps Microsoft create new security intelligence and help it to protect your computer. This information can include things like location of detected items on your computer if harmful software was removed. The information will be automatically collected and sent. In some instances, personal information might unintentionally be sent to Microsoft. However, Microsoft will not use this information to identify you or contact you. @@ -6406,12 +6502,7 @@ If you disable or do not configure this setting, you will not join Microsoft MAP In Windows 10, Basic membership is no longer available, so setting the value to 1 or 2 enrolls the device into Advanced membership. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -6430,28 +6521,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -6468,19 +6565,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures a local override for the configuration to join Microsoft MAPS. This setting can only be set by Group Policy. + This policy setting configures a local override for the configuration to join Microsoft MAPS. This setting can only be set by Policy. -If you enable this setting, the local preference setting will take priority over Group Policy. +If you enable this setting, the local preference setting will take priority over Policy. -If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. +If you disable or do not configure this setting, Policy will take priority over the local preference setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -6500,28 +6592,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -6538,7 +6636,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting customize which remediation action will be taken for each listed Threat ID when it is detected during a scan. Threats should be added under the Options for this setting. Each entry must be listed as a name value pair. The name defines a valid Threat ID, while the value contains the action ID for the remediation action that should be taken. +This policy setting customize which remediation action will be taken for each listed Threat ID when it is detected during a scan. Threats should be added under the Options for this setting. Each entry must be listed as a name value pair. The name defines a valid Threat ID, while the value contains the action ID for the remediation action that should be taken. Valid remediation action values are: @@ -6547,12 +6645,7 @@ Valid remediation action values are: - 6 = Ignore -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -6571,28 +6664,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -6609,19 +6708,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure whether or not to display additional text to clients when they need to perform an action. The text displayed is a custom administrator-defined string. For example, the phone number to call the company help desk. The client interface will only display a maximum of 1024 characters. Longer strings will be truncated before display. +This policy setting allows you to configure whether or not to display additional text to clients when they need to perform an action. The text displayed is a custom administrator-defined string. For example, the phone number to call the company help desk. The client interface will only display a maximum of 1024 characters. Longer strings will be truncated before display. If you enable this setting, the additional text specified will be displayed. If you disable or do not configure this setting, there will be no additional text displayed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -6640,28 +6734,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -6678,19 +6778,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Use this policy setting to specify if you want Microsoft Defender Antivirus notifications to display on clients. +Use this policy setting to specify if you want Microsoft Defender Antivirus notifications to display on clients. If you disable or do not configure this setting, Microsoft Defender Antivirus notifications will display on clients. If you enable this setting, Microsoft Defender Antivirus notifications will not display on clients. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -6709,28 +6804,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -6747,17 +6848,12 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows user to suppress reboot notifications in UI only mode (for cases where UI can't be in lockdown mode). +This policy setting allows user to suppress reboot notifications in UI only mode (for cases where UI can't be in lockdown mode). If you enable this setting AM UI won't show reboot notifications. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -6776,28 +6872,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -6814,17 +6916,12 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure whether or not to display AM UI to the users. +This policy setting allows you to configure whether or not to display AM UI to the users. If you enable this setting AM UI won't be available to users. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -6837,8 +6934,7 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-mmc.md b/windows/client-management/mdm/policy-csp-admx-mmc.md index 05474b42bb..00d29f8ddb 100644 --- a/windows/client-management/mdm/policy-csp-admx-mmc.md +++ b/windows/client-management/mdm/policy-csp-admx-mmc.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_MMC -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -48,28 +52,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -86,7 +96,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits use of this snap-in. +This policy setting permits or prohibits use of this snap-in. If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited. @@ -103,12 +113,7 @@ To explicitly prohibit use of this snap-in, disable this setting. If this settin When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -127,28 +132,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -165,7 +176,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits use of this snap-in. +This policy setting permits or prohibits use of this snap-in. If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited. @@ -182,12 +193,7 @@ To explicitly prohibit use of this snap-in, disable this setting. If this settin When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -206,28 +212,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -244,7 +256,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits use of this snap-in. +This policy setting permits or prohibits use of this snap-in. If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited. @@ -261,12 +273,7 @@ To explicitly prohibit use of this snap-in, disable this setting. If this settin When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -285,28 +292,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -323,7 +336,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from entering author mode. +This policy setting prevents users from entering author mode. This setting prevents users from opening the Microsoft Management Console (MMC) in author mode, explicitly opening console files in author mode, and opening any console files that open in author mode by default. @@ -334,12 +347,7 @@ This setting permits users to open MMC user-mode console files, such as those on If you disable this setting or do not configure it, users can enter author mode and open author-mode console files. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -358,28 +366,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -396,7 +410,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting lets you selectively permit or prohibit the use of Microsoft Management Console (MMC) snap-ins. +This policy setting lets you selectively permit or prohibit the use of Microsoft Management Console (MMC) snap-ins. - If you enable this setting, all snap-ins are prohibited, except those that you explicitly permit. Use this setting if you plan to prohibit use of most snap-ins. @@ -412,12 +426,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > If you enable this setting, and you do not enable any settings in the Restricted/Permitted snap-ins folder, users cannot use any MMC snap-ins. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -430,8 +439,7 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-mmcsnapins.md b/windows/client-management/mdm/policy-csp-admx-mmcsnapins.md index c628cc0a3f..0a7761776b 100644 --- a/windows/client-management/mdm/policy-csp-admx-mmcsnapins.md +++ b/windows/client-management/mdm/policy-csp-admx-mmcsnapins.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_MMCSnapins -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -345,28 +349,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -383,27 +393,22 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +If you enable this policy setting, the snap-in is permitted. It can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited. It cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. +When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -422,28 +427,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -460,27 +471,22 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +If you enable this policy setting, the snap-in is permitted. It can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited. It cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. +When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -500,28 +506,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -538,7 +550,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -553,12 +565,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -578,28 +585,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -616,7 +629,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -631,12 +644,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -656,28 +664,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -694,7 +708,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -709,12 +723,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -734,28 +743,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -772,7 +787,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -787,12 +802,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable.For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -812,28 +822,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -850,7 +866,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -862,15 +878,10 @@ If this policy setting is not configured, the setting of the "Restrict users to - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. +When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable.For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -890,28 +901,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -928,9 +945,9 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +If you enable this policy setting, the snap-in is permitted. It can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. @@ -943,12 +960,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -968,28 +980,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1006,7 +1024,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -1021,12 +1039,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1046,28 +1059,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1084,7 +1103,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -1099,12 +1118,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1124,28 +1138,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1162,7 +1182,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -1177,12 +1197,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1202,28 +1217,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1240,7 +1261,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -1254,12 +1275,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1279,28 +1295,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1317,7 +1339,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -1331,12 +1353,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1356,28 +1373,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1394,7 +1417,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -1408,12 +1431,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1433,28 +1451,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1471,7 +1495,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -1485,12 +1509,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1510,28 +1529,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1548,7 +1573,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -1562,12 +1587,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1587,28 +1607,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1625,7 +1651,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -1639,12 +1665,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1664,28 +1685,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1702,7 +1729,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -1716,12 +1743,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1741,28 +1763,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1779,7 +1807,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -1793,12 +1821,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1818,28 +1841,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1856,7 +1885,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -1870,12 +1899,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1895,28 +1919,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1933,7 +1963,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -1947,12 +1977,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1972,28 +1997,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2010,7 +2041,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -2024,12 +2055,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2049,28 +2075,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2087,7 +2119,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -2101,12 +2133,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2126,28 +2153,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2164,7 +2197,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -2178,12 +2211,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2203,28 +2231,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2241,7 +2275,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -2255,12 +2289,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2280,28 +2309,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2318,7 +2353,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -2332,12 +2367,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2357,28 +2387,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2395,7 +2431,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -2409,12 +2445,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2434,28 +2465,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2472,7 +2509,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -2486,12 +2523,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2511,28 +2543,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2549,7 +2587,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -2563,12 +2601,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2589,28 +2622,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2627,7 +2666,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -2641,12 +2680,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2666,28 +2700,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2704,7 +2744,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -2718,12 +2758,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2743,28 +2778,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2781,7 +2822,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -2795,12 +2836,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2820,28 +2856,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2858,7 +2900,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -2872,12 +2914,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2897,28 +2934,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2935,7 +2978,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -2949,12 +2992,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2974,28 +3012,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -3012,7 +3056,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -3026,12 +3070,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3051,28 +3090,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -3089,7 +3134,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -3103,12 +3148,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3128,28 +3168,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -3166,7 +3212,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -3180,12 +3226,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3205,28 +3246,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -3243,7 +3290,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits use of the Group Policy tab in property sheets for the Active Directory Users and Computers and Active Directory Sites and Services snap-ins. +This policy setting permits or prohibits use of the Group Policy tab in property sheets for the Active Directory Users and Computers and Active Directory Sites and Services snap-ins. If you enable this setting, the Group Policy tab is displayed in the property sheet for a site, domain, or organizational unit displayed by the Active Directory Users and Computers and Active Directory Sites and Services snap-ins. If you disable the setting, the Group Policy tab is not displayed in those snap-ins. @@ -3259,12 +3306,7 @@ To explicitly prohibit use of the Group Policy tab, disable this setting. If thi When the Group Policy tab is inaccessible, it does not appear in the site, domain, or organizational unit property sheets. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3284,28 +3326,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -3322,7 +3370,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -3336,12 +3384,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3361,28 +3404,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -3399,7 +3448,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -3413,12 +3462,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3438,28 +3482,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -3476,7 +3526,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -3490,12 +3540,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3515,28 +3560,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -3553,7 +3604,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -3567,12 +3618,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3592,28 +3638,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -3630,7 +3682,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -3644,12 +3696,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3669,28 +3716,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -3707,7 +3760,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -3721,12 +3774,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3746,28 +3794,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -3784,7 +3838,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -3798,12 +3852,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3823,28 +3872,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -3861,7 +3916,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -3875,12 +3930,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3900,28 +3950,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -3938,7 +3994,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -3952,12 +4008,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3977,28 +4028,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -4015,7 +4072,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -4029,12 +4086,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4054,28 +4106,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -4092,7 +4150,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -4106,12 +4164,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4131,28 +4184,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -4169,7 +4228,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -4183,12 +4242,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4208,28 +4262,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -4246,7 +4306,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -4260,12 +4320,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4285,28 +4340,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -4323,7 +4384,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -4337,12 +4398,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4362,28 +4418,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -4400,7 +4462,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -4414,12 +4476,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4439,28 +4496,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -4477,7 +4540,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -4491,12 +4554,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4516,28 +4574,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -4554,7 +4618,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -4568,12 +4632,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4593,28 +4652,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -4631,7 +4696,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -4645,12 +4710,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4670,28 +4730,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -4708,7 +4774,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -4722,12 +4788,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4747,28 +4808,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -4785,7 +4852,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -4799,12 +4866,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4824,28 +4886,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -4862,7 +4930,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -4876,12 +4944,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4901,28 +4964,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -4939,7 +5008,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -4953,12 +5022,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4978,28 +5042,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -5016,7 +5086,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -5030,12 +5100,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -5055,28 +5120,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -5093,7 +5164,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -5107,12 +5178,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -5132,28 +5198,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -5170,7 +5242,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -5184,12 +5256,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -5209,28 +5276,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -5247,7 +5320,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -5261,12 +5334,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -5286,28 +5354,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -5324,7 +5398,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -5338,12 +5412,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -5363,28 +5432,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -5401,7 +5476,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -5415,12 +5490,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -5440,28 +5510,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -5478,7 +5554,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -5492,12 +5568,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -5517,28 +5588,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -5555,7 +5632,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -5569,12 +5646,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -5594,28 +5666,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -5632,7 +5710,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -5646,12 +5724,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -5671,28 +5744,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -5709,7 +5788,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -5723,12 +5802,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -5748,28 +5822,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -5786,7 +5866,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -5800,12 +5880,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -5825,28 +5900,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -5863,7 +5944,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -5877,12 +5958,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -5902,28 +5978,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -5940,7 +6022,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -5954,12 +6036,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -5979,28 +6056,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -6017,7 +6100,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -6031,12 +6114,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -6056,28 +6134,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -6094,7 +6178,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -6108,12 +6192,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -6133,28 +6212,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -6171,7 +6256,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -6185,12 +6270,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -6210,28 +6290,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -6248,7 +6334,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -6262,12 +6348,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -6287,28 +6368,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -6325,7 +6412,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -6339,12 +6426,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -6364,28 +6446,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -6402,7 +6490,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -6416,12 +6504,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -6441,28 +6524,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -6479,7 +6568,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -6493,12 +6582,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -6518,28 +6602,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -6556,7 +6646,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -6570,12 +6660,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -6595,28 +6680,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -6633,7 +6724,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -6647,12 +6738,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -6672,28 +6758,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -6710,7 +6802,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -6724,12 +6816,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -6749,28 +6836,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -6787,7 +6880,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -6801,12 +6894,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -6826,28 +6914,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -6864,7 +6958,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -6878,12 +6972,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -6903,28 +6992,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -6941,7 +7036,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -6955,12 +7050,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -6980,28 +7070,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -7018,7 +7114,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -7032,12 +7128,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -7057,28 +7148,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -7095,7 +7192,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -7109,12 +7206,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -7134,28 +7226,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -7172,7 +7270,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -7186,12 +7284,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -7211,28 +7304,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -7249,7 +7348,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -7263,12 +7362,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -7288,28 +7382,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -7326,7 +7426,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -7340,12 +7440,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -7365,28 +7460,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -7403,7 +7504,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -7417,12 +7518,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -7442,28 +7538,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -7480,7 +7582,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -7494,12 +7596,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -7519,28 +7616,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -7557,7 +7660,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -7571,12 +7674,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -7596,28 +7694,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -7634,7 +7738,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -7648,12 +7752,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -7673,28 +7772,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -7711,7 +7816,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -7725,12 +7830,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -7750,28 +7850,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -7788,7 +7894,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -7802,12 +7908,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -7827,28 +7928,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -7865,7 +7972,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -7879,12 +7986,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -7904,28 +8006,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -7942,7 +8050,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -7956,12 +8064,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -7981,28 +8084,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -8019,7 +8128,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -8033,12 +8142,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -8058,28 +8162,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -8096,7 +8206,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -8110,12 +8220,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -8135,28 +8240,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -8173,7 +8284,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -8187,12 +8298,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -8212,28 +8318,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -8250,7 +8362,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -8264,12 +8376,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -8289,28 +8396,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -8327,7 +8440,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -8341,12 +8454,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -8366,28 +8474,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -8404,7 +8518,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -8418,12 +8532,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -8435,7 +8544,6 @@ ADMX Info: -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-mobilepcmobilitycenter.md b/windows/client-management/mdm/policy-csp-admx-mobilepcmobilitycenter.md new file mode 100644 index 0000000000..ee4176f585 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-mobilepcmobilitycenter.md @@ -0,0 +1,184 @@ +--- +title: Policy CSP - ADMX_MobilePCMobilityCenter +description: Policy CSP - ADMX_MobilePCMobilityCenter +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nimishasatapathy +ms.date: 09/20/2021 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_MobilePCMobilityCenter + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + +
      + + +## ADMX_MobilePCMobilityCenter policies + +
      +
      + ADMX_MobilePCMobilityCenter/MobilityCenterEnable_1 +
      +
      + ADMX_MobilePCMobilityCenter/MobilityCenterEnable_2 +
      +
      + + +
      + + +**ADMX_MobilePCMobilityCenter/MobilityCenterEnable_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      EditionWindows 10Windows 11
      HomeNoNo
      ProNoNo
      BusinessNoNo
      EnterpriseYesYes
      EducationYesYes
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + +This policy setting turns off Windows Mobility Center. +- If you enable this policy setting, the user is unable to invoke Windows Mobility Center. The Windows Mobility Center UI is removed from all shell entry points and the .exe file does not launch it. + +- If you disable this policy setting, the user is able to invoke Windows Mobility Center and the .exe file launches it. + +If you do not configure this policy setting, Windows Mobility Center is on by default. + + + + + +ADMX Info: +- GP Friendly name: *Turn off Windows Mobility Center* +- GP name: *MobilityCenterEnable_1* +- GP path: *Windows Components\Windows Mobility Center* +- GP ADMX file name: *MobilePCMobilityCenter.admx* + + + +
      + + +**ADMX_MobilePCMobilityCenter/MobilityCenterEnable_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      EditionWindows 10Windows 11
      HomeNoNo
      ProNoNo
      BusinessNoNo
      EnterpriseYesYes
      EducationYesYes
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + +This policy setting turns off Windows Mobility Center. +- If you enable this policy setting, the user is unable to invoke Windows Mobility Center. The Windows Mobility Center UI is removed from all shell entry points and the .exe file does not launch it. + +- If you disable this policy setting, the user is able to invoke Windows Mobility Center and the .exe file launches it. + +If you do not configure this policy setting, Windows Mobility Center is on by default. + + + + + +ADMX Info: +- GP Friendly name: *Turn off Windows Mobility Center* +- GP name: *MobilityCenterEnable_2* +- GP path: *Windows Components\Windows Mobility Center* +- GP ADMX file name: *MobilePCMobilityCenter.admx* + + +
      + + + diff --git a/windows/client-management/mdm/policy-csp-admx-mobilepcpresentationsettings.md b/windows/client-management/mdm/policy-csp-admx-mobilepcpresentationsettings.md new file mode 100644 index 0000000000..afa84fef27 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-mobilepcpresentationsettings.md @@ -0,0 +1,195 @@ +--- +title: Policy CSP - ADMX_MobilePCPresentationSettings +description: Policy CSP - ADMX_MobilePCPresentationSettings +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nimishasatapathy +ms.date: 09/20/2021 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_MobilePCPresentationSettings + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + +
      + + +## ADMX_MobilePCPresentationSettings policies + +
      +
      + ADMX_MobilePCPresentationSettings/PresentationSettingsEnable_1 +
      +
      + ADMX_MobilePCPresentationSettings/PresentationSettingsEnable_2 +
      +
      + +
      + + + +**ADMX_MobilePCPresentationSettings/PresentationSettingsEnable_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      EditionWindows 10Windows 11
      HomeNoNo
      ProNoNo
      BusinessNoNo
      EnterpriseYesYes
      EducationYesYes
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + +This policy setting turns off Windows presentation settings. + +- If you enable this policy setting, Windows presentation settings cannot be invoked. + +- If you disable this policy setting, Windows presentation settings can be invoked. + +The presentation settings icon will be displayed in the notification area. This will give users a quick and easy way to configure their system settings before a presentation to block system notifications and screen blanking, adjust speaker volume, and apply a custom background image. + +> [!NOTE] +> Users will be able to customize their system settings for presentations in Windows Mobility Center. +If you do not configure this policy setting, Windows presentation settings can be invoked. + + + + + + +ADMX Info: +- GP Friendly name: *Turn off Windows presentation settings* +- GP name: *PresentationSettingsEnable_1* +- GP path: *Windows Components\Presentation Settings* +- GP ADMX file name: *MobilePCPresentationSettings.admx* + + + +
      + + +**ADMX_MobilePCPresentationSettings/PresentationSettingsEnable_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      EditionWindows 10Windows 11
      HomeNoNo
      ProNoNo
      BusinessNoNo
      EnterpriseYesYes
      EducationYesYes
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + +This policy setting turns off Windows presentation settings. + +- If you enable this policy setting, Windows presentation settings cannot be invoked. + +- If you disable this policy setting, Windows presentation settings can be invoked. + +The presentation settings icon will be displayed in the notification area. This will give users a quick and easy way to configure their system settings before a presentation to block system notifications and screen blanking, adjust speaker volume, and apply a custom background image. + +> [!NOTE] +> Users will be able to customize their system settings for presentations in Windows Mobility Center. +If you do not configure this policy setting, Windows presentation settings can be invoked. + + + + + +ADMX Info: +- GP Friendly name: *Turn off Windows presentation settings* +- GP name: *PresentationSettingsEnable_2* +- GP path: *Windows Components\Presentation Settings* +- GP ADMX file name: *MobilePCPresentationSettings.admx* + + +
      + + + diff --git a/windows/client-management/mdm/policy-csp-admx-msapolicy.md b/windows/client-management/mdm/policy-csp-admx-msapolicy.md index 99d423e98d..bbfc911a48 100644 --- a/windows/client-management/mdm/policy-csp-admx-msapolicy.md +++ b/windows/client-management/mdm/policy-csp-admx-msapolicy.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_MSAPolicy -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -36,28 +40,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -74,7 +84,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether users can provide Microsoft accounts for authentication for applications or services. If this setting is enabled, all applications and services on the device are prevented from using Microsoft accounts for authentication. +This policy setting controls whether users can provide Microsoft accounts for authentication for applications or services. If this setting is enabled, all applications and services on the device are prevented from using Microsoft accounts for authentication. This applies both to existing users of a device and new users who may be added. However, any application or service that has already authenticated a user will not be affected by enabling this setting until the authentication cache expires. @@ -83,12 +93,7 @@ It is recommended to enable this setting before any user signs in to a device to By default, this setting is Disabled. This setting does not affect whether users can sign in to devices by using Microsoft accounts, or the ability for users to provide Microsoft accounts via the browser for authentication with web-based applications. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -101,8 +106,7 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-msched.md b/windows/client-management/mdm/policy-csp-admx-msched.md index 0264d6cb1d..ffe5ed4a17 100644 --- a/windows/client-management/mdm/policy-csp-admx-msched.md +++ b/windows/client-management/mdm/policy-csp-admx-msched.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_msched -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -39,28 +43,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -77,19 +87,14 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure Automatic Maintenance activation boundary. The maintenance activation boundary is the daily scheduled time at which Automatic Maintenance starts. +This policy setting allows you to configure Automatic Maintenance activation boundary. The maintenance activation boundary is the daily scheduled time at which Automatic Maintenance starts. If you enable this policy setting, this will override the default daily scheduled time as specified in Security and Maintenance/Automatic Maintenance Control Panel. If you disable or do not configure this policy setting, the daily scheduled time as specified in Security and Maintenance/Automatic Maintenance Control Panel will apply. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -108,28 +113,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -146,7 +157,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure Automatic Maintenance activation random delay. +This policy setting allows you to configure Automatic Maintenance activation random delay. The maintenance random delay is the amount of time up to which Automatic Maintenance will delay starting from its Activation Boundary. @@ -157,12 +168,7 @@ If you do not configure this policy setting, 4 hour random delay will be applied If you disable this policy setting, no random delay will be applied to Automatic Maintenance. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -176,8 +182,7 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-msdt.md b/windows/client-management/mdm/policy-csp-admx-msdt.md index a8bf9c9ad2..68f48c21ea 100644 --- a/windows/client-management/mdm/policy-csp-admx-msdt.md +++ b/windows/client-management/mdm/policy-csp-admx-msdt.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_MSDT -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -42,28 +46,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -80,7 +90,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting configures Microsoft Support Diagnostic Tool (MSDT) interactive communication with the support provider. MSDT gathers diagnostic data for analysis by support professionals. +This policy setting configures Microsoft Support Diagnostic Tool (MSDT) interactive communication with the support provider. MSDT gathers diagnostic data for analysis by support professionals. If you enable this policy setting, users can use MSDT to collect and send diagnostic data to a support professional to resolve a problem. @@ -93,12 +103,7 @@ If you do not configure this policy setting, MSDT support mode is enabled by def No reboots or service restarts are required for this policy setting to take effect. Changes take effect immediately. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -117,28 +122,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -155,7 +166,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting restricts the tool download policy for Microsoft Support Diagnostic Tool. +This policy setting restricts the tool download policy for Microsoft Support Diagnostic Tool. Microsoft Support Diagnostic Tool (MSDT) gathers diagnostic data for analysis by support professionals. @@ -180,12 +191,7 @@ When the service is stopped or disabled, diagnostic scenarios are not executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -204,28 +210,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -242,7 +254,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines the execution level for Microsoft Support Diagnostic Tool. +This policy setting determines the execution level for Microsoft Support Diagnostic Tool. Microsoft Support Diagnostic Tool (MSDT) gathers diagnostic data for analysis by support professionals. If you enable this policy setting, administrators can use MSDT to collect and send diagnostic data to a support professional to resolve a problem. @@ -255,12 +267,7 @@ No reboots or service restarts are required for this policy setting to take effe This policy setting will only take effect when the Diagnostic Policy Service (DPS) is in the running state. When the service is stopped or disabled, diagnostic scenarios will not be executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -273,8 +280,7 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-msi.md b/windows/client-management/mdm/policy-csp-admx-msi.md index 0970c6a14e..b27f5623cc 100644 --- a/windows/client-management/mdm/policy-csp-admx-msi.md +++ b/windows/client-management/mdm/policy-csp-admx-msi.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_MSI -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -104,28 +108,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -142,7 +152,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting allows users to search for installation files during privileged installations. +This policy setting allows users to search for installation files during privileged installations. If you enable this policy setting, the Browse button in the "Use feature from" dialog box is enabled. As a result, users can search for installation files even when the installation program is running with elevated system privileges. @@ -153,12 +163,7 @@ This policy setting does not affect installations that run in the user's securit If you disable or do not configure this policy setting, by default, only system administrators can browse during installations with elevated privileges, such as installations offered on the desktop or displayed in Add or Remove Programs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -178,28 +183,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -216,7 +227,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows users to install programs from removable media during privileged installations. +This policy setting allows users to install programs from removable media during privileged installations. If you enable this policy setting, all users are permitted to install programs from removable media, such as floppy disks and CD-ROMs, even when the installation program is running with elevated system privileges. @@ -227,12 +238,7 @@ If you disable or do not configure this policy setting, by default, users can in Also, see the "Prevent removable media source for any install" policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -252,28 +258,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -290,7 +302,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows users to patch elevated products. +This policy setting allows users to patch elevated products. If you enable this policy setting, all users are permitted to install patches, even when the installation program is running with elevated system privileges. Patches are updates or upgrades that replace only those program files that have changed. Because patches can easily be vehicles for malicious programs, some installations prohibit their use. @@ -298,12 +310,7 @@ If you disable or do not configure this policy setting, by default, only system This policy setting does not affect installations that run in the user's security context. By default, users can install patches to programs that run in their own security context. Also, see the "Prohibit patching" policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -323,28 +330,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -361,7 +374,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls Windows Installer's interaction with the Restart Manager. The Restart Manager API can eliminate or reduce the number of system restarts that are required to complete an installation or update. +This policy setting controls Windows Installer's interaction with the Restart Manager. The Restart Manager API can eliminate or reduce the number of system restarts that are required to complete an installation or update. If you enable this policy setting, you can use the options in the Prohibit Use of Restart Manager box to control file in use detection behavior. @@ -374,12 +387,7 @@ If you enable this policy setting, you can use the options in the Prohibit Use o If you disable or do not configure this policy setting, Windows Installer will use Restart Manager to detect files in use and mitigate a system restart, when possible. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -399,28 +407,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -437,7 +451,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from searching for installation files when they add features or components to an installed program. +This policy setting prevents users from searching for installation files when they add features or components to an installed program. If you enable this policy setting, the Browse button beside the "Use feature from" list in the Windows Installer dialog box is disabled. As a result, users must select an installation file source from the "Use features from" list that the system administrator configures. @@ -450,12 +464,7 @@ This policy setting affects Windows Installer only. It does not prevent users fr Also, see the "Enable user to browse for source while elevated" policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -475,28 +484,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -513,19 +528,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the ability to turn off all patch optimizations. +This policy setting controls the ability to turn off all patch optimizations. If you enable this policy setting, all Patch Optimization options are turned off during the installation. If you disable or do not configure this policy setting, it enables faster application of patches by removing execution of unnecessary actions. The flyweight patching mode is primarily designed for patches that just update a few files or registry values. The Installer will analyze the patch for specific changes to determine if optimization is possible. If so, the patch will be applied using a minimal set of processing. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -545,28 +555,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -583,7 +599,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls Windows Installer's processing of the MsiLogging property. The MsiLogging property in an installation package can be used to enable automatic logging of all install operations for the package. +This policy setting controls Windows Installer's processing of the MsiLogging property. The MsiLogging property in an installation package can be used to enable automatic logging of all install operations for the package. If you enable this policy setting, you can use the options in the Disable logging via package settings box to control automatic logging via package settings behavior. @@ -594,12 +610,7 @@ If you enable this policy setting, you can use the options in the Disable loggin If you disable or do not configure this policy setting, Windows Installer will automatically generate log files for those packages that include the MsiLogging property. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -619,28 +630,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -657,11 +674,11 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting restricts the use of Windows Installer. +This policy setting restricts the use of Windows Installer. If you enable this policy setting, you can prevent users from installing software on their systems or permit users to install only those programs offered by a system administrator. You can use the options in the Disable Windows Installer box to establish an installation setting. -- The "Never" option indicates Windows Installer is fully enabled. Users can install and upgrade software. This is the default behavior for Windows Installer on Windows 2000 Professional, Windows XP Professional and Windows Vista when the policy is not configured. +- The "Never" option indicates Windows Installer is fully enabled. Users can install and upgrade software. - The "For non-managed applications only" option permits users to install only those programs that a system administrator assigns (offers on the desktop) or publishes (adds them to Add or Remove Programs). This is the default behavior of Windows Installer on Windows Server 2003 family when the policy is not configured. @@ -670,12 +687,7 @@ If you enable this policy setting, you can prevent users from installing softwar This policy setting affects Windows Installer only. It does not prevent users from using other methods to install and upgrade programs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -695,28 +707,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -733,7 +751,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from installing any programs from removable media. +This policy setting prevents users from installing any programs from removable media. If you enable this policy setting, if a user tries to install a program from removable media, such as CD-ROMs, floppy disks, and DVDs, a message appears stating that the feature cannot be found. @@ -744,12 +762,7 @@ If you disable or do not configure this policy setting, users can install from r Also, see the "Enable user to use media source while elevated" and "Hide the 'Add a program from CD-ROM or floppy disk' option" policy settings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -769,28 +782,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -807,7 +826,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from using Windows Installer to install patches. +This policy setting prevents users from using Windows Installer to install patches. If you enable this policy setting, users are prevented from using Windows Installer to install patches. Patches are updates or upgrades that replace only those program files that have changed. Because patches can be easy vehicles for malicious programs, some installations prohibit their use. @@ -819,12 +838,7 @@ If you disable or do not configure this policy setting, by default, users who ar Also, see the "Enable user to patch elevated products" policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -844,28 +858,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -882,7 +902,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prohibits Windows Installer from generating and saving the files it needs to reverse an interrupted or unsuccessful installation. +This policy setting prohibits Windows Installer from generating and saving the files it needs to reverse an interrupted or unsuccessful installation. If you enable this policy setting, Windows Installer is prevented from recording the original state of the system and sequence of changes it makes during installation. It also prevents Windows Installer from retaining files it intends to delete later. As a result, Windows Installer cannot restore the computer to its original state if the installation does not complete. @@ -890,12 +910,7 @@ This policy setting is designed to reduce the amount of temporary disk space req This policy setting appears in the Computer Configuration and User Configuration folders. If the policy setting is enabled in either folder, it is considered be enabled, even if it is explicitly disabled in the other folder. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -915,28 +930,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -953,7 +974,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prohibits Windows Installer from generating and saving the files it needs to reverse an interrupted or unsuccessful installation. +This policy setting prohibits Windows Installer from generating and saving the files it needs to reverse an interrupted or unsuccessful installation. If you enable this policy setting, Windows Installer is prevented from recording the original state of the system and sequence of changes it makes during installation. It also prevents Windows Installer from retaining files it intends to delete later. As a result, Windows Installer cannot restore the computer to its original state if the installation does not complete. @@ -962,12 +983,7 @@ This policy setting is designed to reduce the amount of temporary disk space req This policy setting appears in the Computer Configuration and User Configuration folders. If the policy setting is enabled in either folder, it is considered be enabled, even if it is explicitly disabled in the other folder. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -987,28 +1003,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1025,19 +1047,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the ability to turn off shared components. +This policy setting controls the ability to turn off shared components. If you enable this policy setting, no packages on the system get the shared component functionality enabled by the msidbComponentAttributesShared attribute in the Component Table. If you disable or do not configure this policy setting, by default, the shared component functionality is allowed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1057,28 +1074,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1095,7 +1118,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Specifies the types of events that Windows Installer records in its transaction log for each installation. The log, Msi.log, appears in the Temp directory of the system volume. +Specifies the types of events that Windows Installer records in its transaction log for each installation. The log, Msi.log, appears in the Temp directory of the system volume. When you enable this policy setting, you can specify the types of events you want Windows Installer to record. To indicate that an event type is recorded, type the letter representing the event type. You can type the letters in any order and list as many or as few event types as you want. @@ -1104,12 +1127,7 @@ To disable logging, delete all of the letters from the box. If you disable or do not configure this policy setting, Windows Installer logs the default event types, represented by the letters "iweap." -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1130,28 +1148,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1168,7 +1192,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the ability of non-administrators to install updates that have been digitally signed by the application vendor. +This policy setting controls the ability of non-administrators to install updates that have been digitally signed by the application vendor. Non-administrator updates provide a mechanism for the author of an application to create digitally signed updates that can be applied by non-privileged users. @@ -1177,12 +1201,7 @@ If you enable this policy setting, only administrators or users with administrat If you disable or do not configure this policy setting, users without administrative privileges can install non-administrator updates. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1203,28 +1222,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1241,7 +1266,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the ability for users or administrators to remove Windows Installer based updates. +This policy setting controls the ability for users or administrators to remove Windows Installer based updates. This policy setting should be used if you need to maintain a tight control over updates. One example is a lockdown environment where you want to ensure that updates once installed cannot be removed by users or administrators. @@ -1250,12 +1275,7 @@ If you enable this policy setting, updates cannot be removed from the computer b If you disable or do not configure this policy setting, a user can remove an update from the computer only if the user has been granted privileges to remove the update. This can depend on whether the user is an administrator, whether "Disable Windows Installer" and "Always install with elevated privileges" policy settings are set, and whether the update was installed in a per-user managed, per-user unmanaged, or per-machine context." -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1276,28 +1296,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1314,19 +1340,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents Windows Installer from creating a System Restore checkpoint each time an application is installed. System Restore enables users, in the event of a problem, to restore their computers to a previous state without losing personal data files. +This policy setting prevents Windows Installer from creating a System Restore checkpoint each time an application is installed. System Restore enables users, in the event of a problem, to restore their computers to a previous state without losing personal data files. If you enable this policy setting, the Windows Installer does not generate System Restore checkpoints when installing applications. If you disable or do not configure this policy setting, by default, the Windows Installer automatically creates a System Restore checkpoint each time an application is installed, so that users can restore their computer to the state it was in before installing the application. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1347,28 +1368,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1385,19 +1412,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure user installs. To configure this policy setting, set it to enabled and use the drop-down list to select the behavior you want. +This policy setting allows you to configure user installs. To configure this policy setting, set it to enabled and use the drop-down list to select the behavior you want. If you do not configure this policy setting, or if the policy setting is enabled and "Allow User Installs" is selected, the installer allows and makes use of products that are installed per user, and products that are installed per computer. If the installer finds a per-user install of an application, this hides a per-computer installation of that same product. If you enable this policy setting and "Hide User Installs" is selected, the installer ignores per-user applications. This causes a per-computer installed application to be visible to users, even if those users have a per-user install of the product registered in their user profile. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1418,28 +1440,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1456,7 +1484,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting causes the Windows Installer to enforce strict rules for component upgrades. +This policy setting causes the Windows Installer to enforce strict rules for component upgrades. If you enable this policy setting, strict upgrade rules will be enforced by the Windows Installer which may cause some upgrades to fail. Upgrades can fail if they attempt to do one of the following: @@ -1469,12 +1497,7 @@ The new feature must be added as a new leaf feature to an existing feature tree. If you disable or do not configure this policy setting, the Windows Installer will use less restrictive rules for component upgrades. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1494,28 +1517,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1532,7 +1561,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy controls the percentage of disk space available to the Windows Installer baseline file cache. +This policy controls the percentage of disk space available to the Windows Installer baseline file cache. The Windows Installer uses the baseline file cache to save baseline files modified by binary delta difference updates. The cache is used to retrieve the baseline file for future updates. The cache eliminates user prompts for source media when new updates are applied. @@ -1545,12 +1574,7 @@ If you set the baseline cache to 100, the Windows Installer will use available f If you disable or do not configure this policy setting, the Windows Installer will uses a default value of 10 percent for the baseline file cache maximum size. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1570,28 +1594,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1608,19 +1638,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the ability to prevent embedded UI. +This policy setting controls the ability to prevent embedded UI. If you enable this policy setting, no packages on the system can run embedded UI. If you disable or do not configure this policy setting, embedded UI is allowed to run. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1640,28 +1665,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1678,7 +1709,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows Web-based programs to install software on the computer without notifying the user. +This policy setting allows Web-based programs to install software on the computer without notifying the user. If you disable or do not configure this policy setting, by default, when a script hosted by an Internet browser tries to install a program on the system, the system warns users and allows them to select or refuse the installation. @@ -1687,12 +1718,7 @@ If you enable this policy setting, the warning is suppressed and allows the inst This policy setting is designed for enterprises that use Web-based tools to distribute programs to their employees. However, because this policy setting can pose a security risk, it should be applied cautiously. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1712,28 +1738,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1750,7 +1782,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the order in which Windows Installer searches for installation files. +This policy setting specifies the order in which Windows Installer searches for installation files. If you disable or do not configure this policy setting, by default, the Windows Installer searches the network first, then removable media (floppy drive, CD-ROM, or DVD), and finally, the Internet (URL). @@ -1763,12 +1795,7 @@ If you enable this policy setting, you can change the search order by specifying To exclude a file source, omit or delete the letter representing that source type. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1788,28 +1815,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1826,7 +1859,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting saves copies of transform files in a secure location on the local computer. +This policy setting saves copies of transform files in a secure location on the local computer. Transform files consist of instructions to modify or customize a program during installation. @@ -1838,15 +1871,8 @@ This policy setting is designed for enterprises to prevent unauthorized or malic If you disable this policy setting, Windows Installer stores transform files in the Application Data directory in the user's profile. -If you do not configure this policy setting on Windows 2000 Professional, Windows XP Professional and Windows Vista, when a user reinstalls, removes, or repairs an installation, the transform file is available, even if the user is on a different computer or is not connected to the network. - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1860,7 +1886,6 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-msifilerecovery.md b/windows/client-management/mdm/policy-csp-admx-msifilerecovery.md new file mode 100644 index 0000000000..ca757d87c6 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-msifilerecovery.md @@ -0,0 +1,121 @@ +--- +title: Policy CSP - ADMX_MsiFileRecovery +description: Policy CSP - ADMX_MsiFileRecovery +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nimishasatapathy +ms.date: 09/20/2021 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_MsiFileRecovery + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + +
      + + +## ADMX_MsiFileRecovery policies + +
      +
      + ADMX_MsiFileRecovery/WdiScenarioExecutionPolicy +
      +
      + +
      + + +**ADMX_MsiFileRecovery/WdiScenarioExecutionPolicy** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      EditionWindows 10Windows 11
      HomeNoNo
      ProNoNo
      BusinessNoNo
      EnterpriseYesYes
      EducationYesYes
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +This policy setting allows you to configure the recovery behavior for corrupted MSI files to one of three states: + +- Prompt for Resolution: Detection, troubleshooting, and recovery of corrupted MSI applications will be turned on. Windows will prompt the user with a dialog-box when application reinstallation is required. +This is the default recovery behavior on Windows client. + +- Silent: Detection, troubleshooting, and notification of MSI application to reinstall will occur with no UI. Windows will log an event when corruption is determined and will suggest the application that should be re-installed. This behavior is recommended for headless operation and is the default recovery behavior on Windows server. + +- Troubleshooting Only: Detection and verification of file corruption will be performed without UI. +Recovery is not attempted. + +- If you enable this policy setting, the recovery behavior for corrupted files is set to either the Prompt For Resolution (default on Windows client), Silent (default on Windows server), or Troubleshooting Only. + +- If you disable this policy setting, the troubleshooting and recovery behavior for corrupted files will be disabled. No troubleshooting or resolution will be attempted. + +If you do not configure this policy setting, the recovery behavior for corrupted files will be set to the default recovery behavior. No system or service restarts are required for changes to this policy setting to take immediate effect after a Group Policy refresh. + +> [!NOTE] +> This policy setting will take effect only when the Diagnostic Policy Service (DPS) is in the running state. When the service is stopped or disabled, system file recovery will not be attempted. The DPS can be configured with the Services snap-in to the Microsoft Management Console. + + + + + +ADMX Info: +- GP Friendly name: *Configure MSI Corrupted File Recovery behavior* +- GP name: *WdiScenarioExecutionPolicy* +- GP path: *System\Troubleshooting and Diagnostics\MSI Corrupted File Recovery* +- GP ADMX file name: *MsiFileRecovery.admx* + + + + +
      + + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-nca.md b/windows/client-management/mdm/policy-csp-admx-nca.md index f35134f108..1ed67abd42 100644 --- a/windows/client-management/mdm/policy-csp-admx-nca.md +++ b/windows/client-management/mdm/policy-csp-admx-nca.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_nca -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -57,28 +61,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -95,7 +105,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies resources on your intranet that are normally accessible to DirectAccess clients. Each entry is a string that identifies the type of resource and the location of the resource. +This policy setting specifies resources on your intranet that are normally accessible to DirectAccess clients. Each entry is a string that identifies the type of resource and the location of the resource. Each string can be one of the following types: @@ -112,12 +122,7 @@ Each string can be one of the following types: You must configure this setting to have complete NCA functionality. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -136,28 +141,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -174,15 +185,10 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies commands configured by the administrator for custom logging. These commands will run in addition to default log commands. +This policy setting specifies commands configured by the administrator for custom logging. These commands will run in addition to default log commands. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -201,28 +207,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -239,7 +251,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the IPv6 addresses of the endpoints of the Internet Protocol security (IPsec) tunnels that enable DirectAccess. NCA attempts to access the resources that are specified in the Corporate Resources setting through these configured tunnel endpoints. +This policy setting specifies the IPv6 addresses of the endpoints of the Internet Protocol security (IPsec) tunnels that enable DirectAccess. NCA attempts to access the resources that are specified in the Corporate Resources setting through these configured tunnel endpoints. By default, NCA uses the same DirectAccess server that the DirectAccess client computer connection is using. In default configurations of DirectAccess, there are typically two IPsec tunnel endpoints: one for the infrastructure tunnel and one for the intranet tunnel. You should configure one endpoint for each tunnel. @@ -248,12 +260,7 @@ Each entry consists of the text PING: followed by the IPv6 address of an IPsec t You must configure this setting to have complete NCA functionality. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -272,28 +279,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -310,17 +323,12 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the string that appears for DirectAccess connectivity when the user clicks the Networking notification area icon. For example, you can specify “Contoso Intranet Access” for the DirectAccess clients of the Contoso Corporation. +This policy setting specifies the string that appears for DirectAccess connectivity when the user clicks the Networking notification area icon. For example, you can specify “Contoso Intranet Access” for the DirectAccess clients of the Contoso Corporation. If this setting is not configured, the string that appears for DirectAccess connectivity is “Corporate Connection”. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -339,28 +347,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -377,7 +391,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the user has Connect and Disconnect options for the DirectAccess entry when the user clicks the Networking notification area icon. +This policy setting specifies whether the user has Connect and Disconnect options for the DirectAccess entry when the user clicks the Networking notification area icon. If the user clicks the Disconnect option, NCA removes the DirectAccess rules from the Name Resolution Policy Table (NRPT) and the DirectAccess client computer uses whatever normal name resolution is available to the client computer in its current network configuration, including sending all DNS queries to the local intranet or Internet DNS servers. Note that NCA does not remove the existing IPsec tunnels and users can still access intranet resources across the DirectAccess server by specifying IPv6 addresses rather than names. @@ -391,12 +405,7 @@ To restore the DirectAccess rules to the NRPT and resume normal DirectAccess fun If this setting is not configured, users do not have Connect or Disconnect options. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -415,28 +424,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -453,16 +468,11 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether NCA service runs in Passive Mode or not. +This policy setting specifies whether NCA service runs in Passive Mode or not. Set this to Disabled to keep NCA probing actively all the time. If this setting is not configured, NCA probing is in active mode by default. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -481,28 +491,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -519,19 +535,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether an entry for DirectAccess connectivity appears when the user clicks the Networking notification area icon. +This policy setting specifies whether an entry for DirectAccess connectivity appears when the user clicks the Networking notification area icon. Set this to Disabled to prevent user confusion when you are just using DirectAccess to remotely manage DirectAccess client computers from your intranet and not providing seamless intranet access. If this setting is not configured, the entry for DirectAccess connectivity appears. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -550,28 +561,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -588,17 +605,12 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the e-mail address to be used when sending the log files that are generated by NCA to the network administrator. +This policy setting specifies the e-mail address to be used when sending the log files that are generated by NCA to the network administrator. When the user sends the log files to the Administrator, NCA uses the default e-mail client to open a new message with the support email address in the To: field of the message, then attaches the generated log files as a .html file. The user can review the message and add additional information before sending the message. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -611,8 +623,7 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-ncsi.md b/windows/client-management/mdm/policy-csp-admx-ncsi.md index 4981561468..9aff94fad5 100644 --- a/windows/client-management/mdm/policy-csp-admx-ncsi.md +++ b/windows/client-management/mdm/policy-csp-admx-ncsi.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_NCSI -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -54,28 +58,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -92,15 +102,10 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting enables you to specify the expected address of the host name used for the DNS probe. Successful resolution of the host name to this address indicates corporate connectivity. +This policy setting enables you to specify the expected address of the host name used for the DNS probe. Successful resolution of the host name to this address indicates corporate connectivity. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -119,28 +124,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -157,15 +168,10 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting enables you to specify the host name of a computer known to be on the corporate network. Successful resolution of this host name to the expected address indicates corporate connectivity. +This policy setting enables you to specify the host name of a computer known to be on the corporate network. Successful resolution of this host name to the expected address indicates corporate connectivity. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -184,28 +190,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -222,15 +234,10 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting enables you to specify the list of IPv6 corporate site prefixes to monitor for corporate connectivity. Reachability of addresses with any of these prefixes indicates corporate connectivity. +This policy setting enables you to specify the list of IPv6 corporate site prefixes to monitor for corporate connectivity. Reachability of addresses with any of these prefixes indicates corporate connectivity. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -249,28 +256,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -287,15 +300,10 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting enables you to specify the URL of the corporate website, against which an active probe is performed. +This policy setting enables you to specify the URL of the corporate website, against which an active probe is performed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -317,28 +325,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -355,15 +369,10 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting enables you to specify the HTTPS URL of the corporate website that clients use to determine the current domain location (i.e. whether the computer is inside or outside the corporate network). Reachability of the URL destination indicates that the client location is inside corporate network; otherwise it is outside the network. +This policy setting enables you to specify the HTTPS URL of the corporate website that clients use to determine the current domain location (i.e. whether the computer is inside or outside the corporate network). Reachability of the URL destination indicates that the client location is inside corporate network; otherwise it is outside the network. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -382,28 +391,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -420,15 +435,10 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting enables you to specify DNS binding behavior. NCSI by default will restrict DNS lookups to the interface it is currently probing on. If you enable this setting, NCSI will allow the DNS lookups to happen on any interface. +This policy setting enables you to specify DNS binding behavior. NCSI by default will restrict DNS lookups to the interface it is currently probing on. If you enable this setting, NCSI will allow the DNS lookups to happen on any interface. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -447,28 +457,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -485,15 +501,10 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This Policy setting enables you to specify passive polling behavior. NCSI polls various measurements throughout the network stack on a frequent interval to determine if network connectivity has been lost. Use the options to control the passive polling behavior. +This Policy setting enables you to specify passive polling behavior. NCSI polls various measurements throughout the network stack on a frequent interval to determine if network connectivity has been lost. Use the options to control the passive polling behavior. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -506,7 +517,6 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-netlogon.md b/windows/client-management/mdm/policy-csp-admx-netlogon.md index f8c2d7401e..60cfff66e4 100644 --- a/windows/client-management/mdm/policy-csp-admx-netlogon.md +++ b/windows/client-management/mdm/policy-csp-admx-netlogon.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_Netlogon -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -138,28 +142,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -176,7 +186,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting configures how a domain controller (DC) behaves when responding to a client whose IP address does not map to any configured site. +This policy setting configures how a domain controller (DC) behaves when responding to a client whose IP address does not map to any configured site. Domain controllers use the client IP address during a DC locator ping request to compute which Active Directory site the client belongs to. If no site mapping can be computed, the DC may do an address lookup on the client network name to discover other IP addresses which may then be used to compute a matching site for the client. @@ -191,12 +201,7 @@ To specify this behavior in the DC Locator DNS SRV records, click Enabled, and t If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -215,28 +220,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -253,7 +264,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines the type of IP address that is returned for a domain controller. The DC Locator APIs return the IP address of the DC with the other parts of information. Before the support of IPv6, the returned DC IP address was IPv4. But with the support of IPv6, the DC Locator APIs can return IPv6 DC address. The returned IPv6 DC address may not be correctly handled by some of the existing applications. So this policy is provided to support such scenarios. +This policy setting determines the type of IP address that is returned for a domain controller. The DC Locator APIs return the IP address of the DC with the other parts of information. Before the support of IPv6, the returned DC IP address was IPv4. But with the support of IPv6, the DC Locator APIs can return IPv6 DC address. The returned IPv6 DC address may not be correctly handled by some of the existing applications. So this policy is provided to support such scenarios. By default, DC Locator APIs can return IPv4/IPv6 DC address. But if some applications are broken due to the returned IPv6 DC address, this policy can be used to disable the default behavior and enforce to return only IPv4 DC address. Once applications are fixed, this policy can be used to enable the default behavior. @@ -264,12 +275,7 @@ If you disable this policy setting, DC Locator APIs will ONLY return IPv4 DC add If you do not configure this policy setting, DC Locator APIs can return IPv4/IPv6 DC address. This is the default behavior of the DC Locator. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -290,28 +296,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -328,7 +340,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the computers to which this setting is applied attempts DNS name resolution of single-label domain names, by appending different registered DNS suffixes, and uses NetBIOS name resolution only if DNS name resolution fails. This policy, including the specified default behavior, is not used if the AllowSingleLabelDnsDomain policy setting is enabled. +This policy setting specifies whether the computers to which this setting is applied attempts DNS name resolution of single-label domain names, by appending different registered DNS suffixes, and uses NetBIOS name resolution only if DNS name resolution fails. This policy, including the specified default behavior, is not used if the AllowSingleLabelDnsDomain policy setting is enabled. By default, when no setting is specified for this policy, the behavior is the same as explicitly enabling this policy, unless the AllowSingleLabelDnsDomain policy setting is enabled. @@ -337,12 +349,7 @@ If you enable this policy setting, when the AllowSingleLabelDnsDomain policy is If you disable this policy setting, when the AllowSingleLabelDnsDomain policy is not enabled, computers to which this policy is applied, will only use NetBIOS name resolution to attempt to locate a domain controller hosting an Active Directory domain specified with a single-label name. The computers will not attempt DNS name resolution in this case, unless the computer is searching for a domain with a single label DNS name to which this computer is joined, in the Active Directory forest. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -363,28 +370,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -401,7 +414,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether the Net Logon service will allow the use of older cryptography algorithms that are used in Windows NT 4.0. The cryptography algorithms used in Windows NT 4.0 and earlier are not as secure as newer algorithms used in Windows 2000 or later, including this version of Windows. +This policy setting controls whether the Net Logon service will allow the use of older cryptography algorithms that are used in Windows NT 4.0. The cryptography algorithms used in Windows NT 4.0 and earlier are not as secure as newer algorithms used in Windows 2000 or later, including this version of Windows. By default, Net Logon will not allow the older cryptography algorithms to be used and will not include them in the negotiation of cryptography algorithms. Therefore, computers running Windows NT 4.0 will not be able to establish a connection to this domain controller. @@ -412,12 +425,7 @@ If you disable this policy setting, Net Logon will not allow the negotiation and If you do not configure this policy setting, Net Logon will not allow the negotiation and use of older cryptography algorithms. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -438,28 +446,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -476,7 +490,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the computers to which this setting is applied attempt DNS name resolution of a single-label domain names. +This policy setting specifies whether the computers to which this setting is applied attempt DNS name resolution of a single-label domain names. By default, the behavior specified in the AllowDnsSuffixSearch is used. If the AllowDnsSuffixSearch policy is disabled, then NetBIOS name resolution is used exclusively, to locate a domain controller hosting an Active Directory domain specified with a single-label name. @@ -487,12 +501,7 @@ If you disable this policy setting, computers to which this setting is applied w If you do not configure this policy setting, it is not applied to any computers, and computers use their local configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -513,28 +522,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -551,7 +566,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether domain controllers (DC) will dynamically register DC Locator site-specific SRV records for the closest sites where no DC for the same domain exists (or no Global Catalog for the same forest exists). These DNS records are dynamically registered by the Net Logon service, and they are used to locate the DC. +This policy setting determines whether domain controllers (DC) will dynamically register DC Locator site-specific SRV records for the closest sites where no DC for the same domain exists (or no Global Catalog for the same forest exists). These DNS records are dynamically registered by the Net Logon service, and they are used to locate the DC. If you enable this policy setting, the DCs to which this setting is applied dynamically register DC Locator site-specific DNS SRV records for the closest sites where no DC for the same domain, or no Global Catalog for the same forest, exists. @@ -560,12 +575,7 @@ If you disable this policy setting, the DCs will not register site-specific DC L If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -586,28 +596,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -624,7 +640,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control the domain controller (DC) location algorithm. By default, the DC location algorithm prefers DNS-based discovery if the DNS domain name is known. If DNS-based discovery fails and the NetBIOS domain name is known, the algorithm then uses NetBIOS-based discovery as a fallback mechanism. +This policy setting allows you to control the domain controller (DC) location algorithm. By default, the DC location algorithm prefers DNS-based discovery if the DNS domain name is known. If DNS-based discovery fails and the NetBIOS domain name is known, the algorithm then uses NetBIOS-based discovery as a fallback mechanism. NetBIOS-based discovery uses a WINS server and mailslot messages but does not use site information. Hence it does not ensure that clients will discover the closest DC. It also allows a hub-site client to discover a branch-site DC even if the branch-site DC only registers site-specific DNS records (as recommended). For these reasons, NetBIOS-based discovery is not recommended. @@ -636,12 +652,7 @@ If you enable or do not configure this policy setting, the DC location algorithm If you disable this policy setting, the DC location algorithm can use NetBIOS-based discovery as a fallback mechanism when DNS based discovery fails. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -662,28 +673,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -700,7 +717,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting defines whether a domain controller (DC) should attempt to verify the password provided by a client with the PDC emulator if the DC failed to validate the password. +This policy setting defines whether a domain controller (DC) should attempt to verify the password provided by a client with the PDC emulator if the DC failed to validate the password. Contacting the PDC emulator is useful in case the client’s password was recently changed and did not propagate to the DC yet. Users may want to disable this feature if the PDC emulator is located over a slow WAN connection. @@ -711,12 +728,7 @@ If you disable this policy setting, the DCs will not attempt to verify any passw If you do not configure this policy setting, it is not applied to any DCs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -737,28 +749,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -775,7 +793,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines the amount of time (in seconds) to wait before the first retry for applications that perform periodic searches for domain controllers (DC) that are unable to find a DC. +This policy setting determines the amount of time (in seconds) to wait before the first retry for applications that perform periodic searches for domain controllers (DC) that are unable to find a DC. The default value for this setting is 10 minutes (10*60). @@ -789,12 +807,7 @@ If the value of this setting is less than the value specified in the NegativeCac > If the value for this setting is too large, a client will not attempt to find any DCs that were initially unavailable. If the value set in this setting is very small and the DC is not available, the traffic caused by periodic DC discoveries may be excessive. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -815,28 +828,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -853,7 +872,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines the maximum retry interval allowed when applications performing periodic searches for Domain Controllers (DCs) are unable to find a DC. +This policy setting determines the maximum retry interval allowed when applications performing periodic searches for Domain Controllers (DCs) are unable to find a DC. For example, the retry intervals may be set at 10 minutes, then 20 minutes and then 40 minutes, but when the interval reaches the value set in this setting, that value becomes the retry interval for all subsequent retries until the value set in Final DC Discovery Retry Setting is reached. @@ -869,12 +888,7 @@ If the value for this setting is smaller than the value specified for the Initia If the value for this setting is too small and the DC is not available, the frequent retries may produce excessive network traffic. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -895,28 +909,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -933,7 +953,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines when retries are no longer allowed for applications that perform periodic searches for domain controllers (DC) are unable to find a DC. For example, retires may be set to occur according to the Use maximum DC discovery retry interval policy setting, but when the value set in this policy setting is reached, no more retries occur. If a value for this policy setting is smaller than the value in the Use maximum DC discovery retry interval policy setting, the value for Use maximum DC discovery retry interval policy setting is used. +This policy setting determines when retries are no longer allowed for applications that perform periodic searches for domain controllers (DC) are unable to find a DC. For example, retires may be set to occur according to the Use maximum DC discovery retry interval policy setting, but when the value set in this policy setting is reached, no more retries occur. If a value for this policy setting is smaller than the value in the Use maximum DC discovery retry interval policy setting, the value for Use maximum DC discovery retry interval policy setting is used. The default value for this setting is to not quit retrying (0). The maximum value for this setting is 49 days (0x49*24*60*60=4233600). The minimum value for this setting is 0. @@ -941,12 +961,7 @@ The default value for this setting is to not quit retrying (0). The maximum valu > If the value for this setting is too small, a client will stop trying to find a DC too soon. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -967,28 +982,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1005,15 +1026,10 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines when a successful DC cache entry is refreshed. This policy setting is applied to caller programs that periodically attempt to locate DCs, and it is applied before returning the DC information to the caller program. The default value for this setting is infinite (4294967200). The maximum value for this setting is (4294967200), while the maximum that is not treated as infinity is 49 days (49*24*60*60=4233600). Any larger value is treated as infinity. The minimum value for this setting is to always refresh (0). +This policy setting determines when a successful DC cache entry is refreshed. This policy setting is applied to caller programs that periodically attempt to locate DCs, and it is applied before returning the DC information to the caller program. The default value for this setting is infinite (4294967200). The maximum value for this setting is (4294967200), while the maximum that is not treated as infinity is 49 days (49*24*60*60=4233600). Any larger value is treated as infinity. The minimum value for this setting is to always refresh (0). -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1034,28 +1050,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1072,7 +1094,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the level of debug output for the Net Logon service. +This policy setting specifies the level of debug output for the Net Logon service. The Net Logon service outputs debug information to the log file netlogon.log in the directory %windir%\debug. By default, no debug information is logged. @@ -1083,12 +1105,7 @@ If you specify zero for this policy setting, the default behavior occurs as desc If you disable this policy setting or do not configure it, the default behavior occurs as described above. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1109,28 +1126,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1147,7 +1170,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines which DC Locator DNS records are not registered by the Net Logon service. +This policy setting determines which DC Locator DNS records are not registered by the Net Logon service. If you enable this policy setting, select Enabled and specify a list of space-delimited mnemonics (instructions) for the DC Locator DNS records that will not be registered by the DCs to which this setting is applied. @@ -1182,12 +1205,7 @@ If you disable this policy setting, DCs configured to perform dynamic registrati If you do not configure this policy setting, DCs use their local configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1208,28 +1226,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1246,7 +1270,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the Refresh Interval of the DC Locator DNS resource records for DCs to which this setting is applied. These DNS records are dynamically registered by the Net Logon service and are used by the DC Locator algorithm to locate the DC. This setting may be applied only to DCs using dynamic update. +This policy setting specifies the Refresh Interval of the DC Locator DNS resource records for DCs to which this setting is applied. These DNS records are dynamically registered by the Net Logon service and are used by the DC Locator algorithm to locate the DC. This setting may be applied only to DCs using dynamic update. DCs configured to perform dynamic registration of the DC Locator DNS resource records periodically reregister their records with DNS servers, even if their records’ data has not changed. If authoritative DNS servers are configured to perform scavenging of the stale records, this reregistration is required to instruct the DNS servers configured to automatically remove (scavenge) stale records that these records are current and should be preserved in the database. @@ -1258,12 +1282,7 @@ To specify the Refresh Interval of the DC records, click Enabled, and then enter If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1284,28 +1303,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1322,7 +1347,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures whether the domain controllers to which this setting is applied will lowercase their DNS host name when registering SRV records. +This policy setting configures whether the domain controllers to which this setting is applied will lowercase their DNS host name when registering SRV records. If enabled, domain controllers will lowercase their DNS host name when registering domain controller SRV records. A best-effort attempt will be made to delete any previously registered SRV records that contain mixed-case DNS host names. For more information and potential manual cleanup procedures, see the link below. @@ -1334,12 +1359,7 @@ The default local configuration is enabled. A reboot is not required for changes to this setting to take effect. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1360,28 +1380,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1398,18 +1424,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the value for the Time-To-Live (TTL) field in SRV resource records that are registered by the Net Logon service. These DNS records are dynamically registered, and they are used to locate the domain controller (DC). +This policy setting specifies the value for the Time-To-Live (TTL) field in SRV resource records that are registered by the Net Logon service. These DNS records are dynamically registered, and they are used to locate the domain controller (DC). To specify the TTL for DC Locator DNS records, click Enabled, and then enter a value in seconds (for example, the value "900" is 15 minutes). If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1430,28 +1451,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1468,19 +1495,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the additional time for the computer to wait for the domain controller’s (DC) response when logging on to the network. +This policy setting specifies the additional time for the computer to wait for the domain controller’s (DC) response when logging on to the network. To specify the expected dial-up delay at logon, click Enabled, and then enter the desired value in seconds (for example, the value "60" is 1 minute). If you do not configure this policy setting, it is not applied to any computers, and computers use their local configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1501,28 +1523,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1539,7 +1567,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines the interval for when a Force Rediscovery is carried out by DC Locator. +This policy setting determines the interval for when a Force Rediscovery is carried out by DC Locator. The Domain Controller Locator (DC Locator) service is used by clients to find domain controllers for their Active Directory domain. When DC Locator finds a domain controller, it caches domain controllers to improve the efficiency of the location algorithm. As long as the cached domain controller meets the requirements and is running, DC Locator will continue to return it. If a new domain controller is introduced, existing clients will only discover it when a Force Rediscovery is carried out by DC Locator. To adapt to changes in network conditions DC Locator will by default carry out a Force Rediscovery according to a specific time interval and maintain efficient load-balancing of clients across all available domain controllers in all domains or forests. The default time interval for Force Rediscovery by DC Locator is 12 hours. Force Rediscovery can also be triggered if a call to DC Locator uses the DS_FORCE_REDISCOVERY flag. Rediscovery resets the timer on the cached domain controller entries. @@ -1550,12 +1578,7 @@ If you disable this policy setting, Force Rediscovery will be used by default fo If you do not configure this policy setting, Force Rediscovery will be used by default for the machine at every 12 hour interval, unless the local machine setting in the registry is a different value. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1576,28 +1599,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1614,7 +1643,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the sites for which the global catalogs (GC) should register site-specific GC locator DNS SRV resource records. These records are registered in addition to the site-specific SRV records registered for the site where the GC resides, and records registered by a GC configured to register GC Locator DNS SRV records for those sites without a GC that are closest to it. +This policy setting specifies the sites for which the global catalogs (GC) should register site-specific GC locator DNS SRV resource records. These records are registered in addition to the site-specific SRV records registered for the site where the GC resides, and records registered by a GC configured to register GC Locator DNS SRV records for those sites without a GC that are closest to it. The GC Locator DNS records and the site-specific SRV records are dynamically registered by the Net Logon service, and they are used to locate the GC. An Active Directory site is one or more well-connected TCP/IP subnets that allow administrators to configure Active Directory access and replication. A GC is a domain controller that contains a partial replica of every domain in Active Directory. @@ -1623,12 +1652,7 @@ To specify the sites covered by the GC Locator DNS SRV records, click Enabled, a If you do not configure this policy setting, it is not applied to any GCs, and GCs use their local configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1649,28 +1673,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1687,7 +1717,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control the processing of incoming mailslot messages by a local domain controller (DC). +This policy setting allows you to control the processing of incoming mailslot messages by a local domain controller (DC). > [!NOTE] > To locate a remote DC based on its NetBIOS (single-label) domain name, DC Locator first gets the list of DCs from a WINS server that is configured in its local client settings. DC Locator then sends a mailslot message to each remote DC to get more information. DC location succeeds only if a remote DC responds to the mailslot message. @@ -1699,12 +1729,7 @@ If you enable this policy setting, this DC does not process incoming mailslot me If you disable or do not configure this policy setting, this DC processes incoming mailslot messages. This is the default behavior of DC Locator. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1725,28 +1750,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1763,7 +1794,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the Priority field in the SRV resource records registered by domain controllers (DC) to which this setting is applied. These DNS records are dynamically registered by the Net Logon service and are used to locate the DC. +This policy setting specifies the Priority field in the SRV resource records registered by domain controllers (DC) to which this setting is applied. These DNS records are dynamically registered by the Net Logon service and are used to locate the DC. The Priority field in the SRV record sets the preference for target hosts (specified in the SRV record’s Target field). DNS clients that query for SRV resource records attempt to contact the first reachable host with the lowest priority number listed. @@ -1772,12 +1803,7 @@ To specify the Priority in the DC Locator DNS SRV resource records, click Enable If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1798,28 +1824,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1836,7 +1868,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the Weight field in the SRV resource records registered by the domain controllers (DC) to which this setting is applied. These DNS records are dynamically registered by the Net Logon service, and they are used to locate the DC. +This policy setting specifies the Weight field in the SRV resource records registered by the domain controllers (DC) to which this setting is applied. These DNS records are dynamically registered by the Net Logon service, and they are used to locate the DC. The Weight field in the SRV record can be used in addition to the Priority value to provide a load-balancing mechanism where multiple servers are specified in the SRV records Target field and are all set to the same priority. The probability with which the DNS client randomly selects the target host to be contacted is proportional to the Weight field value in the SRV record. @@ -1845,12 +1877,7 @@ To specify the Weight in the DC Locator DNS SRV records, click Enabled, and then If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1871,28 +1898,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1909,19 +1942,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the maximum size in bytes of the log file netlogon.log in the directory %windir%\debug when logging is enabled. +This policy setting specifies the maximum size in bytes of the log file netlogon.log in the directory %windir%\debug when logging is enabled. By default, the maximum size of the log file is 20MB. If you enable this policy setting, the maximum size of the log file is set to the specified size. Once this size is reached the log file is saved to netlogon.bak and netlogon.log is truncated. A reasonable value based on available storage should be specified. If you disable or do not configure this policy setting, the default behavior occurs as indicated above. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1942,28 +1970,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1980,7 +2014,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the sites for which the domain controllers (DC) that host the application directory partition should register the site-specific, application directory partition-specific DC Locator DNS SRV resource records. These records are registered in addition to the site-specific SRV records registered for the site where the DC resides, and records registered by a DC configured to register DC Locator DNS SRV records for those sites without a DC that are closest to it. +This policy setting specifies the sites for which the domain controllers (DC) that host the application directory partition should register the site-specific, application directory partition-specific DC Locator DNS SRV resource records. These records are registered in addition to the site-specific SRV records registered for the site where the DC resides, and records registered by a DC configured to register DC Locator DNS SRV records for those sites without a DC that are closest to it. The application directory partition DC Locator DNS records and the site-specific SRV records are dynamically registered by the Net Logon service, and they are used to locate the application directory partition-specific DC. An Active Directory site is one or more well-connected TCP/IP subnets that allow administrators to configure Active Directory access and replication. @@ -1989,12 +2023,7 @@ To specify the sites covered by the DC Locator application directory partition-s If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2015,28 +2044,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2053,7 +2088,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the amount of time (in seconds) the DC locator remembers that a domain controller (DC) could not be found in a domain. When a subsequent attempt to locate the DC occurs within the time set in this setting, DC Discovery immediately fails, without attempting to find the DC. +This policy setting specifies the amount of time (in seconds) the DC locator remembers that a domain controller (DC) could not be found in a domain. When a subsequent attempt to locate the DC occurs within the time set in this setting, DC Discovery immediately fails, without attempting to find the DC. The default value for this setting is 45 seconds. The maximum value for this setting is 7 days (7*24*60*60). The minimum value for this setting is 0. @@ -2061,12 +2096,7 @@ The default value for this setting is 45 seconds. The maximum value for this set > If the value for this setting is too large, a client will not attempt to find any DCs that were initially unavailable. If the value for this setting is too small, clients will attempt to find DCs even when none are available. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2087,28 +2117,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2125,7 +2161,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether or not the Netlogon share created by the Net Logon service on a domain controller (DC) should support compatibility in file sharing semantics with earlier applications. +This policy setting controls whether or not the Netlogon share created by the Net Logon service on a domain controller (DC) should support compatibility in file sharing semantics with earlier applications. If you enable this policy setting, the Netlogon share will honor file sharing semantics that grant requests for exclusive read access to files on the share even when the caller has only read permission. @@ -2139,12 +2175,7 @@ By default, the Netlogon share will grant shared read access to files on the sha If you enable this policy setting, domain administrators should ensure that the only applications using the exclusive read capability in the domain are those approved by the administrator. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2165,28 +2196,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2203,17 +2240,12 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines when a successful DC cache entry is refreshed. This policy setting is applied to caller programs that do not periodically attempt to locate DCs, and it is applied before the returning the DC information to the caller program. This policy setting is relevant to only those callers of DsGetDcName that have not specified the DS_BACKGROUND_ONLY flag. +This policy setting determines when a successful DC cache entry is refreshed. This policy setting is applied to caller programs that do not periodically attempt to locate DCs, and it is applied before the returning the DC information to the caller program. This policy setting is relevant to only those callers of DsGetDcName that have not specified the DS_BACKGROUND_ONLY flag. The default value for this setting is 30 minutes (1800). The maximum value for this setting is (4294967200), while the maximum that is not treated as infinity is 49 days (49*24*60*60=4233600). Any larger value will be treated as infinity. The minimum value for this setting is to always refresh (0). -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2234,28 +2266,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2272,7 +2310,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures whether the computers to which this setting is applied are more aggressive when trying to locate a domain controller (DC). +This policy setting configures whether the computers to which this setting is applied are more aggressive when trying to locate a domain controller (DC). When an environment has a large number of DCs running both old and new operating systems, the default DC locator discovery behavior may be insufficient to find DCs running a newer operating system. This policy setting can be enabled to configure DC locator to be more aggressive about trying to locate a DC in such an environment, by pinging DCs at a higher frequency. Enabling this setting may result in additional network traffic and increased load on DCs. You should disable this setting once all DCs are running the same OS version. @@ -2286,12 +2324,7 @@ To specify this behavior, click Enabled and then enter a value. The range of val If you do not configure this policy setting, it is not applied to any computers, and computers use their local configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2312,28 +2345,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2350,7 +2389,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines the interval at which Netlogon performs the following scavenging operations: +This policy setting determines the interval at which Netlogon performs the following scavenging operations: - Checks if a password on a secure channel needs to be modified, and modifies it if necessary. @@ -2363,12 +2402,7 @@ None of these operations are critical. 15 minutes is optimal in all but extreme To enable the setting, click Enabled, and then specify the interval in seconds. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2389,28 +2423,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2427,7 +2467,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the sites for which the domain controllers (DC) register the site-specific DC Locator DNS SRV resource records. These records are registered in addition to the site-specific SRV records registered for the site where the DC resides, and records registered by a DC configured to register DC Locator DNS SRV records for those sites without a DC that are closest to it. +This policy setting specifies the sites for which the domain controllers (DC) register the site-specific DC Locator DNS SRV resource records. These records are registered in addition to the site-specific SRV records registered for the site where the DC resides, and records registered by a DC configured to register DC Locator DNS SRV records for those sites without a DC that are closest to it. The DC Locator DNS records are dynamically registered by the Net Logon service, and they are used to locate the DC. An Active Directory site is one or more well-connected TCP/IP subnets that allow administrators to configure Active Directory access and replication. @@ -2436,12 +2476,7 @@ To specify the sites covered by the DC Locator DNS SRV records, click Enabled, a If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2462,28 +2497,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2500,7 +2541,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the Active Directory site to which computers belong. +This policy setting specifies the Active Directory site to which computers belong. An Active Directory site is one or more well-connected TCP/IP subnets that allow administrators to configure Active Directory access and replication. @@ -2509,12 +2550,7 @@ To specify the site name for this setting, click Enabled, and then enter the sit If you do not configure this policy setting, it is not applied to any computers, and computers use their local configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2535,28 +2571,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2573,7 +2615,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether or not the SYSVOL share created by the Net Logon service on a domain controller (DC) should support compatibility in file sharing semantics with earlier applications. +This policy setting controls whether or not the SYSVOL share created by the Net Logon service on a domain controller (DC) should support compatibility in file sharing semantics with earlier applications. When this setting is enabled, the SYSVOL share will honor file sharing semantics that grant requests for exclusive read access to files on the share even when the caller has only read permission. @@ -2587,12 +2629,7 @@ By default, the SYSVOL share will grant shared read access to files on the share If you enable this policy setting, domain administrators should ensure that the only applications using the exclusive read capability in the domain are those approved by the administrator. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2613,28 +2650,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2651,7 +2694,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting enables DC Locator to attempt to locate a DC in the nearest site based on the site link cost if a DC in same the site is not found. In scenarios with multiple sites, failing over to the try next closest site during DC Location streamlines network traffic more effectively. +This policy setting enables DC Locator to attempt to locate a DC in the nearest site based on the site link cost if a DC in same the site is not found. In scenarios with multiple sites, failing over to the try next closest site during DC Location streamlines network traffic more effectively. The DC Locator service is used by clients to find domain controllers for their Active Directory domain. The default behavior for DC Locator is to find a DC in the same site. If none are found in the same site, a DC in another site, which might be several site-hops away, could be returned by DC Locator. Site proximity between two sites is determined by the total site-link cost between them. A site is closer if it has a lower site link cost than another site with a higher site link cost. @@ -2662,12 +2705,7 @@ If you disable this policy setting, Try Next Closest Site DC Location will not b If you do not configure this policy setting, Try Next Closest Site DC Location will not be used by default for the machine. If the DS_TRY_NEXTCLOSEST_SITE flag is used explicitly, the Next Closest Site behavior will be used. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2688,28 +2726,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2726,7 +2770,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines if dynamic registration of the domain controller (DC) locator DNS resource records is enabled. These DNS records are dynamically registered by the Net Logon service and are used by the Locator algorithm to locate the DC. +This policy setting determines if dynamic registration of the domain controller (DC) locator DNS resource records is enabled. These DNS records are dynamically registered by the Net Logon service and are used by the Locator algorithm to locate the DC. If you enable this policy setting, DCs to which this setting is applied dynamically register DC Locator DNS resource records through dynamic DNS update-enabled network connections. @@ -2735,12 +2779,7 @@ If you disable this policy setting, DCs will not register DC Locator DNS resourc If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2753,7 +2792,6 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-networkconnections.md b/windows/client-management/mdm/policy-csp-admx-networkconnections.md index 42d74dc6ad..e0e2c1610b 100644 --- a/windows/client-management/mdm/policy-csp-admx-networkconnections.md +++ b/windows/client-management/mdm/policy-csp-admx-networkconnections.md @@ -14,8 +14,12 @@ manager: dansimp # Policy CSP - ADMX_NetworkConnections -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -115,28 +119,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -153,7 +163,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether administrators can add and remove network components for a LAN or remote access connection. This setting has no effect on nonadministrators. +This policy setting determines whether administrators can add and remove network components for a LAN or remote access connection. This setting has no effect on nonadministrators. If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Install and Uninstall buttons for components of connections are disabled, and administrators are not permitted to access network components in the Windows Components Wizard. @@ -171,12 +181,7 @@ The Install and Uninstall buttons appear in the properties dialog box for connec > Nonadministrators are already prohibited from adding and removing connection components, regardless of this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -195,28 +200,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -233,7 +244,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether the Advanced Settings item on the Advanced menu in Network Connections is enabled for administrators. +This policy setting determines whether the Advanced Settings item on the Advanced menu in Network Connections is enabled for administrators. The Advanced Settings item lets users view and change bindings and view and change the order in which the computer accesses connections, network providers, and print providers. @@ -247,12 +258,7 @@ If you disable this setting or do not configure it, the Advanced Settings item i > Nonadministrators are already prohibited from accessing the Advanced Settings dialog box, regardless of this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -271,28 +277,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -309,7 +321,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether users can configure advanced TCP/IP settings. +This policy setting determines whether users can configure advanced TCP/IP settings. If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Advanced button on the Internet Protocol (TCP/IP) Properties dialog box is disabled for all users (including administrators). As a result, users cannot open the Advanced TCP/IP Settings Properties page and modify IP settings, such as DNS and WINS server information. @@ -328,12 +340,7 @@ Changing this setting from Enabled to Not Configured does not enable the Advance > To open the Advanced TCP/IP Setting dialog box, in the Network Connections folder, right-click a connection icon, and click Properties. For remote access connections, click the Networking tab. In the "Components checked are used by this connection" box, click Internet Protocol (TCP/IP), click the Properties button, and then click the Advanced button. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -352,28 +359,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -390,7 +403,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting Determines whether administrators can enable and disable the components used by LAN connections. +This policy setting Determines whether administrators can enable and disable the components used by LAN connections. If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the check boxes for enabling and disabling components are disabled. As a result, administrators cannot enable or disable the components that a connection uses. @@ -404,12 +417,7 @@ If you disable this setting or do not configure it, the Properties dialog box fo > Nonadministrators are already prohibited from enabling or disabling components for a LAN connection, regardless of this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -428,28 +436,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -466,7 +480,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether users can delete all user remote access connections. +This policy setting determines whether users can delete all user remote access connections. To create an all-user remote access connection, on the Connection Availability page in the New Connection Wizard, click the "For all users" option. @@ -486,12 +500,7 @@ When enabled, the "Prohibit deletion of remote access connections" setting takes > This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -510,28 +519,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -548,7 +563,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether users can delete remote access connections. +This policy setting determines whether users can delete remote access connections. If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), users (including administrators) cannot delete any remote access connections. This setting also disables the Delete option on the context menu for a remote access connection and on the File menu in the Network Connections folder. @@ -566,12 +581,7 @@ When enabled, this setting takes precedence over the "Ability to delete all user > This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -590,28 +600,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -628,7 +644,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether the Remote Access Preferences item on the Advanced menu in Network Connections folder is enabled. +This policy setting determines whether the Remote Access Preferences item on the Advanced menu in Network Connections folder is enabled. The Remote Access Preferences item lets users create and change connections before logon and configure automatic dialing and callback features. @@ -639,12 +655,7 @@ If the "Enable Network Connections settings for Administrators" is disabled or n If you disable this setting or do not configure it, the Remote Access Preferences item is enabled for all users. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -663,28 +674,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -701,19 +718,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether or not the "local access only" network icon will be shown. +This policy setting specifies whether or not the "local access only" network icon will be shown. When enabled, the icon for Internet access will be shown in the system tray even when a user is connected to a network with local access only. If you disable this setting or do not configure it, the "local access only" icon will be used when a user is connected to a network with local access only. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -732,28 +744,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -770,26 +788,20 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether settings that existed in Windows 2000 Server family will apply to Administrators. +This policy setting determines whether settings that existed in Windows 2000 Server family will apply to Administrators. The set of Network Connections group settings that existed in Windows 2000 Professional also exists in Windows XP Professional. In Windows 2000 Professional, all of these settings had the ability to prohibit the use of certain features from Administrators. -By default, Network Connections group settings in Windows XP Professional do not have the ability to prohibit the use of features from Administrators. +By default, Network Connections group settings in Windows do not have the ability to prohibit the use of features from Administrators. -If you enable this setting, the Windows XP settings that existed in Windows 2000 Professional will have the ability to prohibit Administrators from using certain features. These settings are "Ability to rename LAN connections or remote access connections available to all users", "Prohibit access to properties of components of a LAN connection", "Prohibit access to properties of components of a remote access connection", "Ability to access TCP/IP advanced configuration", "Prohibit access to the Advanced Settings Item on the Advanced Menu", "Prohibit adding and removing components for a LAN or remote access connection", "Prohibit access to properties of a LAN connection", "Prohibit Enabling/Disabling components of a LAN connection", "Ability to change properties of an all user remote access connection", "Prohibit changing properties of a private remote access connection", "Prohibit deletion of remote access connections", "Ability to delete all user remote access connections", "Prohibit connecting and disconnecting a remote access connection", "Ability to Enable/Disable a LAN connection", "Prohibit access to the New Connection Wizard", "Prohibit renaming private remote access connections", "Prohibit access to the Remote Access Preferences item on the Advanced menu", "Prohibit viewing of status for an active connection". When this setting is enabled, settings that exist in both Windows 2000 Professional and Windows XP Professional behave the same for administrators. +If you enable this setting, the Windows XP settings that existed in Windows 2000 Professional will have the ability to prohibit Administrators from using certain features. These settings are "Ability to rename LAN connections or remote access connections available to all users", "Prohibit access to properties of components of a LAN connection", "Prohibit access to properties of components of a remote access connection", "Ability to access TCP/IP advanced configuration", "Prohibit access to the Advanced Settings Item on the Advanced Menu", "Prohibit adding and removing components for a LAN or remote access connection", "Prohibit access to properties of a LAN connection", "Prohibit Enabling/Disabling components of a LAN connection", "Ability to change properties of an all user remote access connection", "Prohibit changing properties of a private remote access connection", "Prohibit deletion of remote access connections", "Ability to delete all user remote access connections", "Prohibit connecting and disconnecting a remote access connection", "Ability to Enable/Disable a LAN connection", "Prohibit access to the New Connection Wizard", "Prohibit renaming private remote access connections", "Prohibit access to the Remote Access Preferences item on the Advanced menu", "Prohibit viewing of status for an active connection". When this setting is enabled, settings that exist in both Windows 2000 Professional and Windows behave the same for administrators. + +If you disable this setting or do not configure it, Windows settings that existed in Windows 2000 will not apply to administrators. -If you disable this setting or do not configure it, Windows XP settings that existed in Windows 2000 will not apply to administrators. -> [!NOTE] -> This setting is intended to be used in a situation in which the Group Policy object that these settings are being applied to contains both Windows 2000 Professional and Windows XP Professional computers, and identical Network Connections policy behavior is required between all Windows 2000 Professional and Windows XP Professional computers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -808,28 +820,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -846,7 +864,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether a remote client computer routes Internet traffic through the internal network or whether the client accesses the Internet directly. +This policy setting determines whether a remote client computer routes Internet traffic through the internal network or whether the client accesses the Internet directly. When a remote client computer connects to an internal network using DirectAccess, it can access the Internet in two ways: through the secure tunnel that DirectAccess establishes between the computer and the internal network, or directly through the local default gateway. @@ -857,12 +875,7 @@ If you disable this policy setting, traffic between remote client computers runn If you do not configure this policy setting, traffic between remote client computers running DirectAccess and the Internet is not routed through the internal network. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -881,28 +894,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -919,19 +938,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether notifications are shown to the user when a DHCP-configured connection is unable to retrieve an IP address from a DHCP server. This is often signified by the assignment of an automatic private IP address"(i.e. an IP address in the range 169.254.*.*). This indicates that a DHCP server could not be reached or the DHCP server was reached but unable to respond to the request with a valid IP address. By default, a notification is displayed providing the user with information on how the problem can be resolved. +This policy setting allows you to manage whether notifications are shown to the user when a DHCP-configured connection is unable to retrieve an IP address from a DHCP server. This is often signified by the assignment of an automatic private IP address"(i.e. an IP address in the range 169.254.*.*). This indicates that a DHCP server could not be reached or the DHCP server was reached but unable to respond to the request with a valid IP address. By default, a notification is displayed providing the user with information on how the problem can be resolved. If you enable this policy setting, this condition will not be reported as an error to the user. If you disable or do not configure this policy setting, a DHCP-configured connection that has not been assigned an IP address will be reported via a notification, providing the user with information as to how the problem can be resolved. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -950,28 +964,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -988,7 +1008,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether Administrators and Network Configuration Operators can change the properties of components used by a LAN connection. +This policy setting determines whether Administrators and Network Configuration Operators can change the properties of components used by a LAN connection. This setting determines whether the Properties button for components of a LAN connection is enabled. @@ -1010,12 +1030,7 @@ The Local Area Connection Properties dialog box includes a list of the network c > Nonadministrators are already prohibited from accessing properties of components for a LAN connection, regardless of this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1034,28 +1049,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1072,7 +1093,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether users can enable/disable LAN connections. +This policy setting determines whether users can enable/disable LAN connections. If you enable this setting, the Enable and Disable options for LAN connections are available to users (including nonadministrators). Users can enable/disable a LAN connection by double-clicking the icon representing the connection, by right-clicking it, or by using the File menu. @@ -1086,12 +1107,7 @@ If you do not configure this setting, only Administrators and Network Configurat > Administrators can still enable/disable LAN connections from Device Manager when this setting is disabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1110,28 +1126,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1148,7 +1170,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether users can change the properties of a LAN connection. +This policy setting determines whether users can change the properties of a LAN connection. This setting determines whether the Properties menu item is enabled, and thus, whether the Local Area Connection Properties dialog box is available to users. @@ -1164,12 +1186,7 @@ If you disable this setting or do not configure it, a Properties menu item appea > Nonadministrators have the right to view the properties dialog box for a connection but not to make changes, regardless of this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1188,28 +1205,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1226,7 +1249,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether users can use the New Connection Wizard, which creates new network connections. +This policy setting determines whether users can use the New Connection Wizard, which creates new network connections. If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Make New Connection icon does not appear in the Start Menu on in the Network Connections folder. As a result, users (including administrators) cannot start the New Connection Wizard. @@ -1240,12 +1263,7 @@ If you disable this setting or do not configure it, the Make New Connection icon > This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1264,28 +1282,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1302,7 +1326,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prohibits use of Internet Connection Firewall on your DNS domain network. +This policy setting prohibits use of Internet Connection Firewall on your DNS domain network. Determines whether users can enable the Internet Connection Firewall feature on a connection, and if the Internet Connection Firewall service can run on a computer. @@ -1318,12 +1342,7 @@ If you enable the "Windows Firewall: Protect all network connections" policy set If you disable this setting or do not configure it, the Internet Connection Firewall is disabled when a LAN Connection or VPN connection is created, but users can use the Advanced tab in the connection properties to enable it. The Internet Connection Firewall is enabled by default on the connection for which Internet Connection Sharing is enabled. In addition, remote access connections created through the Make New Connection Wizard have the Internet Connection Firewall enabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1342,28 +1361,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1380,7 +1405,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether a user can view and change the properties of remote access connections that are available to all users of the computer. +This policy setting determines whether a user can view and change the properties of remote access connections that are available to all users of the computer. To create an all-user remote access connection, on the Connection Availability page in the New Connection Wizard, click the "For all users" option. @@ -1400,12 +1425,7 @@ If you do not configure this setting, only Administrators and Network Configurat > This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1424,28 +1444,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1462,7 +1488,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether users can view and change the properties of components used by a private or all-user remote access connection. +This policy setting determines whether users can view and change the properties of components used by a private or all-user remote access connection. This setting determines whether the Properties button for components used by a private or all-user remote access connection is enabled. @@ -1474,7 +1500,7 @@ If you disable this setting or do not configure it, the Properties button is ena The Networking tab of the Remote Access Connection Properties dialog box includes a list of the network components that the connection uses. To view or change the properties of a component, click the name of the component, and then click the Properties button beneath the component list. -> [NOTE] +> [!NOTE] > Not all network components have configurable properties. For components that are not configurable, the Properties button is always disabled. > > When the "Ability to change properties of an all user remote access connection" or "Prohibit changing properties of a private remote access connection" settings are set to deny access to the Remote Access Connection Properties dialog box, the Properties button for remote access connection components is blocked. @@ -1482,12 +1508,7 @@ The Networking tab of the Remote Access Connection Properties dialog box include > This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1506,28 +1527,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1544,7 +1571,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether users can connect and disconnect remote access connections. +This policy setting determines whether users can connect and disconnect remote access connections. If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), double-clicking the icon has no effect, and the Connect and Disconnect menu items are disabled for all users (including administrators). @@ -1553,12 +1580,7 @@ If the "Enable Network Connections settings for Administrators" is disabled or n If you disable this setting or do not configure it, the Connect and Disconnect options for remote access connections are available to all users. Users can connect or disconnect a remote access connection by double-clicking the icon representing the connection, by right-clicking it, or by using the File menu. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1577,28 +1599,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1615,7 +1643,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether users can view and change the properties of their private remote access connections. +This policy setting determines whether users can view and change the properties of their private remote access connections. Private connections are those that are available only to one user. To create a private connection, on the Connection Availability page in the New Connection Wizard, click the "Only for myself" option. @@ -1633,12 +1661,7 @@ If you disable this setting or do not configure it, a Properties menu item appea > This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1657,28 +1680,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1695,7 +1724,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether nonadministrators can rename all-user remote access connections. +This policy setting determines whether nonadministrators can rename all-user remote access connections. To create an all-user connection, on the Connection Availability page in the New Connection Wizard, click the "For all users" option. @@ -1713,12 +1742,7 @@ When the "Ability to rename LAN connections or remote access connections availab This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1737,28 +1761,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1775,7 +1805,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting Determines whether users can rename LAN or all user remote access connections. +This policy setting Determines whether users can rename LAN or all user remote access connections. If you enable this setting, the Rename option is enabled for all users. Users can rename connections by clicking the icon representing a connection or by using the File menu. @@ -1791,12 +1821,7 @@ If this setting is not configured, only Administrators and Network Configuration > This setting does not prevent users from using other programs, such as Internet Explorer, to rename remote access connections. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1815,28 +1840,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1853,7 +1884,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether nonadministrators can rename a LAN connection. +This policy setting determines whether nonadministrators can rename a LAN connection. If you enable this setting, the Rename option is enabled for LAN connections. Nonadministrators can rename LAN connections by clicking an icon representing the connection or by using the File menu. @@ -1867,12 +1898,7 @@ If you do not configure this setting, only Administrators and Network Configurat When the "Ability to rename LAN connections or remote access connections available to all users" setting is configured (set to either enabled or disabled), this setting does not apply. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1891,28 +1917,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1929,7 +1961,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether users can rename their private remote access connections. +This policy setting determines whether users can rename their private remote access connections. Private connections are those that are available only to one user. To create a private connection, on the Connection Availability page in the New Connection Wizard, click the "Only for myself" option. @@ -1943,12 +1975,7 @@ If you disable this setting or do not configure it, the Rename option is enabled > This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1967,28 +1994,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2005,13 +2038,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether administrators can enable and configure the Internet Connection Sharing (ICS) feature of an Internet connection and if the ICS service can run on the computer. +This policy setting determines whether administrators can enable and configure the Internet Connection Sharing (ICS) feature of an Internet connection and if the ICS service can run on the computer. ICS lets administrators configure their system as an Internet gateway for a small network and provides network services, such as name resolution and addressing through DHCP, to the local private network. If you enable this setting, ICS cannot be enabled or configured by administrators, and the ICS service cannot run on the computer. The Advanced tab in the Properties dialog box for a LAN or remote access connection is removed. The Internet Connection Sharing page is removed from the New Connection Wizard. The Network Setup Wizard is disabled. -If you disable this setting or do not configure it and have two or more connections, administrators can enable ICS. The Advanced tab in the properties dialog box for a LAN or remote access connection is available. In addition, the user is presented with the option to enable Internet Connection Sharing in the Network Setup Wizard and Make New Connection Wizard. (The Network Setup Wizard is available only in Windows XP Professional.) +If you disable this setting or do not configure it and have two or more connections, administrators can enable ICS. The Advanced tab in the properties dialog box for a LAN or remote access connection is available. In addition, the user is presented with the option to enable Internet Connection Sharing in the Network Setup Wizard and Make New Connection Wizard. By default, ICS is disabled when you create a remote access connection, but administrators can use the Advanced tab to enable it. When running the New Connection Wizard or Network Setup Wizard, administrators can choose to enable ICS. @@ -2025,12 +2058,7 @@ Nonadministrators are already prohibited from configuring Internet Connection Sh Disabling this setting does not prevent Wireless Hosted Networking from using the ICS service for DHCP services. To prevent the ICS service from running, on the Network Permissions tab in the network's policy properties, select the "Don't use hosted networks" check box. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2049,28 +2077,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2087,7 +2121,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether users can view the status for an active connection. +This policy setting determines whether users can view the status for an active connection. Connection status is available from the connection status taskbar icon or from the Status dialog box. The Status dialog box displays information about the connection and its activity. It also provides buttons to disconnect and to configure the properties of the connection. @@ -2098,12 +2132,7 @@ If the "Enable Network Connections settings for Administrators" is disabled or n If you disable this setting or do not configure it, the connection status taskbar icon and Status dialog box are available to all users. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2122,28 +2151,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2160,19 +2195,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether to require domain users to elevate when setting a network's location. +This policy setting determines whether to require domain users to elevate when setting a network's location. If you enable this policy setting, domain users must elevate when setting a network's location. If you disable or do not configure this policy setting, domain users can set a network's location without elevating. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2185,6 +2215,5 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-offlinefiles.md b/windows/client-management/mdm/policy-csp-admx-offlinefiles.md index fa64224da3..27a8bd6ae6 100644 --- a/windows/client-management/mdm/policy-csp-admx-offlinefiles.md +++ b/windows/client-management/mdm/policy-csp-admx-offlinefiles.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_OfflineFiles -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -171,28 +175,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -209,7 +219,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting makes subfolders available offline whenever their parent folder is made available offline. +This policy setting makes subfolders available offline whenever their parent folder is made available offline. This setting automatically extends the "make available offline" setting to all new and existing subfolders of a folder. Users do not have the option of excluding subfolders. @@ -218,12 +228,7 @@ If you enable this setting, when you make a folder available offline, all folder If you disable this setting or do not configure it, the system asks users whether they want subfolders to be made available offline when they make a parent folder available offline. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -242,28 +247,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -280,7 +291,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting lists network files and folders that are always available for offline use. This ensures that the specified files and folders are available offline to users of the computer. +This policy setting lists network files and folders that are always available for offline use. This ensures that the specified files and folders are available offline to users of the computer. If you enable this policy setting, the files you enter are always available offline to users of the computer. To specify a file or folder, click Show. In the Show Contents dialog box in the Value Name column, type the fully qualified UNC path to the file or folder. Leave the Value column field blank. @@ -292,12 +303,7 @@ If you do not configure this policy setting, no files or folders are made availa > This setting appears in the Computer Configuration and User Configuration folders. If both policy settings are configured, the policy settings will be combined and all specified files will be available for offline use. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -316,28 +322,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -354,7 +366,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting lists network files and folders that are always available for offline use. This ensures that the specified files and folders are available offline to users of the computer. +This policy setting lists network files and folders that are always available for offline use. This ensures that the specified files and folders are available offline to users of the computer. If you enable this policy setting, the files you enter are always available offline to users of the computer. To specify a file or folder, click Show. In the Show Contents dialog box in the Value Name column, type the fully qualified UNC path to the file or folder. Leave the Value column field blank. @@ -366,12 +378,7 @@ If you do not configure this policy setting, no files or folders are made availa > This setting appears in the Computer Configuration and User Configuration folders. If both policy settings are configured, the policy settings will be combined and all specified files will be available for offline use. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -390,28 +397,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -428,7 +441,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls when background synchronization occurs while operating in slow-link mode, and applies to any user who logs onto the specified machine while this policy is in effect. To control slow-link mode, use the "Configure slow-link mode" policy setting. +This policy setting controls when background synchronization occurs while operating in slow-link mode, and applies to any user who logs onto the specified machine while this policy is in effect. To control slow-link mode, use the "Configure slow-link mode" policy setting. If you enable this policy setting, you can control when Windows synchronizes in the background while operating in slow-link mode. Use the 'Sync Interval' and 'Sync Variance' values to override the default sync interval and variance settings. Use 'Blockout Start Time' and 'Blockout Duration' to set a period of time where background sync is disabled. Use the 'Maximum Allowed Time Without A Sync' value to ensure that all network folders on the machine are synchronized with the server on a regular basis. @@ -437,12 +450,7 @@ You can also configure Background Sync for network shares that are in user selec If you disable or do not configure this policy setting, Windows performs a background sync of offline folders in the slow-link mode at a default interval with the start of the sync varying between 0 and 60 additional minutes. In Windows 7 and Windows Server 2008 R2, the default sync interval is 360 minutes. In Windows 8 and Windows Server 2012, the default sync interval is 120 minutes. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -461,28 +469,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -499,7 +513,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting limits the amount of disk space that can be used to store offline files. This includes the space used by automatically cached files and files that are specifically made available offline. Files can be automatically cached if the user accesses a file on an automatic caching network share. +This policy setting limits the amount of disk space that can be used to store offline files. This includes the space used by automatically cached files and files that are specifically made available offline. Files can be automatically cached if the user accesses a file on an automatic caching network share. This setting also disables the ability to adjust, through the Offline Files control panel applet, the disk space limits on the Offline Files cache. This prevents users from trying to change the option while a policy setting controls it. @@ -518,12 +532,7 @@ If you enable this setting and specify an auto-cached space limit greater than t This setting replaces the Default Cache Size setting used by pre-Windows Vista systems. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -542,28 +551,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -580,7 +595,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether network files remain available if the computer is suddenly disconnected from the server hosting the files. +This policy setting determines whether network files remain available if the computer is suddenly disconnected from the server hosting the files. This setting also disables the "When a network connection is lost" option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it. @@ -602,12 +617,7 @@ This setting appears in the Computer Configuration and User Configuration folder Also, see the "Non-default server disconnect actions" setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -626,28 +636,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -664,7 +680,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether network files remain available if the computer is suddenly disconnected from the server hosting the files. +This policy setting determines whether network files remain available if the computer is suddenly disconnected from the server hosting the files. This setting also disables the "When a network connection is lost" option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it. @@ -686,12 +702,7 @@ This setting appears in the Computer Configuration and User Configuration folder Also, see the "Non-default server disconnect actions" setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -710,28 +721,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -748,7 +765,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Limits the percentage of the computer's disk space that can be used to store automatically cached offline files. +Limits the percentage of the computer's disk space that can be used to store automatically cached offline files. This setting also disables the "Amount of disk space to use for temporary offline files" option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it. @@ -766,12 +783,7 @@ If you do not configure this setting, disk space for automatically cached files > To change the amount of disk space used for automatic caching without specifying a setting, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then use the slider bar associated with the "Amount of disk space to use for temporary offline files" option. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -790,28 +802,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -828,7 +846,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build.This policy setting determines whether the Offline Files feature is enabled. Offline Files saves a copy of network files on the user's computer for use when the computer is not connected to the network. +This policy setting determines whether the Offline Files feature is enabled. Offline Files saves a copy of network files on the user's computer for use when the computer is not connected to the network. If you enable this policy setting, Offline Files is enabled and users cannot disable it. @@ -840,12 +858,7 @@ If you do not configure this policy setting, Offline Files is enabled on Windows > Changes to this policy setting do not take effect until the affected computer is restarted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -864,28 +877,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -902,7 +921,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether offline files are encrypted. +This policy setting determines whether offline files are encrypted. Offline files are locally cached copies of files from a network share. Encrypting this cache reduces the likelihood that a user could access files from the Offline Files cache without proper permissions. @@ -917,12 +936,7 @@ If you do not configure this policy setting, encryption of the Offline Files cac This setting is applied at user logon. If this setting is changed after user logon then user logoff and logon is required for this setting to take effect. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -941,28 +955,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -979,7 +999,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines which events the Offline Files feature records in the event log. +This policy setting determines which events the Offline Files feature records in the event log. Offline Files records events in the Application log in Event Viewer when it detects errors. By default, Offline Files records an event only when the offline files storage cache is corrupted. However, you can use this setting to specify additional events you want Offline Files to record. @@ -997,12 +1017,7 @@ To use this setting, in the "Enter" box, select the number corresponding to the > This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1021,28 +1036,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1059,7 +1080,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines which events the Offline Files feature records in the event log. +This policy setting determines which events the Offline Files feature records in the event log. Offline Files records events in the Application log in Event Viewer when it detects errors. By default, Offline Files records an event only when the offline files storage cache is corrupted. However, you can use this setting to specify additional events you want Offline Files to record. @@ -1077,12 +1098,7 @@ To use this setting, in the "Enter" box, select the number corresponding to the > This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1101,28 +1117,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1139,19 +1161,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting enables administrators to block certain file types from being created in the folders that have been made available offline. +This policy setting enables administrators to block certain file types from being created in the folders that have been made available offline. If you enable this policy setting, a user will be unable to create files with the specified file extensions in any of the folders that have been made available offline. If you disable or do not configure this policy setting, a user can create a file of any type in the folders that have been made available offline. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1170,28 +1187,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1208,7 +1231,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Lists types of files that cannot be used offline. +Lists types of files that cannot be used offline. This setting lets you exclude certain types of files from automatic and manual caching for offline use. The system does not cache files of the type specified in this setting even when they reside on a network share configured for automatic caching. Also, if users try to make a file of this type available offline, the operation will fail and the following message will be displayed in the Synchronization Manager progress dialog box: "Files of this type cannot be made available offline." @@ -1220,12 +1243,7 @@ To use this setting, type the file name extension in the "Extensions" box. To ty > To make changes to this setting effective, you must log off and log on again. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1244,28 +1262,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1282,7 +1306,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether network files remain available if the computer is suddenly disconnected from the server hosting the files. +This policy setting determines whether network files remain available if the computer is suddenly disconnected from the server hosting the files. This setting also disables the "When a network connection is lost" option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it. @@ -1304,12 +1328,7 @@ This setting appears in the Computer Configuration and User Configuration folder Also, see the "Non-default server disconnect actions" setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1328,28 +1347,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1366,7 +1391,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether network files remain available if the computer is suddenly disconnected from the server hosting the files. +This policy setting determines whether network files remain available if the computer is suddenly disconnected from the server hosting the files. This setting also disables the "When a network connection is lost" option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it. @@ -1388,12 +1413,7 @@ This setting appears in the Computer Configuration and User Configuration folder Also, see the "Non-default server disconnect actions" setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1412,28 +1432,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1450,7 +1476,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting disables the Offline Files folder. +This policy setting disables the Offline Files folder. This setting disables the "View Files" button on the Offline Files tab. As a result, users cannot use the Offline Files folder to view or open copies of network files stored on their computer. Also, they cannot use the folder to view characteristics of offline files, such as their server status, type, or location. @@ -1462,12 +1488,7 @@ This setting appears in the Computer Configuration and User Configuration folder > To view the Offline Files Folder, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then click "View Files." -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1486,28 +1507,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1524,7 +1551,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting disables the Offline Files folder. +This policy setting disables the Offline Files folder. This setting disables the "View Files" button on the Offline Files tab. As a result, users cannot use the Offline Files folder to view or open copies of network files stored on their computer. Also, they cannot use the folder to view characteristics of offline files, such as their server status, type, or location. @@ -1536,12 +1563,7 @@ This setting appears in the Computer Configuration and User Configuration folder > To view the Offline Files Folder, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then click "View Files." -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1560,28 +1582,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1598,7 +1626,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from enabling, disabling, or changing the configuration of Offline Files. +This policy setting prevents users from enabling, disabling, or changing the configuration of Offline Files. This setting removes the Offline Files tab from the Folder Options dialog box. It also removes the Settings item from the Offline Files context menu and disables the Settings button on the Offline Files Status dialog box. As a result, users cannot view or change the options on the Offline Files tab or Offline Files dialog box. @@ -1610,12 +1638,7 @@ This setting appears in the Computer Configuration and User Configuration folder > This setting provides a quick method for locking down the default settings for Offline Files. To accept the defaults, just enable this setting. You do not have to disable any other settings in this folder. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1634,28 +1657,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1672,7 +1701,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from enabling, disabling, or changing the configuration of Offline Files. +This policy setting prevents users from enabling, disabling, or changing the configuration of Offline Files. This setting removes the Offline Files tab from the Folder Options dialog box. It also removes the Settings item from the Offline Files context menu and disables the Settings button on the Offline Files Status dialog box. As a result, users cannot view or change the options on the Offline Files tab or Offline Files dialog box. @@ -1684,12 +1713,7 @@ This setting appears in the Computer Configuration and User Configuration folder > This setting provides a quick method for locking down the default settings for Offline Files. To accept the defaults, just enable this setting. You do not have to disable any other settings in this folder. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1708,28 +1732,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1746,7 +1776,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from making network files and folders available offline. +This policy setting prevents users from making network files and folders available offline. If you enable this policy setting, users cannot designate files to be saved on their computer for offline use. However, Windows will still cache local copies of files that reside on network shares designated for automatic caching. @@ -1757,12 +1787,7 @@ If you disable or do not configure this policy setting, users can manually speci > - The "Make Available Offline" command is called "Always available offline" on computers running Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, or Windows Vista. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1781,28 +1806,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1819,7 +1850,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from making network files and folders available offline. +This policy setting prevents users from making network files and folders available offline. If you enable this policy setting, users cannot designate files to be saved on their computer for offline use. However, Windows will still cache local copies of files that reside on network shares designated for automatic caching. @@ -1830,12 +1861,7 @@ If you disable or do not configure this policy setting, users can manually speci > - The "Make Available Offline" command is called "Always available offline" on computers running Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, or Windows Vista. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1854,28 +1880,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1892,7 +1924,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage a list of files and folders for which you want to block the "Make Available Offline" command. +This policy setting allows you to manage a list of files and folders for which you want to block the "Make Available Offline" command. If you enable this policy setting, the "Make Available Offline" command is not available for the files and folders that you list. To specify these files and folders, click Show. In the Show Contents dialog box, in the Value Name column box, type the fully qualified UNC path to the file or folder. Leave the Value column field blank. @@ -1907,12 +1939,7 @@ If you do not configure this policy setting, the "Make Available Offline" comman > - If the "Remove 'Make Available Offline' command" policy setting is enabled, this setting has no effect. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1931,28 +1958,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1969,7 +2002,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage a list of files and folders for which you want to block the "Make Available Offline" command. +This policy setting allows you to manage a list of files and folders for which you want to block the "Make Available Offline" command. If you enable this policy setting, the "Make Available Offline" command is not available for the files and folders that you list. To specify these files and folders, click Show. In the Show Contents dialog box, in the Value Name column box, type the fully qualified UNC path to the file or folder. Leave the Value column field blank. @@ -1984,12 +2017,7 @@ If you do not configure this policy setting, the "Make Available Offline" comman > - If the "Remove 'Make Available Offline' command" policy setting is enabled, this setting has no effect. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2008,28 +2036,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2046,7 +2080,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Hides or displays reminder balloons, and prevents users from changing the setting. +Hides or displays reminder balloons, and prevents users from changing the setting. Reminder balloons appear above the Offline Files icon in the notification area to notify users when they have lost the connection to a networked file and are working on a local copy of the file. Users can then decide how to proceed. @@ -2064,12 +2098,7 @@ This setting appears in the Computer Configuration and User Configuration folder > To display or hide reminder balloons without establishing a setting, in Windows Explorer, on the Tools menu, click Folder Options, and then click the Offline Files tab. This setting corresponds to the "Enable reminders" check box. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2088,28 +2117,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2126,7 +2161,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Hides or displays reminder balloons, and prevents users from changing the setting. +Hides or displays reminder balloons, and prevents users from changing the setting. Reminder balloons appear above the Offline Files icon in the notification area to notify users when they have lost the connection to a networked file and are working on a local copy of the file. Users can then decide how to proceed. @@ -2144,12 +2179,7 @@ This setting appears in the Computer Configuration and User Configuration folder > To display or hide reminder balloons without establishing a setting, in Windows Explorer, on the Tools menu, click Folder Options, and then click the Offline Files tab. This setting corresponds to the "Enable reminders" check box. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2168,28 +2198,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2206,7 +2242,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether files read from file shares over a slow network are transparently cached in the Offline Files cache for future reads. When a user tries to access a file that has been transparently cached, Windows reads from the cached copy after verifying its integrity. This improves end-user response times and decreases bandwidth consumption over WAN links. +This policy setting controls whether files read from file shares over a slow network are transparently cached in the Offline Files cache for future reads. When a user tries to access a file that has been transparently cached, Windows reads from the cached copy after verifying its integrity. This improves end-user response times and decreases bandwidth consumption over WAN links. The cached files are temporary and are not available to the user when offline. The cached files are not kept in sync with the version on the server, and the most current version from the server is always available for subsequent reads. @@ -2217,12 +2253,7 @@ If you enable this policy setting, transparent caching is enabled and configurab If you disable or do not configure this policy setting, remote files will be not be transparently cached on client computers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2241,28 +2272,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2279,7 +2316,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting makes subfolders available offline whenever their parent folder is made available offline. +This policy setting makes subfolders available offline whenever their parent folder is made available offline. This setting automatically extends the "make available offline" setting to all new and existing subfolders of a folder. Users do not have the option of excluding subfolders. @@ -2288,12 +2325,7 @@ If you enable this setting, when you make a folder available offline, all folder If you disable this setting or do not configure it, the system asks users whether they want subfolders to be made available offline when they make a parent folder available offline. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2312,28 +2344,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2350,7 +2388,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting deletes local copies of the user's offline files when the user logs off. +This policy setting deletes local copies of the user's offline files when the user logs off. This setting specifies that automatically and manually cached offline files are retained only while the user is logged on to the computer. When the user logs off, the system deletes all local copies of offline files. @@ -2360,12 +2398,7 @@ If you disable this setting or do not configure it, automatically and manually c > Files are not synchronized before they are deleted. Any changes to local files since the last synchronization are lost. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2384,28 +2417,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2422,19 +2461,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn on economical application of administratively assigned Offline Files. +This policy setting allows you to turn on economical application of administratively assigned Offline Files. If you enable or do not configure this policy setting, only new files and folders in administratively assigned folders are synchronized at logon. Files and folders that are already available offline are skipped and are synchronized later. If you disable this policy setting, all administratively assigned folders are synchronized at logon. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2453,28 +2487,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2491,7 +2531,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines how often reminder balloon updates appear. +This policy setting determines how often reminder balloon updates appear. If you enable this setting, you can select how often reminder balloons updates appear and also prevent users from changing this setting. @@ -2503,12 +2543,7 @@ This setting appears in the Computer Configuration and User Configuration folder > To set reminder balloon frequency without establishing a setting, in Windows Explorer, on the Tools menu, click Folder Options, and then click the Offline Files tab. This setting corresponds to the "Display reminder balloons every ... minutes" option. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2527,28 +2562,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2565,7 +2606,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines how often reminder balloon updates appear. +This policy setting determines how often reminder balloon updates appear. If you enable this setting, you can select how often reminder balloons updates appear and also prevent users from changing this setting. @@ -2577,12 +2618,7 @@ This setting appears in the Computer Configuration and User Configuration folder > To set reminder balloon frequency without establishing a setting, in Windows Explorer, on the Tools menu, click Folder Options, and then click the Offline Files tab. This setting corresponds to the "Display reminder balloons every ... minutes" option. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2601,28 +2637,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2639,19 +2681,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines how long the first reminder balloon for a network status change is displayed. +This policy setting determines how long the first reminder balloon for a network status change is displayed. Reminder balloons appear when the user's connection to a network file is lost or reconnected, and they are updated periodically. By default, the first reminder for an event is displayed for 30 seconds. Then, updates appear every 60 minutes and are displayed for 15 seconds. You can use this setting to change the duration of the first reminder. This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2670,28 +2707,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2708,19 +2751,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines how long the first reminder balloon for a network status change is displayed. +This policy setting determines how long the first reminder balloon for a network status change is displayed. Reminder balloons appear when the user's connection to a network file is lost or reconnected, and they are updated periodically. By default, the first reminder for an event is displayed for 30 seconds. Then, updates appear every 60 minutes and are displayed for 15 seconds. You can use this setting to change the duration of the first reminder. This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2739,28 +2777,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2777,19 +2821,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines how long updated reminder balloons are displayed. +This policy setting determines how long updated reminder balloons are displayed. Reminder balloons appear when the user's connection to a network file is lost or reconnected, and they are updated periodically. By default, the first reminder for an event is displayed for 30 seconds. Then, updates appear every 60 minutes and are displayed for 15 seconds. You can use this setting to change the duration of the update reminder. This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2808,28 +2847,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2846,19 +2891,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines how long updated reminder balloons are displayed. +This policy setting determines how long updated reminder balloons are displayed. Reminder balloons appear when the user's connection to a network file is lost or reconnected, and they are updated periodically. By default, the first reminder for an event is displayed for 30 seconds. Then, updates appear every 60 minutes and are displayed for 15 seconds. You can use this setting to change the duration of the update reminder. This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2877,28 +2917,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2915,7 +2961,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the network latency and throughput thresholds that will cause a client computers to transition files and folders that are already available offline to the slow-link mode so that the user's access to this data is not degraded due to network slowness. When Offline Files is operating in the slow-link mode, all network file requests are satisfied from the Offline Files cache. This is similar to a user working offline. +This policy setting controls the network latency and throughput thresholds that will cause a client computers to transition files and folders that are already available offline to the slow-link mode so that the user's access to this data is not degraded due to network slowness. When Offline Files is operating in the slow-link mode, all network file requests are satisfied from the Offline Files cache. This is similar to a user working offline. If you enable this policy setting, Offline Files uses the slow-link mode if the network throughput between the client and the server is below (slower than) the Throughput threshold parameter, or if the round-trip network latency is above (slower than) the Latency threshold parameter. @@ -2932,12 +2978,7 @@ In Windows 8 or Windows Server 2012, set the Latency threshold to 1ms to keep us If you disable this policy setting, computers will not use the slow-link mode. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2956,28 +2997,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2994,7 +3041,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the threshold value at which Offline Files considers a network connection to be "slow". Any network speed below this value is considered to be slow. +This policy setting configures the threshold value at which Offline Files considers a network connection to be "slow". Any network speed below this value is considered to be slow. When a connection is considered slow, Offline Files automatically adjust its behavior to avoid excessive synchronization traffic and will not automatically reconnect to a server when the presence of a server is detected. @@ -3006,12 +3053,6 @@ If this setting is disabled or not configured, the default threshold value of 64 > Use the following formula when entering the slow link value: [ bps / 100]. For example, if you want to set a threshold value of 128,000 bps, enter a value of 1280. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -3030,28 +3071,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -3068,7 +3115,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether offline files are fully synchronized when users log off. +This policy setting determines whether offline files are fully synchronized when users log off. This setting also disables the "Synchronize all offline files before logging off" option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it. @@ -3084,12 +3131,7 @@ This setting appears in the Computer Configuration and User Configuration folder > To change the synchronization method without changing a setting, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then select the "Synchronize all offline files before logging off" option. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3108,28 +3150,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -3146,7 +3194,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether offline files are fully synchronized when users log off. +This policy setting determines whether offline files are fully synchronized when users log off. This setting also disables the "Synchronize all offline files before logging off" option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it. @@ -3162,12 +3210,7 @@ This setting appears in the Computer Configuration and User Configuration folder > To change the synchronization method without changing a setting, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then select the "Synchronize all offline files before logging off" option. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3186,28 +3229,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -3224,7 +3273,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether offline files are fully synchronized when users log on. +This policy setting determines whether offline files are fully synchronized when users log on. This setting also disables the "Synchronize all offline files before logging on" option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it. @@ -3240,12 +3289,7 @@ This setting appears in the Computer Configuration and User Configuration folder > To change the synchronization method without setting a setting, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then select the "Synchronize all offline files before logging on" option. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3266,28 +3310,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -3304,7 +3354,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether offline files are fully synchronized when users log on. +This policy setting determines whether offline files are fully synchronized when users log on. This setting also disables the "Synchronize all offline files before logging on" option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it. @@ -3320,12 +3370,7 @@ This setting appears in the Computer Configuration and User Configuration folder > To change the synchronization method without setting a setting, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then select the "Synchronize all offline files before logging on" option. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3344,28 +3389,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -3382,7 +3433,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether offline files are synchronized before a computer is suspended. +This policy setting determines whether offline files are synchronized before a computer is suspended. If you enable this setting, offline files are synchronized whenever the computer is suspended. Setting the synchronization action to "Quick" ensures only that all files in the cache are complete. Setting the synchronization action to "Full" ensures that all cached files and folders are up-to-date with the most current version. @@ -3392,12 +3443,7 @@ If you disable or do not configuring this setting, files are not synchronized wh > If the computer is suspended by closing the display on a portable computer, files are not synchronized. If multiple users are logged on to the computer at the time the computer is suspended, a synchronization is not performed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3416,28 +3462,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -3454,7 +3506,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether offline files are synchronized before a computer is suspended. +This policy setting determines whether offline files are synchronized before a computer is suspended. If you enable this setting, offline files are synchronized whenever the computer is suspended. Setting the synchronization action to "Quick" ensures only that all files in the cache are complete. Setting the synchronization action to "Full" ensures that all cached files and folders are up-to-date with the most current version. @@ -3464,12 +3516,7 @@ If you disable or do not configuring this setting, files are not synchronized wh > If the computer is suspended by closing the display on a portable computer, files are not synchronized. If multiple users are logged on to the computer at the time the computer is suspended, a synchronization is not performed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3488,28 +3535,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -3526,19 +3579,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether offline files are synchronized in the background when it could result in extra charges on cell phone or broadband plans. +This policy setting determines whether offline files are synchronized in the background when it could result in extra charges on cell phone or broadband plans. If you enable this setting, synchronization can occur in the background when the user's network is roaming, near, or over the plan's data limit. This may result in extra charges on cell phone or broadband plans. If this setting is disabled or not configured, synchronization will not run in the background on network folders when the user's network is roaming, near, or over the plan's data limit. The network folder must also be in "slow-link" mode, as specified by the "Configure slow-link mode" policy to avoid network usage. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3557,28 +3605,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -3595,19 +3649,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting removes the "Work offline" command from Explorer, preventing users from manually changing whether Offline Files is in online mode or offline mode. +This policy setting removes the "Work offline" command from Explorer, preventing users from manually changing whether Offline Files is in online mode or offline mode. If you enable this policy setting, the "Work offline" command is not displayed in File Explorer. If you disable or do not configure this policy setting, the "Work offline" command is displayed in File Explorer. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3626,28 +3675,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -3664,19 +3719,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting removes the "Work offline" command from Explorer, preventing users from manually changing whether Offline Files is in online mode or offline mode. +This policy setting removes the "Work offline" command from Explorer, preventing users from manually changing whether Offline Files is in online mode or offline mode. If you enable this policy setting, the "Work offline" command is not displayed in File Explorer. If you disable or do not configure this policy setting, the "Work offline" command is displayed in File Explorer. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3689,8 +3739,7 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-pca.md b/windows/client-management/mdm/policy-csp-admx-pca.md new file mode 100644 index 0000000000..1ec34c4edd --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-pca.md @@ -0,0 +1,539 @@ +--- +title: Policy CSP - ADMX_pca +description: Policy CSP - ADMX_pca +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nimishasatapathy +ms.date: 09/20/2021 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_pca + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + +
      + + +## ADMX_pca policies + +
      +
      + ADMX_pca/DetectDeprecatedCOMComponentFailuresPolicy +
      +
      + ADMX_pca/DetectDeprecatedComponentFailuresPolicy +
      +
      + ADMX_pca/DetectInstallFailuresPolicy +
      +
      + ADMX_pca/DetectUndetectedInstallersPolicy +
      +
      + ADMX_pca/DetectUpdateFailuresPolicy +
      +
      + ADMX_pca/DisablePcaUIPolicy +
      +
      + ADMX_pca/DetectBlockedDriversPolicy +
      +
      + + +
      + + +**ADMX_pca/DetectDeprecatedCOMComponentFailuresPolicy** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      EditionWindows 10Windows 11
      HomeNoNo
      ProNoNo
      BusinessNoNo
      EnterpriseYesYes
      EducationYesYes
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +This policy setting configures the Program Compatibility Assistant (PCA) to diagnose failures with application and driver compatibility. + +- If you enable this policy setting, the PCA is configured to detect failures during application installation, failures during application runtime, and drivers blocked due to compatibility issues. When failures are detected, the PCA will provide options to run the application in a compatibility mode or get help online through a Microsoft website. +- If you disable this policy setting, the PCA does not detect compatibility issues for applications and drivers. + +If you do not configure this policy setting, the PCA is configured to detect failures during application installation, failures during application runtime, and drivers blocked due to compatibility issues. + +> [!NOTE] +> This policy setting has no effect if the "Turn off Program Compatibility Assistant" policy setting is enabled. + +The Diagnostic Policy Service (DPS) and Program Compatibility Assistant Service must be running for the PCA to run. These services can be configured by using the Services snap-in to the Microsoft Management Console. + + + + + +ADMX Info: +- GP Friendly name: *Detect compatibility issues for applications and drivers* +- GP name: *DetectDeprecatedCOMComponentFailuresPolicy* +- GP path: *System\Troubleshooting and Diagnostics\Application Compatibility Diagnostics* +- GP ADMX file name: *pca.admx* + + + +
      + +**ADMX_pca/DetectDeprecatedComponentFailuresPolicy** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      EditionWindows 10Windows 11
      HomeNoNo
      ProNoNo
      BusinessNoNo
      EnterpriseYesYes
      EducationYesYes
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +This setting exists only for backward compatibility, and is not valid for this version of Windows. + +To configure the Program Compatibility Assistant, use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Administrative +Templates\Windows Components\Application Compatibility. + + + + + +ADMX Info: +- GP Friendly name: *Detect application install failures* +- GP name: *DetectDeprecatedComponentFailuresPolicy* +- GP path: *System\Troubleshooting and Diagnostics\Application Compatibility Diagnostics* +- GP ADMX file name: *pca.admx* + + + + +
      + +**ADMX_pca/DetectInstallFailuresPolicy** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      EditionWindows 10Windows 11
      HomeNoNo
      ProNoNo
      BusinessNoNo
      EnterpriseYesYes
      EducationYesYes
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + + +This setting exists only for backward compatibility, and is not valid for this version of Windows. To configure the Program Compatibility Assistant, use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Administrative Templates\Windows Components\Application Compatibility. + + + + +ADMX Info: +- GP Friendly name: *Detect applications unable to launch installers under UAC* +- GP name: *DetectInstallFailuresPolicy* +- GP path: *System\Troubleshooting and Diagnostics\Application Compatibility Diagnostics* +- GP ADMX file name: *pca.admx* + + + +
      + +**ADMX_pca/DetectUndetectedInstallersPolicy** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      EditionWindows 10Windows 11
      HomeNoNo
      ProNoNo
      BusinessNoNo
      EnterpriseYesYes
      EducationYesYes
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + + +This setting exists only for backward compatibility, and is not valid for this version of Windows. To configure the Program Compatibility Assistant, use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Administrative Templates\Windows Components\Application Compatibility. + + + + + +ADMX Info: +- GP Friendly name: *Detect application failures caused by deprecated Windows DLLs* +- GP name: *DetectUndetectedInstallersPolicy* +- GP path: *System\Troubleshooting and Diagnostics\Application Compatibility Diagnostics* +- GP ADMX file name: *pca.admx* + + + +
      + +**ADMX_pca/DetectUpdateFailuresPolicy** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      EditionWindows 10Windows 11
      HomeNoNo
      ProNoNo
      BusinessNoNo
      EnterpriseYesYes
      EducationYesYes
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + + +This setting exists only for backward compatibility, and is not valid for this version of Windows. +To configure the Program Compatibility Assistant, use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Administrative Templates\Windows Components\Application Compatibility. + + + + + +ADMX Info: +- GP Friendly name: *Detect application failures caused by deprecated COM objects* +- GP name: *DetectUpdateFailuresPolicy* +- GP path: *System\Troubleshooting and Diagnostics\Application Compatibility Diagnostics* +- GP ADMX file name: *pca.admx* + + + +
      + +**ADMX_pca/DisablePcaUIPolicy** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      EditionWindows 10Windows 11
      HomeNoNo
      ProNoNo
      BusinessNoNo
      EnterpriseYesYes
      EducationYesYes
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + + +This setting exists only for backward compatibility, and is not valid for this version of Windows. +To configure the Program Compatibility Assistant, use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Administrative Templates\Windows Components\Application Compatibility. + + + + + +ADMX Info: +- GP Friendly name: *Detect application installers that need to be run as administrator* +- GP name: *DisablePcaUIPolicy* +- GP path: *System\Troubleshooting and Diagnostics\Application Compatibility Diagnostics* +- GP ADMX file name: *pca.admx* + + + +
      + +**ADMX_pca/DetectBlockedDriversPolicy** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      EditionWindows 10Windows 11
      HomeNoNo
      ProNoNo
      BusinessNoNo
      EnterpriseYesYes
      EducationYesYes
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + + +This setting exists only for backward compatibility, and is not valid for this version of Windows. +To configure the Program Compatibility Assistant, use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Administrative Templates\Windows Components\Application Compatibility. + + + + + +ADMX Info: +- GP Friendly name: *Notify blocked drivers* +- GP name: *DetectBlockedDriversPolicy* +- GP path: *System\Troubleshooting and Diagnostics\Application Compatibility Diagnostics* +- GP ADMX file name: *pca.admx* + + + + + + + diff --git a/windows/client-management/mdm/policy-csp-admx-peertopeercaching.md b/windows/client-management/mdm/policy-csp-admx-peertopeercaching.md index 790bed78ed..e3e5caf8a1 100644 --- a/windows/client-management/mdm/policy-csp-admx-peertopeercaching.md +++ b/windows/client-management/mdm/policy-csp-admx-peertopeercaching.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_PeerToPeerCaching -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -59,28 +63,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -97,7 +107,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether BranchCache is enabled on client computers to which this policy is applied. In addition to this policy setting, you must specify whether the client computers are hosted cache mode or distributed cache mode clients. To do so, configure one of the following the policy settings: +This policy setting specifies whether BranchCache is enabled on client computers to which this policy is applied. In addition to this policy setting, you must specify whether the client computers are hosted cache mode or distributed cache mode clients. To do so, configure one of the following the policy settings: - Set BranchCache Distributed Cache mode - Set BranchCache Hosted Cache mode @@ -115,12 +125,7 @@ Select one of the following: > This policy setting is supported on computers that are running Windows Vista Business, Enterprise, and Ultimate editions with Background Intelligent Transfer Service (BITS) 4.0 installed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -139,28 +144,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -177,7 +188,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether BranchCache distributed cache mode is enabled on client computers to which this policy is applied. In addition to this policy, you must use the policy "Turn on BranchCache" to enable BranchCache on client computers. +This policy setting specifies whether BranchCache distributed cache mode is enabled on client computers to which this policy is applied. In addition to this policy, you must use the policy "Turn on BranchCache" to enable BranchCache on client computers. In distributed cache mode, client computers download content from BranchCache-enabled main office content servers, cache the content locally, and serve the content to other BranchCache distributed cache mode clients in the branch office. @@ -193,12 +204,7 @@ Select one of the following: > This policy setting is supported on computers that are running Windows Vista Business, Enterprise, and Ultimate editions with Background Intelligent Transfer Service (BITS) 4.0 installed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -217,28 +223,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -255,7 +267,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether BranchCache hosted cache mode is enabled on client computers to which this policy is applied. In addition to this policy, you must use the policy "Turn on BranchCache" to enable BranchCache on client computers. +This policy setting specifies whether BranchCache hosted cache mode is enabled on client computers to which this policy is applied. In addition to this policy, you must use the policy "Turn on BranchCache" to enable BranchCache on client computers. When a client computer is configured as a hosted cache mode client, it is able to download cached content from a hosted cache server that is located at the branch office. In addition, when the hosted cache client obtains content from a content server, the client can upload the content to the hosted cache server for access by other hosted cache clients at the branch office. @@ -277,12 +289,7 @@ Hosted cache clients must trust the server certificate that is issued to the hos > This policy setting is supported on computers that are running Windows Vista Business, Enterprise, and Ultimate editions with Background Intelligent Transfer Service (BITS) 4.0 installed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -301,28 +308,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -339,7 +352,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether client computers should attempt the automatic configuration of hosted cache mode by searching for hosted cache servers publishing service connection points that are associated with the client's current Active Directory site. If you enable this policy setting, client computers to which the policy setting is applied search for hosted cache servers using Active Directory, and will prefer both these servers and hosted cache mode rather than manual BranchCache configuration or BranchCache configuration by other group policies. +This policy setting specifies whether client computers should attempt the automatic configuration of hosted cache mode by searching for hosted cache servers publishing service connection points that are associated with the client's current Active Directory site. If you enable this policy setting, client computers to which the policy setting is applied search for hosted cache servers using Active Directory, and will prefer both these servers and hosted cache mode rather than manual BranchCache configuration or BranchCache configuration by other group policies. If you enable this policy setting in addition to the "Turn on BranchCache" policy setting, BranchCache clients attempt to discover hosted cache servers in the local branch office. If client computers detect hosted cache servers, hosted cache mode is turned on. If they do not detect hosted cache servers, hosted cache mode is not turned on, and the client uses any other configuration that is specified manually or by Group Policy. @@ -364,12 +377,7 @@ Select one of the following: - Disabled. With this selection, this policy is not applied to client computers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -388,28 +396,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -426,7 +440,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether client computers are configured to use hosted cache mode and provides the computer name of the hosted cache servers that are available to the client computers. Hosted cache mode enables client computers in branch offices to retrieve content from one or more hosted cache servers that are installed in the same office location. You can use this setting to automatically configure client computers that are configured for hosted cache mode with the computer names of the hosted cache servers in the branch office. +This policy setting specifies whether client computers are configured to use hosted cache mode and provides the computer name of the hosted cache servers that are available to the client computers. Hosted cache mode enables client computers in branch offices to retrieve content from one or more hosted cache servers that are installed in the same office location. You can use this setting to automatically configure client computers that are configured for hosted cache mode with the computer names of the hosted cache servers in the branch office. If you enable this policy setting and specify valid computer names of hosted cache servers, hosted cache mode is enabled for all client computers to which the policy setting is applied. For this policy setting to take effect, you must also enable the "Turn on BranchCache" policy setting. @@ -447,12 +461,7 @@ In circumstances where this setting is enabled, you can also select and configur - Hosted cache servers. To add hosted cache server computer names to this policy setting, click Enabled, and then click Show. The Show Contents dialog box opens. Click Value, and then type the computer names of the hosted cache servers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -471,28 +480,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -509,7 +524,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting is used only when you have deployed one or more BranchCache-enabled file servers at your main office. This policy setting specifies when client computers in branch offices start caching content from file servers based on the network latency - or delay - that occurs when the clients download content from the main office over a Wide Area Network (WAN) link. When you configure a value for this setting, which is the maximum round trip network latency allowed before caching begins, clients do not cache content until the network latency reaches the specified value; when network latency is greater than the value, clients begin caching content after they receive it from the file servers. +This policy setting is used only when you have deployed one or more BranchCache-enabled file servers at your main office. This policy setting specifies when client computers in branch offices start caching content from file servers based on the network latency - or delay - that occurs when the clients download content from the main office over a Wide Area Network (WAN) link. When you configure a value for this setting, which is the maximum round trip network latency allowed before caching begins, clients do not cache content until the network latency reaches the specified value; when network latency is greater than the value, clients begin caching content after they receive it from the file servers. Policy configuration @@ -524,12 +539,7 @@ In circumstances where this policy setting is enabled, you can also select and c - Type the maximum round trip network latency (milliseconds) after which caching begins. Specifies the amount of time, in milliseconds, after which BranchCache client computers begin to cache content locally. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -548,28 +558,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -586,7 +602,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the default percentage of total disk space that is allocated for the BranchCache disk cache on client computers. +This policy setting specifies the default percentage of total disk space that is allocated for the BranchCache disk cache on client computers. If you enable this policy setting, you can configure the percentage of total disk space to allocate for the cache. @@ -608,12 +624,7 @@ In circumstances where this setting is enabled, you can also select and configur > This policy setting is supported on computers that are running Windows Vista Business, Enterprise, and Ultimate editions with Background Intelligent Transfer Service (BITS) 4.0 installed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -632,28 +643,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -670,7 +687,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the default age in days for which segments are valid in the BranchCache data cache on client computers. +This policy setting specifies the default age in days for which segments are valid in the BranchCache data cache on client computers. If you enable this policy setting, you can configure the age for segments in the data cache. @@ -689,12 +706,7 @@ In circumstances where this setting is enabled, you can also select and configur - Specify the age in days for which segments in the data cache are valid. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -713,28 +725,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -751,7 +769,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether BranchCache-capable client computers operate in a downgraded mode in order to maintain compatibility with previous versions of BranchCache. If client computers do not use the same BranchCache version, cache efficiency might be reduced because client computers that are using different versions of BranchCache might store cache data in incompatible formats. +This policy setting specifies whether BranchCache-capable client computers operate in a downgraded mode in order to maintain compatibility with previous versions of BranchCache. If client computers do not use the same BranchCache version, cache efficiency might be reduced because client computers that are using different versions of BranchCache might store cache data in incompatible formats. If you enable this policy setting, all clients use the version of BranchCache that you specify in "Select from the following versions." @@ -773,12 +791,7 @@ Select from the following versions - Windows 8. If you select this version, Windows 8 will run the version of BranchCache that is included in the operating system. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -791,7 +804,6 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-pentraining.md b/windows/client-management/mdm/policy-csp-admx-pentraining.md new file mode 100644 index 0000000000..83f6c2e71a --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-pentraining.md @@ -0,0 +1,181 @@ +--- +title: Policy CSP - ADMX_PenTraining +description: Policy CSP - ADMX_PenTraining +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 12/22/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_PenTraining + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + +
      + + +## ADMX_PenTraining policies + +
      +
      + ADMX_PenTraining/PenTrainingOff_1 +
      +
      + ADMX_PenTraining/PenTrainingOff_2 +
      +
      + +
      + + +**ADMX_PenTraining/PenTrainingOff_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      EditionWindows 10Windows 11
      HomeNoNo
      ProNoNo
      BusinessNoNo
      EnterpriseYesYes
      EducationYesYes
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + +Turns off Tablet PC Pen Training. + +- If you enable this policy setting, users cannot open Tablet PC Pen Training. + +- If you disable or do not configure this policy setting, users can open Tablet PC Pen Training. + + + + + +ADMX Info: +- GP Friendly name: *Turn off Tablet PC Pen Training* +- GP name: *PenTrainingOff_1* +- GP path: *Windows Components\Tablet PC\Tablet PC Pen Training* +- GP ADMX file name: *PenTraining.admx* + + + +
      + + +**ADMX_PenTraining/PenTrainingOff_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      EditionWindows 10Windows 11
      HomeNoNo
      ProNoNo
      BusinessNoNo
      EnterpriseYesYes
      EducationYesYes
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + +Turns off Tablet PC Pen Training. + +- If you enable this policy setting, users cannot open Tablet PC Pen Training. + +- If you disable or do not configure this policy setting, users can open Tablet PC Pen Training. + + + + + +ADMX Info: +- GP Friendly name: *Turn off Tablet PC Pen Training* +- GP name: *PenTrainingOff_2* +- GP path: *Windows Components\Tablet PC\Tablet PC Pen Training* +- GP ADMX file name: *PenTraining.admx* + + + +
      + + + diff --git a/windows/client-management/mdm/policy-csp-admx-performancediagnostics.md b/windows/client-management/mdm/policy-csp-admx-performancediagnostics.md index cd77c701e3..c0586ccf19 100644 --- a/windows/client-management/mdm/policy-csp-admx-performancediagnostics.md +++ b/windows/client-management/mdm/policy-csp-admx-performancediagnostics.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_PerformanceDiagnostics -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -45,28 +49,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -83,7 +93,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting determines the execution level for Windows Boot Performance Diagnostics. +This policy setting determines the execution level for Windows Boot Performance Diagnostics. If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy Service (DPS) will detect Windows Boot Performance problems and attempt to determine their root causes. These root causes will be logged to the event log when detected, but no corrective action will be taken. If you select detection, troubleshooting and resolution, the DPS will detect Windows Boot Performance problems and indicate to the user that assisted resolution is available. @@ -98,12 +108,7 @@ No system restart or service restart is required for this policy to take effect: This policy setting will only take effect when the Diagnostic Policy Service is in the running state. When the service is stopped or disabled, diagnostic scenarios will not be executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -122,28 +127,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -160,7 +171,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Determines the execution level for Windows Standby/Resume Performance Diagnostics. +Determines the execution level for Windows Standby/Resume Performance Diagnostics. If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy Service (DPS) will detect Windows Standby/Resume Performance problems and attempt to determine their root causes. These root causes will be logged to the event log when detected, but no corrective action will be taken. If you select detection, troubleshooting and resolution, the DPS will detect Windows Standby/Resume Performance problems and indicate to the user that assisted resolution is available. @@ -175,12 +186,7 @@ No system restart or service restart is required for this policy to take effect: This policy setting will only take effect when the Diagnostic Policy Service is in the running state. When the service is stopped or disabled, diagnostic scenarios will not be executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -199,28 +205,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -237,7 +249,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines the execution level for Windows Shutdown Performance Diagnostics. +This policy setting determines the execution level for Windows Shutdown Performance Diagnostics. If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy Service (DPS) will detect Windows Shutdown Performance problems and attempt to determine their root causes. These root causes will be logged to the event log when detected, but no corrective action will be taken. If you select detection, troubleshooting and resolution, the DPS will detect Windows Shutdown Performance problems and indicate to the user that assisted resolution is available. @@ -252,12 +264,7 @@ No system restart or service restart is required for this policy to take effect: This policy setting will only take effect when the Diagnostic Policy Service is in the running state. When the service is stopped or disabled, diagnostic scenarios will not be executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -276,28 +283,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -314,7 +327,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Determines the execution level for Windows Standby/Resume Performance Diagnostics. +Determines the execution level for Windows Standby/Resume Performance Diagnostics. If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy Service (DPS) will detect Windows Standby/Resume Performance problems and attempt to determine their root causes. These root causes will be logged to the event log when detected, but no corrective action will be taken. If you select detection, troubleshooting and resolution, the DPS will detect Windows Standby/Resume Performance problems and indicate to the user that assisted resolution is available. @@ -329,12 +342,7 @@ No system restart or service restart is required for this policy to take effect: This policy setting will only take effect when the Diagnostic Policy Service is in the running state. When the service is stopped or disabled, diagnostic scenarios will not be executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -347,8 +355,7 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-power.md b/windows/client-management/mdm/policy-csp-admx-power.md index 17087dd1d9..46c9adf221 100644 --- a/windows/client-management/mdm/policy-csp-admx-power.md +++ b/windows/client-management/mdm/policy-csp-admx-power.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_Power -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -108,28 +112,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -146,7 +156,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control the network connectivity state in standby on modern standby-capable systems. +This policy setting allows you to control the network connectivity state in standby on modern standby-capable systems. If you enable this policy setting, network connectivity will be maintained in standby. @@ -155,12 +165,7 @@ If you disable this policy setting, network connectivity in standby is not guara If you do not configure this policy setting, users control this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -179,28 +184,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -217,19 +228,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn on the ability for applications and services to prevent the system from sleeping. +This policy setting allows you to turn on the ability for applications and services to prevent the system from sleeping. If you enable this policy setting, an application or service may prevent the system from sleeping (Hybrid Sleep, Stand By, or Hibernate). If you disable or do not configure this policy setting, users control this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -248,28 +254,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -286,7 +298,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the action that Windows takes when a user presses the Start menu Power button. +This policy setting specifies the action that Windows takes when a user presses the Start menu Power button. If you enable this policy setting, select one of the following actions: @@ -297,12 +309,7 @@ If you enable this policy setting, select one of the following actions: If you disable this policy or do not configure this policy setting, users control this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -321,28 +328,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -359,19 +372,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows applications and services to prevent automatic sleep. +This policy setting allows applications and services to prevent automatic sleep. If you enable this policy setting, any application, service, or device driver prevents Windows from automatically transitioning to sleep after a period of user inactivity. If you disable or do not configure this policy setting, applications, services, or drivers do not prevent Windows from automatically transitioning to sleep. Only user input is used to determine if Windows should automatically sleep. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -390,28 +398,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -428,19 +442,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows applications and services to prevent automatic sleep. +This policy setting allows applications and services to prevent automatic sleep. If you enable this policy setting, any application, service, or device driver prevents Windows from automatically transitioning to sleep after a period of user inactivity. If you disable or do not configure this policy setting, applications, services, or drivers do not prevent Windows from automatically transitioning to sleep. Only user input is used to determine if Windows should automatically sleep. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -459,28 +468,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -497,19 +512,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage automatic sleep with open network files. +This policy setting allows you to manage automatic sleep with open network files. If you enable this policy setting, the computer automatically sleeps when network files are open. If you disable or do not configure this policy setting, the computer does not automatically sleep when network files are open. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -528,28 +538,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -566,19 +582,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage automatic sleep with open network files. +This policy setting allows you to manage automatic sleep with open network files. If you enable this policy setting, the computer automatically sleeps when network files are open. If you disable or do not configure this policy setting, the computer does not automatically sleep when network files are open. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -597,28 +608,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -635,19 +652,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the active power plan from a specified power plan’s GUID. The GUID for a custom power plan GUID can be retrieved by using powercfg, the power configuration command line tool. +This policy setting specifies the active power plan from a specified power plan’s GUID. The GUID for a custom power plan GUID can be retrieved by using powercfg, the power configuration command line tool. If you enable this policy setting, you must specify a power plan, specified as a GUID using the following format: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX (For example, 103eea6e-9fcd-4544-a713-c282d8e50083), indicating the power plan to be active. If you disable or do not configure this policy setting, users can see and change this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -666,28 +678,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -704,7 +722,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the action that Windows takes when battery capacity reaches the critical battery notification level. +This policy setting specifies the action that Windows takes when battery capacity reaches the critical battery notification level. If you enable this policy setting, select one of the following actions: @@ -716,12 +734,7 @@ If you enable this policy setting, select one of the following actions: If you disable or do not configure this policy setting, users control this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -740,28 +753,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -778,7 +797,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the action that Windows takes when battery capacity reaches the low battery notification level. +This policy setting specifies the action that Windows takes when battery capacity reaches the low battery notification level. If you enable this policy setting, select one of the following actions: @@ -790,12 +809,7 @@ If you enable this policy setting, select one of the following actions: If you disable or do not configure this policy setting, users control this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -814,28 +828,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -852,7 +872,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the percentage of battery capacity remaining that triggers the critical battery notification action. +This policy setting specifies the percentage of battery capacity remaining that triggers the critical battery notification action. If you enable this policy setting, you must enter a numeric value (percentage) to set the battery level that triggers the critical notification. @@ -861,12 +881,7 @@ To set the action that is triggered, see the "Critical Battery Notification Acti If you disable this policy setting or do not configure it, users control this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -885,28 +900,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -923,7 +944,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting turns off the user notification when the battery capacity remaining equals the low battery notification level. +This policy setting turns off the user notification when the battery capacity remaining equals the low battery notification level. If you enable this policy setting, Windows shows a notification when the battery capacity remaining equals the low battery notification level. @@ -934,12 +955,7 @@ The notification will only be shown if the "Low Battery Notification Action" pol If you disable or do not configure this policy setting, users can control this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -958,28 +974,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -996,7 +1018,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the percentage of battery capacity remaining that triggers the low battery notification action. +This policy setting specifies the percentage of battery capacity remaining that triggers the low battery notification action. If you enable this policy setting, you must enter a numeric value (percentage) to set the battery level that triggers the low notification. @@ -1005,12 +1027,7 @@ To set the action that is triggered, see the "Low Battery Notification Action" p If you disable this policy setting or do not configure it, users control this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1029,28 +1046,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1067,7 +1090,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control the network connectivity state in standby on modern standby-capable systems. +This policy setting allows you to control the network connectivity state in standby on modern standby-capable systems. If you enable this policy setting, network connectivity will be maintained in standby. @@ -1076,12 +1099,7 @@ If you disable this policy setting, network connectivity in standby is not guara If you do not configure this policy setting, users control this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1100,28 +1118,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1138,19 +1162,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn on the ability for applications and services to prevent the system from sleeping. +This policy setting allows you to turn on the ability for applications and services to prevent the system from sleeping. If you enable this policy setting, an application or service may prevent the system from sleeping (Hybrid Sleep, Stand By, or Hibernate). If you disable or do not configure this policy setting, users control this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1169,28 +1188,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1207,7 +1232,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the action that Windows takes when a user presses the Start menu Power button. +This policy setting specifies the action that Windows takes when a user presses the Start menu Power button. If you enable this policy setting, select one of the following actions: @@ -1218,12 +1243,7 @@ If you enable this policy setting, select one of the following actions: If you disable this policy or do not configure this policy setting, users control this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1242,28 +1262,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1280,19 +1306,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the period of inactivity before Windows turns off the hard disk. +This policy setting specifies the period of inactivity before Windows turns off the hard disk. If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the hard disk. If you disable or do not configure this policy setting, users can see and change this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1311,28 +1332,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1349,19 +1376,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the period of inactivity before Windows turns off the hard disk. +This policy setting specifies the period of inactivity before Windows turns off the hard disk. If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the hard disk. If you disable or do not configure this policy setting, users can see and change this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1380,28 +1402,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1418,7 +1446,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure whether power is automatically turned off when Windows shutdown completes. +This policy setting allows you to configure whether power is automatically turned off when Windows shutdown completes. This setting does not affect Windows shutdown behavior when shutdown is manually selected using the Start menu or Task Manager user interfaces. @@ -1431,12 +1459,7 @@ If you enable this policy setting, the computer system safely shuts down and rem If you disable or do not configure this policy setting, the computer system safely shuts down to a fully powered-off state. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1455,28 +1478,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1493,7 +1522,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify if Windows should enable the desktop background slideshow. +This policy setting allows you to specify if Windows should enable the desktop background slideshow. If you enable this policy setting, desktop background slideshow is enabled. @@ -1502,12 +1531,7 @@ If you disable this policy setting, the desktop background slideshow is disabled If you disable or do not configure this policy setting, users control this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1526,28 +1550,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1564,7 +1594,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify if Windows should enable the desktop background slideshow. +This policy setting allows you to specify if Windows should enable the desktop background slideshow. If you enable this policy setting, desktop background slideshow is enabled. @@ -1573,12 +1603,7 @@ If you disable this policy setting, the desktop background slideshow is disabled If you disable or do not configure this policy setting, users control this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1597,28 +1622,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1635,19 +1666,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the active power plan from a list of default Windows power plans. To specify a custom power plan, use the Custom Active Power Plan setting. +This policy setting specifies the active power plan from a list of default Windows power plans. To specify a custom power plan, use the Custom Active Power Plan setting. If you enable this policy setting, specify a power plan from the Active Power Plan list. If you disable or do not configure this policy setting, users control this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1666,28 +1692,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1704,19 +1736,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure client computers to lock and prompt for a password when resuming from a hibernate or suspend state. +This policy setting allows you to configure client computers to lock and prompt for a password when resuming from a hibernate or suspend state. If you enable this policy setting, the client computer is locked and prompted for a password when it is resumed from a suspend or hibernate state. If you disable or do not configure this policy setting, users control if their computer is automatically locked or not after performing a resume operation. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1735,28 +1762,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1773,19 +1806,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off Power Throttling. +This policy setting allows you to turn off Power Throttling. If you enable this policy setting, Power Throttling will be turned off. If you disable or do not configure this policy setting, users control this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1804,28 +1832,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1842,19 +1876,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the percentage of battery capacity remaining that triggers the reserve power mode. +This policy setting specifies the percentage of battery capacity remaining that triggers the reserve power mode. If you enable this policy setting, you must enter a numeric value (percentage) to set the battery level that triggers the reserve power notification. If you disable or do not configure this policy setting, users can see and change this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1867,7 +1896,6 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md b/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md index dff726a8e8..d2d7e0d5b4 100644 --- a/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md +++ b/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_PowerShellExecutionPolicy -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -45,28 +49,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -84,7 +94,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn on logging for Windows PowerShell modules. +This policy setting allows you to turn on logging for Windows PowerShell modules. If you enable this policy setting, pipeline execution events for members of the specified modules are recorded in the Windows PowerShell log in Event Viewer. Enabling this policy setting for a module is equivalent to setting the LogPipelineExecutionDetails property of the module to True. @@ -96,12 +106,7 @@ To add modules and snap-ins to the policy setting list, click Show, and then typ > This policy setting exists under both Computer Configuration and User Configuration in the Group Policy Editor. The Computer Configuration policy setting takes precedence over the User Configuration policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -120,28 +125,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -159,7 +170,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting lets you configure the script execution policy, controlling which scripts are allowed to run. +This policy setting lets you configure the script execution policy, controlling which scripts are allowed to run. If you enable this policy setting, the scripts selected in the drop-down list are allowed to run. The "Allow only signed scripts" policy setting allows scripts to execute only if they are signed by a trusted publisher. @@ -171,12 +182,7 @@ If you disable this policy setting, no scripts are allowed to run. > This policy setting exists under both "Computer Configuration" and "User Configuration" in the Local Group Policy Editor. The "Computer Configuration" has precedence over "User Configuration." If you disable or do not configure this policy setting, it reverts to a per-machine preference setting; the default if that is not configured is "No scripts allowed." -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -195,28 +201,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -234,7 +246,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting lets you capture the input and output of Windows PowerShell commands into text-based transcripts. +This policy setting lets you capture the input and output of Windows PowerShell commands into text-based transcripts. If you enable this policy setting, Windows PowerShell will enable transcripting for Windows PowerShell, the Windows PowerShell ISE, and any other applications that leverage the Windows PowerShell engine. By default, Windows PowerShell will record transcript output to each users' My Documents directory, with a file name that includes 'PowerShell_transcript', along with the computer name and time started. Enabling this policy is equivalent to calling the Start-Transcript cmdlet on each Windows PowerShell session. @@ -246,12 +258,7 @@ If you use the OutputDirectory setting to enable transcript logging to a shared > This policy setting exists under both Computer Configuration and User Configuration in the Group Policy Editor. The Computer Configuration policy setting takes precedence over the User Configuration policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -270,28 +277,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -309,7 +322,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to set the default value of the SourcePath parameter on the Update-Help cmdlet. +This policy setting allows you to set the default value of the SourcePath parameter on the Update-Help cmdlet. If you enable this policy setting, the Update-Help cmdlet will use the specified value as the default value for the SourcePath parameter. This default value can be overridden by specifying a different value with the SourcePath parameter on the Update-Help cmdlet. @@ -319,12 +332,7 @@ If this policy setting is disabled or not configured, this policy setting does n > This policy setting exists under both Computer Configuration and User Configuration in the Group Policy Editor. The Computer Configuration policy setting takes precedence over the User Configuration policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -337,7 +345,6 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-previousversions.md b/windows/client-management/mdm/policy-csp-admx-previousversions.md new file mode 100644 index 0000000000..64a89c8ccf --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-previousversions.md @@ -0,0 +1,646 @@ +--- +title: Policy CSP - ADMX_PreviousVersions +description: Policy CSP - ADMX_PreviousVersions +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 12/01/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_PreviousVersions + +
      + + +## ADMX_PreviousVersions policies + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + +
      +
      + ADMX_PreviousVersions/DisableLocalPage_1 +
      +
      + ADMX_PreviousVersions/DisableLocalPage_2 +
      +
      + ADMX_PreviousVersions/DisableRemotePage_1 +
      +
      + ADMX_PreviousVersions/DisableRemotePage_2 +
      +
      + ADMX_PreviousVersions/HideBackupEntries_1 +
      +
      + ADMX_PreviousVersions/HideBackupEntries_2 +
      +
      + ADMX_PreviousVersions/DisableLocalRestore_1 +
      +
      + ADMX_PreviousVersions/DisableLocalRestore_2 +
      +
      + + +
      + + +**ADMX_PreviousVersions/DisableLocalPage_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      EditionWindows 10Windows 11
      HomeNoNo
      ProNoNo
      BusinessNoNo
      EnterpriseYesYes
      EducationYesYes
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + +This policy setting lets you suppress the Restore button in the previous versions property page when the user has selected a previous version of a local file. + +- If you enable this policy setting, the Restore button is disabled when the user selects a previous version corresponding to a local file. + +- If you disable this policy setting, the Restore button remains active for a previous version corresponding to a local file. + +- If the user clicks the Restore button, Windows attempts to restore the file from the local disk. + +- If you do not configure this policy setting, it is disabled by default. The Restore button is active when the previous version is of a local file. + + + + + +ADMX Info: +- GP Friendly name: *Prevent restoring local previous versions* +- GP name: *DisableLocalPage_1* +- GP path: *Windows Components\File Explorer\Previous Versions* +- GP ADMX file name: *PreviousVersions.admx* + + + +
      + + +**ADMX_PreviousVersions/DisableLocalPage_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      EditionWindows 10Windows 11
      HomeNoNo
      ProNoNo
      BusinessNoNo
      EnterpriseYesYes
      EducationYesYes
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + +This policy setting lets you suppress the Restore button in the previous versions property page when the user has selected a previous version of a local file. + +- If you enable this policy setting, the Restore button is disabled when the user selects a previous version corresponding to a local file. + +- If you disable this policy setting, the Restore button remains active for a previous version corresponding to a local file. + +- If the user clicks the Restore button, Windows attempts to restore the file from the local disk. + +- If you do not configure this policy setting, it is disabled by default. The Restore button is active when the previous version is of a local file. + + + + + +ADMX Info: +- GP Friendly name: *Prevent restoring local previous versions* +- GP name: *DisableLocalPage_2* +- GP path: *Windows Components\File Explorer\Previous Versions* +- GP ADMX file name: *PreviousVersions.admx* + + + +
      + + +**ADMX_PreviousVersions/DisableRemotePage_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      EditionWindows 10Windows 11
      HomeNoNo
      ProNoNo
      BusinessNoNo
      EnterpriseYesYes
      EducationYesYes
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + +This setting lets you suppress the Restore button in the previous versions property page when the user has selected a previous version of a file on a file share. + +- If you enable this policy setting, the Restore button is disabled when the user selects a previous version corresponding to a file on a file share. + +- If you disable this policy setting, the Restore button remains active for a previous version corresponding to a file on a file share. + +- If the user clicks the Restore button, Windows attempts to restore the file from the file share. + +- If you do not configure this policy setting, it is disabled by default. The Restore button is active when the previous version is of a file on a file share. + + + + + +ADMX Info: +- GP Friendly name: *Prevent restoring remote previous versions* +- GP name: *DisableRemotePage_1* +- GP path: *Windows Components\File Explorer\Previous Versions* +- GP ADMX file name: *PreviousVersions.admx* + + + +
      + + +**ADMX_PreviousVersions/DisableRemotePage_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      EditionWindows 10Windows 11
      HomeNoNo
      ProNoNo
      BusinessNoNo
      EnterpriseYesYes
      EducationYesYes
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + +This setting lets you suppress the Restore button in the previous versions property page when the user has selected a previous version of a file on a file share. + +- If you enable this policy setting, the Restore button is disabled when the user selects a previous version corresponding to a file on a file share. + +- If you disable this policy setting, the Restore button remains active for a previous version corresponding to a file on a file share. + +- If the user clicks the Restore button, Windows attempts to restore the file from the file share. + +- If you do not configure this policy setting, it is disabled by default. The Restore button is active when the previous version is of a file on a file share. + + + + + +ADMX Info: +- GP Friendly name: *Prevent restoring remote previous versions* +- GP name: *DisableRemotePage_1* +- GP path: *Windows Components\File Explorer\Previous Versions* +- GP ADMX file name: *PreviousVersions.admx* + + + + +
      + + +**ADMX_PreviousVersions/HideBackupEntries_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      EditionWindows 10Windows 11
      HomeNoNo
      ProNoNo
      BusinessNoNo
      EnterpriseYesYes
      EducationYesYes
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + +This policy setting lets you hide entries in the list of previous versions of a file in which the previous version is located on backup media. Previous versions can come from the on-disk restore points or the backup media. + +- If you enable this policy setting, users cannot see any previous versions corresponding to backup copies, and can see only previous versions corresponding to on-disk restore points. + +- If you disable this policy setting, users can see previous versions corresponding to backup copies as well as previous versions corresponding to on-disk restore points. + +If you do not configure this policy setting, it is disabled by default. + + + + + +ADMX Info: +- GP Friendly name: *Hide previous versions of files on backup location* +- GP name: *HideBackupEntries_1* +- GP path: *Windows Components\File Explorer\Previous Versions* +- GP ADMX file name: *PreviousVersions.admx* + + + +
      + + +**ADMX_PreviousVersions/HideBackupEntries_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      EditionWindows 10Windows 11
      HomeNoNo
      ProNoNo
      BusinessNoNo
      EnterpriseYesYes
      EducationYesYes
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + +This policy setting lets you hide entries in the list of previous versions of a file in which the previous version is located on backup media. Previous versions can come from the on-disk restore points or the backup media. + +- If you enable this policy setting, users cannot see any previous versions corresponding to backup copies, and can see only previous versions corresponding to on-disk restore points. + +- If you disable this policy setting, users can see previous versions corresponding to backup copies as well as previous versions corresponding to on-disk restore points. + +If you do not configure this policy setting, it is disabled by default. + + + + + +ADMX Info: +- GP Friendly name: *Hide previous versions of files on backup location* +- GP name: *HideBackupEntries_2* +- GP path: *Windows Components\File Explorer\Previous Versions* +- GP ADMX file name: *PreviousVersions.admx* + + + +
      + + +**ADMX_PreviousVersions/DisableLocalRestore_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      EditionWindows 10Windows 11
      HomeNoNo
      ProNoNo
      BusinessNoNo
      EnterpriseYesYes
      EducationYesYes
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + +This setting lets you suppress the Restore button in the previous versions property page when the user has selected a previous version of a file on a file share. + +- If you enable this policy setting, the Restore button is disabled when the user selects a previous version corresponding to a file on a file share. + +- If you disable this policy setting, the Restore button remains active for a previous version corresponding to a file on a file share. + +- If the user clicks the Restore button, Windows attempts to restore the file from the file share. + +- If you do not configure this policy setting, it is disabled by default. The Restore button is active when the previous version is of a file on a file share. + + + + + +ADMX Info: +- GP Friendly name: *Prevent restoring remote previous versions* +- GP name: *DisableLocalRestore_1* +- GP path: *Windows Components\File Explorer\Previous Versions* +- GP ADMX file name: *PreviousVersions.admx* + + + + +
      + +**ADMX_PreviousVersions/DisableLocalRestore_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      EditionWindows 10Windows 11
      HomeNoNo
      ProNoNo
      BusinessNoNo
      EnterpriseYesYes
      EducationYesYes
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + +This setting lets you suppress the Restore button in the previous versions property page when the user has selected a previous version of a file on a file share. + +- If you enable this policy setting, the Restore button is disabled when the user selects a previous version corresponding to a file on a file share. + +- If you disable this policy setting, the Restore button remains active for a previous version corresponding to a file on a file share. + +- If the user clicks the Restore button, Windows attempts to restore the file from the file share. + +- If you do not configure this policy setting, it is disabled by default. The Restore button is active when the previous version is of a file on a file share. + + + + +ADMX Info: +- GP Friendly name: *Prevent restoring remote previous versions* +- GP name: *DisableLocalRestore_2* +- GP path: *Windows Components\File Explorer\Previous Versions* +- GP ADMX file name: *PreviousVersions.admx* + + + + + diff --git a/windows/client-management/mdm/policy-csp-admx-printing.md b/windows/client-management/mdm/policy-csp-admx-printing.md index 2376b4480e..fe3a0db756 100644 --- a/windows/client-management/mdm/policy-csp-admx-printing.md +++ b/windows/client-management/mdm/policy-csp-admx-printing.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_Printing -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -112,28 +116,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -150,7 +160,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. Internet printing lets you display printers on Web pages so that printers can be viewed, managed, and used across the Internet or an intranet. +Internet printing lets you display printers on Web pages so that printers can be viewed, managed, and used across the Internet or an intranet. If you enable this policy setting, Internet printing is activated on this server. @@ -164,12 +174,7 @@ Internet printing is an extension of Internet Information Services (IIS). To use Also, see the "Custom support URL in the Printers folder's left pane" setting in this folder and the "Browse a common Web site to find printers" setting in User Configuration\Administrative Templates\Control Panel\Printers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -188,28 +193,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -226,7 +237,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Determines if print driver components are isolated from applications instead of normally loading them into applications. Isolating print drivers greatly reduces the risk of a print driver failure causing an application crash. +Determines if print driver components are isolated from applications instead of normally loading them into applications. Isolating print drivers greatly reduces the risk of a print driver failure causing an application crash. Not all applications support driver isolation. By default, Microsoft Excel 2007, Excel 2010, Word 2007, Word 2010 and certain other applications are configured to support it. Other applications may also be capable of isolating print drivers, depending on whether they are configured for it. @@ -240,12 +251,7 @@ If you disable this policy setting, then print drivers will be loaded within all > - This policy setting is only checked once during the lifetime of a process. After changing the policy, a running application must be relaunched before settings take effect. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -264,28 +270,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -302,7 +314,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. By default, the Printers folder includes a link to the Microsoft Support Web page called "Get help with printing". It can also include a link to a Web page supplied by the vendor of the currently selected printer. +By default, the Printers folder includes a link to the Microsoft Support Web page called "Get help with printing". It can also include a link to a Web page supplied by the vendor of the currently selected printer. If you enable this policy setting, you replace the "Get help with printing" default link with a link to a Web page customized for your enterprise. @@ -316,12 +328,7 @@ Also, see the "Activate Internet printing" setting in this setting folder and th Web view is affected by the "Turn on Classic Shell" and "Do not allow Folder Options to be opened from the Options button on the View tab of the ribbon" settings in User Configuration\Administrative Templates\Windows Components\Windows Explorer, and by the "Enable Active Desktop" setting in User Configuration\Administrative Templates\Desktop\Active Desktop. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -340,28 +347,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -378,7 +391,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage where client computers search for Point and Printer drivers. +This policy setting allows you to manage where client computers search for Point and Printer drivers. If you enable this policy setting, the client computer will continue to search for compatible Point and Print drivers from Windows Update after it fails to find the compatible driver from the local driver store and the server driver cache. @@ -386,15 +399,9 @@ If you disable this policy setting, the client computer will only search the loc This policy setting is not configured by default, and the behavior depends on the version of Windows that you are using. -By default, Windows Ultimate, Professional and Home SKUs will continue to search for compatible Point and Print drivers from Windows Update, if needed. However, you must explicitly enable this policy setting for other versions of Windows (for example Windows Enterprise, and all versions of Windows Server 2008 R2 and later) to have the same behavior. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -413,28 +420,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -451,7 +464,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. If you enable this policy setting, it sets the maximum number of printers (of each type) that the Add Printer wizard will display on a computer on a managed network (when the computer is able to reach a domain controller, e.g. a domain-joined laptop on a corporate network.) +If you enable this policy setting, it sets the maximum number of printers (of each type) that the Add Printer wizard will display on a computer on a managed network (when the computer is able to reach a domain controller, e.g. a domain-joined laptop on a corporate network.) If this policy setting is disabled, the network scan page will not be displayed. @@ -472,12 +485,7 @@ In Windows 10 and later, only TCP/IP printers can be shown in the wizard. If you In Windows 8 and later, Bluetooth printers are not shown so its limit does not apply to those versions of Windows. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -496,28 +504,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -534,7 +548,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Allows users to use the Add Printer Wizard to search the network for shared printers. +Allows users to use the Add Printer Wizard to search the network for shared printers. If you enable this setting or do not configure it, when users choose to add a network printer by selecting the "A network printer, or a printer attached to another computer" radio button on Add Printer Wizard's page 2, and also check the "Connect to this printer (or to browse for a printer, select this option and click Next)" radio button on Add Printer Wizard's page 3, and do not specify a printer name in the adjacent "Name" edit box, then Add Printer Wizard displays the list of shared printers on the network and invites to choose a printer from the shown list. @@ -544,12 +558,7 @@ If you disable this setting, the network printer browse page is removed from wit > This setting affects the Add Printer Wizard only. It does not prevent users from using other programs to search for shared printers or to connect to network printers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -568,28 +577,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -606,7 +621,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. When printing through a print server, determines whether the print spooler on the client will process print jobs itself, or pass them on to the server to do the work. +When printing through a print server, determines whether the print spooler on the client will process print jobs itself, or pass them on to the server to do the work. This policy setting only effects printing to a Windows print server. @@ -624,12 +639,7 @@ If you do not enable this policy setting, the behavior is the same as disabling > In cases where the client print driver does not match the server print driver (mismatched connection), the client will always process the print job, regardless of the setting of this policy. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -648,28 +658,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -686,17 +702,12 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Determines whether the XPS Rasterization Service or the XPS-to-GDI conversion (XGC) is forced to use a software rasterizer instead of a Graphics Processing Unit (GPU) to rasterize pages. +Determines whether the XPS Rasterization Service or the XPS-to-GDI conversion (XGC) is forced to use a software rasterizer instead of a Graphics Processing Unit (GPU) to rasterize pages. This setting may improve the performance of the XPS Rasterization Service or the XPS-to-GDI conversion (XGC) on machines that have a relatively powerful CPU as compared to the machine’s GPU. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -715,28 +726,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -753,7 +770,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Adds a link to an Internet or intranet Web page to the Add Printer Wizard. +Adds a link to an Internet or intranet Web page to the Add Printer Wizard. You can use this setting to direct users to a Web page from which they can install printers. @@ -764,12 +781,7 @@ This setting makes it easy for users to find the printers you want them to add. Also, see the "Custom support URL in the Printers folder's left pane" and "Activate Internet printing" settings in "Computer Configuration\Administrative Templates\Printers." -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -788,28 +800,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -826,24 +844,18 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Determines whether printers using kernel-mode drivers may be installed on the local computer. Kernel-mode drivers have access to system-wide memory, and therefore poorly-written kernel-mode drivers can cause stop errors. +Determines whether printers using kernel-mode drivers may be installed on the local computer. Kernel-mode drivers have access to system-wide memory, and therefore poorly-written kernel-mode drivers can cause stop errors. -If you disable this setting, or do not configure it, then printers using a kernel-mode drivers may be installed on the local computer running Windows XP Home Edition and Windows XP Professional. If you do not configure this setting on Windows Server 2003 family products, the installation of kernel-mode printer drivers will be blocked. If you enable this setting, installation of a printer using a kernel-mode driver will not be allowed. > [!NOTE] -> By applying this policy, existing kernel-mode drivers will be disabled upon installation of service packs or reinstallation of the Windows XP operating system. This policy does not apply to 64-bit kernel-mode printer drivers as they cannot be installed and associated with a print queue. +> This policy does not apply to 64-bit kernel-mode printer drivers as they cannot be installed and associated with a print queue. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -862,28 +874,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -900,7 +918,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This preference allows you to change default printer management. +This preference allows you to change default printer management. If you enable this setting, Windows will not manage the default printer. @@ -909,12 +927,7 @@ If you disable this setting, Windows will manage the default printer. If you do not configure this setting, default printer management will not change. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -933,28 +946,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -971,19 +990,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Microsoft XPS Document Writer (MXDW) generates OpenXPS (*.oxps) files by default in Windows 10, Windows 10 and Windows Server 2019. +Microsoft XPS Document Writer (MXDW) generates OpenXPS (*.oxps) files by default in Windows 10, Windows 10 and Windows Server 2019. If you enable this group policy setting, the default MXDW output format is the legacy Microsoft XPS (*.xps). If you disable or do not configure this policy setting, the default MXDW output format is OpenXPS (*.oxps). -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1002,28 +1016,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1040,7 +1060,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. If this policy setting is enabled, it prevents users from deleting local and network printers. +If this policy setting is enabled, it prevents users from deleting local and network printers. If a user tries to delete a printer, such as by using the Delete option in Printers in Control Panel, a message appears explaining that a setting prevents the action. @@ -1049,12 +1069,7 @@ This setting does not prevent users from running other programs to delete a prin If this policy is disabled, or not configured, users can delete printers using the methods described above. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1073,28 +1088,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1111,7 +1132,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy sets the maximum number of printers (of each type) that the Add Printer wizard will display on a computer on an unmanaged network (when the computer is not able to reach a domain controller, e.g. a domain-joined laptop on a home network.) +This policy sets the maximum number of printers (of each type) that the Add Printer wizard will display on a computer on an unmanaged network (when the computer is not able to reach a domain controller, e.g. a domain-joined laptop on a home network.) If this setting is disabled, the network scan page will not be displayed. @@ -1129,12 +1150,7 @@ In Windows 10 and later, only TCP/IP printers can be shown in the wizard. If you In Windows 8 and later, Bluetooth printers are not shown so its limit does not apply to those versions of Windows. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1153,28 +1169,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1191,19 +1213,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy restricts clients computers to use package point and print only. +This policy restricts clients computers to use package point and print only. If this setting is enabled, users will only be able to point and print to printers that use package-aware drivers. When using package point and print, client computers will check the driver signature of all drivers that are downloaded from print servers. If this setting is disabled, or not configured, users will not be restricted to package-aware point and print only. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1222,28 +1239,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1260,19 +1283,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy restricts clients computers to use package point and print only. +This policy restricts clients computers to use package point and print only. If this setting is enabled, users will only be able to point and print to printers that use package-aware drivers. When using package point and print, client computers will check the driver signature of all drivers that are downloaded from print servers. If this setting is disabled, or not configured, users will not be restricted to package-aware point and print only. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1291,28 +1309,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1329,7 +1353,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Restricts package point and print to approved servers. +Restricts package point and print to approved servers. This policy setting restricts package point and print connections to approved servers. This setting only applies to Package Point and Print connections, and is completely independent from the "Point and Print Restrictions" policy that governs the behavior of non-package point and print connections. @@ -1340,12 +1364,7 @@ If this setting is enabled, users will only be able to package point and print t If this setting is disabled, or not configured, package point and print will not be restricted to specific print servers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1364,28 +1383,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1402,7 +1427,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Restricts package point and print to approved servers. +Restricts package point and print to approved servers. This policy setting restricts package point and print connections to approved servers. This setting only applies to Package Point and Print connections, and is completely independent from the "Point and Print Restrictions" policy that governs the behavior of non-package point and print connections. @@ -1413,12 +1438,7 @@ If this setting is enabled, users will only be able to package point and print t If this setting is disabled, or not configured, package point and print will not be restricted to specific print servers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1437,28 +1457,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1475,7 +1501,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. If this policy setting is enabled, it specifies the default location criteria used when searching for printers. +If this policy setting is enabled, it specifies the default location criteria used when searching for printers. This setting is a component of the Location Tracking feature of Windows printers. To use this setting, enable Location Tracking by enabling the "Pre-populate printer search location text" setting. @@ -1486,12 +1512,7 @@ Type the location of the user's computer. When users search for printers, the sy If you disable this setting or do not configure it, and the user does not type a location as a search criterion, the system searches for a nearby printer based on the IP address and subnet mask of the user's computer. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1510,28 +1531,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1548,7 +1575,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Enables the physical Location Tracking setting for Windows printers. +Enables the physical Location Tracking setting for Windows printers. Use Location Tracking to design a location scheme for your enterprise and assign computers and printers to locations in the scheme. Location Tracking overrides the standard method used to locate and associate computers and printers. The standard method uses a printer's IP address and subnet mask to estimate its physical location and proximity to computers. @@ -1557,12 +1584,7 @@ If you enable this setting, users can browse for printers by location without kn If you disable this setting or do not configure it, Location Tracking is disabled. Printer proximity is estimated using the standard method (that is, based on IP address and subnet mask). -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1581,28 +1603,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1619,7 +1647,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether the print spooler will execute print drivers in an isolated or separate process. When print drivers are loaded in an isolated process (or isolated processes), a print driver failure will not cause the print spooler service to fail. +This policy setting determines whether the print spooler will execute print drivers in an isolated or separate process. When print drivers are loaded in an isolated process (or isolated processes), a print driver failure will not cause the print spooler service to fail. If you enable or do not configure this policy setting, the print spooler will execute print drivers in an isolated process by default. @@ -1631,12 +1659,7 @@ If you disable this policy setting, the print spooler will execute print drivers > - This policy setting takes effect without restarting the print spooler service. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1655,28 +1678,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1693,7 +1722,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether the print spooler will override the Driver Isolation compatibility reported by the print driver. This enables executing print drivers in an isolated process, even if the driver does not report compatibility. +This policy setting determines whether the print spooler will override the Driver Isolation compatibility reported by the print driver. This enables executing print drivers in an isolated process, even if the driver does not report compatibility. If you enable this policy setting, the print spooler isolates all print drivers that do not explicitly opt out of Driver Isolation. @@ -1705,12 +1734,7 @@ If you disable or do not configure this policy setting, the print spooler uses t > - This policy setting takes effect without restarting the print spooler service. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1729,28 +1753,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1767,7 +1797,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Specifies the Active Directory location where searches for printers begin. +Specifies the Active Directory location where searches for printers begin. The Add Printer Wizard gives users the option of searching Active Directory for a shared printer. @@ -1776,12 +1806,7 @@ If you enable this policy setting, these searches begin at the location you spec This setting only provides a starting point for Active Directory searches for printers. It does not restrict user searches through Active Directory. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1800,28 +1825,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1838,7 +1869,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Announces the presence of shared printers to print browse main servers for the domain. +Announces the presence of shared printers to print browse main servers for the domain. On domains with Active Directory, shared printer resources are available in Active Directory and are not announced. @@ -1852,12 +1883,7 @@ If you do not configure this setting, shared printers are announced to browse ma > A client license is used each time a client computer announces a printer to a print browse master on the domain. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1876,28 +1902,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1914,7 +1946,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy controls whether the print job name will be included in print event logs. +This policy controls whether the print job name will be included in print event logs. If you disable or do not configure this policy setting, the print job name will not be included. @@ -1924,12 +1956,7 @@ If you enable this policy setting, the print job name will be included in new lo > This setting does not apply to Branch Office Direct Printing jobs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1948,28 +1975,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1986,7 +2019,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy determines if v4 printer drivers are allowed to run printer extensions. +This policy determines if v4 printer drivers are allowed to run printer extensions. V4 printer drivers may include an optional, customized user interface known as a printer extension. These extensions may provide access to more device features, but this may not be appropriate for all enterprises. @@ -1995,12 +2028,7 @@ If you enable this policy setting, then all printer extensions will not be allow If you disable this policy setting or do not configure it, then all printer extensions that have been installed will be allowed to run. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2013,7 +2041,6 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-printing2.md b/windows/client-management/mdm/policy-csp-admx-printing2.md index 55aeef679a..be91226a5a 100644 --- a/windows/client-management/mdm/policy-csp-admx-printing2.md +++ b/windows/client-management/mdm/policy-csp-admx-printing2.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_Printing2 -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -60,28 +64,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -98,7 +108,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. Determines whether the Add Printer Wizard automatically publishes the computer's shared printers in Active Directory. +Determines whether the Add Printer Wizard automatically publishes the computer's shared printers in Active Directory. If you enable this setting or do not configure it, the Add Printer Wizard automatically publishes all shared printers. @@ -110,12 +120,7 @@ The default behavior is to automatically publish shared printers in Active Direc > This setting is ignored if the "Allow printers to be published" setting is disabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -134,28 +139,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -172,7 +183,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Determines whether the domain controller can prune (delete from Active Directory) the printers published by this computer. +Determines whether the domain controller can prune (delete from Active Directory) the printers published by this computer. By default, the pruning service on the domain controller prunes printer objects from Active Directory if the computer that published them does not respond to contact requests. When the computer that published the printers restarts, it republishes any deleted printer objects. @@ -184,12 +195,7 @@ If you disable this setting, the domain controller does not prune this computer' > You can use the "Directory Pruning Interval" and "Directory Pruning Retry" settings to adjust the contact interval and number of contact attempts. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -208,28 +214,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -246,7 +258,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Determines whether the pruning service on a domain controller prunes printer objects that are not automatically republished whenever the host computer does not respond,just as it does with Windows 2000 printers. This setting applies to printers running operating systems other than Windows 2000 and to Windows 2000 printers published outside their forest. +Determines whether the pruning service on a domain controller prunes printer objects that are not automatically republished whenever the host computer does not respond,just as it does with Windows 2000 printers. This setting applies to printers running operating systems other than Windows 2000 and to Windows 2000 printers published outside their forest. The Windows pruning service prunes printer objects from Active Directory when the computer that published them does not respond to contact requests. Computers running Windows 2000 Professional detect and republish deleted printer objects when they rejoin the network. However, because non-Windows 2000 computers and computers in other domains cannot republish printers in Active Directory automatically, by default, the system never prunes their printer objects. @@ -265,12 +277,7 @@ You can enable this setting to change the default behavior. To use this setting, > If you disable automatic pruning, remember to delete printer objects manually whenever you remove a printer or print server. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -289,28 +296,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -327,7 +340,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Specifies how often the pruning service on a domain controller contacts computers to verify that their printers are operational. +Specifies how often the pruning service on a domain controller contacts computers to verify that their printers are operational. The pruning service periodically contacts computers that have published printers. If a computer does not respond to the contact message (optionally, after repeated attempts), the pruning service "prunes" (deletes from Active Directory) printer objects the computer has published. @@ -341,12 +354,7 @@ If you do not configure or disable this setting the default values will be used. > This setting is used only on domain controllers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -365,28 +373,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -403,7 +417,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Sets the priority of the pruning thread. +Sets the priority of the pruning thread. The pruning thread, which runs only on domain controllers, deletes printer objects from Active Directory if the printer that published the object does not respond to contact attempts. This process keeps printer information in Active Directory current. @@ -415,12 +429,7 @@ By default, the pruning thread runs at normal priority. However, you can adjust > This setting is used only on domain controllers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -439,28 +448,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -477,7 +492,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Specifies how many times the pruning service on a domain controller repeats its attempt to contact a computer before pruning the computer's printers. +Specifies how many times the pruning service on a domain controller repeats its attempt to contact a computer before pruning the computer's printers. The pruning service periodically contacts computers that have published printers to verify that the printers are still available for use. If a computer does not respond to the contact message, the message is repeated for the specified number of times. If the computer still fails to respond, then the pruning service "prunes" (deletes from Active Directory) printer objects the computer has published. @@ -491,12 +506,7 @@ If you do not configure or disable this setting, the default values are used. > This setting is used only on domain controllers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -515,28 +525,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -553,7 +569,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Specifies whether or not to log events when the pruning service on a domain controller attempts to contact a computer before pruning the computer's printers. +Specifies whether or not to log events when the pruning service on a domain controller attempts to contact a computer before pruning the computer's printers. The pruning service periodically contacts computers that have published printers to verify that the printers are still available for use. If a computer does not respond to the contact attempt, the attempt is retried a specified number of times, at a specified interval. The "Directory pruning retry" setting determines the number of times the attempt is retried; the default value is two retries. The "Directory Pruning Interval" setting determines the time interval between retries; the default value is every eight hours. If the computer has not responded by the last contact attempt, its printers are pruned from the directory. @@ -567,12 +583,7 @@ Note: This setting does not affect the logging of pruning events; the actual pru > This setting is used only on domain controllers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -591,28 +602,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -629,7 +646,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy controls whether the print spooler will accept client connections. +This policy controls whether the print spooler will accept client connections. When the policy is not configured or enabled, the spooler will always accept client connections. @@ -638,12 +655,7 @@ When the policy is disabled, the spooler will not accept client connections nor The spooler must be restarted for changes to this policy to take effect. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -662,28 +674,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -700,7 +718,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Directs the system to periodically verify that the printers published by this computer still appear in Active Directory. This setting also specifies how often the system repeats the verification. +Directs the system to periodically verify that the printers published by this computer still appear in Active Directory. This setting also specifies how often the system repeats the verification. By default, the system only verifies published printers at startup. This setting allows for periodic verification while the computer is operating. @@ -709,12 +727,7 @@ To enable this additional verification, enable this setting, and then select a v To disable verification, disable this setting, or enable this setting and select "Never" for the verification interval. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -727,6 +740,5 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-programs.md b/windows/client-management/mdm/policy-csp-admx-programs.md index 269ccd44c0..d6dcf488e4 100644 --- a/windows/client-management/mdm/policy-csp-admx-programs.md +++ b/windows/client-management/mdm/policy-csp-admx-programs.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_Programs -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -54,28 +58,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -92,7 +102,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This setting removes the Set Program Access and Defaults page from the Programs Control Panel. As a result, users cannot view or change the associated page. +This setting removes the Set Program Access and Defaults page from the Programs Control Panel. As a result, users cannot view or change the associated page. The Set Program Access and Computer Defaults page allows administrators to specify default programs for certain activities, such as Web browsing or sending e-mail, as well as specify the programs that are accessible from the Start menu, desktop, and other locations. @@ -103,12 +113,7 @@ This setting does not prevent users from using other tools and methods to change This setting does not prevent the Default Programs icon from appearing on the Start menu. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -127,28 +132,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -165,7 +176,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents users from viewing or installing published programs from the network. +Prevents users from viewing or installing published programs from the network. This setting prevents users from accessing the "Get Programs" page from the Programs Control Panel in Category View, Programs and Features in Classic View and the "Install a program from the network" task. The "Get Programs" page lists published programs and provides an easy way to install them. @@ -179,12 +190,7 @@ If this setting is disabled or is not configured, the "Install a program from th > If the "Hide Programs Control Panel" setting is enabled, this setting is ignored. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -203,28 +209,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -241,7 +253,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This setting prevents users from accessing "Installed Updates" page from the "View installed updates" task. +This setting prevents users from accessing "Installed Updates" page from the "View installed updates" task. "Installed Updates" allows users to view and uninstall updates currently installed on the computer. The updates are often downloaded directly from Windows Update or from various program publishers. @@ -250,12 +262,7 @@ If this setting is disabled or not configured, the "View installed updates" task This setting does not prevent users from using other tools and methods to install or uninstall programs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -274,28 +281,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -312,19 +325,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This setting prevents users from accessing "Programs and Features" to view, uninstall, change, or repair programs that are currently installed on the computer. +This setting prevents users from accessing "Programs and Features" to view, uninstall, change, or repair programs that are currently installed on the computer. If this setting is disabled or not configured, "Programs and Features" will be available to all users. This setting does not prevent users from using other tools and methods to view or uninstall programs. It also does not prevent users from linking to related Programs Control Panel Features including Windows Features, Get Programs, or Windows Marketplace. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -343,28 +351,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -381,7 +395,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This setting prevents users from using the Programs Control Panel in Category View and Programs and Features in Classic View. +This setting prevents users from using the Programs Control Panel in Category View and Programs and Features in Classic View. The Programs Control Panel allows users to uninstall, change, and repair programs, enable and disable Windows Features, set program defaults, view installed updates, and purchase software from Windows Marketplace. Programs published or assigned to the user by the system administrator also appear in the Programs Control Panel. @@ -392,12 +406,7 @@ When enabled, this setting takes precedence over the other settings in this fold This setting does not prevent users from using other tools and methods to install or uninstall programs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -416,28 +425,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -454,19 +469,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This setting prevents users from accessing the "Turn Windows features on or off" task from the Programs Control Panel in Category View, Programs and Features in Classic View, and Get Programs. As a result, users cannot view, enable, or disable various Windows features and services. +This setting prevents users from accessing the "Turn Windows features on or off" task from the Programs Control Panel in Category View, Programs and Features in Classic View, and Get Programs. As a result, users cannot view, enable, or disable various Windows features and services. If this setting is disabled or is not configured, the "Turn Windows features on or off" task will be available to all users. This setting does not prevent users from using other tools and methods to configure services or enable or disable program components. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -485,28 +495,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -523,7 +539,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This setting prevents users from access the "Get new programs from Windows Marketplace" task from the Programs Control Panel in Category View, Programs and Features in Classic View, and Get Programs. +This setting prevents users from access the "Get new programs from Windows Marketplace" task from the Programs Control Panel in Category View, Programs and Features in Classic View, and Get Programs. Windows Marketplace allows users to purchase and/or download various programs to their computer for installation. @@ -535,12 +551,7 @@ If this feature is disabled or is not configured, the "Get new programs from Win > If the "Hide Programs control Panel" setting is enabled, this setting is ignored. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -553,8 +564,7 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-pushtoinstall.md b/windows/client-management/mdm/policy-csp-admx-pushtoinstall.md new file mode 100644 index 0000000000..2dd314e5ca --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-pushtoinstall.md @@ -0,0 +1,103 @@ +--- +title: Policy CSP - ADMX_PushToInstall +description: Policy CSP - ADMX_PushToInstall +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 12/01/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_PushToInstall + +
      + + +## ADMX_PushToInstall policies + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + +
      +
      + ADMX_PushToInstall/DisablePushToInstall +
      +
      + + +
      + + +**ADMX_PushToInstall/DisablePushToInstall** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      EditionWindows 10Windows 11
      HomeNoNo
      ProNoNo
      BusinessNoNo
      EnterpriseYesYes
      EducationYesYes
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +If you enable this setting, users will not be able to push Apps to this device from the Microsoft Store running on other devices or the web. + + + + +ADMX Info: +- GP Friendly name: *Turn off Push To Install service* +- GP name: *DisablePushToInstall* +- GP path: *Windows Components\Push To Install* +- GP ADMX file name: *PushToInstall.admx* + + + + + + diff --git a/windows/client-management/mdm/policy-csp-admx-radar.md b/windows/client-management/mdm/policy-csp-admx-radar.md new file mode 100644 index 0000000000..f1161f6d53 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-radar.md @@ -0,0 +1,114 @@ +--- +title: Policy CSP - ADMX_Radar +description: Policy CSP - ADMX_Radar +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 12/08/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_Radar + +
      + + +## ADMX_Radar policies + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + +
      +
      + ADMX_Radar/WdiScenarioExecutionPolicy +
      +
      + + +
      + + +**ADMX_Radar/WdiScenarioExecutionPolicy** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      EditionWindows 10Windows 11
      HomeNoNo
      ProNoNo
      BusinessNoNo
      EnterpriseYesYes
      EducationYesYes
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +This policy determines the execution level for Windows Resource Exhaustion Detection and Resolution. + +- If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy Service (DPS) will detect Windows Resource Exhaustion problems and attempt to determine their root causes. + +These root causes will be logged to the event log when detected, but no corrective action will be taken. If you select detection, troubleshooting and resolution, the DPS will detect Windows Resource Exhaustion problems and indicate to the user that assisted resolution is available. + +- If you disable this policy setting, Windows will not be able to detect, troubleshoot or resolve any Windows Resource Exhaustion problems that are handled by the DPS. + +If you do not configure this policy setting, the DPS will enable Windows Resource Exhaustion for resolution by default. +This policy setting takes effect only if the diagnostics-wide scenario execution policy is not configured. No system restart or service restart is required for this policy to take effect: changes take effect immediately. This policy setting will only take effect when the Diagnostic Policy Service is in the running state. When the service is stopped or disabled, diagnostic scenarios will not be executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console. + + + + +ADMX Info: +- GP Friendly name: *Configure Scenario Execution Level* +- GP name: *WdiScenarioExecutionPolicy* +- GP path: *System\Troubleshooting and Diagnostics\Windows Resource Exhaustion Detection and Resolution* +- GP ADMX file name: *Radar.admx* + +
      + + + + + + diff --git a/windows/client-management/mdm/policy-csp-admx-reliability.md b/windows/client-management/mdm/policy-csp-admx-reliability.md index 917a3bcdc5..d7e4ecc5bc 100644 --- a/windows/client-management/mdm/policy-csp-admx-reliability.md +++ b/windows/client-management/mdm/policy-csp-admx-reliability.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_Reliability -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -45,28 +49,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -83,7 +93,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting allows the system to detect the time of unexpected shutdowns by writing the current time to disk on a schedule controlled by the Timestamp Interval. +This policy setting allows the system to detect the time of unexpected shutdowns by writing the current time to disk on a schedule controlled by the Timestamp Interval. If you enable this policy setting, you are able to specify how often the Persistent System Timestamp is refreshed and subsequently written to the disk. You can specify the Timestamp Interval in seconds. @@ -95,12 +105,7 @@ If you do not configure this policy setting, the Persistent System Timestamp is > This feature might interfere with power configuration settings that turn off hard disks after a period of inactivity. These power settings may be accessed in the Power Options Control Panel. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -121,28 +126,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -159,7 +170,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether or not unplanned shutdown events can be reported when error reporting is enabled. +This policy setting controls whether or not unplanned shutdown events can be reported when error reporting is enabled. If you enable this policy setting, error reporting includes unplanned shutdown events. @@ -170,12 +181,7 @@ If you do not configure this policy setting, users can adjust this setting using Also see the "Configure Error Reporting" policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -196,28 +202,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -234,7 +246,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting defines when the Shutdown Event Tracker System State Data feature is activated. +This policy setting defines when the Shutdown Event Tracker System State Data feature is activated. The system state data file contains information about the basic system state as well as the state of all running processes. @@ -244,16 +256,9 @@ If you disable this policy setting, the System State Data feature is never activ If you do not configure this policy setting, the default behavior for the System State Data feature occurs. -> [!NOTE] -> By default, the System State Data feature is always enabled on Windows Server 2003. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -274,28 +279,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -312,7 +323,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. The Shutdown Event Tracker can be displayed when you shut down a workstation or server. This is an extra set of questions that is displayed when you invoke a shutdown to collect information related to why you are shutting down the computer. +The Shutdown Event Tracker can be displayed when you shut down a workstation or server. This is an extra set of questions that is displayed when you invoke a shutdown to collect information related to why you are shutting down the computer. If you enable this setting and choose "Always" from the drop-down menu list, the Shutdown Event Tracker is displayed when the computer shuts down. @@ -328,12 +339,7 @@ If you do not configure this policy setting, the default behavior for the Shutdo > By default, the Shutdown Event Tracker is only displayed on computers running Windows Server. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -346,8 +352,7 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-remoteassistance.md b/windows/client-management/mdm/policy-csp-admx-remoteassistance.md index 485d680915..a6af07f6c6 100644 --- a/windows/client-management/mdm/policy-csp-admx-remoteassistance.md +++ b/windows/client-management/mdm/policy-csp-admx-remoteassistance.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_RemoteAssistance -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -39,28 +43,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -77,7 +87,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting enables Remote Assistance invitations to be generated with improved encryption so that only computers running this version (or later versions) of the operating system can connect. This policy setting does not affect Remote Assistance connections that are initiated by instant messaging contacts or the unsolicited Offer Remote Assistance. +This policy setting enables Remote Assistance invitations to be generated with improved encryption so that only computers running this version (or later versions) of the operating system can connect. This policy setting does not affect Remote Assistance connections that are initiated by instant messaging contacts or the unsolicited Offer Remote Assistance. If you enable this policy setting, only computers running this version (or later versions) of the operating system can connect to this computer. @@ -86,12 +96,7 @@ If you disable this policy setting, computers running this version and a previou If you do not configure this policy setting, users can configure the setting in System Properties in the Control Panel. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -110,28 +115,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -148,7 +159,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to improve performance in low bandwidth scenarios. +This policy setting allows you to improve performance in low bandwidth scenarios. This setting is incrementally scaled from "No optimization" to "Full optimization". Each incremental setting includes the previous optimization setting. @@ -173,12 +184,7 @@ If you disable this policy setting, application-based settings are used. If you do not configure this policy setting, application-based settings are used. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -190,7 +196,6 @@ ADMX Info:
      -> [!NOTE] -> These policies are for upcoming release. + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-removablestorage.md b/windows/client-management/mdm/policy-csp-admx-removablestorage.md index b839eb3de7..da757e7ffe 100644 --- a/windows/client-management/mdm/policy-csp-admx-removablestorage.md +++ b/windows/client-management/mdm/policy-csp-admx-removablestorage.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_RemovableStorage -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -129,28 +133,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -167,7 +177,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the amount of time (in seconds) that the operating system waits to reboot in order to enforce a change in access rights to removable storage devices. +This policy setting configures the amount of time (in seconds) that the operating system waits to reboot in order to enforce a change in access rights to removable storage devices. If you enable this policy setting, you can set the number of seconds you want the system to wait until a reboot. @@ -177,12 +187,7 @@ If you disable or do not configure this setting, the operating system does not f > If no reboot is forced, the access right does not take effect until the operating system is restarted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -201,28 +206,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -239,7 +250,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the amount of time (in seconds) that the operating system waits to reboot in order to enforce a change in access rights to removable storage devices. +This policy setting configures the amount of time (in seconds) that the operating system waits to reboot in order to enforce a change in access rights to removable storage devices. If you enable this policy setting, you can set the number of seconds you want the system to wait until a reboot. @@ -249,12 +260,7 @@ If you disable or do not configure this setting, the operating system does not f > If no reboot is forced, the access right does not take effect until the operating system is restarted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -273,28 +279,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -311,19 +323,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies execute access to the CD and DVD removable storage class. +This policy setting denies execute access to the CD and DVD removable storage class. If you enable this policy setting, execute access is denied to this removable storage class. If you disable or do not configure this policy setting, execute access is allowed to this removable storage class. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -342,28 +349,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -380,18 +393,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies read access to the CD and DVD removable storage class. +This policy setting denies read access to the CD and DVD removable storage class. If you enable this policy setting, read access is denied to this removable storage class. If you disable or do not configure this policy setting, read access is allowed to this removable storage class. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -410,28 +418,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -448,19 +462,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies read access to the CD and DVD removable storage class. +This policy setting denies read access to the CD and DVD removable storage class. If you enable this policy setting, read access is denied to this removable storage class. If you disable or do not configure this policy setting, read access is allowed to this removable storage class. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -479,28 +488,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -517,19 +532,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies write access to the CD and DVD removable storage class. +This policy setting denies write access to the CD and DVD removable storage class. If you enable this policy setting, write access is denied to this removable storage class. If you disable or do not configure this policy setting, write access is allowed to this removable storage class. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -548,28 +558,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -586,19 +602,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies write access to the CD and DVD removable storage class. +This policy setting denies write access to the CD and DVD removable storage class. If you enable this policy setting, write access is denied to this removable storage class. If you disable or do not configure this policy setting, write access is allowed to this removable storage class. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -617,28 +628,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -655,19 +672,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies read access to custom removable storage classes. +This policy setting denies read access to custom removable storage classes. If you enable this policy setting, read access is denied to these removable storage classes. If you disable or do not configure this policy setting, read access is allowed to these removable storage classes. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -686,28 +698,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -724,19 +742,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies read access to custom removable storage classes. +This policy setting denies read access to custom removable storage classes. If you enable this policy setting, read access is denied to these removable storage classes. If you disable or do not configure this policy setting, read access is allowed to these removable storage classes. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -755,28 +768,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -793,19 +812,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies write access to custom removable storage classes. +This policy setting denies write access to custom removable storage classes. If you enable this policy setting, write access is denied to these removable storage classes. If you disable or do not configure this policy setting, write access is allowed to these removable storage classes. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -823,28 +837,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -861,19 +881,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies write access to custom removable storage classes. +This policy setting denies write access to custom removable storage classes. If you enable this policy setting, write access is denied to these removable storage classes. If you disable or do not configure this policy setting, write access is allowed to these removable storage classes. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -891,28 +906,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -929,19 +950,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies execute access to the Floppy Drives removable storage class, including USB Floppy Drives. +This policy setting denies execute access to the Floppy Drives removable storage class, including USB Floppy Drives. If you enable this policy setting, execute access is denied to this removable storage class. If you disable or do not configure this policy setting, execute access is allowed to this removable storage class. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -959,28 +975,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -997,19 +1019,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies read access to the Floppy Drives removable storage class, including USB Floppy Drives. +This policy setting denies read access to the Floppy Drives removable storage class, including USB Floppy Drives. If you enable this policy setting, read access is denied to this removable storage class. If you disable or do not configure this policy setting, read access is allowed to this removable storage class. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1027,28 +1044,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1065,19 +1088,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies read access to the Floppy Drives removable storage class, including USB Floppy Drives. +This policy setting denies read access to the Floppy Drives removable storage class, including USB Floppy Drives. If you enable this policy setting, read access is denied to this removable storage class. If you disable or do not configure this policy setting, read access is allowed to this removable storage class. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1095,28 +1113,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1133,18 +1157,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies write access to the Floppy Drives removable storage class, including USB Floppy Drives. +This policy setting denies write access to the Floppy Drives removable storage class, including USB Floppy Drives. If you enable this policy setting, write access is denied to this removable storage class. If you disable or do not configure this policy setting, write access is allowed to this removable storage class. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1162,28 +1181,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1200,19 +1225,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies write access to the Floppy Drives removable storage class, including USB Floppy Drives. +This policy setting denies write access to the Floppy Drives removable storage class, including USB Floppy Drives. If you enable this policy setting, write access is denied to this removable storage class. If you disable or do not configure this policy setting, write access is allowed to this removable storage class. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1230,28 +1250,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1268,18 +1294,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies execute access to removable disks. +This policy setting denies execute access to removable disks. If you enable this policy setting, execute access is denied to this removable storage class. If you disable or do not configure this policy setting, execute access is allowed to this removable storage class. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1297,28 +1318,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1335,19 +1362,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies read access to removable disks. +This policy setting denies read access to removable disks. If you enable this policy setting, read access is denied to this removable storage class. If you disable or do not configure this policy setting, read access is allowed to this removable storage class. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1365,28 +1387,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1403,18 +1431,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies read access to removable disks. +This policy setting denies read access to removable disks. If you enable this policy setting, read access is denied to this removable storage class. If you disable or do not configure this policy setting, read access is allowed to this removable storage class. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1432,28 +1455,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1470,7 +1499,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies write access to removable disks. +This policy setting denies write access to removable disks. If you enable this policy setting, write access is denied to this removable storage class. @@ -1480,12 +1509,7 @@ If you disable or do not configure this policy setting, write access is allowed > To require that users write data to BitLocker-protected storage, enable the policy setting "Deny write access to drives not protected by BitLocker," which is located in "Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives." -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1503,28 +1527,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1541,7 +1571,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Configure access to all removable storage classes. +Configure access to all removable storage classes. This policy setting takes precedence over any individual removable storage policy settings. To manage individual classes, use the policy settings available for each class. @@ -1550,12 +1580,7 @@ If you enable this policy setting, no access is allowed to any removable storage If you disable or do not configure this policy setting, write and read accesses are allowed to all removable storage classes. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1573,28 +1598,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1611,7 +1642,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Configure access to all removable storage classes. +Configure access to all removable storage classes. This policy setting takes precedence over any individual removable storage policy settings. To manage individual classes, use the policy settings available for each class. @@ -1620,12 +1651,7 @@ If you enable this policy setting, no access is allowed to any removable storage If you disable or do not configure this policy setting, write and read accesses are allowed to all removable storage classes. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1643,28 +1669,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1681,19 +1713,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting grants normal users direct access to removable storage devices in remote sessions. +This policy setting grants normal users direct access to removable storage devices in remote sessions. If you enable this policy setting, remote users can open direct handles to removable storage devices in remote sessions. If you disable or do not configure this policy setting, remote users cannot open direct handles to removable storage devices in remote sessions. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1711,28 +1738,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1749,19 +1782,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies execute access to the Tape Drive removable storage class. +This policy setting denies execute access to the Tape Drive removable storage class. If you enable this policy setting, execute access is denied to this removable storage class. If you disable or do not configure this policy setting, execute access is allowed to this removable storage class. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1779,28 +1807,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1817,18 +1851,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies read access to the Tape Drive removable storage class. +This policy setting denies read access to the Tape Drive removable storage class. If you enable this policy setting, read access is denied to this removable storage class. If you disable or do not configure this policy setting, read access is allowed to this removable storage class. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1846,28 +1875,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1884,19 +1919,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies read access to the Tape Drive removable storage class. +This policy setting denies read access to the Tape Drive removable storage class. If you enable this policy setting, read access is denied to this removable storage class. If you disable or do not configure this policy setting, read access is allowed to this removable storage class. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1914,28 +1944,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1952,18 +1988,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies write access to the Tape Drive removable storage class. +This policy setting denies write access to the Tape Drive removable storage class. If you enable this policy setting, write access is denied to this removable storage class. If you disable or do not configure this policy setting, write access is allowed to this removable storage class. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1981,28 +2012,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2019,19 +2056,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies write access to the Tape Drive removable storage class. +This policy setting denies write access to the Tape Drive removable storage class. If you enable this policy setting, write access is denied to this removable storage class. If you disable or do not configure this policy setting, write access is allowed to this removable storage class. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2049,28 +2081,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2087,19 +2125,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies read access to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices. +This policy setting denies read access to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices. If you enable this policy setting, read access is denied to this removable storage class. If you disable or do not configure this policy setting, read access is allowed to this removable storage class. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2117,28 +2150,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2155,18 +2194,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies read access to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices. +This policy setting denies read access to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices. If you enable this policy setting, read access is denied to this removable storage class. If you disable or do not configure this policy setting, read access is allowed to this removable storage class. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2184,28 +2218,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2222,19 +2262,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies write access to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices. +This policy setting denies write access to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices. If you enable this policy setting, write access is denied to this removable storage class. If you disable or do not configure this policy setting, write access is allowed to this removable storage class. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2252,28 +2287,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2290,19 +2331,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies write access to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices. +This policy setting denies write access to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices. If you enable this policy setting, write access is denied to this removable storage class. If you disable or do not configure this policy setting, write access is allowed to this removable storage class. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2314,7 +2350,6 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-rpc.md b/windows/client-management/mdm/policy-csp-admx-rpc.md index c999d05318..133c1cce4d 100644 --- a/windows/client-management/mdm/policy-csp-admx-rpc.md +++ b/windows/client-management/mdm/policy-csp-admx-rpc.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_RPC -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +> [!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -45,28 +49,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -83,7 +93,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether the RPC runtime generates extended error information when an error occurs. +This policy setting controls whether the RPC runtime generates extended error information when an error occurs. Extended error information includes the local time that the error occurred, the RPC version, and the name of the computer on which the error occurred, or from which it was propagated. Programs can retrieve the extended error information by using standard Windows application programming interfaces (APIs). @@ -110,12 +120,6 @@ You must select an error response type in the drop-down box. > This policy setting will not be applied until the system is rebooted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -134,28 +138,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -172,7 +182,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether the RPC Runtime ignores delegation failures when delegation is requested. +This policy setting controls whether the RPC Runtime ignores delegation failures when delegation is requested. The constrained delegation model, introduced in Windows Server 2003, does not report that delegation was enabled on a security context when a client connects to a server. Callers of RPC and COM are encouraged to use the RPC_C_QOS_CAPABILITIES_IGNORE_DELEGATE_FAILURE flag, but some applications written for the traditional delegation model prior to Windows Server 2003 may not use this flag and will encounter RPC_S_SEC_PKG_ERROR when connecting to a server that uses constrained delegation. @@ -190,12 +200,7 @@ If you enable this policy setting, then: > This policy setting will not be applied until the system is rebooted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -215,28 +220,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -253,7 +264,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the idle connection timeout for RPC/HTTP connections. +This policy setting controls the idle connection timeout for RPC/HTTP connections. This policy setting is useful in cases where a network agent like an HTTP proxy or a router uses a lower idle connection timeout than the IIS server running the RPC/HTTP proxy. In such cases, RPC/HTTP clients may encounter errors because connections will be timed out faster than expected. Using this policy setting you can force the RPC Runtime and the RPC/HTTP Proxy to use a lower connection timeout. @@ -271,12 +282,7 @@ If you enable this policy setting, and the IIS server running the RPC HTTP proxy > This policy setting will not be applied until the system is rebooted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -295,28 +301,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -333,7 +345,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether the RPC Runtime maintains RPC state information for the system, and how much information it maintains. Basic state information, which consists only of the most commonly needed state data, is required for troubleshooting RPC problems. +This policy setting determines whether the RPC Runtime maintains RPC state information for the system, and how much information it maintains. Basic state information, which consists only of the most commonly needed state data, is required for troubleshooting RPC problems. If you disable this policy setting, the RPC runtime defaults to "Auto2" level. @@ -357,12 +369,6 @@ If you enable this policy setting, you can use the drop-down box to determine wh > This policy setting will not be applied until the system is rebooted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -375,8 +381,6 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-scripts.md b/windows/client-management/mdm/policy-csp-admx-scripts.md index c28841c0c5..101d934f48 100644 --- a/windows/client-management/mdm/policy-csp-admx-scripts.md +++ b/windows/client-management/mdm/policy-csp-admx-scripts.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_Scripts -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +> [!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -69,28 +73,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -107,19 +117,14 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting allows user logon scripts to run when the logon cross-forest, DNS suffixes are not configured, and NetBIOS or WINS is disabled. This policy setting affects all user accounts interactively logging on to the computer. +This policy setting allows user logon scripts to run when the logon cross-forest, DNS suffixes are not configured, and NetBIOS or WINS is disabled. This policy setting affects all user accounts interactively logging on to the computer. If you enable this policy setting, user logon scripts run if NetBIOS or WINS is disabled during cross-forest logons without the DNS suffixes being configured. If you disable or do not configure this policy setting, user account cross-forest, interactive logging cannot run logon scripts if NetBIOS or WINS is disabled, and the DNS suffixes are not configured. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -138,28 +143,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -176,7 +187,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines how long the system waits for scripts applied by Group Policy to run. +This policy setting determines how long the system waits for scripts applied by Group Policy to run. This setting limits the total time allowed for all logon, logoff, startup, and shutdown scripts applied by Group Policy to finish running. If the scripts have not finished running when the specified time expires, the system stops script processing and records an error event. @@ -189,12 +200,7 @@ An excessively long interval can delay the system and inconvenience users. Howev If you disable or do not configure this setting the system lets the combined set of scripts run for up to 600 seconds (10 minutes). This is the default. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -213,28 +219,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -251,7 +263,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether Windows PowerShell scripts are run before non-Windows PowerShell scripts during computer startup and shutdown. By default, Windows PowerShell scripts run after non-Windows PowerShell scripts. +This policy setting determines whether Windows PowerShell scripts are run before non-Windows PowerShell scripts during computer startup and shutdown. By default, Windows PowerShell scripts run after non-Windows PowerShell scripts. If you enable this policy setting, within each applicable Group Policy Object (GPO), Windows PowerShell scripts are run before non-Windows PowerShell scripts during computer startup and shutdown. @@ -281,12 +293,7 @@ Within GPO C: C.cmd, C.ps1 > - Computer Configuration\Policies\Windows Settings\Scripts (Startup/Shutdown)\Shutdown -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -305,28 +312,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -343,23 +356,18 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting hides the instructions in logon scripts written for Windows NT 4.0 and earlier. +This policy setting hides the instructions in logon scripts written for Windows NT 4.0 and earlier. -Logon scripts are batch files of instructions that run when the user logs on. By default, Windows 2000 displays the instructions in logon scripts written for Windows NT 4.0 and earlier in a command window as they run, although it does not display logon scripts written for Windows 2000. +Logon scripts are batch files of instructions that run when the user logs on. By default, Windows displays the instructions in logon scripts written for Windows NT 4.0 and earlier in a command window as they run, although it does not display logon scripts written for Windows. -If you enable this setting, Windows 2000 does not display logon scripts written for Windows NT 4.0 and earlier. +If you enable this setting, Windows does not display logon scripts written for Windows NT 4.0 and earlier. -If you disable or do not configure this policy setting, Windows 2000 displays login scripts written for Windows NT 4.0 and earlier. +If you disable or do not configure this policy setting, Windows displays login scripts written for Windows NT 4.0 and earlier. Also, see the "Run Logon Scripts Visible" setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -378,28 +386,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -416,7 +430,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting displays the instructions in logoff scripts as they run. +This policy setting displays the instructions in logoff scripts as they run. Logoff scripts are batch files of instructions that run when the user logs off. By default, the system does not display the instructions in the logoff script. @@ -425,12 +439,7 @@ If you enable this policy setting, the system displays each instruction in the l If you disable or do not configure this policy setting, the instructions are suppressed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -449,28 +458,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -487,7 +502,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting directs the system to wait for logon scripts to finish running before it starts the File Explorer interface program and creates the desktop. +This policy setting directs the system to wait for logon scripts to finish running before it starts the File Explorer interface program and creates the desktop. If you enable this policy setting, File Explorer does not start until the logon scripts have finished running. This policy setting ensures that logon script processing is complete before the user starts working, but it can delay the appearance of the desktop. @@ -496,12 +511,7 @@ If you disable or do not configure this policy setting, the logon scripts and Fi This policy setting appears in the Computer Configuration and User Configuration folders. The policy setting set in Computer Configuration takes precedence over the policy setting set in User Configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -520,28 +530,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -558,7 +574,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting directs the system to wait for logon scripts to finish running before it starts the File Explorer interface program and creates the desktop. +This policy setting directs the system to wait for logon scripts to finish running before it starts the File Explorer interface program and creates the desktop. If you enable this policy setting, File Explorer does not start until the logon scripts have finished running. This policy setting ensures that logon script processing is complete before the user starts working, but it can delay the appearance of the desktop. @@ -567,12 +583,7 @@ If you disable or do not configure this policy setting, the logon scripts and Fi This policy setting appears in the Computer Configuration and User Configuration folders. The policy setting set in Computer Configuration takes precedence over the policy setting set in User Configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -591,28 +602,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -629,7 +646,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting displays the instructions in logon scripts as they run. +This policy setting displays the instructions in logon scripts as they run. Logon scripts are batch files of instructions that run when the user logs on. By default, the system does not display the instructions in logon scripts. @@ -638,12 +655,7 @@ If you enable this policy setting, the system displays each instruction in the l If you disable or do not configure this policy setting, the instructions are suppressed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -662,28 +674,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -700,7 +718,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting displays the instructions in shutdown scripts as they run. +This policy setting displays the instructions in shutdown scripts as they run. Shutdown scripts are batch files of instructions that run when the user restarts the system or shuts it down. By default, the system does not display the instructions in the shutdown script. @@ -709,12 +727,7 @@ If you enable this policy setting, the system displays each instruction in the s If you disable or do not configure this policy setting, the instructions are suppressed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -733,28 +746,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -771,7 +790,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting lets the system run startup scripts simultaneously. +This policy setting lets the system run startup scripts simultaneously. Startup scripts are batch files that run before the user is invited to log on. By default, the system waits for each startup script to complete before it runs the next startup script. @@ -783,12 +802,7 @@ If you disable or do not configure this policy setting, a startup cannot run unt > Starting with Windows Vista operating system, scripts that are configured to run asynchronously are no longer visible on startup, whether the "Run startup scripts visible" policy setting is enabled or not. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -807,28 +821,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -845,7 +865,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting displays the instructions in startup scripts as they run. +This policy setting displays the instructions in startup scripts as they run. Startup scripts are batch files of instructions that run before the user is invited to log on. By default, the system does not display the instructions in the startup script. @@ -857,12 +877,7 @@ If you disable or do not configure this policy setting, the instructions are sup > Starting with Windows Vista operating system, scripts that are configured to run asynchronously are no longer visible on startup, whether this policy setting is enabled or not. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -881,28 +896,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -920,7 +941,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether Windows PowerShell scripts are run before non-Windows PowerShell scripts during user logon and logoff. By default, Windows PowerShell scripts run after non-Windows PowerShell scripts. +This policy setting determines whether Windows PowerShell scripts are run before non-Windows PowerShell scripts during user logon and logoff. By default, Windows PowerShell scripts run after non-Windows PowerShell scripts. If you enable this policy setting, within each applicable Group Policy Object (GPO), PowerShell scripts are run before non-PowerShell scripts during user logon and logoff. @@ -952,12 +973,7 @@ Within GPO C: C.cmd, C.ps1 This policy setting appears in the Computer Configuration and User Configuration folders. The policy setting set in Computer Configuration takes precedence over the setting set in User Configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -970,8 +986,7 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-sdiageng.md b/windows/client-management/mdm/policy-csp-admx-sdiageng.md index e7a0beefc6..e0423f69bb 100644 --- a/windows/client-management/mdm/policy-csp-admx-sdiageng.md +++ b/windows/client-management/mdm/policy-csp-admx-sdiageng.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_sdiageng -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +> [!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -42,28 +46,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -80,19 +90,14 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting allows users who are connected to the Internet to access and search troubleshooting content that is hosted on Microsoft content servers. Users can access online troubleshooting content from within the Troubleshooting Control Panel UI by clicking "Yes" when they are prompted by a message that states, "Do you want the most up-to-date troubleshooting content?" +This policy setting allows users who are connected to the Internet to access and search troubleshooting content that is hosted on Microsoft content servers. Users can access online troubleshooting content from within the Troubleshooting Control Panel UI by clicking "Yes" when they are prompted by a message that states, "Do you want the most up-to-date troubleshooting content?" If you enable or do not configure this policy setting, users who are connected to the Internet can access and search troubleshooting content that is hosted on Microsoft content servers from within the Troubleshooting Control Panel user interface. If you disable this policy setting, users can only access and search troubleshooting content that is available locally on their computers, even if they are connected to the Internet. They are prevented from connecting to the Microsoft servers that host the Windows Online Troubleshooting Service. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -111,28 +116,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -149,7 +160,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows users to access and run the troubleshooting tools that are available in the Troubleshooting Control Panel and to run the troubleshooting wizard to troubleshoot problems on their computers. +This policy setting allows users to access and run the troubleshooting tools that are available in the Troubleshooting Control Panel and to run the troubleshooting wizard to troubleshoot problems on their computers. If you enable or do not configure this policy setting, users can access and run the troubleshooting tools from the Troubleshooting Control Panel. @@ -158,12 +169,7 @@ If you disable this policy setting, users cannot access or run the troubleshooti Note that this setting also controls a user's ability to launch standalone troubleshooting packs such as those found in .diagcab files. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -182,28 +188,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -220,19 +232,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether scripted diagnostics will execute diagnostic packages that are signed by untrusted publishers. +This policy setting determines whether scripted diagnostics will execute diagnostic packages that are signed by untrusted publishers. If you enable this policy setting, the scripted diagnostics execution engine validates the signer of any diagnostic package and runs only those signed by trusted publishers. If you disable or do not configure this policy setting, the scripted diagnostics execution engine runs all digitally signed packages. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -245,7 +252,6 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-sdiagschd.md b/windows/client-management/mdm/policy-csp-admx-sdiagschd.md new file mode 100644 index 0000000000..f19401826c --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-sdiagschd.md @@ -0,0 +1,114 @@ +--- +title: Policy CSP - ADMX_sdiagschd +description: Policy CSP - ADMX_sdiagschd +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 09/17/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_sdiagschd + +
      + + +## ADMX_sdiagschd policies + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + +
      +
      + ADMX_sdiagschd/ScheduledDiagnosticsExecutionPolicy +
      +
      + + +
      + + +**ADMX_sdiagschd/ScheduledDiagnosticsExecutionPolicy** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      EditionWindows 10Windows 11
      HomeNoNo
      ProNoNo
      BusinessNoNo
      EnterpriseYesYes
      EducationYesYes
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +This policy determines whether scheduled diagnostics will run to proactively detect and resolve system problems. + +- If you enable this policy setting, you must choose an execution level. + +If you choose detection and troubleshooting only, Windows will periodically detect and troubleshoot problems. The user will be notified of the problem for interactive resolution. +If you choose detection, troubleshooting and resolution, Windows will resolve some of these problems silently without requiring user input. + +- If you disable this policy setting, Windows will not be able to detect, troubleshoot or resolve problems on a scheduled basis. + +If you do not configure this policy setting, local troubleshooting preferences will take precedence, as configured in the control panel. If no local troubleshooting preference is configured, scheduled diagnostics are enabled for detection, troubleshooting and resolution by default. No reboots or service restarts are required for this policy to take effect: changes take effect immediately. This policy setting will only take effect when the Task Scheduler service is in the running state. When the service is stopped or disabled, scheduled diagnostics will not be executed. The Task Scheduler service can be configured with the Services snap-in to the Microsoft Management Console. + + + + +ADMX Info: +- GP Friendly name: *Configure Scheduled Maintenance Behavior* +- GP name: *ScheduledDiagnosticsExecutionPolicy* +- GP path: *System\Troubleshooting and Diagnostics\Scheduled Maintenance* +- GP ADMX file name: *sdiagschd.admx* + + + +
      + + + + diff --git a/windows/client-management/mdm/policy-csp-admx-securitycenter.md b/windows/client-management/mdm/policy-csp-admx-securitycenter.md index 7c06bd2059..20f174f66a 100644 --- a/windows/client-management/mdm/policy-csp-admx-securitycenter.md +++ b/windows/client-management/mdm/policy-csp-admx-securitycenter.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_Securitycenter -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +> [!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -36,28 +40,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -74,7 +84,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether Security Center is turned on or off for computers that are joined to an Active Directory domain. When Security Center is turned on, it monitors essential security settings and notifies the user when the computer might be at risk. The Security Center Control Panel category view also contains a status section, where the user can get recommendations to help increase the computer's security. When Security Center is not enabled on the domain, neither the notifications nor the Security Center status section are displayed. + This policy setting specifies whether Security Center is turned on or off for computers that are joined to an Active Directory domain. When Security Center is turned on, it monitors essential security settings and notifies the user when the computer might be at risk. The Security Center Control Panel category view also contains a status section, where the user can get recommendations to help increase the computer's security. When Security Center is not enabled on the domain, neither the notifications nor the Security Center status section are displayed. Note that Security Center can only be turned off for computers that are joined to a Windows domain. When a computer is not joined to a Windows domain, the policy setting will have no effect. @@ -84,21 +94,9 @@ If you enable this policy setting, Security Center is turned on for all users. If you disable this policy setting, Security Center is turned off for domain members. -**Windows XP SP2** - -In Windows XP SP2, the essential security settings that are monitored by Security Center include firewall, antivirus, and Automatic Updates. Note that Security Center might not be available following a change to this policy setting until after the computer is restarted for Windows XP SP2 computers. - -**Windows Vista** - -In Windows Vista, this policy setting monitors essential security settings to include firewall, antivirus, antispyware, Internet security settings, User Account Control, and Automatic Updates. Windows Vista computers do not require a reboot for this policy setting to take effect. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -111,8 +109,7 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-sensors.md b/windows/client-management/mdm/policy-csp-admx-sensors.md index 47b29235a9..1287743ed4 100644 --- a/windows/client-management/mdm/policy-csp-admx-sensors.md +++ b/windows/client-management/mdm/policy-csp-admx-sensors.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_Sensors -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +> [!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -48,28 +52,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -86,19 +96,14 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting turns off scripting for the location feature. +This policy setting turns off scripting for the location feature. If you enable this policy setting, scripts for the location feature will not run. If you disable or do not configure this policy setting, all location scripts will run. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -117,28 +122,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -155,19 +166,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting turns off scripting for the location feature. +This policy setting turns off scripting for the location feature. If you enable this policy setting, scripts for the location feature will not run. If you disable or do not configure this policy setting, all location scripts will run. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -186,28 +192,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -224,19 +236,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting turns off the location feature for this computer. +This policy setting turns off the location feature for this computer. If you enable this policy setting, the location feature is turned off, and all programs on this computer are prevented from using location information from the location feature. If you disable or do not configure this policy setting, all programs on this computer will not be prevented from using location information from the location feature. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -255,28 +262,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -293,19 +306,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting turns off the sensor feature for this computer. +This policy setting turns off the sensor feature for this computer. If you enable this policy setting, the sensor feature is turned off, and all programs on this computer cannot use the sensor feature. If you disable or do not configure this policy setting, all programs on this computer can use the sensor feature. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -324,28 +332,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -362,19 +376,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting turns off the sensor feature for this computer. +This policy setting turns off the sensor feature for this computer. If you enable this policy setting, the sensor feature is turned off, and all programs on this computer cannot use the sensor feature. If you disable or do not configure this policy setting, all programs on this computer can use the sensor feature. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -387,7 +396,6 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-servermanager.md b/windows/client-management/mdm/policy-csp-admx-servermanager.md new file mode 100644 index 0000000000..2bdd21ec6f --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-servermanager.md @@ -0,0 +1,341 @@ +--- +title: Policy CSP - ADMX_ServerManager +description: Policy CSP - ADMX_ServerManager +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 09/18/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_ServerManager + +
      + + +## ADMX_ServerManager policies + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + +
      +
      + ADMX_ServerManager/Do_not_display_Manage_Your_Server_page +
      +
      + ADMX_ServerManager/ServerManagerAutoRefreshRate +
      +
      + ADMX_ServerManager/DoNotLaunchInitialConfigurationTasks +
      +
      + ADMX_ServerManager/DoNotLaunchServerManager +
      +
      + + +
      + + +**ADMX_ServerManager/Do_not_display_Manage_Your_Server_page** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      EditionWindows 10Windows 11
      HomeNoNo
      ProNoNo
      BusinessNoNo
      EnterpriseYesYes
      EducationYesYes
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +This policy setting allows you to turn off the automatic display of Server Manager at logon. + +- If you enable this policy setting, Server Manager is not displayed automatically when a user logs on to the server. + +- If you disable this policy setting, Server Manager is displayed automatically when a user logs on to the server. + +If you do not configure this policy setting, Server Manager is displayed when a user logs on to the server. However, if the "Do not show me this console at logon" (Windows Server 2008 and Windows Server 2008 R2) or “Do not start Server Manager automatically at logon” (Windows Server 2012) option is selected, the console is not displayed automatically at logon. + +> [!NOTE] +> Regardless of the status of this policy setting, Server Manager is available from the Start menu or the Windows taskbar. + + + + + +ADMX Info: +- GP Friendly name: *Do not display Server Manager automatically at logon* +- GP name: *Do_not_display_Manage_Your_Server_page* +- GP path: *System\Server Manager* +- GP ADMX file name: *ServerManager.admx* + + + +
      + + + +**ADMX_ServerManager/ServerManagerAutoRefreshRate** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      EditionWindows 10Windows 11
      HomeNoNo
      ProNoNo
      BusinessNoNo
      EnterpriseYesYes
      EducationYesYes
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +This policy setting allows you to set the refresh interval for Server Manager. Each refresh provides Server Manager with updated information about which roles and features are installed on servers that you are managing by using Server Manager. Server Manager also monitors the status of roles and features installed on managed servers. + +- If you enable this policy setting, Server Manager uses the refresh interval specified in the policy setting instead of the “Configure Refresh Interval” setting (in Windows Server 2008 and Windows Server 2008 R2), or the “Refresh the data shown in Server Manager every [x] [minutes/hours/days]” setting (in Windows Server 2012) that is configured in the Server Manager console. + +- If you disable this policy setting, Server Manager does not refresh automatically. If you do not configure this policy setting, Server Manager uses the refresh interval settings that are specified in the Server Manager console. + +> [!NOTE] +> The default refresh interval for Server Manager is two minutes in Windows Server 2008 and Windows Server 2008 R2, or 10 minutes in Windows Server 2012. + + + + + + +ADMX Info: +- GP Friendly name: *Configure the refresh interval for Server Manager* +- GP name: *ServerManagerAutoRefreshRate* +- GP path: *System\Server Manager* +- GP ADMX file name: *ServerManager.admx* + + + +
      + + +**ADMX_ServerManager/DoNotLaunchInitialConfigurationTasks** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      EditionWindows 10Windows 11
      HomeNoNo
      ProNoNo
      BusinessNoNo
      EnterpriseYesYes
      EducationYesYes
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +This policy setting allows you to turn off the automatic display of the Initial Configuration Tasks window at logon on Windows Server 2008 and Windows Server 2008 R2. + +- If you enable this policy setting, the Initial Configuration Tasks window is not displayed when an administrator logs on to the server. + +- If you disable this policy setting, the Initial Configuration Tasks window is displayed when an administrator logs on to the server. + +If you do not configure this policy setting, the Initial Configuration Tasks window is displayed when an administrator logs on to the server. However, if an administrator selects the "Do not show this window at logon" option, the window is not displayed on subsequent logons. + + + + + +ADMX Info: +- GP Friendly name: *Do not display Initial Configuration Tasks window automatically at logon* +- GP name: *DoNotLaunchInitialConfigurationTasks* +- GP path: *System\Server Manager* +- GP ADMX file name: *ServerManager.admx* + + + +
      + + +**ADMX_ServerManager/DoNotLaunchServerManager** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      EditionWindows 10Windows 11
      HomeNoNo
      ProNoNo
      BusinessNoNo
      EnterpriseYesYes
      EducationYesYes
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +This policy setting allows you to turn off the automatic display of the Manage Your Server page. + +- If you enable this policy setting, the Manage Your Server page is not displayed each time an administrator logs on to the server. + +- If you disable or do not configure this policy setting, the Manage Your Server page is displayed each time an administrator logs on to the server. + +However, if the administrator has selected the "Don’t display this page at logon" option at the bottom of the Manage Your Server page, the page is not displayed. + + + + + +ADMX Info: +- GP Friendly name: *Do not display Manage Your Server page at logon* +- GP name: *DoNotLaunchServerManager* +- GP path: *System\Server Manager* +- GP ADMX file name: *ServerManager.admx* + + + + + + diff --git a/windows/client-management/mdm/policy-csp-admx-servicing.md b/windows/client-management/mdm/policy-csp-admx-servicing.md index c537254102..0cb2e868e9 100644 --- a/windows/client-management/mdm/policy-csp-admx-servicing.md +++ b/windows/client-management/mdm/policy-csp-admx-servicing.md @@ -13,8 +13,7 @@ manager: dansimp --- # Policy CSP - ADMX_Servicing -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +
      @@ -36,28 +35,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -74,21 +79,16 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the network locations that will be used for the repair of operating system corruption and for enabling optional features that have had their payload files removed. +This policy setting specifies the network locations that will be used for the repair of operating system corruption and for enabling optional features that have had their payload files removed. -If you enable this policy setting and specify the new location, the files in that location will be used to repair operating system corruption and for enabling optional features that have had their payload files removed. You must enter the fully qualified path to the new location in the ""Alternate source file path"" text box. Multiple locations can be specified when each path is separated by a semicolon. +If you enable this policy setting and specify the new location, the files in that location will be used to repair operating system corruption and for enabling optional features that have had their payload files removed. You must enter the fully qualified path to the new location in the "Alternate source file path" text box. Multiple locations can be specified when each path is separated by a semicolon. The network location can be either a folder, or a WIM file. If it is a WIM file, the location should be specified by prefixing the path with “wim:” and include the index of the image to use in the WIM file. For example “wim:\\server\share\install.wim:3”. If you disable or do not configure this policy setting, or if the required files cannot be found at the locations specified in this policy setting, the files will be downloaded from Windows Update, if that is allowed by the policy settings for the computer. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -101,8 +101,7 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-settingsync.md b/windows/client-management/mdm/policy-csp-admx-settingsync.md index 6f35209bce..692583b4eb 100644 --- a/windows/client-management/mdm/policy-csp-admx-settingsync.md +++ b/windows/client-management/mdm/policy-csp-admx-settingsync.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_SettingSync -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +> [!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -60,28 +64,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -98,7 +108,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. Prevent the "AppSync" group from syncing to and from this PC. This turns off and disables the "AppSync" group on the "sync your settings" page in PC settings. +Prevent the "AppSync" group from syncing to and from this PC. This turns off and disables the "AppSync" group on the "sync your settings" page in PC settings. If you enable this policy setting, the "AppSync" group will not be synced. @@ -107,12 +117,7 @@ Use the option "Allow users to turn app syncing on" so that syncing it turned of If you do not set or disable this setting, syncing of the "AppSync" group is on by default and configurable by the user. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -131,28 +136,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -169,7 +180,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevent the "app settings" group from syncing to and from this PC. This turns off and disables the "app settings" group on the "sync your settings" page in PC settings. +Prevent the "app settings" group from syncing to and from this PC. This turns off and disables the "app settings" group on the "sync your settings" page in PC settings. If you enable this policy setting, the "app settings" group will not be synced. @@ -178,12 +189,7 @@ Use the option "Allow users to turn app settings syncing on" so that syncing it If you do not set or disable this setting, syncing of the "app settings" group is on by default and configurable by the user. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -202,28 +208,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -240,7 +252,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevent the "passwords" group from syncing to and from this PC. This turns off and disables the "passwords" group on the "sync your settings" page in PC settings. +Prevent the "passwords" group from syncing to and from this PC. This turns off and disables the "passwords" group on the "sync your settings" page in PC settings. If you enable this policy setting, the "passwords" group will not be synced. @@ -249,12 +261,7 @@ Use the option "Allow users to turn passwords syncing on" so that syncing it tur If you do not set or disable this setting, syncing of the "passwords" group is on by default and configurable by the user. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -273,28 +280,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -311,7 +324,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevent the "desktop personalization" group from syncing to and from this PC. This turns off and disables the "desktop personalization" group on the "sync your settings" page in PC settings. +Prevent the "desktop personalization" group from syncing to and from this PC. This turns off and disables the "desktop personalization" group on the "sync your settings" page in PC settings. If you enable this policy setting, the "desktop personalization" group will not be synced. @@ -320,12 +333,7 @@ Use the option "Allow users to turn desktop personalization syncing on" so that If you do not set or disable this setting, syncing of the "desktop personalization" group is on by default and configurable by the user. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -344,28 +352,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -382,7 +396,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevent the "personalize" group from syncing to and from this PC. This turns off and disables the "personalize" group on the "sync your settings" page in PC settings. +Prevent the "personalize" group from syncing to and from this PC. This turns off and disables the "personalize" group on the "sync your settings" page in PC settings. If you enable this policy setting, the "personalize" group will not be synced. @@ -391,12 +405,7 @@ Use the option "Allow users to turn personalize syncing on" so that syncing it t If you do not set or disable this setting, syncing of the "personalize" group is on by default and configurable by the user. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -415,28 +424,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -453,7 +468,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevent syncing to and from this PC. This turns off and disables the "sync your settings" switch on the "sync your settings" page in PC Settings. +Prevent syncing to and from this PC. This turns off and disables the "sync your settings" switch on the "sync your settings" page in PC Settings. If you enable this policy setting, "sync your settings" will be turned off, and none of the "sync your setting" groups will be synced on this PC. @@ -462,12 +477,7 @@ Use the option "Allow users to turn syncing on" so that syncing it turned off by If you do not set or disable this setting, "sync your settings" is on by default and configurable by the user. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -486,28 +496,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -524,7 +540,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevent the "Start layout" group from syncing to and from this PC. This turns off and disables the "Start layout" group on the "sync your settings" page in PC settings. +Prevent the "Start layout" group from syncing to and from this PC. This turns off and disables the "Start layout" group on the "sync your settings" page in PC settings. If you enable this policy setting, the "Start layout" group will not be synced. @@ -533,12 +549,7 @@ Use the option "Allow users to turn start syncing on" so that syncing is turned If you do not set or disable this setting, syncing of the "Start layout" group is on by default and configurable by the user. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -557,28 +568,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -595,19 +612,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevent syncing to and from this PC when on metered Internet connections. This turns off and disables "sync your settings on metered connections" switch on the "sync your settings" page in PC Settings. +Prevent syncing to and from this PC when on metered Internet connections. This turns off and disables "sync your settings on metered connections" switch on the "sync your settings" page in PC Settings. If you enable this policy setting, syncing on metered connections will be turned off, and no syncing will take place when this PC is on a metered connection. If you do not set or disable this setting, syncing on metered connections is configurable by the user. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -626,28 +638,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -664,7 +682,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevent the "Other Windows settings" group from syncing to and from this PC. This turns off and disables the "Other Windows settings" group on the "sync your settings" page in PC settings. +Prevent the "Other Windows settings" group from syncing to and from this PC. This turns off and disables the "Other Windows settings" group on the "sync your settings" page in PC settings. If you enable this policy setting, the "Other Windows settings" group will not be synced. @@ -673,12 +691,7 @@ Use the option "Allow users to turn other Windows settings syncing on" so that s If you do not set or disable this setting, syncing of the "Other Windows settings" group is on by default and configurable by the user. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -691,7 +704,6 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-sharedfolders.md b/windows/client-management/mdm/policy-csp-admx-sharedfolders.md index cc867fb098..19a24d2480 100644 --- a/windows/client-management/mdm/policy-csp-admx-sharedfolders.md +++ b/windows/client-management/mdm/policy-csp-admx-sharedfolders.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_SharedFolders -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +> [!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -38,28 +42,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -76,7 +86,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether the user can publish DFS roots in Active Directory Domain Services (AD DS). +This policy setting determines whether the user can publish DFS roots in Active Directory Domain Services (AD DS). If you enable or do not configure this policy setting, users can use the "Publish in Active Directory" option to publish DFS roots as shared folders in AD DS . @@ -86,12 +96,7 @@ If you disable this policy setting, users cannot publish DFS roots in AD DS and > The default is to allow shared folders to be published when this setting is not configured. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -111,28 +116,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -149,7 +160,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether the user can publish shared folders in Active Directory Domain Services (AD DS). +This policy setting determines whether the user can publish shared folders in Active Directory Domain Services (AD DS). If you enable or do not configure this policy setting, users can use the "Publish in Active Directory" option in the Shared Folders snap-in to publish shared folders in AD DS. @@ -159,12 +170,7 @@ If you disable this policy setting, users cannot publish shared folders in AD DS > The default is to allow shared folders to be published when this setting is not configured. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -177,8 +183,7 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-sharing.md b/windows/client-management/mdm/policy-csp-admx-sharing.md index b7e9e8ddaa..27536d9679 100644 --- a/windows/client-management/mdm/policy-csp-admx-sharing.md +++ b/windows/client-management/mdm/policy-csp-admx-sharing.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_Sharing -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +> [!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -35,28 +39,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -73,19 +83,14 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether users can share files within their profile. By default users are allowed to share files within their profile to other users on their network after an administrator opts in the computer. An administrator can opt in the computer by using the sharing wizard to share a file within their profile. +This policy setting specifies whether users can share files within their profile. By default users are allowed to share files within their profile to other users on their network after an administrator opts in the computer. An administrator can opt in the computer by using the sharing wizard to share a file within their profile. If you enable this policy setting, users cannot share files within their profile using the sharing wizard. Also, the sharing wizard cannot create a share at %root%\users and can only be used to create SMB shares on folders. If you disable or don't configure this policy setting, users can share files out of their user profile after an administrator has opted in the computer. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -98,7 +103,6 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-shellcommandpromptregedittools.md b/windows/client-management/mdm/policy-csp-admx-shellcommandpromptregedittools.md index 7d8f85894f..1214046238 100644 --- a/windows/client-management/mdm/policy-csp-admx-shellcommandpromptregedittools.md +++ b/windows/client-management/mdm/policy-csp-admx-shellcommandpromptregedittools.md @@ -7,29 +7,34 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: manikadhiman -ms.date: 09/21/2020 +ms.date: 09/18/2020 ms.reviewer: manager: dansimp --- # Policy CSP - ADMX_ShellCommandPromptRegEditTools -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
      ## ADMX_ShellCommandPromptRegEditTools policies +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +
      - ADMX_ShellCommandPromptRegEditTools/DisableCMD + ADMX_ShellCommandPromptRegEditTools/DisallowApps
      ADMX_ShellCommandPromptRegEditTools/DisableRegedit
      - ADMX_ShellCommandPromptRegEditTools/DisallowApps + ADMX_ShellCommandPromptRegEditTools/DisableCMD
      ADMX_ShellCommandPromptRegEditTools/RestrictApps @@ -40,33 +45,39 @@ manager: dansimp
      -**ADMX_ShellCommandPromptRegEditTools/DisableCMD** +**ADMX_ShellCommandPromptRegEditTools/DisallowApps** - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -83,62 +94,67 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from running the interactive command prompt, Cmd.exe. This policy setting also determines whether batch files (.cmd and .bat) can run on the computer. +This policy setting prevents users from running the interactive command prompt, Cmd.exe. + +This policy setting also determines whether batch files (.cmd and .bat) can run on the computer. -If you enable this policy setting and the user tries to open a command window, the system displays a message explaining that a setting prevents the action. - -If you disable this policy setting or do not configure it, users can run Cmd.exe and batch files normally. +- If you enable this policy setting and the user tries to open a command window, the system displays a message explaining that a setting prevents the action. . +- If you disable this policy setting or do not configure it, users can run Cmd.exe and batch files normally. + > [!NOTE] > Do not prevent the computer from running batch files if the computer uses logon, logoff, startup, or shutdown batch file scripts, or for users that use Remote Desktop Services. + -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: - GP Friendly name: *Prevent access to the command prompt* -- GP name: *DisableCMD* +- GP name: *DisallowApps* - GP path: *System* -- GP ADMX file name: *Shell-CommandPrompt-RegEditTools.admx* +- GP ADMX file name: *ShellCommandPromptRegEditTools.admx*
      + **ADMX_ShellCommandPromptRegEditTools/DisableRegedit** - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -155,62 +171,62 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Disables the Windows registry editor Regedit.exe. +This policy setting disables the Windows registry editor Regedit.exe. -If you enable this policy setting and the user tries to start Regedit.exe, a message appears explaining that a policy setting prevents the action. +- If you enable this policy setting and the user tries to start Regedit.exe, a message appears explaining that a policy setting prevents the action. -If you disable this policy setting or do not configure it, users can run Regedit.exe normally. +- If you disable this policy setting or do not configure it, users can run Regedit.exe normally. To prevent users from using other administrative tools, use the "Run only specified Windows applications" policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: - GP Friendly name: *Prevent access to registry editing tools* - GP name: *DisableRegedit* -- GP path: *System* -- GP ADMX file name: *Shell-CommandPrompt-RegEditTools.admx* +- GP path: *System\Server Manager* +- GP ADMX file name: *ShellCommandPromptRegEditTools.admx* -
      -**ADMX_ShellCommandPromptRegEditTools/DisallowApps** +**ADMX_ShellCommandPromptRegEditTools/DisableCMD** - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -227,32 +243,27 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents Windows from running the programs you specify in this policy setting. +This policy setting limits the Windows programs that users have permission to run on the computer. -If you enable this policy setting, users cannot run programs that you add to the list of disallowed applications. +- If you enable this policy setting, users can only run programs that you add to the list of allowed applications. -If you disable this policy setting or do not configure it, users can run any programs. +- If you disable this policy setting or do not configure it, users can run all applications. This policy setting only prevents users from running programs that are started by the File Explorer process. -This policy setting only prevents users from running programs that are started by the File Explorer process. It does not prevent users from running programs, such as Task Manager, which are started by the system process or by other processes. Also, if users have access to the command prompt (Cmd.exe), this policy setting does not prevent them from starting programs in the command window even though they would be prevented from doing so using File Explorer. +It does not prevent users from running programs such as Task Manager, which are started by the system process or by other processes. Also, if users have access to the command prompt (Cmd.exe), this policy setting does not prevent them from starting programs in the command window even though they would be prevented from doing so using File Explorer. -> [!NOTE] -> Non-Microsoft applications with Windows 2000 or later certification are required to comply with this policy setting. -> To create a list of allowed applications, click Show. In the Show Contents dialog box, in the Value column, type the application executable name (for example, Winword.exe, Poledit.exe, Powerpnt.exe). +Non-Microsoft applications with Windows 2000 or later certification are required to comply with this policy setting. + +To create a list of allowed applications, click Show. In the Show Contents dialog box, in the Value column, type the application executable name (e.g., Winword.exe, Poledit.exe, Powerpnt.exe). -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP Friendly name: *Don't run specified Windows applications* -- GP name: *DisallowApps* +- GP Friendly name: *Run only specified Windows applications* +- GP name: *DisableCMD* - GP path: *System* -- GP ADMX file name: *Shell-CommandPrompt-RegEditTools.admx* +- GP ADMX file name: *ShellCommandPromptRegEditTools.admx* @@ -264,28 +275,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -302,39 +319,31 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Limits the Windows programs that users have permission to run on the computer. +This policy setting prevents Windows from running the programs you specify in this policy setting. -If you enable this policy setting, users can only run programs that you add to the list of allowed applications. +- If you enable this policy setting, users cannot run programs that you add to the list of disallowed applications. -If you disable this policy setting or do not configure it, users can run all applications. +- If you disable this policy setting or do not configure it, users can run any programs. -This policy setting only prevents users from running programs that are started by the File Explorer process. It does not prevent users from running programs such as Task Manager, which are started by the system process or by other processes. Also, if users have access to the command prompt (Cmd.exe), this policy setting does not prevent them from starting programs in the command window even though they would be prevented from doing so using File Explorer. +This policy setting only prevents users from running programs that are started by the File Explorer process. It does not prevent users from running programs, such as Task Manager, which are started by the system process or by other processes. Also, if users have access to the command prompt (Cmd.exe), this policy setting does not prevent them from starting programs in the command window even though they would be prevented from doing so using File Explorer. + +Non-Microsoft applications with Windows 2000 or later certification are required to comply with this policy setting. + +To create a list of allowed applications, click Show. In the Show Contents dialog box, in the Value column, type the application executable name (e.g., Winword.exe, Poledit.exe, Powerpnt.exe). -> [!NOTE] -> Non-Microsoft applications with Windows 2000 or later certification are required to comply with this policy setting. -> To create a list of allowed applications, click Show. In the Show Contents dialog box, in the Value column, type the application executable name (for example, Winword.exe, Poledit.exe, Powerpnt.exe). -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP Friendly name: *Run only specified Windows applications* +- GP Friendly name: *Don't run specified Windows applications* - GP name: *RestrictApps* - GP path: *System* -- GP ADMX file name: *Shell-CommandPrompt-RegEditTools.admx* +- GP ADMX file name: *ShellCommandPromptRegEditTools.admx* -
      - -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-skydrive.md b/windows/client-management/mdm/policy-csp-admx-skydrive.md deleted file mode 100644 index 72c1b9ab34..0000000000 --- a/windows/client-management/mdm/policy-csp-admx-skydrive.md +++ /dev/null @@ -1,108 +0,0 @@ ---- -title: Policy CSP - ADMX_SkyDrive -description: Policy CSP - ADMX_SkyDrive -ms.author: dansimp -ms.localizationpriority: medium -ms.topic: article -ms.prod: w10 -ms.technology: windows -author: manikadhiman -ms.date: 12/08/2020 -ms.reviewer: -manager: dansimp ---- - -# Policy CSP - ADMX_SkyDrive -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. - -
      - - -## ADMX_SkyDrive policies - -
      -
      - ADMX_SkyDrive/PreventNetworkTrafficPreUserSignIn -
      -
      - - -
      - - -**ADMX_SkyDrive/PreventNetworkTrafficPreUserSignIn** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      - - -
      - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Available in the latest Windows 10 Insider Preview Build. Enable this setting to prevent the OneDrive sync client (OneDrive.exe) from generating network traffic (checking for updates, etc.) until the user signs in to OneDrive or starts syncing files to the local computer. - -If you enable this setting, users must sign in to the OneDrive sync client on the local computer, or select to sync OneDrive or SharePoint files on the computer, for the sync client to start automatically. - -If this setting is not enabled, the OneDrive sync client will start automatically when users sign in to Windows. - -If you enable or disable this setting, do not return the setting to Not Configured. Doing so will not change the configuration and the last configured setting will remain in effect. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP Friendly name: *Prevent OneDrive from generating network traffic until the user signs in to OneDrive* -- GP name: *PreventNetworkTrafficPreUserSignIn* -- GP path: *Windows Components\OneDrive* -- GP ADMX file name: *SkyDrive.admx* - - - -
      - -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. - - - diff --git a/windows/client-management/mdm/policy-csp-admx-smartcard.md b/windows/client-management/mdm/policy-csp-admx-smartcard.md index 3b4ac39e4f..e2c62d296b 100644 --- a/windows/client-management/mdm/policy-csp-admx-smartcard.md +++ b/windows/client-management/mdm/policy-csp-admx-smartcard.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_Smartcard -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +> [!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -81,28 +85,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -119,7 +129,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting lets you allow certificates without an Extended Key Usage (EKU) set to be used for logon. +This policy setting lets you allow certificates without an Extended Key Usage (EKU) set to be used for logon. In versions of Windows prior to Windows Vista, smart card certificates that are used for logon require an enhanced key usage (EKU) extension with a smart card logon object identifier. This policy setting can be used to modify that restriction. @@ -132,12 +142,7 @@ If you enable this policy setting, certificates with the following attributes ca If you disable or do not configure this policy setting, only certificates that contain the smart card logon object identifier can be used to log on with a smart card. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -156,28 +161,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -194,7 +205,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting lets you determine whether the integrated unblock feature will be available in the logon User Interface (UI). +This policy setting lets you determine whether the integrated unblock feature will be available in the logon User Interface (UI). In order to use the integrated unblock feature your smart card must support this feature. Please check with your hardware manufacturer to see if your smart card supports this feature. @@ -203,12 +214,7 @@ If you enable this policy setting, the integrated unblock feature will be availa If you disable or do not configure this policy setting then the integrated unblock feature will not be available. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -227,28 +233,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -265,19 +277,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting lets you allow signature key-based certificates to be enumerated and available for logon. +This policy setting lets you allow signature key-based certificates to be enumerated and available for logon. If you enable this policy setting then any certificates available on the smart card with a signature only key will be listed on the logon screen. If you disable or do not configure this policy setting, any available smart card signature key-based certificates will not be listed on the logon screen. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -296,28 +303,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -334,7 +347,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits those certificates to be displayed for logon that are either expired or not yet valid. +This policy setting permits those certificates to be displayed for logon that are either expired or not yet valid. Under previous versions of Microsoft Windows, certificates were required to contain a valid time and not be expired. The certificate must still be accepted by the domain controller in order to be used. This setting only controls the displaying of the certificate on the client machine. @@ -343,12 +356,7 @@ If you enable this policy setting certificates will be listed on the logon scree If you disable or do not configure this policy setting, certificates which are expired or not yet valid will not be listed on the logon screen. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -367,28 +375,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -405,19 +419,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage the certificate propagation that occurs when a smart card is inserted. +This policy setting allows you to manage the certificate propagation that occurs when a smart card is inserted. If you enable or do not configure this policy setting then certificate propagation will occur when you insert your smart card. If you disable this policy setting, certificate propagation will not occur and the certificates will not be made available to applications such as Outlook. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -436,28 +445,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -474,15 +489,10 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage the cleanup behavior of root certificates. If you enable this policy setting then root certificate cleanup will occur according to the option selected. If you disable or do not configure this setting then root certificate cleanup will occur on logoff. +This policy setting allows you to manage the cleanup behavior of root certificates. If you enable this policy setting then root certificate cleanup will occur according to the option selected. If you disable or do not configure this setting then root certificate cleanup will occur on logoff. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -501,28 +511,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -539,7 +555,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage the root certificate propagation that occurs when a smart card is inserted. +This policy setting allows you to manage the root certificate propagation that occurs when a smart card is inserted. If you enable or do not configure this policy setting then root certificate propagation will occur when you insert your smart card. @@ -549,12 +565,7 @@ If you enable or do not configure this policy setting then root certificate prop If you disable this policy setting then root certificates will not be propagated from the smart card. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -573,28 +584,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -611,7 +628,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents plaintext PINs from being returned by Credential Manager. +This policy setting prevents plaintext PINs from being returned by Credential Manager. If you enable this policy setting, Credential Manager does not return a plaintext PIN. @@ -621,12 +638,7 @@ If you disable or do not configure this policy setting, plaintext PINs can be re > Enabling this policy setting could prevent certain smart cards from working on Windows. Please consult your smart card manufacturer to find out whether you will be affected by this policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -645,28 +657,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -683,7 +701,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control whether elliptic curve cryptography (ECC) certificates on a smart card can be used to log on to a domain. +This policy setting allows you to control whether elliptic curve cryptography (ECC) certificates on a smart card can be used to log on to a domain. If you enable this policy setting, ECC certificates on a smart card can be used to log on to a domain. @@ -693,12 +711,7 @@ If you disable or do not configure this policy setting, ECC certificates on a sm > This policy setting only affects a user's ability to log on to a domain. ECC certificates on a smart card that are used for other applications, such as document signing, are not affected by this policy setting. > If you use an ECDSA key to log on, you must also have an associated ECDH key to permit logons when you are not connected to the network. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -717,28 +730,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -755,7 +774,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting lets you configure if all your valid logon certificates are displayed. +This policy setting lets you configure if all your valid logon certificates are displayed. During the certificate renewal period, a user can have multiple valid logon certificates issued from the same certificate template. This can cause confusion as to which certificate to select for logon. The common case for this behavior is when a certificate is renewed and the old one has not yet expired. Two certificates are determined to be the same if they are issued from the same template with the same major version and they are for the same user (determined by their UPN). @@ -769,12 +788,7 @@ If you enable or do not configure this policy setting, filtering will take place If you disable this policy setting, no filtering will take place. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -793,28 +807,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -831,7 +851,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage the reading of all certificates from the smart card for logon. +This policy setting allows you to manage the reading of all certificates from the smart card for logon. During logon Windows will by default only read the default certificate from the smart card unless it supports retrieval of all certificates in a single call. This setting forces Windows to read all the certificates from the card. This can introduce a significant performance decrease in certain situations. Please contact your smart card vendor to determine if your smart card and associated CSP supports the required behavior. @@ -840,12 +860,7 @@ If you enable this setting, then Windows will attempt to read all certificates f If you disable or do not configure this setting, Windows will only attempt to read the default certificate from those cards that do not support retrieval of all certificates in a single call. Certificates other than the default will not be available for logon. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -864,28 +879,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -902,7 +923,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage the displayed message when a smart card is blocked. +This policy setting allows you to manage the displayed message when a smart card is blocked. If you enable this policy setting, the specified message will be displayed to the user when the smart card is blocked. @@ -912,12 +933,7 @@ If you enable this policy setting, the specified message will be displayed to th If you disable or do not configure this policy setting, the default message will be displayed to the user when the smart card is blocked, if the integrated unblock feature is enabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -936,28 +952,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -974,7 +996,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting lets you reverse the subject name from how it is stored in the certificate when displaying it during logon. +This policy setting lets you reverse the subject name from how it is stored in the certificate when displaying it during logon. By default the user principal name (UPN) is displayed in addition to the common name to help users distinguish one certificate from another. For example, if the certificate subject was CN=User1, OU=Users, DN=example, DN=com and had an UPN of user1@example.com then "User1" will be displayed along with "user1@example.com." If the UPN is not present then the entire subject name will be displayed. This setting controls the appearance of that subject name and might need to be adjusted per organization. @@ -983,12 +1005,7 @@ If you enable this policy setting or do not configure this setting, then the sub If you disable, the subject name will be displayed as it appears in the certificate. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1007,28 +1024,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1045,7 +1068,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control whether Smart Card Plug and Play is enabled. +This policy setting allows you to control whether Smart Card Plug and Play is enabled. If you enable or do not configure this policy setting, Smart Card Plug and Play will be enabled and the system will attempt to install a Smart Card device driver when a card is inserted in a Smart Card Reader for the first time. @@ -1055,12 +1078,7 @@ If you disable this policy setting, Smart Card Plug and Play will be disabled an > This policy setting is applied only for smart cards that have passed the Windows Hardware Quality Labs (WHQL) testing process. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1079,28 +1097,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1117,7 +1141,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control whether a confirmation message is displayed when a smart card device driver is installed. +This policy setting allows you to control whether a confirmation message is displayed when a smart card device driver is installed. If you enable or do not configure this policy setting, a confirmation message will be displayed when a smart card device driver is installed. @@ -1127,12 +1151,7 @@ If you disable this policy setting, a confirmation message will not be displayed > This policy setting is applied only for smart cards that have passed the Windows Hardware Quality Labs (WHQL) testing process. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1151,28 +1170,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1189,19 +1214,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting lets you determine whether an optional field will be displayed during logon and elevation that allows a user to enter his or her user name or user name and domain, thereby associating a certificate with that user. +This policy setting lets you determine whether an optional field will be displayed during logon and elevation that allows a user to enter his or her user name or user name and domain, thereby associating a certificate with that user. If you enable this policy setting then an optional field that allows a user to enter their user name or user name and domain will be displayed. If you disable or do not configure this policy setting, an optional field that allows users to enter their user name or user name and domain will not be displayed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1214,8 +1234,7 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-snmp.md b/windows/client-management/mdm/policy-csp-admx-snmp.md index 62a6c6c8e5..137707b5b7 100644 --- a/windows/client-management/mdm/policy-csp-admx-snmp.md +++ b/windows/client-management/mdm/policy-csp-admx-snmp.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_Snmp -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +> [!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -42,28 +46,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -80,7 +90,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting configures a list of the communities defined to the Simple Network Management Protocol (SNMP) service. +This policy setting configures a list of the communities defined to the Simple Network Management Protocol (SNMP) service. SNMP is a protocol designed to give a user the capability to remotely manage a computer network, by polling and setting terminal values and monitoring network events. @@ -99,12 +109,7 @@ Best practice: For security purposes, it is recommended to restrict the HKLM\SOF Also, see the other two SNMP settings: "Specify permitted managers" and "Specify trap configuration". -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -123,28 +128,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -161,7 +172,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines the permitted list of hosts that can submit a query to the Simple Network Management (SNMP) agent running on the client computer. +This policy setting determines the permitted list of hosts that can submit a query to the Simple Network Management (SNMP) agent running on the client computer. Simple Network Management Protocol is a protocol designed to give a user the capability to remotely manage a computer network by polling and setting terminal values and monitoring network events. @@ -179,12 +190,7 @@ Best practice: For security purposes, it is recommended to restrict the HKLM\SOF Also, see the other two SNMP policy settings: "Specify trap configuration" and "Specify Community Name". -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -203,28 +209,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -241,7 +253,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows trap configuration for the Simple Network Management Protocol (SNMP) agent. +This policy setting allows trap configuration for the Simple Network Management Protocol (SNMP) agent. Simple Network Management Protocol is a protocol designed to give a user the capability to remotely manage a computer network by polling and setting terminal values and monitoring network events. @@ -257,12 +269,7 @@ If you disable or do not configure this policy setting, the SNMP service takes t Also, see the other two SNMP settings: "Specify permitted managers" and "Specify Community Name". -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -275,8 +282,7 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-soundrec.md b/windows/client-management/mdm/policy-csp-admx-soundrec.md new file mode 100644 index 0000000000..8e63a59f12 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-soundrec.md @@ -0,0 +1,181 @@ +--- +title: Policy CSP - ADMX_SoundRec +description: Policy CSP - ADMX_SoundRec +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 12/01/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_SoundRec + +
      + + +## ADMX_SoundRec policies + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + +
      +
      + ADMX_SoundRec/Soundrec_DiableApplication_TitleText_1 +
      +
      + ADMX_SoundRec/Soundrec_DiableApplication_TitleText_2 +
      +
      + + +
      + + +**ADMX_SoundRec/Soundrec_DiableApplication_TitleText_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      EditionWindows 10Windows 11
      HomeNoNo
      ProNoNo
      BusinessNoNo
      EnterpriseYesYes
      EducationYesYes
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + +This policy specifies whether Sound Recorder can run. Sound Recorder is a feature of Microsoft Windows Vista that can be used to record sound from an audio input device where the recorded sound is encoded and saved as an audio file. + +If you enable this policy setting, Sound Recorder will not run. + +If you disable or do not configure this policy setting, Sound Recorder can be run. + + + + +ADMX Info: +- GP Friendly name: *Do not allow Sound Recorder to run* +- GP name: *Soundrec_DiableApplication_TitleText_1* +- GP path: *Windows Components\Sound Recorder* +- GP ADMX file name: *SettingSync.admx* + + + +
      + + + +**ADMX_SoundRec/Soundrec_DiableApplication_TitleText_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      EditionWindows 10Windows 11
      HomeNoNo
      ProNoNo
      BusinessNoNo
      EnterpriseYesYes
      EducationYesYes
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + +This policy specifies whether Sound Recorder can run. Sound Recorder is a feature of Microsoft Windows Vista that can be used to record sound from an audio input device where the recorded sound is encoded and saved as an audio file. + +If you enable this policy setting, Sound Recorder will not run. + +If you disable or do not configure this policy setting, Sound Recorder can be run. + + + + +ADMX Info: +- GP Friendly name: *Do not allow Sound Recorder to run* +- GP name: *Soundrec_DiableApplication_TitleText_2* +- GP path: *Windows Components\Sound Recorder* +- GP ADMX file name: *SettingSync.admx* + + + +
      + + + diff --git a/windows/client-management/mdm/policy-csp-admx-srmfci.md b/windows/client-management/mdm/policy-csp-admx-srmfci.md new file mode 100644 index 0000000000..ade211ea40 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-srmfci.md @@ -0,0 +1,180 @@ +--- +title: Policy CSP - ADMX_srmfci +description: Policy CSP - ADMX_srmfci +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 09/18/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_srmfci + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + +
      + + +## ADMX_srmfci policies + +
      +
      + ADMX_srmfci/EnableShellAccessCheck +
      +
      + ADMX_srmfci/AccessDeniedConfiguration +
      +
      + + +
      + + +**ADMX_srmfci/EnableShellAccessCheck** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      EditionWindows 10Windows 11
      HomeNoNo
      ProNoNo
      BusinessNoNo
      EnterpriseYesYes
      EducationYesYes
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +This Group Policy Setting should be set on Windows clients to enable access-denied assistance for all file types. + + + + + +ADMX Info: +- GP Friendly name: *Enable access-denied assistance on client for all file types* +- GP name: *EnableShellAccessCheck* +- GP path: *System\Access-Denied Assistance* +- GP ADMX file name: *srmfci.admx* + + + +
      + + +**ADMX_srmfci/AccessDeniedConfiguration** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      EditionWindows 10Windows 11
      HomeNoNo
      ProNoNo
      BusinessNoNo
      EnterpriseYesYes
      EducationYesYes
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +This policy setting specifies the message that users see when they are denied access to a file or folder. You can customize the Access Denied message to include additional text and links. You can also provide users with the ability to send an email to request access to the file or folder to which they were denied access. + +If you enable this policy setting, users receive a customized Access Denied message from the file servers on which this policy setting is applied. + +If you disable this policy setting, users see a standard Access Denied message that doesn't provide any of the functionality controlled by this policy setting, regardless of the file server configuration. + +If you do not configure this policy setting, users see a standard Access Denied message unless the file server is configured to display the customized Access Denied message. By default, users see the standard Access Denied message. + + + + +ADMX Info: +- GP Friendly name: *Customize message for Access Denied errors* +- GP name: *AccessDeniedConfiguration* +- GP path: *System\Access-Denied Assistance* +- GP ADMX file name: *srmfci.admx* + + + +
      + + + + diff --git a/windows/client-management/mdm/policy-csp-admx-startmenu.md b/windows/client-management/mdm/policy-csp-admx-startmenu.md index e108cbcee6..3fbbcf654d 100644 --- a/windows/client-management/mdm/policy-csp-admx-startmenu.md +++ b/windows/client-management/mdm/policy-csp-admx-startmenu.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_StartMenu -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +> [!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -234,28 +238,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -272,19 +282,14 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. If you enable this policy, a "Search the Internet" link is shown when the user performs a search in the start menu search box. This button launches the default browser with the search terms. +If you enable this policy, a "Search the Internet" link is shown when the user performs a search in the start menu search box. This button launches the default browser with the search terms. If you disable this policy, there will not be a "Search the Internet" link when the user performs a search in the start menu search box. If you do not configure this policy (default), there will not be a "Search the Internet" link on the start menu. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -303,28 +308,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -341,7 +352,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Clear history of recently opened documents on exit. +Clear history of recently opened documents on exit. If you enable this setting, the system deletes shortcuts to recently used document files when the user logs off. As a result, the Recent Items menu on the Start menu is always empty when the user logs on. In addition, recently and frequently used items in the Jump Lists off of programs in the Start Menu and Taskbar will be cleared when the user logs off. @@ -359,12 +370,7 @@ This policy setting also does not hide document shortcuts displayed in the Open This policy also does not clear items that the user may have pinned to the Jump Lists, or Tasks that the application has provided for their menu. See the "Do not allow pinning items in Jump Lists" setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -383,28 +389,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -421,17 +433,12 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. If you enable this policy setting, the recent programs list in the start menu will be blank for each new user. +If you enable this policy setting, the recent programs list in the start menu will be blank for each new user. If you disable or do not configure this policy, the start menu recent programs list will be pre-populated with programs for each new user. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -450,28 +457,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -488,19 +501,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. If you enable this setting, the system deletes tile notifications when the user logs on. As a result, the Tiles in the start view will always show their default content when the user logs on. In addition, any cached versions of these notifications will be cleared when the user logs on. +If you enable this setting, the system deletes tile notifications when the user logs on. As a result, the Tiles in the start view will always show their default content when the user logs on. In addition, any cached versions of these notifications will be cleared when the user logs on. If you disable or do not configure this setting, the system retains notifications, and when a user logs on, the tiles appear just as they did when the user logged off, including the history of previous notifications for each tile. This setting does not prevent new notifications from appearing. See the "Turn off Application Notifications" setting to prevent new notifications. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -519,28 +527,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -557,19 +571,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows desktop apps to be listed first in the Apps view in Start. +This policy setting allows desktop apps to be listed first in the Apps view in Start. If you enable this policy setting, desktop apps would be listed first when the apps are sorted by category in the Apps view. The other sorting options would continue to be available and the user could choose to change their default sorting options. If you disable or don't configure this policy setting, the desktop apps won't be listed first when the apps are sorted by category, and the user can configure this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -588,28 +597,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -626,7 +641,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents the user from searching apps, files, settings (and the web if enabled) when the user searches from the Apps view. +This policy setting prevents the user from searching apps, files, settings (and the web if enabled) when the user searches from the Apps view. This policy setting is only applied when the Apps view is set as the default view for Start. @@ -635,12 +650,7 @@ If you enable this policy setting, searching from the Apps view will only search If you disable or don’t configure this policy setting, the user can configure this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -659,28 +669,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -697,7 +713,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy only applies to the classic version of the start menu and does not affect the new style start menu. +This policy only applies to the classic version of the start menu and does not affect the new style start menu. Adds the "Log Off ``" item to the Start menu and prevents users from removing it. @@ -707,17 +723,13 @@ If you disable this setting or do not configure it, users can use the Display Lo This setting affects the Start menu only. It does not affect the Log Off item on the Windows Security dialog box that appears when you press Ctrl+Alt+Del. -Note: To add or remove the Log Off item on a computer, click Start, click Settings, click Taskbar and Start Menu, click the Start Menu Options tab, and then, in the Start Menu Settings box, click Display Logoff. +> [!NOTE] +> To add or remove the Log Off item on a computer, click Start, click Settings, click Taskbar and Start Menu, click the Start Menu Options tab, and then, in the Start Menu Settings box, click Display Logoff. Also, see "Remove Logoff" in User Configuration\Administrative Templates\System\Logon/Logoff. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -736,28 +748,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -774,7 +792,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows users to go to the desktop instead of the Start screen when they sign in. +This policy setting allows users to go to the desktop instead of the Start screen when they sign in. If you enable this policy setting, users will always go to the desktop when they sign in. @@ -783,12 +801,7 @@ If you disable this policy setting, users will always go to the Start screen whe If you don’t configure this policy setting, the default setting for the user’s device will be used, and the user can choose to change it. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -807,28 +820,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -845,7 +864,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Displays Start menu shortcuts to partially installed programs in gray text. +Displays Start menu shortcuts to partially installed programs in gray text. This setting makes it easier for users to distinguish between programs that are fully installed and those that are only partially installed. @@ -857,12 +876,7 @@ If you disable this setting or do not configure it, all Start menu shortcuts app > Enabling this setting can make the Start menu slow to open. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -881,28 +895,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -919,19 +939,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from performing the following commands from the Windows security screen, the logon screen, and the Start menu: Shut Down, Restart, Sleep, and Hibernate. This policy setting does not prevent users from running Windows-based programs that perform these functions. +This policy setting prevents users from performing the following commands from the Windows security screen, the logon screen, and the Start menu: Shut Down, Restart, Sleep, and Hibernate. This policy setting does not prevent users from running Windows-based programs that perform these functions. If you enable this policy setting, the shutdown, restart, sleep, and hibernate commands are removed from the Start menu. The Power button is also removed from the Windows Security screen, which appears when you press CTRL+ALT+DELETE, and from the logon screen. If you disable or do not configure this policy setting, the Power button and the Shut Down, Restart, Sleep, and Hibernate commands are available on the Start menu. The Power button on the Windows Security and logon screens is also available. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -950,28 +965,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -988,7 +1009,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Disables personalized menus. +Disables personalized menus. Windows personalizes long menus by moving recently used items to the top of the menu and hiding items that have not been used recently. Users can display the hidden items by clicking an arrow to extend the menu. @@ -1000,12 +1021,7 @@ If you enable this setting, the system does not personalize menus. All menu item To Turn off personalized menus without specifying a setting, click Start, click Settings, click Taskbar and Start Menu, and then, on the General tab, clear the "Use Personalized Menus" option. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1024,28 +1040,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1062,7 +1084,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This setting affects the taskbar, which is used to switch between running applications. +This setting affects the taskbar, which is used to switch between running applications. The taskbar includes the Start button, list of currently running tasks, and the notification area. By default, the taskbar is located at the bottom of the screen, but it can be dragged to any side of the screen. When it is locked, it cannot be moved or resized. @@ -1074,12 +1096,7 @@ If you disable this setting or do not configure it, the user can configure the t > Enabling this setting also locks the QuickLaunch bar and any other toolbars that the user has on their taskbar. The toolbar's position is locked, and the user cannot show and hide various toolbars using the taskbar context menu. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1098,28 +1115,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1136,19 +1159,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting lets users run a 16-bit program in a dedicated (not shared) Virtual DOS Machine (VDM) process. +This policy setting lets users run a 16-bit program in a dedicated (not shared) Virtual DOS Machine (VDM) process. All DOS and 16-bit programs run on Windows 2000 Professional and Windows XP Professional in the Windows Virtual DOS Machine program. VDM simulates a 16-bit environment, complete with the DLLs required by 16-bit programs. By default, all 16-bit programs run as threads in a single, shared VDM process. As such, they share the memory space allocated to the VDM process and cannot run simultaneously. Enabling this setting adds a check box to the Run dialog box, giving users the option of running a 16-bit program in its own dedicated NTVDM process. The additional check box is enabled only when a user enters a 16-bit program in the Run dialog box. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1167,28 +1185,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1205,7 +1229,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This setting affects the notification area, also called the "system tray." +This setting affects the notification area, also called the "system tray." The notification area is located in the task bar, generally at the bottom of the screen, and it includes the clock and current notifications. This setting determines whether the items are always expanded or always collapsed. By default, notifications are collapsed. The notification cleanup << icon can be referred to as the "notification chevron." @@ -1216,12 +1240,7 @@ If you disable this setting, the system notification area will always collapse n If you do not configure it, the user can choose if they want notifications collapsed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1240,28 +1259,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1278,7 +1303,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Hides pop-up text on the Start menu and in the notification area. +Hides pop-up text on the Start menu and in the notification area. When you hold the cursor over an item on the Start menu or in the notification area, the system displays pop-up text providing additional information about the object. @@ -1287,12 +1312,7 @@ If you enable this setting, some of this pop-up text is not displayed. The pop-u If you disable this setting or do not configure it, all pop-up text is displayed on the Start menu and in the notification area. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1311,28 +1331,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1349,19 +1375,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent users from changing their Start screen layout. +This policy setting allows you to prevent users from changing their Start screen layout. If you enable this setting, you will prevent a user from selecting an app, resizing a tile, pinning/unpinning a tile or a secondary tile, entering the customize mode and rearranging tiles within Start and Apps. If you disable or do not configure this setting, you will allow a user to select an app, resize a tile, pin/unpin a tile or a secondary tile, enter the customize mode and rearrange tiles within Start and Apps. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1380,28 +1401,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1418,7 +1445,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from performing the following commands from the Start menu or Windows Security screen: Shut Down, Restart, Sleep, and Hibernate. This policy setting does not prevent users from running Windows-based programs that perform these functions. +This policy setting prevents users from performing the following commands from the Start menu or Windows Security screen: Shut Down, Restart, Sleep, and Hibernate. This policy setting does not prevent users from running Windows-based programs that perform these functions. If you enable this policy setting, the Power button and the Shut Down, Restart, Sleep, and Hibernate commands are removed from the Start menu. The Power button is also removed from the Windows Security screen, which appears when you press CTRL+ALT+DELETE. @@ -1428,12 +1455,7 @@ If you disable or do not configure this policy setting, the Power button and the > Third-party programs certified as compatible with Microsoft Windows Vista, Windows XP SP2, Windows XP SP1, Windows XP, or Windows 2000 Professional are required to support this policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1452,28 +1474,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1490,19 +1518,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Removes items in the All Users profile from the Programs menu on the Start menu. +Removes items in the All Users profile from the Programs menu on the Start menu. By default, the Programs menu contains items from the All Users profile and items from the user's profile. If you enable this setting, only items in the user's profile appear in the Programs menu. To see the Program menu items in the All Users profile, on the system drive, go to ProgramData\Microsoft\Windows\Start Menu\Programs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1521,28 +1544,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1559,7 +1588,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents users from adding the Favorites menu to the Start menu or classic Start menu. +Prevents users from adding the Favorites menu to the Start menu or classic Start menu. If you enable this setting, the Display Favorites item does not appear in the Advanced Start menu options box. @@ -1573,12 +1602,7 @@ If you disable or do not configure this setting, the Display Favorite item is av > This setting only affects the Start menu. The Favorites item still appears in File Explorer and in Internet Explorer. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1597,28 +1621,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1635,11 +1665,12 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove the Search link from the Start menu, and disables some File Explorer search elements. Note that this does not remove the search box from the new style Start menu. +This policy setting allows you to remove the Search link from the Start menu, and disables some File Explorer search elements. Note that this does not remove the search box from the new style Start menu. If you enable this policy setting, the Search item is removed from the Start menu and from the context menu that appears when you right-click the Start menu. Also, the system does not respond when users press the Application key (the key with the Windows logo)+ F. -Note: Enabling this policy setting also prevents the user from using the F3 key. +> [!NOTE] +> Enabling this policy setting also prevents the user from using the F3 key. In File Explorer, the Search item still appears on the Standard buttons toolbar, but the system does not respond when the user presses Ctrl+F. Also, Search does not appear in the context menu when you right-click an icon representing a drive or a folder. @@ -1648,12 +1679,7 @@ This policy setting affects the specified user interface elements only. It does If you disable or do not configure this policy setting, the Search link is available from the Start menu. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1672,28 +1698,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1710,17 +1742,12 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. If you enable this policy the start menu will not show a link to the Games folder. +If you enable this policy the start menu will not show a link to the Games folder. If you disable or do not configure this policy, the start menu will show a link to the Games folder, unless the user chooses to remove it in the start menu control panel. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1739,28 +1766,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1777,7 +1810,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove the Help command from the Start menu. +This policy setting allows you to remove the Help command from the Start menu. If you enable this policy setting, the Help command is removed from the Start menu. @@ -1786,12 +1819,7 @@ If you disable or do not configure this policy setting, the Help command is avai This policy setting only affects the Start menu. It does not remove the Help menu from File Explorer and does not prevent users from running Help. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1810,28 +1838,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1848,23 +1882,18 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off user tracking. +This policy setting allows you to turn off user tracking. If you enable this policy setting, the system does not track the programs that the user runs, and does not display frequently used programs in the Start Menu. If you disable or do not configure this policy setting, the system tracks the programs that the user runs. The system uses this information to customize Windows features, such as showing frequently used programs in the Start Menu. -Also, see these related policy settings: "Remove frequent programs liist from the Start Menu" and "Turn off personalized menus". +Also, see these related policy settings: "Remove frequent programs list from the Start Menu" and "Turn off personalized menus". This policy setting does not prevent users from pinning programs to the Start Menu or Taskbar. See the "Remove pinned programs list from the Start Menu" and "Do not allow pinning programs to the Taskbar" policy settings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1883,28 +1912,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1922,7 +1957,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. If you enable this setting, the Start Menu will either collapse or remove the all apps list from the Start menu. +If you enable this setting, the Start Menu will either collapse or remove the all apps list from the Start menu. Selecting "Collapse" will not display the app list next to the pinned tiles in Start. An "All apps" button will be displayed on Start to open the all apps list. This is equivalent to setting the "Show app list in Start" in Settings to Off. @@ -1933,12 +1968,7 @@ Selecting "Remove and disable setting" will remove the all apps list from Start If you disable or do not configure this setting, the all apps list will be visible by default, and the user can change "Show app list in Start" in Settings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1957,28 +1987,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1995,7 +2031,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove Network Connections from the Start Menu. +This policy setting allows you to remove Network Connections from the Start Menu. If you enable this policy setting, users are prevented from running Network Connections. @@ -2008,12 +2044,7 @@ If you disable or do not configure this policy setting, Network Connections is a Also, see the "Disable programs on Settings menu" and "Disable Control Panel" policy settings and the policy settings in the Network Connections folder (Computer Configuration and User Configuration\Administrative Templates\Network\Network Connections). -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2032,28 +2063,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2070,19 +2107,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. If you enable this setting, the "Pinned Programs" list is removed from the Start menu. Users cannot pin programs to the Start menu. +If you enable this setting, the "Pinned Programs" list is removed from the Start menu. Users cannot pin programs to the Start menu. In Windows XP and Windows Vista, the Internet and email checkboxes are removed from the 'Customize Start Menu' dialog. If you disable this setting or do not configure it, the "Pinned Programs" list remains on the Start menu. Users can pin and unpin programs in the Start Menu. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2101,28 +2133,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2139,7 +2177,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Removes the Recent Items menu from the Start menu. Removes the Documents menu from the classic Start menu. +Removes the Recent Items menu from the Start menu. Removes the Documents menu from the classic Start menu. The Recent Items menu contains links to the non-program files that users have most recently opened. It appears so that users can easily reopen their documents. @@ -2157,12 +2195,7 @@ If the setting is not configured, users can turn the Recent Items menu on and of This setting also does not hide document shortcuts displayed in the Open dialog box. See the "Hide the dropdown list of recent files" setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2181,28 +2214,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2219,7 +2258,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents the system from conducting a comprehensive search of the target drive to resolve a shortcut. +This policy setting prevents the system from conducting a comprehensive search of the target drive to resolve a shortcut. If you enable this policy setting, the system does not conduct the final drive search. It just displays a message explaining that the file is not found. @@ -2231,12 +2270,7 @@ If you disable or do not configure this policy setting, by default, when the sys Also, see the "Do not track Shell shortcuts during roaming" and the "Do not use the tracking-based method when resolving shell shortcuts" policy settings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2255,28 +2289,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2293,7 +2333,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents the system from using NTFS tracking features to resolve a shortcut. +This policy setting prevents the system from using NTFS tracking features to resolve a shortcut. If you enable this policy setting, the system does not try to locate the file by using its file ID. It skips this step and begins a comprehensive search of the drive specified in the target path. @@ -2304,12 +2344,7 @@ If you disable or do not configure this policy setting, by default, when the sys Also, see the "Do not track Shell shortcuts during roaming" and the "Do not use the search-based method when resolving shell shortcuts" policy settings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2328,28 +2363,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2366,7 +2407,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Allows you to remove the Run command from the Start menu, Internet Explorer, and Task Manager. +Allows you to remove the Run command from the Start menu, Internet Explorer, and Task Manager. If you enable this setting, the following changes occur: @@ -2392,12 +2433,7 @@ If you disable or do not configure this setting, users will be able to access th > It is a requirement for third-party applications with Windows 2000 or later certification to adhere to this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2416,28 +2452,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2454,7 +2496,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove the Default Programs link from the Start menu. +This policy setting allows you to remove the Default Programs link from the Start menu. If you enable this policy setting, the Default Programs link is removed from the Start menu. @@ -2466,12 +2508,7 @@ If you disable or do not configure this policy setting, the Default Programs lin > This policy setting does not prevent the Set Default Programs for This Computer option from appearing in the Default Programs control panel. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2490,28 +2527,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2528,7 +2571,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove the Documents icon from the Start menu and its submenus. +This policy setting allows you to remove the Documents icon from the Start menu and its submenus. If you enable this policy setting, the Documents icon is removed from the Start menu and its submenus. Enabling this policy setting only removes the icon. It does not prevent the user from using other methods to gain access to the contents of the Documents folder. @@ -2540,12 +2583,7 @@ If you disable or do not configure this policy setting, he Documents icon is ava Also, see the "Remove Documents icon on the desktop" policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2564,28 +2602,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2602,19 +2646,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove the Music icon from Start Menu. +This policy setting allows you to remove the Music icon from Start Menu. If you enable this policy setting, the Music icon is no longer available from Start Menu. If you disable or do not configure this policy setting, the Music icon is available from Start Menu. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2633,28 +2672,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2671,19 +2716,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build.This policy setting allows you to remove the Network icon from Start Menu. +This policy setting allows you to remove the Network icon from Start Menu. If you enable this policy setting, the Network icon is no longer available from Start Menu. If you disable or do not configure this policy setting, the Network icon is available from Start Menu. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2702,28 +2742,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2740,19 +2786,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove the Pictures icon from Start Menu. +This policy setting allows you to remove the Pictures icon from Start Menu. If you enable this policy setting, the Pictures icon is no longer available from Start Menu. If you disable or do not configure this policy setting, the Pictures icon is available from Start Menu. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2771,28 +2812,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2809,17 +2856,12 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. If you enable this policy the start menu search box will not search for communications. +If you enable this policy the start menu search box will not search for communications. If you disable or do not configure this policy, the start menu will search for communications, unless the user chooses not to in the start menu control panel. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2838,28 +2880,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2876,17 +2924,12 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. If you enable this policy, the "See all results" link will not be shown when the user performs a search in the start menu search box. +If you enable this policy, the "See all results" link will not be shown when the user performs a search in the start menu search box. If you disable or do not configure this policy, the "See all results" link will be shown when the user performs a search in the start menu search box. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2905,28 +2948,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2943,17 +2992,12 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. If you enable this policy, a "See more results" / "Search Everywhere" link will not be shown when the user performs a search in the start menu search box. +If you enable this policy, a "See more results" / "Search Everywhere" link will not be shown when the user performs a search in the start menu search box. If you disable or do not configure this policy, a "See more results" link will be shown when the user performs a search in the start menu search box. If a 3rd party protocol handler is installed, a "Search Everywhere" link will be shown instead of the "See more results" link. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2972,28 +3016,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -3010,17 +3060,12 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. If you enable this policy setting the Start menu search box will not search for files. +If you enable this policy setting the Start menu search box will not search for files. If you disable or do not configure this policy setting, the Start menu will search for files, unless the user chooses not to do so directly in Control Panel. If you enable this policy, a "See more results" / "Search Everywhere" link will not be shown when the user performs a search in the start menu search box. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3039,28 +3084,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -3077,17 +3128,12 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. If you enable this policy the start menu search box will not search for internet history or favorites. +If you enable this policy the start menu search box will not search for internet history or favorites. If you disable or do not configure this policy, the start menu will search for for internet history or favorites, unless the user chooses not to in the start menu control panel. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3106,28 +3152,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -3144,17 +3196,12 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. If you enable this policy setting the Start menu search box will not search for programs or Control Panel items. +If you enable this policy setting the Start menu search box will not search for programs or Control Panel items. If you disable or do not configure this policy setting, the Start menu search box will search for programs and Control Panel items, unless the user chooses not to do so directly in Control Panel. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3173,28 +3220,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -3211,7 +3264,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove programs on Settings menu. +This policy setting allows you to remove programs on Settings menu. If you enable this policy setting, the Control Panel, Printers, and Network and Connection folders are removed from Settings on the Start menu, and from Computer and File Explorer. It also prevents the programs represented by these folders (such as Control.exe) from running. @@ -3222,12 +3275,7 @@ If you disable or do not configure this policy setting, the Control Panel, Print Also, see the "Disable Control Panel," "Disable Display in Control Panel," and "Remove Network Connections from Start Menu" policy settings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3246,28 +3294,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -3284,7 +3338,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent changes to Taskbar and Start Menu Settings. +This policy setting allows you to prevent changes to Taskbar and Start Menu Settings. If you enable this policy setting, The user will be prevented from opening the Taskbar Properties dialog box. @@ -3293,12 +3347,7 @@ If the user right-clicks the taskbar and then clicks Properties, a message appea If you disable or do not configure this policy setting, the Taskbar and Start Menu items are available from Settings on the Start menu. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3317,28 +3366,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -3355,19 +3410,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove the Downloads link from the Start Menu. +This policy setting allows you to remove the Downloads link from the Start Menu. If you enable this policy setting, the Start Menu does not show a link to the Downloads folder. If you disable or do not configure this policy setting, the Downloads link is available from the Start Menu. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3386,28 +3436,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -3424,17 +3480,12 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. If you enable this policy the Start menu will not show a link to Homegroup. It also removes the homegroup item from the Start Menu options. As a result, users cannot add the homegroup link to the Start Menu. +If you enable this policy the Start menu will not show a link to Homegroup. It also removes the homegroup item from the Start Menu options. As a result, users cannot add the homegroup link to the Start Menu. If you disable or do not configure this policy, users can use the Start Menu options to add or remove the homegroup link from the Start Menu. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3453,28 +3504,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -3491,19 +3548,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove the Recorded TV link from the Start Menu. +This policy setting allows you to remove the Recorded TV link from the Start Menu. If you enable this policy setting, the Start Menu does not show a link to the Recorded TV library. If you disable or do not configure this policy setting, the Recorded TV link is available from the Start Menu. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3522,28 +3574,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -3560,7 +3618,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Hides all folders on the user-specific (top) section of the Start menu. Other items appear, but folders are hidden. +Hides all folders on the user-specific (top) section of the Start menu. Other items appear, but folders are hidden. This setting is designed for use with redirected folders. Redirected folders appear on the main (bottom) section of the Start menu. However, the original, user-specific version of the folder still appears on the top section of the Start menu. Because the appearance of two folders with the same name might confuse users, you can use this setting to hide user-specific folders. @@ -3571,12 +3629,7 @@ If you enable this setting, no folders appear on the top section of the Start me If you disable this setting or do not configured it, Windows 2000 Professional and Windows XP Professional display folders on both sections of the Start menu. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3595,28 +3648,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -3633,19 +3692,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove the Videos link from the Start Menu. +This policy setting allows you to remove the Videos link from the Start Menu. If you enable this policy setting, the Start Menu does not show a link to the Videos library. If you disable or do not configure this policy setting, the Videos link is available from the Start Menu. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3664,28 +3718,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -3702,23 +3762,18 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This setting affects the presentation of the Start menu. +This setting affects the presentation of the Start menu. -The classic Start menu in Windows 2000 Professional allows users to begin common tasks, while the new Start menu consolidates common items onto one menu. When the classic Start menu is used, the following icons are placed on the desktop: Documents, Pictures, Music, Computer, and Network. The new Start menu starts them directly. +The classic Start menu in Windows allows users to begin common tasks, while the new Start menu consolidates common items onto one menu. When the classic Start menu is used, the following icons are placed on the desktop: Documents, Pictures, Music, Computer, and Network. The new Start menu starts them directly. -If you enable this setting, the Start menu displays the classic Start menu in the Windows 2000 style and displays the standard desktop icons. +If you enable this setting, the Start menu displays the classic Start menu and displays the standard desktop icons. If you disable this setting, the Start menu only displays in the new style, meaning the desktop icons are now on the Start page. If you do not configure this setting, the default is the new style, and the user can change the view. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3737,28 +3792,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -3775,19 +3836,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents the clock in the system notification area from being displayed. +Prevents the clock in the system notification area from being displayed. If you enable this setting, the clock will not be displayed in the system notification area. If you disable or do not configure this setting, the default behavior of the clock appearing in the notification area will occur. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3806,28 +3862,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -3844,7 +3906,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This setting affects the taskbar buttons used to switch between running programs. +This setting affects the taskbar buttons used to switch between running programs. Taskbar grouping consolidates similar applications when there is no room on the taskbar. It kicks in when the user's taskbar is full. @@ -3853,12 +3915,7 @@ If you enable this setting, it prevents the taskbar from grouping items that sha If you disable or do not configure it, items on the taskbar that share the same program are grouped together. The users have the option to disable grouping if they choose. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3877,28 +3934,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -3915,7 +3978,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This setting affects the taskbar. +This setting affects the taskbar. The taskbar includes the Start button, buttons for currently running tasks, custom toolbars, the notification area, and the system clock. Toolbars include Quick Launch, Address, Links, Desktop, and other custom toolbars created by the user or by an application. @@ -3924,12 +3987,7 @@ If this setting is enabled, the taskbar does not display any custom toolbars, an If this setting is disabled or is not configured, the taskbar displays all toolbars. Users can add or remove custom toolbars, and the "Toolbars" command appears in the context menu. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3948,28 +4006,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -3986,7 +4050,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove access to the context menus for the taskbar. +This policy setting allows you to remove access to the context menus for the taskbar. If you enable this policy setting, the menus that appear when you right-click the taskbar and items on the taskbar are hidden, such as the Start button, the clock, and the taskbar buttons. @@ -3995,12 +4059,7 @@ If you disable or do not configure this policy setting, the context menus for th This policy setting does not prevent users from using other methods to issue the commands that appear on these menus. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4019,28 +4078,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -4057,7 +4122,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This setting affects the notification area (previously called the "system tray") on the taskbar. +This setting affects the notification area (previously called the "system tray") on the taskbar. The notification area is located at the far right end of the task bar and includes the icons for current notifications and the system clock. @@ -4069,12 +4134,7 @@ If this setting is disabled or is not configured, the notification area is shown > Enabling this setting overrides the "Turn off notification area cleanup" setting, because if the notification area is hidden, there is no need to clean up the icons. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4093,28 +4153,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -4131,17 +4197,12 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. If you enable this setting, users cannot uninstall apps from Start. +If you enable this setting, users cannot uninstall apps from Start. If you disable this setting or do not configure it, users can access the uninstall command from Start. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4160,28 +4221,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -4198,17 +4265,12 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. If you enable this policy the start menu will not show a link to the user's storage folder. +If you enable this policy the start menu will not show a link to the user's storage folder. If you disable or do not configure this policy, the start menu will display a link, unless the user chooses to remove it in the start menu control panel. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4227,28 +4289,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -4265,21 +4333,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove the user name label from the Start Menu in Windows XP and Windows Server 2003. +This policy setting allows you to remove the user name label from the Start Menu. -If you enable this policy setting, the user name label is removed from the Start Menu in Windows XP and Windows Server 2003. +If you enable this policy setting, the user name label is removed from the Start Menu. -To remove the user name folder on Windows Vista, set the "Remove user folder link from Start Menu" policy setting. - -If you disable or do not configure this policy setting, the user name label appears on the Start Menu in Windows XP and Windows Server 2003. +If you disable or do not configure this policy setting, the user name label appears on the Start Menu. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4298,28 +4359,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -4336,7 +4403,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove links and access to Windows Update. +This policy setting allows you to remove links and access to Windows Update. If you enable this policy setting, users are prevented from connecting to the Windows Update Web site. @@ -4349,12 +4416,7 @@ If you disable or do not configure this policy setting, the Windows Update hyper Also, see the "Hide the "Add programs from Microsoft" option" policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4373,28 +4435,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -4411,7 +4479,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Set the default action of the power button on the Start menu. +Set the default action of the power button on the Start menu. If you enable this setting, the Start Menu will set the power button to the chosen action, and not let the user change this action. @@ -4420,12 +4488,7 @@ If you set the button to either Sleep or Hibernate, and that state is not suppor If you disable or do not configure this setting, the Start Menu power button will be set to Shut Down by default, and the user can change this setting to another action. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4444,28 +4507,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -4482,7 +4551,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether the QuickLaunch bar is displayed in the Taskbar. +This policy setting controls whether the QuickLaunch bar is displayed in the Taskbar. If you enable this policy setting, the QuickLaunch bar will be visible and cannot be turned off. @@ -4491,12 +4560,7 @@ If you disable this policy setting, the QuickLaunch bar will be hidden and canno If you do not configure this policy setting, then users will be able to turn the QuickLaunch bar on and off. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4515,28 +4579,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -4553,17 +4623,12 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. If you enable this setting, the "Undock PC" button is removed from the simple Start Menu, and your PC cannot be undocked. +If you enable this setting, the "Undock PC" button is removed from the simple Start Menu, and your PC cannot be undocked. If you disable this setting or do not configure it, the "Undock PC" button remains on the simple Start menu, and your PC can be undocked. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4582,28 +4647,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -4620,19 +4691,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows the Apps view to be opened by default when the user goes to Start. +This policy setting allows the Apps view to be opened by default when the user goes to Start. If you enable this policy setting, the Apps view will appear whenever the user goes to Start. Users will still be able to switch between the Apps view and the Start screen. If you disable or don’t configure this policy setting, the Start screen will appear by default whenever the user goes to Start, and the user will be able to switch between the Apps view and the Start screen. Also, the user will be able to configure this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4651,28 +4717,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -4689,7 +4761,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting shows or hides the "Run as different user" command on the Start application bar. +This policy setting shows or hides the "Run as different user" command on the Start application bar. If you enable this setting, users can access the "Run as different user" command from Start for applications which support this functionality. @@ -4699,12 +4771,7 @@ If you disable this setting or do not configure it, users cannot access the "Run > This setting does not prevent users from using other methods, such as the shift right-click menu on application's jumplists in the taskbar to issue the "Run as different user" command. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4723,28 +4790,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -4761,19 +4834,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. If you enable this setting, the Run command is added to the Start menu. +If you enable this setting, the Run command is added to the Start menu. If you disable or do not configure this setting, the Run command is not visible on the Start menu by default, but it can be added from the Taskbar and Start menu properties. If the Remove Run link from Start Menu policy is set, the Add the Run command to the Start menu policy has no effect. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4792,28 +4860,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -4830,19 +4904,10 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows the Start screen to appear on the display the user is using when they press the Windows logo key. This setting only applies to users who are using multiple displays. -If you enable this policy setting, the Start screen will appear on the display the user is using when they press the Windows logo key. - -If you disable or don't configure this policy setting, the Start screen will always appear on the main display when the user presses the Windows logo key. Users will still be able to open Start on other displays by pressing the Start button on that display. Also, the user will be able to configure this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4861,28 +4926,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -4899,7 +4970,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to removes the "Log Off ``" item from the Start menu and prevents users from restoring it. +This policy setting allows you to removes the "Log Off ``" item from the Start menu and prevents users from restoring it. If you enable this policy setting, the Log Off `` item does not appear in the Start menu. This policy setting also removes the Display Logoff item from Start Menu Options. As a result, users cannot restore the Log Off `` item to the Start Menu. @@ -4907,17 +4978,13 @@ If you disable or do not configure this policy setting, users can use the Displa This policy setting affects the Start menu only. It does not affect the Log Off item on the Windows Security dialog box that appears when you press Ctrl+Alt+Del, and it does not prevent users from using other methods to log off. -Tip: To add or remove the Log Off item on a computer, click Start, click Settings, click Taskbar and Start Menu, click the Start Menu Options tab and, in the Start Menu Settings box, click Display Logoff. +> [!TIP] +> To add or remove the Log Off item on a computer, click Start, click Settings, click Taskbar and Start Menu, click the Start Menu Options tab and, in the Start Menu Settings box, click Display Logoff. See also: "Remove Logoff" policy setting in User Configuration\Administrative Templates\System\Logon/Logoff. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4936,28 +5003,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -4975,15 +5048,10 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows pinning apps to Start by default, when they are included by AppID on the list. +This policy setting allows pinning apps to Start by default, when they are included by AppID on the list. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4996,7 +5064,6 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. - \ No newline at end of file + + diff --git a/windows/client-management/mdm/policy-csp-admx-systemrestore.md b/windows/client-management/mdm/policy-csp-admx-systemrestore.md index 00d40074f3..e15430f48b 100644 --- a/windows/client-management/mdm/policy-csp-admx-systemrestore.md +++ b/windows/client-management/mdm/policy-csp-admx-systemrestore.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_SystemRestore -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +> [!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -36,28 +40,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -74,7 +84,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. Allows you to disable System Restore configuration through System Protection. +Allows you to disable System Restore configuration through System Protection. This policy setting allows you to turn off System Restore configuration through System Protection. @@ -87,12 +97,7 @@ If you disable or do not configure this policy setting, users can change the Sys Also, see the "Turn off System Restore" policy setting. If the "Turn off System Restore" policy setting is enabled, the "Turn off System Restore configuration" policy setting is overwritten. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -105,8 +110,7 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-tabletshell.md b/windows/client-management/mdm/policy-csp-admx-tabletshell.md new file mode 100644 index 0000000000..53648b8f57 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-tabletshell.md @@ -0,0 +1,186 @@ +--- +title: Policy CSP - ADMX_TabletShell +description: Policy CSP - ADMX_TabletShell +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 09/23/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_TabletShell + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + +
      + + +## ADMX_TabletShell policies + +
      +
      + ADMX_TabletShell/DisableInkball_1 +
      +
      + ADMX_TabletShell/DisableNoteWriterPrinting_1 +
      +
      + + +
      + + +**ADMX_TabletShell/DisableInkball_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      EditionWindows 10Windows 11
      HomeNoNo
      ProNoNo
      BusinessNoNo
      EnterpriseYesYes
      EducationYesYes
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Prevents start of InkBall game. + +If you enable this policy, the InkBall game will not run. + +If you disable this policy, the InkBall game will run. If you do not configure this policy, the InkBall game will run. + + + + + +ADMX Info: +- GP Friendly name: *Do not allow Inkball to run* +- GP name: *DisableInkball_1* +- GP path: *Windows Components\Tablet PC\Accessories* +- GP ADMX file name: *TabletShell.admx* + + + + +
      + + +**ADMX_TabletShell/DisableNoteWriterPrinting_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      EditionWindows 10Windows 11
      HomeNoNo
      ProNoNo
      BusinessNoNo
      EnterpriseYesYes
      EducationYesYes
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + +Prevents printing to Journal Note Writer. + +If you enable this policy, the Journal Note Writer printer driver will not allow printing to it. It will remain displayed in the list of available printers, but attempts to print to it will fail. + +If you disable this policy, you will be able to use this feature to print to a Journal Note. If you do not configure this policy, users will be able to use this feature to print to a Journal Note. + + + + + + +ADMX Info: +- GP Friendly name: *Do not allow printing to Journal Note Writer* +- GP name: *DisableNoteWriterPrinting_1* +- GP path: *Windows Components\Tablet PC\Accessories* +- GP ADMX file name: *TabletShell.admx* + + + +
      + + + + + diff --git a/windows/client-management/mdm/policy-csp-admx-taskbar.md b/windows/client-management/mdm/policy-csp-admx-taskbar.md index 77fdd56a9d..ae6556aadf 100644 --- a/windows/client-management/mdm/policy-csp-admx-taskbar.md +++ b/windows/client-management/mdm/policy-csp-admx-taskbar.md @@ -13,11 +13,16 @@ manager: dansimp --- # Policy CSP - ADMX_Taskbar -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
      +> [!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ## ADMX_Taskbar policies @@ -99,28 +104,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -137,7 +148,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting removes Notifications and Action Center from the notification area on the taskbar. +This policy setting removes Notifications and Action Center from the notification area on the taskbar. The notification area is located at the far right end of the taskbar and includes icons for current notifications and the system clock. @@ -148,12 +159,6 @@ If you disable or do not configure this policy setting, Notification and Securit A reboot is required for this policy setting to take effect. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -172,28 +177,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -210,7 +221,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy disables the functionality that converts balloons to toast notifications. +This policy disables the functionality that converts balloons to toast notifications. If you enable this policy setting, system and application notifications will render as balloons instead of toast notifications. @@ -221,12 +232,6 @@ If you disable or don’t configure this policy setting, all notifications will A reboot is required for this policy setting to take effect. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -245,28 +250,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -283,19 +294,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove Security and Maintenance from the system control area. +This policy setting allows you to remove Security and Maintenance from the system control area. If you enable this policy setting, the Security and Maintenance icon is not displayed in the system notification area. If you disable or do not configure this policy setting, the Security and Maintenance icon is displayed in the system notification area. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -314,28 +319,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -352,19 +363,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove the networking icon from the system control area. +This policy setting allows you to remove the networking icon from the system control area. If you enable this policy setting, the networking icon is not displayed in the system notification area. If you disable or do not configure this policy setting, the networking icon is displayed in the system notification area. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -383,28 +388,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -421,19 +432,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove the battery meter from the system control area. +This policy setting allows you to remove the battery meter from the system control area. If you enable this policy setting, the battery meter is not displayed in the system notification area. If you disable or do not configure this policy setting, the battery meter is displayed in the system notification area. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -452,28 +457,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -490,19 +501,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove the volume control icon from the system control area. +This policy setting allows you to remove the volume control icon from the system control area. If you enable this policy setting, the volume control icon is not displayed in the system notification area. If you disable or do not configure this policy setting, the volume control icon is displayed in the system notification area. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -521,28 +526,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -559,19 +570,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off feature advertisement balloon notifications. +This policy setting allows you to turn off feature advertisement balloon notifications. If you enable this policy setting, certain notification balloons that are marked as feature advertisements are not shown. If you disable do not configure this policy setting, feature advertisement balloons are shown. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -590,28 +595,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -628,19 +639,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control pinning the Store app to the Taskbar. +This policy setting allows you to control pinning the Store app to the Taskbar. If you enable this policy setting, users cannot pin the Store app to the Taskbar. If the Store app is already pinned to the Taskbar, it will be removed from the Taskbar on next login. If you disable or do not configure this policy setting, users can pin the Store app to the Taskbar. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -659,28 +664,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -697,19 +708,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control pinning items in Jump Lists. +This policy setting allows you to control pinning items in Jump Lists. If you enable this policy setting, users cannot pin files, folders, websites, or other items to their Jump Lists in the Start Menu and Taskbar. Users also cannot unpin existing items pinned to their Jump Lists. Existing items already pinned to their Jump Lists will continue to show. If you disable or do not configure this policy setting, users can pin files, folders, websites, and other items to a program's Jump List so that the items is always present in this menu. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -728,28 +733,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -766,19 +777,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control pinning programs to the Taskbar. +This policy setting allows you to control pinning programs to the Taskbar. If you enable this policy setting, users cannot change the programs currently pinned to the Taskbar. If any programs are already pinned to the Taskbar, these programs continue to show in the Taskbar. However, users cannot unpin these programs already pinned to the Taskbar, and they cannot pin new programs to the Taskbar. If you disable or do not configure this policy setting, users can change the programs currently pinned to the Taskbar. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -789,7 +794,6 @@ ADMX Info: -
      @@ -799,28 +803,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -837,7 +847,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control displaying or tracking items in Jump Lists from remote locations. +This policy setting allows you to control displaying or tracking items in Jump Lists from remote locations. The Start Menu and Taskbar display Jump Lists off of programs. These menus include files, folders, websites and other relevant items for that program. This helps users more easily reopen their most important documents and other tasks. @@ -847,12 +857,6 @@ If you disable or do not configure this policy setting, all files that the user -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -863,7 +867,6 @@ ADMX Info: -
      @@ -873,28 +876,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -911,19 +920,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off automatic promotion of notification icons to the taskbar. +This policy setting allows you to turn off automatic promotion of notification icons to the taskbar. If you enable this policy setting, newly added notification icons are not temporarily promoted to the Taskbar. Users can still configure icons to be shown or hidden in the Notification Control Panel. If you disable or do not configure this policy setting, newly added notification icons are temporarily promoted to the Taskbar. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -934,7 +937,6 @@ ADMX Info: -
      @@ -944,28 +946,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -982,7 +990,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows users to see Windows Store apps on the taskbar. +This policy setting allows users to see Windows Store apps on the taskbar. If you enable this policy setting, users will see Windows Store apps on the taskbar. @@ -991,12 +999,6 @@ If you disable this policy setting, users won’t see Windows Store apps on the If you don’t configure this policy setting, the default setting for the user’s device will be used, and the user can choose to change it. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1017,28 +1019,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1055,19 +1063,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to lock all taskbar settings. +This policy setting allows you to lock all taskbar settings. If you enable this policy setting, the user cannot access the taskbar control panel. The user is also unable to resize, move or rearrange toolbars on their taskbar. If you disable or do not configure this policy setting, the user will be able to set any taskbar setting that is not prevented by another policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1088,28 +1090,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1126,20 +1134,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent users from adding or removing toolbars. +This policy setting allows you to prevent users from adding or removing toolbars. If you enable this policy setting, the user is not allowed to add or remove any toolbars to the taskbar. Applications are not able to add toolbars either. If you disable or do not configure this policy setting, the users and applications are able to add toolbars to the taskbar. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - ADMX Info: - GP Friendly name: *Prevent users from adding or removing toolbars* @@ -1149,7 +1150,7 @@ ADMX Info: -
      +>
      @@ -1159,28 +1160,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1197,20 +1204,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent users from rearranging toolbars. +This policy setting allows you to prevent users from rearranging toolbars. If you enable this policy setting, users are not able to drag or drop toolbars to the taskbar. If you disable or do not configure this policy setting, users are able to rearrange the toolbars on the taskbar. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - ADMX Info: - GP Friendly name: *Prevent users from rearranging toolbars* @@ -1220,7 +1220,6 @@ ADMX Info: -
      @@ -1230,28 +1229,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1268,19 +1273,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent taskbars from being displayed on more than one monitor. +This policy setting allows you to prevent taskbars from being displayed on more than one monitor. If you enable this policy setting, users are not able to show taskbars on more than one display. The multiple display section is not enabled in the taskbar properties dialog. If you disable or do not configure this policy setting, users can show taskbars on more than one display. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1301,28 +1300,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1339,19 +1344,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off all notification balloons. +This policy setting allows you to turn off all notification balloons. If you enable this policy setting, no notification balloons are shown to the user. If you disable or do not configure this policy setting, notification balloons are shown to the user. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1364,36 +1363,40 @@ ADMX Info:
      -
      - **ADMX_Taskbar/TaskbarNoPinnedList** - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1410,19 +1413,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove pinned programs from the taskbar. +This policy setting allows you to remove pinned programs from the taskbar. If you enable this policy setting, pinned programs are prevented from being shown on the Taskbar. Users cannot pin programs to the Taskbar. If you disable or do not configure this policy setting, users can pin programs so that the program shortcuts stay on the Taskbar. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1433,7 +1430,6 @@ ADMX Info: -
      @@ -1443,28 +1439,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1481,19 +1483,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent users from moving taskbar to another screen dock location. +This policy setting allows you to prevent users from moving taskbar to another screen dock location. If you enable this policy setting, users are not able to drag their taskbar to another area of the monitor(s). If you disable or do not configure this policy setting, users are able to drag their taskbar to another area of the monitor unless prevented by another policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1506,7 +1503,6 @@ ADMX Info:
      -
      **ADMX_Taskbar/TaskbarNoResize** @@ -1514,28 +1510,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1552,19 +1554,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent users from resizing the taskbar. +This policy setting allows you to prevent users from resizing the taskbar. If you enable this policy setting, users are not be able to resize their taskbar. If you disable or do not configure this policy setting, users are able to resize their taskbar unless prevented by another setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1575,7 +1571,6 @@ ADMX Info: -
      @@ -1585,28 +1580,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1623,19 +1624,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off taskbar thumbnails. +This policy setting allows you to turn off taskbar thumbnails. If you enable this policy setting, the taskbar thumbnails are not displayed and the system uses standard text for the tooltips. If you disable or do not configure this policy setting, the taskbar thumbnails are displayed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1648,7 +1643,5 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. - +p diff --git a/windows/client-management/mdm/policy-csp-admx-tcpip.md b/windows/client-management/mdm/policy-csp-admx-tcpip.md index 716a9c9f64..ef4dcccadd 100644 --- a/windows/client-management/mdm/policy-csp-admx-tcpip.md +++ b/windows/client-management/mdm/policy-csp-admx-tcpip.md @@ -13,11 +13,16 @@ manager: dansimp --- # Policy CSP - ADMX_tcpip -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
      +> [!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ## ADMX_tcpip policies @@ -72,28 +77,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -110,19 +121,13 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify a 6to4 relay name for a 6to4 host. A 6to4 relay is used as a default gateway for IPv6 network traffic sent by the 6to4 host. The 6to4 relay name setting has no effect if 6to4 connectivity is not available on the host. +This policy setting allows you to specify a 6to4 relay name for a 6to4 host. A 6to4 relay is used as a default gateway for IPv6 network traffic sent by the 6to4 host. The 6to4 relay name setting has no effect if 6to4 connectivity is not available on the host. If you enable this policy setting, you can specify a relay name for a 6to4 host. If you disable or do not configure this policy setting, the local host setting is used, and you cannot specify a relay name for a 6to4 host. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -141,28 +146,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -179,19 +190,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the interval at which the relay name is resolved. The 6to4 relay name resolution interval setting has no effect if 6to4 connectivity is not available on the host. +This policy setting allows you to specify the interval at which the relay name is resolved. The 6to4 relay name resolution interval setting has no effect if 6to4 connectivity is not available on the host. If you enable this policy setting, you can specify the value for the duration at which the relay name is resolved periodically. If you disable or do not configure this policy setting, the local host setting is used. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -210,28 +215,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -248,7 +259,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure 6to4, an address assignment and router-to-router automatic tunneling technology that is used to provide unicast IPv6 connectivity between IPv6 sites and hosts across the IPv4 Internet. 6to4 uses the global address prefix: 2002:WWXX:YYZZ::/48 in which the letters are a hexadecimal representation of the global IPv4 address (w.x.y.z) assigned to a site. +This policy setting allows you to configure 6to4, an address assignment and router-to-router automatic tunneling technology that is used to provide unicast IPv6 connectivity between IPv6 sites and hosts across the IPv4 Internet. 6to4 uses the global address prefix: 2002:WWXX:YYZZ::/48 in which the letters are a hexadecimal representation of the global IPv4 address (w.x.y.z) assigned to a site. If you disable or do not configure this policy setting, the local host setting is used. @@ -261,12 +272,6 @@ Policy Enabled State: If a global IPv4 address is present, the host will have a Policy Disabled State: 6to4 is turned off and connectivity with 6to4 will not be available. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -285,28 +290,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -323,7 +334,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure IP-HTTPS, a tunneling technology that uses the HTTPS protocol to provide IP connectivity to a remote network. +This policy setting allows you to configure IP-HTTPS, a tunneling technology that uses the HTTPS protocol to provide IP connectivity to a remote network. If you disable or do not configure this policy setting, the local host settings are used. @@ -336,12 +347,6 @@ Policy Enabled State: The IP-HTTPS interface is always present, even if the host Policy Disabled State: No IP-HTTPS interfaces are present on the host. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -360,28 +365,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -398,19 +409,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure IP Stateless Autoconfiguration Limits. +This policy setting allows you to configure IP Stateless Autoconfiguration Limits. If you enable or do not configure this policy setting, IP Stateless Autoconfiguration Limits will be enabled and system will limit the number of autoconfigured addresses and routes. If you disable this policy setting, IP Stateless Autoconfiguration Limits will be disabled and system will not limit the number of autoconfigured addresses and routes. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -429,28 +434,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -467,19 +478,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify a router name or Internet Protocol version 4 (IPv4) address for an ISATAP router. +This policy setting allows you to specify a router name or Internet Protocol version 4 (IPv4) address for an ISATAP router. If you enable this policy setting, you can specify a router name or IPv4 address for an ISATAP router. If you enter an IPv4 address of the ISATAP router in the text box, DNS services are not required. If you disable or do not configure this policy setting, the local host setting is used. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -498,28 +503,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -536,7 +547,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure Intra-Site Automatic Tunnel Addressing Protocol (ISATAP), an address-to-router and host-to-host, host-to-router and router-to-host automatic tunneling technology that is used to provide unicast IPv6 connectivity between IPv6 hosts across an IPv4 intranet. +This policy setting allows you to configure Intra-Site Automatic Tunnel Addressing Protocol (ISATAP), an address-to-router and host-to-host, host-to-router and router-to-host automatic tunneling technology that is used to provide unicast IPv6 connectivity between IPv6 hosts across an IPv4 intranet. If you disable or do not configure this policy setting, the local host setting is used. @@ -549,12 +560,6 @@ Policy Enabled State: If the ISATAP name is resolved successfully, the host will Policy Disabled State: No ISATAP interfaces are present on the host. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -573,28 +578,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -611,19 +622,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to select the UDP port the Teredo client will use to send packets. If you leave the default of 0, the operating system will select a port (recommended). If you select a UDP port that is already in use by a system, the Teredo client will fail to initialize. +This policy setting allows you to select the UDP port the Teredo client will use to send packets. If you leave the default of 0, the operating system will select a port (recommended). If you select a UDP port that is already in use by a system, the Teredo client will fail to initialize. If you enable this policy setting, you can customize a UDP port for the Teredo client. If you disable or do not configure this policy setting, the local host setting is used. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -642,28 +647,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -680,7 +691,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to set Teredo to be ready to communicate, a process referred to as qualification. By default, Teredo enters a dormant state when not in use. The qualification process brings it out of a dormant state. +This policy setting allows you to set Teredo to be ready to communicate, a process referred to as qualification. By default, Teredo enters a dormant state when not in use. The qualification process brings it out of a dormant state. If you disable or do not configure this policy setting, the local host setting is used. @@ -689,12 +700,6 @@ This policy setting contains only one state: Policy Enabled State: If Default Qualified is enabled, Teredo will attempt qualification immediately and remain qualified if the qualification process succeeds. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -713,28 +718,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -751,7 +762,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the Teredo refresh rate. +This policy setting allows you to configure the Teredo refresh rate. > [!NOTE] > On a periodic basis (by default, every 30 seconds), Teredo clients send a single Router Solicitation packet to the Teredo server. The Teredo server sends a Router Advertisement Packet in response. This periodic packet refreshes the IP address and UDP port mapping in the translation table of the Teredo client's NAT device. @@ -761,12 +772,6 @@ If you enable this policy setting, you can specify the refresh rate. If you cho If you disable or do not configure this policy setting, the refresh rate is configured using the local settings on the computer. The default refresh rate is 30 seconds. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -785,28 +790,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -823,19 +834,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the name of the Teredo server. This server name will be used on the Teredo client computer where this policy setting is applied. +This policy setting allows you to specify the name of the Teredo server. This server name will be used on the Teredo client computer where this policy setting is applied. If you enable this policy setting, you can specify a Teredo server name that applies to a Teredo client. If you disable or do not configure this policy setting, the local settings on the computer are used to determine the Teredo server name. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -854,28 +859,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -892,7 +903,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure Teredo, an address assignment and automatic tunneling technology that provides unicast IPv6 connectivity across the IPv4 Internet. +This policy setting allows you to configure Teredo, an address assignment and automatic tunneling technology that provides unicast IPv6 connectivity across the IPv4 Internet. If you disable or do not configure this policy setting, the local host settings are used. @@ -907,12 +918,6 @@ Client: The Teredo interface is present only when the host is not on a network t Enterprise Client: The Teredo interface is always present, even if the host is on a network that includes a domain controller. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -931,28 +936,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -969,7 +980,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure Window Scaling Heuristics. Window Scaling Heuristics is an algorithm to identify connectivity and throughput problems caused by many Firewalls and other middle boxes that don't interpret Window Scaling option correctly. +This policy setting allows you to configure Window Scaling Heuristics. Window Scaling Heuristics is an algorithm to identify connectivity and throughput problems caused by many Firewalls and other middle boxes that don't interpret Window Scaling option correctly. If you do not configure this policy setting, the local host settings are used. @@ -978,12 +989,6 @@ If you enable this policy setting, Window Scaling Heuristics will be enabled and If you disable this policy setting, Window Scaling Heuristics will be disabled and system will not try to identify connectivity and throughput problems caused by Firewalls or other middle boxes. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -996,8 +1001,6 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. - +> diff --git a/windows/client-management/mdm/policy-csp-admx-terminalserver.md b/windows/client-management/mdm/policy-csp-admx-terminalserver.md new file mode 100644 index 0000000000..ed42ebde3f --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-terminalserver.md @@ -0,0 +1,192 @@ +--- +title: Policy CSP - ADMX_TerminalServer +description: Policy CSP - ADMX_TerminalServer +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 09/23/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_TerminalServer + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + +
      + + +## ADMX_TerminalServer policies + +
      +
      + ADMX_TerminalServer/TS_GATEWAY_POLICY_ENABLE +
      +
      + ADMX_TerminalServer/TS_GATEWAY_POLICY_AUTH_METHOD +
      +
      + + +
      + + +**ADMX_TerminalServer/TS_GATEWAY_POLICY_ENABLE** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      EditionWindows 10Windows 11
      HomeNoNo
      ProNoNo
      BusinessNoNo
      EnterpriseYesYes
      EducationYesYes
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +This policy setting allows you to specify whether the client computer redirects its time zone settings to the Remote Desktop Services session. + +If you enable this policy setting, clients that are capable of time zone redirection send their time zone information to the server. The server base time is then used to calculate the current session time (current session time = server base time + client time zone). + +If you disable or do not configure this policy setting, the client computer does not redirect its time zone information and the session time zone is the same as the server time zone. + +Time zone redirection is possible only when connecting to at least a Microsoft Windows Server 2003 terminal server with a client using RDP 5.1 or later. + + + + + +ADMX Info: +- GP Friendly name: *Allow time zone redirection* +- GP name: *TS_GATEWAY_POLICY_ENABLE* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* +- GP ADMX file name: *TerminalServer.admx* + + + + +
      + + +**ADMX_TerminalServer/TS_GATEWAY_POLICY_AUTH_METHOD** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      EditionWindows 10Windows 11
      HomeNoNo
      ProNoNo
      BusinessNoNo
      EnterpriseYesYes
      EducationYesYes
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + +This policy setting specifies whether to prevent the sharing of Clipboard contents (Clipboard redirection) between a remote computer and a client computer during a Remote Desktop Services session. + +You can use this setting to prevent users from redirecting Clipboard data to and from the remote computer and the local computer. By default, Remote Desktop Services allows Clipboard redirection. + +If you enable this policy setting, users cannot redirect Clipboard data. + +If you disable this policy setting, Remote Desktop Services always allows Clipboard redirection. + +If you do not configure this policy setting, Clipboard redirection is not specified at the Group Policy level. + + + + + + +ADMX Info: +- GP Friendly name: *Do not allow Clipboard redirection* +- GP name: *TS_GATEWAY_POLICY_AUTH_METHOD* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* +- GP ADMX file name: *TerminalServer.admx* + + + +
      + + + + + diff --git a/windows/client-management/mdm/policy-csp-admx-thumbnails.md b/windows/client-management/mdm/policy-csp-admx-thumbnails.md index 8e689c8544..bcfc9c477f 100644 --- a/windows/client-management/mdm/policy-csp-admx-thumbnails.md +++ b/windows/client-management/mdm/policy-csp-admx-thumbnails.md @@ -13,11 +13,16 @@ manager: dansimp --- # Policy CSP - ADMX_Thumbnails -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
      +> [!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ## ADMX_Thumbnails policies @@ -41,28 +46,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -79,7 +90,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure how File Explorer displays thumbnail images or icons on the local computer. +This policy setting allows you to configure how File Explorer displays thumbnail images or icons on the local computer. File Explorer displays thumbnail images by default. @@ -88,12 +99,6 @@ If you enable this policy setting, File Explorer displays only icons and never d If you disable or do not configure this policy setting, File Explorer displays only thumbnail images. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -112,28 +117,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -150,7 +161,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure how File Explorer displays thumbnail images or icons on network folders. +This policy setting allows you to configure how File Explorer displays thumbnail images or icons on network folders. File Explorer displays thumbnail images on network folders by default. @@ -159,12 +170,6 @@ If you enable this policy setting, File Explorer displays only icons and never d If you disable or do not configure this policy setting, File Explorer displays only thumbnail images on network folders. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -183,28 +188,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -221,7 +232,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Turns off the caching of thumbnails in hidden thumbs.db files. +Turns off the caching of thumbnails in hidden thumbs.db files. This policy setting allows you to configure File Explorer to cache thumbnails of items residing in network folders in hidden thumbs.db files. @@ -230,13 +241,7 @@ If you enable this policy setting, File Explorer does not create, read from, or If you disable or do not configure this policy setting, File Explorer creates, reads from, and writes to thumbs.db files. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - ADMX Info: - GP Friendly name: *Turn off the caching of thumbnails in hidden thumbs.db files* @@ -248,8 +253,6 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-touchinput.md b/windows/client-management/mdm/policy-csp-admx-touchinput.md new file mode 100644 index 0000000000..e5ddae159b --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-touchinput.md @@ -0,0 +1,331 @@ +--- +title: Policy CSP - ADMX_TouchInput +description: Policy CSP - ADMX_TouchInput +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 09/23/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_TouchInput + +
      + + +## ADMX_TouchInput policies + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + +
      +
      + ADMX_TouchInput/TouchInputOff_1 +
      +
      + ADMX_TouchInput/TouchInputOff_2 +
      +
      + ADMX_TouchInput/PanningEverywhereOff_1 +
      +
      + ADMX_TouchInput/PanningEverywhereOff_2 +
      +
      + + +
      + + +**ADMX_TouchInput/TouchInputOff_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      EditionWindows 10Windows 11
      HomeNoNo
      ProNoNo
      BusinessNoNo
      EnterpriseYesYes
      EducationYesYes
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + +Turn off Tablet PC touch input Turns off touch input, which allows the user to interact with their computer using their finger. + +- If you enable this setting, the user will not be able to produce input with touch. They will not be able to use touch input or touch gestures such as tap and double tap, the touch pointer, and other touch-specific features. +- If you disable this setting, the user can produce input with touch, by using gestures, the touch pointer, and other-touch specific features. + +If you do not configure this setting, touch input is on by default. Note: Changes to this setting will not take effect until the user logs off. + + + + +ADMX Info: +- GP Friendly name: *Turn off Tablet PC touch input* +- GP name: *TouchInputOff_1* +- GP path: *Windows Components\Tablet PC\Touch Input* +- GP ADMX file name: *TouchInput.admx* + + + + +**ADMX_TouchInput/TouchInputOff_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      EditionWindows 10Windows 11
      HomeNoNo
      ProNoNo
      BusinessNoNo
      EnterpriseYesYes
      EducationYesYes
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + +Turn off Tablet PC touch input Turns off touch input, which allows the user to interact with their computer using their finger. + +- If you enable this setting, the user will not be able to produce input with touch. They will not be able to use touch input or touch gestures such as tap and double tap, the touch pointer, and other touch-specific features. +- If you disable this setting, the user can produce input with touch, by using gestures, the touch pointer, and other-touch specific features. + +If you do not configure this setting, touch input is on by default. Note: Changes to this setting will not take effect until the user logs off. + + + + +ADMX Info: +- GP Friendly name: *Turn off Tablet PC touch input* +- GP name: *TouchInputOff_2* +- GP path: *Windows Components\Tablet PC\Touch Input* +- GP ADMX file name: *TouchInput.admx* + + + + +
      + + +**ADMX_TouchInput/PanningEverywhereOff_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      EditionWindows 10Windows 11
      HomeNoNo
      ProNoNo
      BusinessNoNo
      EnterpriseYesYes
      EducationYesYes
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + +Turn off Panning Turns off touch panning, which allows users pan inside windows by touch. On a compatible PC with a touch digitizer, by default users are able to scroll or pan inside a scrolling area by dragging up or down directly on the scrolling content. + +- If you enable this setting, the user will not be able to pan windows by touch. + +- If you disable this setting, the user can pan windows by touch. If you do not configure this setting, Touch Panning is on by default. + +> [!NOTE] +> Changes to this setting will not take effect until the user logs off. + + + + +ADMX Info: +- GP Friendly name: *Turn off Touch Panning* +- GP name: *PanningEverywhereOff_1* +- GP path: *Windows Components\Tablet PC\Touch Input* +- GP ADMX file name: *TouchInput.admx* + + + +
      + +**ADMX_TouchInput/PanningEverywhereOff_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      EditionWindows 10Windows 11
      HomeNoNo
      ProNoNo
      BusinessNoNo
      EnterpriseYesYes
      EducationYesYes
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + +Turn off Panning Turns off touch panning, which allows users pan inside windows by touch. On a compatible PC with a touch digitizer, by default users are able to scroll or pan inside a scrolling area by dragging up or down directly on the scrolling content. + +- If you enable this setting, the user will not be able to pan windows by touch. + +- If you disable this setting, the user can pan windows by touch. If you do not configure this setting, Touch Panning is on by default. + +> [!NOTE] +> Changes to this setting will not take effect until the user logs off. + + + + +ADMX Info: +- GP Friendly name: *Turn off Touch Panning* +- GP name: *PanningEverywhereOff_2* +- GP path: *Windows Components\Tablet PC\Touch Input* +- GP ADMX file name: *TouchInput.admx* + + + +
      + + + + diff --git a/windows/client-management/mdm/policy-csp-admx-tpm.md b/windows/client-management/mdm/policy-csp-admx-tpm.md index 7935207b97..f6a3adddd5 100644 --- a/windows/client-management/mdm/policy-csp-admx-tpm.md +++ b/windows/client-management/mdm/policy-csp-admx-tpm.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_TPM -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +> [!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -63,28 +67,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -101,19 +111,13 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage the Group Policy list of Trusted Platform Module (TPM) commands blocked by Windows. +This policy setting allows you to manage the Policy list of Trusted Platform Module (TPM) commands blocked by Windows. If you enable this policy setting, Windows will block the specified commands from being sent to the TPM on the computer. TPM commands are referenced by a command number. For example, command number 129 is TPM_OwnerReadInternalPub, and command number 170 is TPM_FieldUpgrade. To find the command number associated with each TPM command with TPM 1.2, run "tpm.msc" and navigate to the "Command Management" section. -If you disable or do not configure this policy setting, only those TPM commands specified through the default or local lists may be blocked by Windows. The default list of blocked TPM commands is pre-configured by Windows. You can view the default list by running "tpm.msc", navigating to the "Command Management" section, and making visible the "On Default Block List" column. The local list of blocked TPM commands is configured outside of Group Policy by running "tpm.msc" or through scripting against the Win32_Tpm interface. See related policy settings to enforce or ignore the default and local lists of blocked TPM commands. +If you disable or do not configure this policy setting, only those TPM commands specified through the default or local lists may be blocked by Windows. The default list of blocked TPM commands is pre-configured by Windows. You can view the default list by running "tpm.msc", navigating to the "Command Management" section, and making visible the "On Default Block List" column. The local list of blocked TPM commands is configured outside of Policy by running "tpm.msc" or through scripting against the Win32_Tpm interface. See related policy settings to enforce or ignore the default and local lists of blocked TPM commands. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -132,28 +136,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -170,15 +180,9 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the system to prompt the user to clear the TPM if the TPM is detected to be in any state other than Ready. This policy will take effect only if the system’s TPM is in a state other than Ready, including if the TPM is “Ready, with reduced functionality”. The prompt to clear the TPM will start occurring after the next reboot, upon user login only if the logged in user is part of the Administrators group for the system. The prompt can be dismissed, but will reappear after every reboot and login until the policy is disabled or until the TPM is in a Ready state. +This policy setting configures the system to prompt the user to clear the TPM if the TPM is detected to be in any state other than Ready. This policy will take effect only if the system’s TPM is in a state other than Ready, including if the TPM is “Ready, with reduced functionality”. The prompt to clear the TPM will start occurring after the next reboot, upon user login only if the logged in user is part of the Administrators group for the system. The prompt can be dismissed, but will reappear after every reboot and login until the policy is disabled or until the TPM is in a Ready state. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -197,28 +201,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -235,21 +245,15 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to enforce or ignore the computer's default list of blocked Trusted Platform Module (TPM) commands. +This policy setting allows you to enforce or ignore the computer's default list of blocked Trusted Platform Module (TPM) commands. -If you enable this policy setting, Windows will ignore the computer's default list of blocked TPM commands and will only block those TPM commands specified by Group Policy or the local list. +If you enable this policy setting, Windows will ignore the computer's default list of blocked TPM commands and will only block those TPM commands specified by Policy or the local list. -The default list of blocked TPM commands is pre-configured by Windows. You can view the default list by running "tpm.msc", navigating to the "Command Management" section, and making visible the "On Default Block List" column. The local list of blocked TPM commands is configured outside of Group Policy by running "tpm.msc" or through scripting against the Win32_Tpm interface. See the related policy setting to configure the Group Policy list of blocked TPM commands. +The default list of blocked TPM commands is pre-configured by Windows. You can view the default list by running "tpm.msc", navigating to the "Command Management" section, and making visible the "On Default Block List" column. The local list of blocked TPM commands is configured outside of Policy by running "tpm.msc" or through scripting against the Win32_Tpm interface. See the related policy setting to configure the Policy list of blocked TPM commands. -If you disable or do not configure this policy setting, Windows will block the TPM commands in the default list, in addition to commands in the Group Policy and local lists of blocked TPM commands. +If you disable or do not configure this policy setting, Windows will block the TPM commands in the default list, in addition to commands in the Policy and local lists of blocked TPM commands. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -268,28 +272,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -306,21 +316,15 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to enforce or ignore the computer's local list of blocked Trusted Platform Module (TPM) commands. +This policy setting allows you to enforce or ignore the computer's local list of blocked Trusted Platform Module (TPM) commands. -If you enable this policy setting, Windows will ignore the computer's local list of blocked TPM commands and will only block those TPM commands specified by Group Policy or the default list. +If you enable this policy setting, Windows will ignore the computer's local list of blocked TPM commands and will only block those TPM commands specified by Policy or the default list. -The local list of blocked TPM commands is configured outside of Group Policy by running "tpm.msc" or through scripting against the Win32_Tpm interface. The default list of blocked TPM commands is pre-configured by Windows. See the related policy setting to configure the Group Policy list of blocked TPM commands. +The local list of blocked TPM commands is configured outside of Policy by running "tpm.msc" or through scripting against the Win32_Tpm interface. The default list of blocked TPM commands is pre-configured by Windows. See the related policy setting to configure the Policy list of blocked TPM commands. -If you disable or do not configure this policy setting, Windows will block the TPM commands found in the local list, in addition to commands in the Group Policy and default lists of blocked TPM commands. +If you disable or do not configure this policy setting, Windows will block the TPM commands found in the local list, in addition to commands in the Policy and default lists of blocked TPM commands. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -339,28 +343,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -377,7 +387,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures how much of the TPM owner authorization information is stored in the registry of the local computer. Depending on the amount of TPM owner authorization information stored locally, the operating system and TPM-based applications can perform certain TPM actions which require TPM owner authorization without requiring the user to enter the TPM owner password. +This policy setting configures how much of the TPM owner authorization information is stored in the registry of the local computer. Depending on the amount of TPM owner authorization information stored locally, the operating system and TPM-based applications can perform certain TPM actions which require TPM owner authorization without requiring the user to enter the TPM owner password. You can choose to have the operating system store either the full TPM owner authorization value, the TPM administrative delegation blob plus the TPM user delegation blob, or none. @@ -393,12 +403,6 @@ Choose the operating system managed TPM authentication setting of "None" for com > If the operating system managed TPM authentication setting is changed from "Full" to "Delegated", the full TPM owner authorization value will be regenerated and any copies of the original TPM owner authorization value will be invalid. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -417,28 +421,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -455,15 +465,9 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This group policy enables Device Health Attestation reporting (DHA-report) on supported devices. It enables supported devices to send Device Health Attestation related information (device boot logs, PCR values, TPM certificate, etc.) to Device Health Attestation Service (DHA-Service) every time a device starts. Device Health Attestation Service validates the security state and health of the devices, and makes the findings accessible to enterprise administrators via a cloud based reporting portal. This policy is independent of DHA reports that are initiated by device manageability solutions (like MDM or SCCM), and will not interfere with their workflows. +This Policy enables Device Health Attestation reporting (DHA-report) on supported devices. It enables supported devices to send Device Health Attestation related information (device boot logs, PCR values, TPM certificate, etc.) to Device Health Attestation Service (DHA-Service) every time a device starts. Device Health Attestation Service validates the security state and health of the devices, and makes the findings accessible to enterprise administrators via a cloud based reporting portal. This policy is independent of DHA reports that are initiated by device manageability solutions (like MDM or SCCM), and will not interfere with their workflows. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -482,28 +486,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -520,7 +530,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage the duration in minutes for counting standard user authorization failures for Trusted Platform Module (TPM) commands requiring authorization. If the number of TPM commands with an authorization failure within the duration equals a threshold, a standard user is prevented from sending commands requiring authorization to the TPM. +This policy setting allows you to manage the duration in minutes for counting standard user authorization failures for Trusted Platform Module (TPM) commands requiring authorization. If the number of TPM commands with an authorization failure within the duration equals a threshold, a standard user is prevented from sending commands requiring authorization to the TPM. This setting helps administrators prevent the TPM hardware from entering a lockout mode because it slows the speed standard users can send commands requiring authorization to the TPM. @@ -539,13 +549,7 @@ An administrator with the TPM owner password may fully reset the TPM's hardware If this value is not configured, a default value of 480 minutes (8 hours) is used. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - +> ADMX Info: - GP Friendly name: *Standard User Lockout Duration* @@ -563,28 +567,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -601,7 +611,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage the maximum number of authorization failures for each standard user for the Trusted Platform Module (TPM). If the number of authorization failures for the user within the duration for Standard User Lockout Duration equals this value, the standard user is prevented from sending commands to the Trusted Platform Module (TPM) that require authorization. +This policy setting allows you to manage the maximum number of authorization failures for each standard user for the Trusted Platform Module (TPM). If the number of authorization failures for the user within the duration for Standard User Lockout Duration equals this value, the standard user is prevented from sending commands to the Trusted Platform Module (TPM) that require authorization. This setting helps administrators prevent the TPM hardware from entering a lockout mode because it slows the speed standard users can send commands requiring authorization to the TPM. @@ -622,12 +632,6 @@ If this value is not configured, a default value of 4 is used. A value of zero means the OS will not allow standard users to send commands to the TPM which may cause an authorization failure. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -646,28 +650,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -684,7 +694,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage the maximum number of authorization failures for all standard users for the Trusted Platform Module (TPM). If the total number of authorization failures for all standard users within the duration for Standard User Lockout Duration equals this value, all standard users are prevented from sending commands to the Trusted Platform Module (TPM) that require authorization. +This policy setting allows you to manage the maximum number of authorization failures for all standard users for the Trusted Platform Module (TPM). If the total number of authorization failures for all standard users within the duration for Standard User Lockout Duration equals this value, all standard users are prevented from sending commands to the Trusted Platform Module (TPM) that require authorization. This setting helps administrators prevent the TPM hardware from entering a lockout mode because it slows the speed standard users can send commands requiring authorization to the TPM. @@ -705,12 +715,6 @@ If this value is not configured, a default value of 9 is used. A value of zero means the OS will not allow standard users to send commands to the TPM which may cause an authorization failure. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -729,28 +733,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -767,15 +777,9 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the TPM to use the Dictionary Attack Prevention Parameters (lockout threshold and recovery time) to the values that were used for Windows 10 Version 1607 and below. Setting this policy will take effect only if a) the TPM was originally prepared using a version of Windows after Windows 10 Version 1607 and b) the System has a TPM 2.0. Note that enabling this policy will only take effect after the TPM maintenance task runs (which typically happens after a system restart). Once this policy has been enabled on a system and has taken effect (after a system restart), disabling it will have no impact and the system's TPM will remain configured using the legacy Dictionary Attack Prevention parameters, regardless of the value of this group policy. The only way for the disabled setting of this policy to take effect on a system where it was once enabled is to a) disable it from group policy and b)clear the TPM on the system. +This policy setting configures the TPM to use the Dictionary Attack Prevention Parameters (lockout threshold and recovery time) to the values that were used for Windows 10 Version 1607 and below. Setting this policy will take effect only if a) the TPM was originally prepared using a version of Windows after Windows 10 Version 1607 and b) the System has a TPM 2.0. Note that enabling this policy will only take effect after the TPM maintenance task runs (which typically happens after a system restart). Once this policy has been enabled on a system and has taken effect (after a system restart), disabling it will have no impact and the system's TPM will remain configured using the legacy Dictionary Attack Prevention parameters, regardless of the value of this Policy. The only way for the disabled setting of this policy to take effect on a system where it was once enabled is to a) disable it from Policy and b)clear the TPM on the system. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -788,8 +792,6 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md b/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md index d068903115..0d0a46df31 100644 --- a/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md +++ b/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_UserExperienceVirtualization -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +> [!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -411,28 +415,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -450,7 +460,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings of Calculator. +This policy setting configures the synchronization of user settings of Calculator. By default, the user settings of Calculator synchronize between computers. Use the policy setting to prevent the user settings of Calculator from synchronization between computers. @@ -461,12 +471,6 @@ If you disable this policy setting, Calculator user settings are excluded from t If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -485,28 +489,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -524,7 +534,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the sync provider used by User Experience Virtualization (UE-V) to sync settings between users’ computers. +This policy setting configures the sync provider used by User Experience Virtualization (UE-V) to sync settings between users’ computers. With Sync Method set to ”SyncProvider,” the UE-V Agent uses a built-in sync provider to keep user settings synchronized between the computer and the settings storage location. This is the default value. You can disable the sync provider on computers that never go offline and are always connected to the settings storage location. @@ -540,12 +550,6 @@ If you disable this policy setting, the sync provider is used to synchronize set If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -564,28 +568,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -603,7 +613,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of User Experience Virtualization (UE-V) rollback information for computers running in a non-persistent, pooled VDI environment. +This policy setting configures the synchronization of User Experience Virtualization (UE-V) rollback information for computers running in a non-persistent, pooled VDI environment. UE-V settings rollback data and checkpoints are normally stored only on the local computer. With this policy setting enabled, the rollback information is copied to the settings storage location when the user logs off or shuts down their VDI session. @@ -615,12 +625,6 @@ If you disable this policy setting, no UE-V rollback state is copied to the sett If you do not configure this policy, no UE-V rollback state is copied to the settings storage location. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -639,28 +643,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -677,7 +687,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the text of the Contact IT URL hyperlink in the Company Settings Center. +This policy setting specifies the text of the Contact IT URL hyperlink in the Company Settings Center. If you enable this policy setting, the Company Settings Center displays the specified text in the link to the Contact IT URL. @@ -686,12 +696,6 @@ If you disable this policy setting, the Company Settings Center does not display If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -710,28 +714,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -748,7 +758,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the URL for the Contact IT link in the Company Settings Center. +This policy setting specifies the URL for the Contact IT link in the Company Settings Center. If you enable this policy setting, the Company Settings Center Contact IT text links to the specified URL. The link can be of any standard protocol such as http or mailto. @@ -756,12 +766,6 @@ If you disable this policy setting, the Company Settings Center does not display If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -780,28 +784,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -819,7 +829,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting defines whether the User Experience Virtualization (UE-V) Agent synchronizes settings for Windows apps. +This policy setting defines whether the User Experience Virtualization (UE-V) Agent synchronizes settings for Windows apps. By default, the UE-V Agent synchronizes settings for Windows apps between the computer and the settings storage location. @@ -833,12 +843,6 @@ If you do not configure this policy setting, any defined values are deleted. > If the user connects their Microsoft account for their computer then the UE-V Agent will not synchronize Windows apps. The Windows apps will default to whatever settings are configured in the Sync your settings configuration in Windows. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -857,28 +861,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -896,7 +906,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of Windows settings between computers. Certain Windows settings will synchronize between computers by default. These settings include Windows themes, Windows desktop settings, Ease of Access settings, and network printers. Use this policy setting to specify which Windows settings synchronize between computers. You can also use these settings to enable synchronization of users' sign-in information for certain apps, networks, and certificates. +This policy setting configures the synchronization of Windows settings between computers. Certain Windows settings will synchronize between computers by default. These settings include Windows themes, Windows desktop settings, Ease of Access settings, and network printers. Use this policy setting to specify which Windows settings synchronize between computers. You can also use these settings to enable synchronization of users' sign-in information for certain apps, networks, and certificates. If you enable this policy setting, only the selected Windows settings synchronize. Unselected Windows settings are excluded from settings synchronization. @@ -905,12 +915,6 @@ If you disable this policy setting, all Windows Settings are excluded from the s If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -929,28 +933,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -967,17 +977,11 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to enable or disable User Experience Virtualization (UE-V) feature. +This policy setting allows you to enable or disable User Experience Virtualization (UE-V) feature. Reboot is needed for enable to take effect. With Auto-register inbox templates enabled, the UE-V inbox templates such as Office 2016 will be automatically registered when the UE-V Service is enabled. If this option is changed, it will only take effect when UE-V service is re-enabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -996,28 +1000,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1035,7 +1045,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for the Finance app. By default, the user settings of Finance sync between computers. Use the policy setting to prevent the user settings of Finance from synchronizing between computers. +This policy setting configures the synchronization of user settings for the Finance app. By default, the user settings of Finance sync between computers. Use the policy setting to prevent the user settings of Finance from synchronizing between computers. If you enable this policy setting, Finance user settings continue to sync. @@ -1044,12 +1054,6 @@ If you disable this policy setting, Finance user settings are excluded from sync If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1068,28 +1072,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1106,7 +1116,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting enables a notification in the system tray that appears when the User Experience Virtualization (UE-V) Agent runs for the first time. By default, a notification informs users that Company Settings Center, the user-facing name for the UE-V Agent, now helps to synchronize settings between their work computers. +This policy setting enables a notification in the system tray that appears when the User Experience Virtualization (UE-V) Agent runs for the first time. By default, a notification informs users that Company Settings Center, the user-facing name for the UE-V Agent, now helps to synchronize settings between their work computers. With this setting enabled, the notification appears the first time that the UE-V Agent runs. @@ -1115,12 +1125,6 @@ With this setting disabled, no notification appears. If you do not configure this policy setting, any defined values are deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1139,28 +1143,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1178,7 +1188,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for the Games app. By default, the user settings of Games sync between computers. Use the policy setting to prevent the user settings of Games from synchronizing between computers. +This policy setting configures the synchronization of user settings for the Games app. By default, the user settings of Games sync between computers. Use the policy setting to prevent the user settings of Games from synchronizing between computers. If you enable this policy setting, Games user settings continue to sync. @@ -1187,12 +1197,6 @@ If you disable this policy setting, Games user settings are excluded from synchr If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1211,28 +1215,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1250,7 +1260,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Internet Explorer 8. +This policy setting configures the synchronization of user settings for Internet Explorer 8. By default, the user settings of Internet Explorer 8 synchronize between computers. Use the policy setting to prevent the user settings for Internet Explorer 8 from synchronization between computers. @@ -1261,12 +1271,6 @@ If you disable this policy setting, Internet Explorer 8 user settings are exclud If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1285,28 +1289,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1324,7 +1334,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Internet Explorer 9. By default, the user settings of Internet Explorer 9 synchronize between computers. Use the policy setting to prevent the user settings for Internet Explorer 9 from synchronization between computers. +This policy setting configures the synchronization of user settings for Internet Explorer 9. By default, the user settings of Internet Explorer 9 synchronize between computers. Use the policy setting to prevent the user settings for Internet Explorer 9 from synchronization between computers. If you enable this policy setting, the Internet Explorer 9 user settings continue to synchronize. @@ -1333,12 +1343,7 @@ If you disable this policy setting, Internet Explorer 9 user settings are exclud If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1357,28 +1362,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1396,7 +1407,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings of Internet Explorer 10. By default, the user settings of Internet Explorer 10 synchronize between computers. Use the policy setting to prevent the user settings for Internet Explorer 10 from synchronization between computers. +This policy setting configures the synchronization of user settings of Internet Explorer 10. By default, the user settings of Internet Explorer 10 synchronize between computers. Use the policy setting to prevent the user settings for Internet Explorer 10 from synchronization between computers. If you enable this policy setting, the Internet Explorer 10 user settings continue to synchronize. @@ -1405,12 +1416,6 @@ If you disable this policy setting, Internet Explorer 10 user settings are exclu If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1429,28 +1434,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1468,7 +1479,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings of Internet Explorer 11. By default, the user settings of Internet Explorer 11 synchronize between computers. Use the policy setting to prevent the user settings for Internet Explorer 11 from synchronization between computers. +This policy setting configures the synchronization of user settings of Internet Explorer 11. By default, the user settings of Internet Explorer 11 synchronize between computers. Use the policy setting to prevent the user settings for Internet Explorer 11 from synchronization between computers. If you enable this policy setting, the Internet Explorer 11 user settings continue to synchronize. @@ -1477,12 +1488,6 @@ If you disable this policy setting, Internet Explorer 11 user settings are exclu If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1501,28 +1506,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1540,7 +1551,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings which are common between the versions of Internet Explorer. +This policy setting configures the synchronization of user settings which are common between the versions of Internet Explorer. By default, the user settings which are common between the versions of Internet Explorer synchronize between computers. Use the policy setting to prevent the user settings of Internet Explorer from synchronization between computers. If you enable this policy setting, the user settings which are common between the versions of Internet Explorer continue to synchronize. @@ -1550,12 +1561,6 @@ If you disable this policy setting, the user settings which are common between t If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1573,28 +1578,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1612,7 +1623,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for the Maps app. By default, the user settings of Maps sync between computers. Use the policy setting to prevent the user settings of Maps from synchronizing between computers. +This policy setting configures the synchronization of user settings for the Maps app. By default, the user settings of Maps sync between computers. Use the policy setting to prevent the user settings of Maps from synchronizing between computers. If you enable this policy setting, Maps user settings continue to sync. @@ -1621,12 +1632,6 @@ If you disable this policy setting, Maps user settings are excluded from synchro If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1645,28 +1650,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1684,19 +1695,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the UE-V Agent to write a warning event to the event log when a settings package file size reaches a defined threshold. By default the UE-V Agent does not report information about package file size. +This policy setting allows you to configure the UE-V Agent to write a warning event to the event log when a settings package file size reaches a defined threshold. By default the UE-V Agent does not report information about package file size. If you enable this policy setting, specify the threshold file size in bytes. When the settings package file exceeds this threshold the UE-V Agent will write a warning event to the event log. If you disable or do not configure this policy setting, no event is written to the event log to report settings package size. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1715,28 +1720,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1754,7 +1765,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Access 2010. By default, the user settings of Microsoft Access 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Access 2010 from synchronization between computers. +This policy setting configures the synchronization of user settings for Microsoft Access 2010. By default, the user settings of Microsoft Access 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Access 2010 from synchronization between computers. If you enable this policy setting, Microsoft Access 2010 user settings continue to synchronize. @@ -1763,12 +1774,6 @@ If you disable this policy setting, Microsoft Access 2010 user settings are excl If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1787,28 +1792,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1826,7 +1837,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2010 applications. By default, the user settings which are common between the Microsoft Office Suite 2010 applications synchronize between computers. Use the policy setting to prevent the user settings which are common between the Microsoft Office Suite 2010 applications from synchronization between computers. +This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2010 applications. By default, the user settings which are common between the Microsoft Office Suite 2010 applications synchronize between computers. Use the policy setting to prevent the user settings which are common between the Microsoft Office Suite 2010 applications from synchronization between computers. If you enable this policy setting, the user settings which are common between the Microsoft Office Suite 2010 applications continue to synchronize. @@ -1835,12 +1846,6 @@ If you disable this policy setting, the user settings which are common between t If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1859,28 +1864,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1898,7 +1909,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Excel 2010. By default, the user settings of Microsoft Excel 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Excel 2010 from synchronization between computers. +This policy setting configures the synchronization of user settings for Microsoft Excel 2010. By default, the user settings of Microsoft Excel 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Excel 2010 from synchronization between computers. If you enable this policy setting, Microsoft Excel 2010 user settings continue to synchronize. @@ -1906,12 +1917,7 @@ If you disable this policy setting, Microsoft Excel 2010 user settings are exclu If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1930,28 +1936,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1969,7 +1981,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft InfoPath 2010. By default, the user settings of Microsoft InfoPath 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft InfoPath 2010 from synchronization between computers. +This policy setting configures the synchronization of user settings for Microsoft InfoPath 2010. By default, the user settings of Microsoft InfoPath 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft InfoPath 2010 from synchronization between computers. If you enable this policy setting, Microsoft InfoPath 2010 user settings continue to synchronize. @@ -1978,12 +1990,7 @@ If you disable this policy setting, Microsoft InfoPath 2010 user settings are ex If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2002,28 +2009,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2041,7 +2054,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Lync 2010. By default, the user settings of Microsoft Lync 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Lync 2010 from synchronization between computers. +This policy setting configures the synchronization of user settings for Microsoft Lync 2010. By default, the user settings of Microsoft Lync 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Lync 2010 from synchronization between computers. If you enable this policy setting, Microsoft Lync 2010 user settings continue to synchronize. @@ -2050,12 +2063,6 @@ If you disable this policy setting, Microsoft Lync 2010 user settings are exclud If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -2074,28 +2081,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2113,7 +2126,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft OneNote 2010. By default, the user settings of Microsoft OneNote 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft OneNote 2010 from synchronization between computers. +This policy setting configures the synchronization of user settings for Microsoft OneNote 2010. By default, the user settings of Microsoft OneNote 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft OneNote 2010 from synchronization between computers. If you enable this policy setting, Microsoft OneNote 2010 user settings continue to synchronize. @@ -2121,12 +2134,6 @@ If you disable this policy setting, Microsoft OneNote 2010 user settings are exc If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -2145,28 +2152,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2184,7 +2197,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Outlook 2010. By default, the user settings of Microsoft Outlook 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Outlook 2010 from synchronization between computers. +This policy setting configures the synchronization of user settings for Microsoft Outlook 2010. By default, the user settings of Microsoft Outlook 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Outlook 2010 from synchronization between computers. If you enable this policy setting, Microsoft Outlook 2010 user settings continue to synchronize. @@ -2193,12 +2206,6 @@ If you disable this policy setting, Microsoft Outlook 2010 user settings are exc If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -2217,28 +2224,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2256,7 +2269,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft PowerPoint 2010. By default, the user settings of Microsoft PowerPoint 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft PowerPoint 2010 from synchronization between computers. +This policy setting configures the synchronization of user settings for Microsoft PowerPoint 2010. By default, the user settings of Microsoft PowerPoint 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft PowerPoint 2010 from synchronization between computers. If you enable this policy setting, Microsoft PowerPoint 2010 user settings continue to synchronize. @@ -2265,12 +2278,7 @@ If you disable this policy setting, Microsoft PowerPoint 2010 user settings are If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2289,28 +2297,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2328,7 +2342,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Project 2010. By default, the user settings of Microsoft Project 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Project 2010 from synchronization between computers. +This policy setting configures the synchronization of user settings for Microsoft Project 2010. By default, the user settings of Microsoft Project 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Project 2010 from synchronization between computers. If you enable this policy setting, Microsoft Project 2010 user settings continue to synchronize. @@ -2336,12 +2350,7 @@ If you disable this policy setting, Microsoft Project 2010 user settings are exc If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2360,28 +2369,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2399,7 +2414,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Publisher 2010. By default, the user settings of Microsoft Publisher 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Publisher 2010 from synchronization between computers. +This policy setting configures the synchronization of user settings for Microsoft Publisher 2010. By default, the user settings of Microsoft Publisher 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Publisher 2010 from synchronization between computers. If you enable this policy setting, Microsoft Publisher 2010 user settings continue to synchronize. @@ -2408,12 +2423,7 @@ If you disable this policy setting, Microsoft Publisher 2010 user settings are e If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2432,28 +2442,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2471,7 +2487,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft SharePoint Designer 2010. By default, the user settings of Microsoft SharePoint Designer 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft SharePoint Designer 2010 from synchronization between computers. +This policy setting configures the synchronization of user settings for Microsoft SharePoint Designer 2010. By default, the user settings of Microsoft SharePoint Designer 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft SharePoint Designer 2010 from synchronization between computers. If you enable this policy setting, Microsoft SharePoint Designer 2010 user settings continue to synchronize. @@ -2480,12 +2496,6 @@ If you disable this policy setting, Microsoft SharePoint Designer 2010 user sett If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -2502,30 +2512,36 @@ ADMX Info: **ADMX_UserExperienceVirtualization/MicrosoftOffice2010SharePointWorkspace** - +2
      - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2543,7 +2559,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft SharePoint Workspace 2010. By default, the user settings of Microsoft SharePoint Workspace 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft SharePoint Workspace 2010 from synchronization between computers. +This policy setting configures the synchronization of user settings for Microsoft SharePoint Workspace 2010. By default, the user settings of Microsoft SharePoint Workspace 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft SharePoint Workspace 2010 from synchronization between computers. If you enable this policy setting, Microsoft SharePoint Workspace 2010 user settings continue to synchronize. @@ -2552,12 +2568,7 @@ If you disable this policy setting, Microsoft SharePoint Workspace 2010 user set If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2576,28 +2587,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2615,7 +2632,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Visio 2010. By default, the user settings of Microsoft Visio 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Visio 2010 from synchronization between computers. +This policy setting configures the synchronization of user settings for Microsoft Visio 2010. By default, the user settings of Microsoft Visio 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Visio 2010 from synchronization between computers. If you enable this policy setting, Microsoft Visio 2010 user settings continue to synchronize. @@ -2624,12 +2641,6 @@ If you disable this policy setting, Microsoft Visio 2010 user settings are exclu If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -2648,28 +2659,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2687,7 +2704,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Word 2010. By default, the user settings of Microsoft Word 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Word 2010 from synchronization between computers. +This policy setting configures the synchronization of user settings for Microsoft Word 2010. By default, the user settings of Microsoft Word 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Word 2010 from synchronization between computers. If you enable this policy setting, Microsoft Word 2010 user settings continue to synchronize. @@ -2696,12 +2713,6 @@ If you disable this policy setting, Microsoft Word 2010 user settings are exclud If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -2720,28 +2731,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2759,7 +2776,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Access 2013. By default, the user settings of Microsoft Access 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Access 2013 from synchronization between computers. +This policy setting configures the synchronization of user settings for Microsoft Access 2013. By default, the user settings of Microsoft Access 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Access 2013 from synchronization between computers. If you enable this policy setting, Microsoft Access 2013 user settings continue to synchronize. @@ -2767,12 +2784,6 @@ If you disable this policy setting, Microsoft Access 2013 user settings are excl If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -2791,28 +2802,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2830,7 +2847,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Access 2013. Microsoft Access 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Access 2013 settings. +This policy setting configures the backup of certain user settings for Microsoft Access 2013. Microsoft Access 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Access 2013 settings. If you enable this policy setting, certain user settings of Microsoft Access 2013 will continue to be backed up. @@ -2839,12 +2856,6 @@ If you disable this policy setting, certain user settings of Microsoft Access 20 If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -2863,28 +2874,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2902,7 +2919,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2013 applications. By default, the user settings which are common between the Microsoft Office Suite 2013 applications synchronize between computers. Use the policy setting to prevent the user settings which are common between the Microsoft Office Suite 2013 applications from synchronization between computers. +This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2013 applications. By default, the user settings which are common between the Microsoft Office Suite 2013 applications synchronize between computers. Use the policy setting to prevent the user settings which are common between the Microsoft Office Suite 2013 applications from synchronization between computers. If you enable this policy setting, the user settings which are common between the Microsoft Office Suite 2013 applications continue to synchronize. @@ -2911,12 +2928,6 @@ If you disable this policy setting, the user settings which are common between t If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -2935,28 +2946,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2974,7 +2991,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings which are common between the Microsoft Office Suite 2013 applications. +This policy setting configures the backup of certain user settings which are common between the Microsoft Office Suite 2013 applications. Microsoft Office Suite 2013 has user settings which are common between applications and are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific common Microsoft Office Suite 2013 applications. If you enable this policy setting, certain user settings which are common between the Microsoft Office Suite 2013 applications will continue to be backed up. @@ -2984,12 +3001,6 @@ If you disable this policy setting, certain user settings which are common betwe If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -3008,28 +3019,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -3047,7 +3064,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Excel 2013. +This policy setting configures the synchronization of user settings for Microsoft Excel 2013. By default, the user settings of Microsoft Excel 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Excel 2013 from synchronization between computers. @@ -3057,12 +3074,6 @@ If you disable this policy setting, Microsoft Excel 2013 user settings are exclu If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -3081,28 +3092,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -3120,7 +3137,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Excel 2013. Microsoft Excel 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Excel 2013 settings. +This policy setting configures the backup of certain user settings for Microsoft Excel 2013. Microsoft Excel 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Excel 2013 settings. If you enable this policy setting, certain user settings of Microsoft Excel 2013 will continue to be backed up. @@ -3128,12 +3145,7 @@ If you disable this policy setting, certain user settings of Microsoft Excel 201 If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3152,28 +3164,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -3191,7 +3209,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft InfoPath 2013. By default, the user settings of Microsoft InfoPath 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft InfoPath 2013 from synchronization between computers. +This policy setting configures the synchronization of user settings for Microsoft InfoPath 2013. By default, the user settings of Microsoft InfoPath 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft InfoPath 2013 from synchronization between computers. If you enable this policy setting, Microsoft InfoPath 2013 user settings continue to synchronize. @@ -3200,12 +3218,6 @@ If you disable this policy setting, Microsoft InfoPath 2013 user settings are ex If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -3224,28 +3236,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -3263,7 +3281,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft InfoPath 2013. Microsoft InfoPath 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft InfoPath 2013 settings. +This policy setting configures the backup of certain user settings for Microsoft InfoPath 2013. Microsoft InfoPath 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft InfoPath 2013 settings. If you enable this policy setting, certain user settings of Microsoft InfoPath 2013 will continue to be backed up. @@ -3272,12 +3290,7 @@ If you disable this policy setting, certain user settings of Microsoft InfoPath If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3296,28 +3309,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -3335,7 +3354,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Lync 2013. By default, the user settings of Microsoft Lync 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Lync 2013 from synchronization between computers. +This policy setting configures the synchronization of user settings for Microsoft Lync 2013. By default, the user settings of Microsoft Lync 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Lync 2013 from synchronization between computers. If you enable this policy setting, Microsoft Lync 2013 user settings continue to synchronize. @@ -3343,12 +3362,7 @@ If you disable this policy setting, Microsoft Lync 2013 user settings are exclud If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3367,28 +3381,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -3406,7 +3426,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Lync 2013. Microsoft Lync 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Lync 2013 settings. +This policy setting configures the backup of certain user settings for Microsoft Lync 2013. Microsoft Lync 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Lync 2013 settings. If you enable this policy setting, certain user settings of Microsoft Lync 2013 will continue to be backed up. @@ -3415,12 +3435,7 @@ If you disable this policy setting, certain user settings of Microsoft Lync 2013 If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3439,28 +3454,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -3478,7 +3499,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for OneDrive for Business 2013. By default, the user settings of OneDrive for Business 2013 synchronize between computers. Use the policy setting to prevent the user settings of OneDrive for Business 2013 from synchronization between computers. +This policy setting configures the synchronization of user settings for OneDrive for Business 2013. By default, the user settings of OneDrive for Business 2013 synchronize between computers. Use the policy setting to prevent the user settings of OneDrive for Business 2013 from synchronization between computers. If you enable this policy setting, OneDrive for Business 2013 user settings continue to synchronize. @@ -3487,12 +3508,7 @@ If you disable this policy setting, OneDrive for Business 2013 user settings are If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3511,28 +3527,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -3550,7 +3572,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft OneNote 2013. By default, the user settings of Microsoft OneNote 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft OneNote 2013 from synchronization between computers. +This policy setting configures the synchronization of user settings for Microsoft OneNote 2013. By default, the user settings of Microsoft OneNote 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft OneNote 2013 from synchronization between computers. If you enable this policy setting, Microsoft OneNote 2013 user settings continue to synchronize. @@ -3559,12 +3581,7 @@ If you disable this policy setting, Microsoft OneNote 2013 user settings are exc If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3583,28 +3600,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -3622,7 +3645,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft OneNote 2013. Microsoft OneNote 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft OneNote 2013 settings. +This policy setting configures the backup of certain user settings for Microsoft OneNote 2013. Microsoft OneNote 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft OneNote 2013 settings. If you enable this policy setting, certain user settings of Microsoft OneNote 2013 will continue to be backed up. @@ -3631,12 +3654,7 @@ If you disable this policy setting, certain user settings of Microsoft OneNote 2 If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3655,28 +3673,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -3694,7 +3718,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Outlook 2013. By default, the user settings of Microsoft Outlook 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Outlook 2013 from synchronization between computers. +This policy setting configures the synchronization of user settings for Microsoft Outlook 2013. By default, the user settings of Microsoft Outlook 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Outlook 2013 from synchronization between computers. If you enable this policy setting, Microsoft Outlook 2013 user settings continue to synchronize. @@ -3702,12 +3726,7 @@ If you disable this policy setting, Microsoft Outlook 2013 user settings are exc If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3726,28 +3745,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -3765,7 +3790,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Outlook 2013. Microsoft Outlook 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Outlook 2013 settings. +This policy setting configures the backup of certain user settings for Microsoft Outlook 2013. Microsoft Outlook 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Outlook 2013 settings. If you enable this policy setting, certain user settings of Microsoft Outlook 2013 will continue to be backed up. @@ -3774,12 +3799,7 @@ If you disable this policy setting, certain user settings of Microsoft Outlook 2 If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3798,28 +3818,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -3837,7 +3863,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft PowerPoint 2013. By default, the user settings of Microsoft PowerPoint 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft PowerPoint 2013 from synchronization between computers. +This policy setting configures the synchronization of user settings for Microsoft PowerPoint 2013. By default, the user settings of Microsoft PowerPoint 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft PowerPoint 2013 from synchronization between computers. If you enable this policy setting, Microsoft PowerPoint 2013 user settings continue to synchronize. @@ -3846,12 +3872,7 @@ If you disable this policy setting, Microsoft PowerPoint 2013 user settings are If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3870,28 +3891,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -3909,7 +3936,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft PowerPoint 2013. Microsoft PowerPoint 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft PowerPoint 2013 settings. +This policy setting configures the backup of certain user settings for Microsoft PowerPoint 2013. Microsoft PowerPoint 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft PowerPoint 2013 settings. If you enable this policy setting, certain user settings of Microsoft PowerPoint 2013 will continue to be backed up. @@ -3918,12 +3945,7 @@ If you disable this policy setting, certain user settings of Microsoft PowerPoin If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3942,28 +3964,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -3981,7 +4009,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Project 2013. By default, the user settings of Microsoft Project 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Project 2013 from synchronization between computers. +This policy setting configures the synchronization of user settings for Microsoft Project 2013. By default, the user settings of Microsoft Project 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Project 2013 from synchronization between computers. If you enable this policy setting, Microsoft Project 2013 user settings continue to synchronize. @@ -3989,12 +4017,7 @@ If you disable this policy setting, Microsoft Project 2013 user settings are exc If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4013,28 +4036,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -4052,7 +4081,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Project 2013. Microsoft Project 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Project 2013 settings. +This policy setting configures the backup of certain user settings for Microsoft Project 2013. Microsoft Project 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Project 2013 settings. If you enable this policy setting, certain user settings of Microsoft Project 2013 will continue to be backed up. @@ -4061,12 +4090,6 @@ If you disable this policy setting, certain user settings of Microsoft Project 2 If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -4085,28 +4108,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -4124,7 +4153,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Publisher 2013. By default, the user settings of Microsoft Publisher 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Publisher 2013 from synchronization between computers. +This policy setting configures the synchronization of user settings for Microsoft Publisher 2013. By default, the user settings of Microsoft Publisher 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Publisher 2013 from synchronization between computers. If you enable this policy setting, Microsoft Publisher 2013 user settings continue to synchronize. @@ -4133,12 +4162,7 @@ If you disable this policy setting, Microsoft Publisher 2013 user settings are e If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4157,28 +4181,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -4196,7 +4226,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Publisher 2013. Microsoft Publisher 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Publisher 2013 settings. +This policy setting configures the backup of certain user settings for Microsoft Publisher 2013. Microsoft Publisher 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Publisher 2013 settings. If you enable this policy setting, certain user settings of Microsoft Publisher 2013 will continue to be backed up. @@ -4205,12 +4235,7 @@ If you disable this policy setting, certain user settings of Microsoft Publisher If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4229,28 +4254,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -4268,7 +4299,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft SharePoint Designer 2013. By default, the user settings of Microsoft SharePoint Designer 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft SharePoint Designer 2013 from synchronization between computers. +This policy setting configures the synchronization of user settings for Microsoft SharePoint Designer 2013. By default, the user settings of Microsoft SharePoint Designer 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft SharePoint Designer 2013 from synchronization between computers. If you enable this policy setting, Microsoft SharePoint Designer 2013 user settings continue to synchronize. @@ -4277,12 +4308,7 @@ If you disable this policy setting, Microsoft SharePoint Designer 2013 user sett If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4300,28 +4326,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -4339,7 +4371,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft SharePoint Designer 2013. Microsoft SharePoint Designer 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft SharePoint Designer 2013 settings. +This policy setting configures the backup of certain user settings for Microsoft SharePoint Designer 2013. Microsoft SharePoint Designer 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft SharePoint Designer 2013 settings. If you enable this policy setting, certain user settings of Microsoft SharePoint Designer 2013 will continue to be backed up. @@ -4348,12 +4380,7 @@ If you disable this policy setting, certain user settings of Microsoft SharePoin If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4371,28 +4398,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -4410,7 +4443,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 2013 Upload Center. By default, the user settings of Microsoft Office 2013 Upload Center synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Office 2013 Upload Center from synchronization between computers. +This policy setting configures the synchronization of user settings for Microsoft Office 2013 Upload Center. By default, the user settings of Microsoft Office 2013 Upload Center synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Office 2013 Upload Center from synchronization between computers. If you enable this policy setting, Microsoft Office 2013 Upload Center user settings continue to synchronize. @@ -4419,12 +4452,6 @@ If you disable this policy setting, Microsoft Office 2013 Upload Center user set If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -4443,28 +4470,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -4482,7 +4515,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Visio 2013. By default, the user settings of Microsoft Visio 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Visio 2013 from synchronization between computers. +This policy setting configures the synchronization of user settings for Microsoft Visio 2013. By default, the user settings of Microsoft Visio 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Visio 2013 from synchronization between computers. If you enable this policy setting, Microsoft Visio 2013 user settings continue to synchronize. @@ -4491,12 +4524,7 @@ If you disable this policy setting, Microsoft Visio 2013 user settings are exclu If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4515,28 +4543,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -4554,7 +4588,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Visio 2013. Microsoft Visio 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Visio 2013 settings. +This policy setting configures the backup of certain user settings for Microsoft Visio 2013. Microsoft Visio 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Visio 2013 settings. If you enable this policy setting, certain user settings of Microsoft Visio 2013 will continue to be backed up. @@ -4563,12 +4597,7 @@ If you disable this policy setting, certain user settings of Microsoft Visio 201 If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4587,28 +4616,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -4626,7 +4661,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Word 2013. By default, the user settings of Microsoft Word 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Word 2013 from synchronization between computers. +This policy setting configures the synchronization of user settings for Microsoft Word 2013. By default, the user settings of Microsoft Word 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Word 2013 from synchronization between computers. If you enable this policy setting, Microsoft Word 2013 user settings continue to synchronize. @@ -4635,12 +4670,6 @@ If you disable this policy setting, Microsoft Word 2013 user settings are exclud If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -4659,28 +4688,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -4698,7 +4733,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Word 2013. Microsoft Word 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Word 2013 settings. +This policy setting configures the backup of certain user settings for Microsoft Word 2013. Microsoft Word 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Word 2013 settings. If you enable this policy setting, certain user settings of Microsoft Word 2013 will continue to be backed up. @@ -4707,12 +4742,6 @@ If you disable this policy setting, certain user settings of Microsoft Word 2013 If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -4731,28 +4760,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -4770,7 +4805,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Access 2016. By default, the user settings of Microsoft Access 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Access 2016 from synchronization between computers. +This policy setting configures the synchronization of user settings for Microsoft Access 2016. By default, the user settings of Microsoft Access 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Access 2016 from synchronization between computers. If you enable this policy setting, Microsoft Access 2016 user settings continue to synchronize. @@ -4779,12 +4814,6 @@ If you disable this policy setting, Microsoft Access 2016 user settings are excl If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -4803,28 +4832,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -4842,7 +4877,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Access 2016. Microsoft Access 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Access 2016 settings. +This policy setting configures the backup of certain user settings for Microsoft Access 2016. Microsoft Access 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Access 2016 settings. If you enable this policy setting, certain user settings of Microsoft Access 2016 will continue to be backed up. @@ -4851,12 +4886,7 @@ If you disable this policy setting, certain user settings of Microsoft Access 20 If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4875,28 +4905,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -4914,7 +4950,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2016 applications. By default, the user settings which are common between the Microsoft Office Suite 2016 applications synchronize between computers. Use the policy setting to prevent the user settings which are common between the Microsoft Office Suite 2016 applications from synchronization between computers. +This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2016 applications. By default, the user settings which are common between the Microsoft Office Suite 2016 applications synchronize between computers. Use the policy setting to prevent the user settings which are common between the Microsoft Office Suite 2016 applications from synchronization between computers. If you enable this policy setting, the user settings which are common between the Microsoft Office Suite 2016 applications continue to synchronize. @@ -4923,12 +4959,7 @@ If you disable this policy setting, the user settings which are common between t If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4947,28 +4978,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -4986,7 +5023,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings which are common between the Microsoft Office Suite 2016 applications. +This policy setting configures the backup of certain user settings which are common between the Microsoft Office Suite 2016 applications. Microsoft Office Suite 2016 has user settings which are common between applications and are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific common Microsoft Office Suite 2016 applications. If you enable this policy setting, certain user settings which are common between the Microsoft Office Suite 2016 applications will continue to be backed up. @@ -4996,12 +5033,7 @@ If you disable this policy setting, certain user settings which are common betwe If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -5020,28 +5052,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -5059,7 +5097,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Excel 2016. By default, the user settings of Microsoft Excel 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Excel 2016 from synchronization between computers. +This policy setting configures the synchronization of user settings for Microsoft Excel 2016. By default, the user settings of Microsoft Excel 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Excel 2016 from synchronization between computers. If you enable this policy setting, Microsoft Excel 2016 user settings continue to synchronize. @@ -5068,12 +5106,7 @@ If you disable this policy setting, Microsoft Excel 2016 user settings are exclu If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -5092,28 +5125,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -5131,7 +5170,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Excel 2016. Microsoft Excel 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Excel 2016 settings. +This policy setting configures the backup of certain user settings for Microsoft Excel 2016. Microsoft Excel 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Excel 2016 settings. If you enable this policy setting, certain user settings of Microsoft Excel 2016 will continue to be backed up. @@ -5140,12 +5179,7 @@ If you disable this policy setting, certain user settings of Microsoft Excel 201 If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -5164,28 +5198,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -5203,7 +5243,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Lync 2016. By default, the user settings of Microsoft Lync 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Lync 2016 from synchronization between computers. +This policy setting configures the synchronization of user settings for Microsoft Lync 2016. By default, the user settings of Microsoft Lync 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Lync 2016 from synchronization between computers. If you enable this policy setting, Microsoft Lync 2016 user settings continue to synchronize. @@ -5212,12 +5252,7 @@ If you disable this policy setting, Microsoft Lync 2016 user settings are exclud If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -5236,28 +5271,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -5275,7 +5316,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Lync 2016. Microsoft Lync 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Lync 2016 settings. +This policy setting configures the backup of certain user settings for Microsoft Lync 2016. Microsoft Lync 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Lync 2016 settings. If you enable this policy setting, certain user settings of Microsoft Lync 2016 will continue to be backed up. @@ -5284,12 +5325,7 @@ If you disable this policy setting, certain user settings of Microsoft Lync 2016 If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -5308,28 +5344,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -5347,7 +5389,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for OneDrive for Business 2016. By default, the user settings of OneDrive for Business 2016 synchronize between computers. Use the policy setting to prevent the user settings of OneDrive for Business 2016 from synchronization between computers. +This policy setting configures the synchronization of user settings for OneDrive for Business 2016. By default, the user settings of OneDrive for Business 2016 synchronize between computers. Use the policy setting to prevent the user settings of OneDrive for Business 2016 from synchronization between computers. If you enable this policy setting, OneDrive for Business 2016 user settings continue to synchronize. @@ -5356,12 +5398,7 @@ If you disable this policy setting, OneDrive for Business 2016 user settings are If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -5380,28 +5417,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -5419,7 +5462,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft OneNote 2016. By default, the user settings of Microsoft OneNote 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft OneNote 2016 from synchronization between computers. +This policy setting configures the synchronization of user settings for Microsoft OneNote 2016. By default, the user settings of Microsoft OneNote 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft OneNote 2016 from synchronization between computers. If you enable this policy setting, Microsoft OneNote 2016 user settings continue to synchronize. @@ -5428,12 +5471,6 @@ If you disable this policy setting, Microsoft OneNote 2016 user settings are exc If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -5452,28 +5489,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -5491,7 +5534,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft OneNote 2016. Microsoft OneNote 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft OneNote 2016 settings. +This policy setting configures the backup of certain user settings for Microsoft OneNote 2016. Microsoft OneNote 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft OneNote 2016 settings. If you enable this policy setting, certain user settings of Microsoft OneNote 2016 will continue to be backed up. @@ -5500,12 +5543,7 @@ If you disable this policy setting, certain user settings of Microsoft OneNote 2 If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -5524,28 +5562,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -5563,7 +5607,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Outlook 2016. By default, the user settings of Microsoft Outlook 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Outlook 2016 from synchronization between computers. +This policy setting configures the synchronization of user settings for Microsoft Outlook 2016. By default, the user settings of Microsoft Outlook 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Outlook 2016 from synchronization between computers. If you enable this policy setting, Microsoft Outlook 2016 user settings continue to synchronize. @@ -5572,12 +5616,6 @@ If you disable this policy setting, Microsoft Outlook 2016 user settings are exc If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -5596,28 +5634,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -5635,7 +5679,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Outlook 2016. Microsoft Outlook 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Outlook 2016 settings. +This policy setting configures the backup of certain user settings for Microsoft Outlook 2016. Microsoft Outlook 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Outlook 2016 settings. If you enable this policy setting, certain user settings of Microsoft Outlook 2016 will continue to be backed up. @@ -5644,12 +5688,7 @@ If you disable this policy setting, certain user settings of Microsoft Outlook 2 If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -5668,28 +5707,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -5707,7 +5752,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft PowerPoint 2016. By default, the user settings of Microsoft PowerPoint 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft PowerPoint 2016 from synchronization between computers. +This policy setting configures the synchronization of user settings for Microsoft PowerPoint 2016. By default, the user settings of Microsoft PowerPoint 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft PowerPoint 2016 from synchronization between computers. If you enable this policy setting, Microsoft PowerPoint 2016 user settings continue to synchronize. @@ -5716,12 +5761,6 @@ If you disable this policy setting, Microsoft PowerPoint 2016 user settings are If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -5740,28 +5779,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -5779,7 +5824,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft PowerPoint 2016. Microsoft PowerPoint 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft PowerPoint 2016 settings. +This policy setting configures the backup of certain user settings for Microsoft PowerPoint 2016. Microsoft PowerPoint 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft PowerPoint 2016 settings. If you enable this policy setting, certain user settings of Microsoft PowerPoint 2016 will continue to be backed up. @@ -5788,12 +5833,6 @@ If you disable this policy setting, certain user settings of Microsoft PowerPoin If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -5812,28 +5851,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -5851,7 +5896,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Project 2016. +This policy setting configures the synchronization of user settings for Microsoft Project 2016. By default, the user settings of Microsoft Project 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Project 2016 from synchronization between computers. If you enable this policy setting, Microsoft Project 2016 user settings continue to synchronize. @@ -5861,12 +5906,7 @@ If you disable this policy setting, Microsoft Project 2016 user settings are exc If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -5885,28 +5925,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -5924,7 +5970,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Project 2016. Microsoft Project 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Project 2016 settings. +This policy setting configures the backup of certain user settings for Microsoft Project 2016. Microsoft Project 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Project 2016 settings. If you enable this policy setting, certain user settings of Microsoft Project 2016 will continue to be backed up. @@ -5932,12 +5978,7 @@ If you disable this policy setting, certain user settings of Microsoft Project 2 If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -5956,28 +5997,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -5995,7 +6042,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Publisher 2016. By default, the user settings of Microsoft Publisher 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Publisher 2016 from synchronization between computers. +This policy setting configures the synchronization of user settings for Microsoft Publisher 2016. By default, the user settings of Microsoft Publisher 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Publisher 2016 from synchronization between computers. If you enable this policy setting, Microsoft Publisher 2016 user settings continue to synchronize. @@ -6004,12 +6051,7 @@ If you disable this policy setting, Microsoft Publisher 2016 user settings are e If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -6028,28 +6070,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -6067,7 +6115,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Publisher 2016. Microsoft Publisher 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Publisher 2016 settings. +This policy setting configures the backup of certain user settings for Microsoft Publisher 2016. Microsoft Publisher 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Publisher 2016 settings. If you enable this policy setting, certain user settings of Microsoft Publisher 2016 will continue to be backed up. @@ -6076,12 +6124,7 @@ If you disable this policy setting, certain user settings of Microsoft Publisher If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -6099,28 +6142,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -6138,7 +6187,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 2016 Upload Center. By default, the user settings of Microsoft Office 2016 Upload Center synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Office 2016 Upload Center from synchronization between computers. +This policy setting configures the synchronization of user settings for Microsoft Office 2016 Upload Center. By default, the user settings of Microsoft Office 2016 Upload Center synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Office 2016 Upload Center from synchronization between computers. If you enable this policy setting, Microsoft Office 2016 Upload Center user settings continue to synchronize. @@ -6147,12 +6196,7 @@ If you disable this policy setting, Microsoft Office 2016 Upload Center user set If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -6171,28 +6215,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -6210,7 +6260,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Visio 2016. By default, the user settings of Microsoft Visio 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Visio 2016 from synchronization between computers. +This policy setting configures the synchronization of user settings for Microsoft Visio 2016. By default, the user settings of Microsoft Visio 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Visio 2016 from synchronization between computers. If you enable this policy setting, Microsoft Visio 2016 user settings continue to synchronize. @@ -6219,12 +6269,6 @@ If you disable this policy setting, Microsoft Visio 2016 user settings are exclu If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -6243,28 +6287,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -6282,7 +6332,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Visio 2016. Microsoft Visio 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Visio 2016 settings. +This policy setting configures the backup of certain user settings for Microsoft Visio 2016. Microsoft Visio 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Visio 2016 settings. If you enable this policy setting, certain user settings of Microsoft Visio 2016 will continue to be backed up. @@ -6291,12 +6341,7 @@ If you disable this policy setting, certain user settings of Microsoft Visio 201 If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -6315,28 +6360,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -6354,7 +6405,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Word 2016. By default, the user settings of Microsoft Word 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Word 2016 from synchronization between computers. +This policy setting configures the synchronization of user settings for Microsoft Word 2016. By default, the user settings of Microsoft Word 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Word 2016 from synchronization between computers. If you enable this policy setting, Microsoft Word 2016 user settings continue to synchronize. @@ -6363,12 +6414,6 @@ If you disable this policy setting, Microsoft Word 2016 user settings are exclud If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -6387,28 +6432,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -6426,7 +6477,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Word 2016. Microsoft Word 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Word 2016 settings. +This policy setting configures the backup of certain user settings for Microsoft Word 2016. Microsoft Word 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Word 2016 settings. If you enable this policy setting, certain user settings of Microsoft Word 2016 will continue to be backed up. @@ -6435,12 +6486,7 @@ If you disable this policy setting, certain user settings of Microsoft Word 2016 If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -6459,28 +6505,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -6498,7 +6550,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Access 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Access 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Access 2013 from synchronization between computers with UE-V. +This policy setting configures the synchronization of user settings for Microsoft Office 365 Access 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Access 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Access 2013 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 Access 2013 user settings continue to sync with UE-V. @@ -6507,12 +6559,7 @@ If you disable this policy setting, Microsoft Office 365 Access 2013 user settin If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -6531,28 +6578,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -6570,7 +6623,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Access 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Access 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Access 2016 from synchronization between computers with UE-V. +This policy setting configures the synchronization of user settings for Microsoft Office 365 Access 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Access 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Access 2016 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 Access 2016 user settings continue to sync with UE-V. @@ -6579,12 +6632,7 @@ If you disable this policy setting, Microsoft Office 365 Access 2016 user settin If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -6603,28 +6651,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -6642,7 +6696,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2013 applications. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings which are common between the Microsoft Office Suite 2013 applications will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings which are common between the Microsoft Office Suite 2013 applications from synchronization between computers with UE-V. +This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2013 applications. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings which are common between the Microsoft Office Suite 2013 applications will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings which are common between the Microsoft Office Suite 2013 applications from synchronization between computers with UE-V. If you enable this policy setting, user settings which are common between the Microsoft Office Suite 2013 applications continue to synchronize with UE-V. @@ -6651,12 +6705,7 @@ If you disable this policy setting, user settings which are common between the M If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -6674,28 +6723,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -6713,7 +6768,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2016 applications. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings which are common between the Microsoft Office Suite 2016 applications will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings which are common between the Microsoft Office Suite 2016 applications from synchronization between computers with UE-V. +This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2016 applications. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings which are common between the Microsoft Office Suite 2016 applications will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings which are common between the Microsoft Office Suite 2016 applications from synchronization between computers with UE-V. If you enable this policy setting, user settings which are common between the Microsoft Office Suite 2016 applications continue to synchronize with UE-V. @@ -6722,12 +6777,7 @@ If you disable this policy setting, user settings which are common between the M If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -6746,28 +6796,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -6785,7 +6841,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Excel 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Excel 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Excel 2013 from synchronization between computers with UE-V. +This policy setting configures the synchronization of user settings for Microsoft Office 365 Excel 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Excel 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Excel 2013 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 Excel 2013 user settings continue to sync with UE-V. @@ -6794,12 +6850,7 @@ If you disable this policy setting, Microsoft Office 365 Excel 2013 user setting If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -6818,28 +6869,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -6857,7 +6914,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Excel 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Excel 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Excel 2016 from synchronization between computers with UE-V. +This policy setting configures the synchronization of user settings for Microsoft Office 365 Excel 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Excel 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Excel 2016 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 Excel 2016 user settings continue to sync with UE-V. @@ -6866,12 +6923,7 @@ If you disable this policy setting, Microsoft Office 365 Excel 2016 user setting If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -6890,28 +6942,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -6929,7 +6987,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 InfoPath 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 InfoPath 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 InfoPath 2013 from synchronization between computers with UE-V. +This policy setting configures the synchronization of user settings for Microsoft Office 365 InfoPath 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 InfoPath 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 InfoPath 2013 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 InfoPath 2013 user settings continue to sync with UE-V. @@ -6937,12 +6995,7 @@ If you disable this policy setting, Microsoft Office 365 InfoPath 2013 user sett If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -6961,28 +7014,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -7000,7 +7059,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Lync 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Lync 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Lync 2013 from synchronization between computers with UE-V. +This policy setting configures the synchronization of user settings for Microsoft Office 365 Lync 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Lync 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Lync 2013 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 Lync 2013 user settings continue to sync with UE-V. @@ -7009,12 +7068,7 @@ If you disable this policy setting, Microsoft Office 365 Lync 2013 user settings If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -7033,28 +7087,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -7072,7 +7132,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Lync 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Lync 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Lync 2016 from synchronization between computers with UE-V. +This policy setting configures the synchronization of user settings for Microsoft Office 365 Lync 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Lync 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Lync 2016 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 Lync 2016 user settings continue to sync with UE-V. @@ -7081,12 +7141,7 @@ If you disable this policy setting, Microsoft Office 365 Lync 2016 user settings If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -7105,28 +7160,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -7144,7 +7205,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 OneNote 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 OneNote 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 OneNote 2013 from synchronization between computers with UE-V. +This policy setting configures the synchronization of user settings for Microsoft Office 365 OneNote 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 OneNote 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 OneNote 2013 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 OneNote 2013 user settings continue to sync with UE-V. @@ -7153,12 +7214,7 @@ If you disable this policy setting, Microsoft Office 365 OneNote 2013 user setti If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -7177,28 +7233,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -7216,7 +7278,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 OneNote 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 OneNote 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 OneNote 2016 from synchronization between computers with UE-V. +This policy setting configures the synchronization of user settings for Microsoft Office 365 OneNote 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 OneNote 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 OneNote 2016 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 OneNote 2016 user settings continue to sync with UE-V. @@ -7225,12 +7287,7 @@ If you disable this policy setting, Microsoft Office 365 OneNote 2016 user setti If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -7249,28 +7306,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -7288,7 +7351,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Outlook 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Outlook 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Outlook 2013 from synchronization between computers with UE-V. +This policy setting configures the synchronization of user settings for Microsoft Office 365 Outlook 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Outlook 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Outlook 2013 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 Outlook 2013 user settings continue to sync with UE-V. @@ -7297,12 +7360,7 @@ If you disable this policy setting, Microsoft Office 365 Outlook 2013 user setti If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -7321,28 +7379,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -7360,7 +7424,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Outlook 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Outlook 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Outlook 2016 from synchronization between computers with UE-V. +This policy setting configures the synchronization of user settings for Microsoft Office 365 Outlook 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Outlook 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Outlook 2016 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 Outlook 2016 user settings continue to sync with UE-V. @@ -7369,12 +7433,7 @@ If you disable this policy setting, Microsoft Office 365 Outlook 2016 user setti If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -7393,28 +7452,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -7432,7 +7497,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 PowerPoint 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 PowerPoint 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 PowerPoint 2013 from synchronization between computers with UE-V. +This policy setting configures the synchronization of user settings for Microsoft Office 365 PowerPoint 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 PowerPoint 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 PowerPoint 2013 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 PowerPoint 2013 user settings continue to sync with UE-V. @@ -7441,12 +7506,7 @@ If you disable this policy setting, Microsoft Office 365 PowerPoint 2013 user se If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -7465,28 +7525,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -7504,7 +7570,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 PowerPoint 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 PowerPoint 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 PowerPoint 2016 from synchronization between computers with UE-V. +This policy setting configures the synchronization of user settings for Microsoft Office 365 PowerPoint 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 PowerPoint 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 PowerPoint 2016 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 PowerPoint 2016 user settings continue to sync with UE-V. @@ -7513,12 +7579,7 @@ If you disable this policy setting, Microsoft Office 365 PowerPoint 2016 user se If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -7537,28 +7598,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -7576,7 +7643,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Project 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Project 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Project 2013 from synchronization between computers with UE-V. +This policy setting configures the synchronization of user settings for Microsoft Office 365 Project 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Project 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Project 2013 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 Project 2013 user settings continue to sync with UE-V. @@ -7585,12 +7652,7 @@ If you disable this policy setting, Microsoft Office 365 Project 2013 user setti If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -7608,28 +7670,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -7647,7 +7715,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Project 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Project 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Project 2016 from synchronization between computers with UE-V. +This policy setting configures the synchronization of user settings for Microsoft Office 365 Project 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Project 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Project 2016 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 Project 2016 user settings continue to sync with UE-V. @@ -7656,12 +7724,7 @@ If you disable this policy setting, Microsoft Office 365 Project 2016 user setti If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -7680,28 +7743,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -7719,7 +7788,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Publisher 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Publisher 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Publisher 2013 from synchronization between computers with UE-V. +This policy setting configures the synchronization of user settings for Microsoft Office 365 Publisher 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Publisher 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Publisher 2013 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 Publisher 2013 user settings continue to sync with UE-V. @@ -7728,12 +7797,7 @@ If you disable this policy setting, Microsoft Office 365 Publisher 2013 user set If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -7752,28 +7816,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -7791,7 +7861,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Publisher 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Publisher 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Publisher 2016 from synchronization between computers with UE-V. +This policy setting configures the synchronization of user settings for Microsoft Office 365 Publisher 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Publisher 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Publisher 2016 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 Publisher 2016 user settings continue to sync with UE-V. @@ -7800,12 +7870,6 @@ If you disable this policy setting, Microsoft Office 365 Publisher 2016 user set If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -7824,28 +7888,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -7863,7 +7933,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 SharePoint Designer 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 SharePoint Designer 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 SharePoint Designer 2013 from synchronization between computers with UE-V. +This policy setting configures the synchronization of user settings for Microsoft Office 365 SharePoint Designer 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 SharePoint Designer 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 SharePoint Designer 2013 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 SharePoint Designer 2013 user settings continue to sync with UE-V. @@ -7872,12 +7942,7 @@ If you disable this policy setting, Microsoft Office 365 SharePoint Designer 201 If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -7896,28 +7961,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -7935,7 +8006,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Visio 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Visio 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Visio 2013 from synchronization between computers with UE-V. +This policy setting configures the synchronization of user settings for Microsoft Office 365 Visio 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Visio 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Visio 2013 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 Visio 2013 user settings continue to sync with UE-V. @@ -7944,12 +8015,6 @@ If you disable this policy setting, Microsoft Office 365 Visio 2013 user setting If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -7968,28 +8033,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -8007,7 +8078,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Visio 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Visio 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Visio 2016 from synchronization between computers with UE-V. +This policy setting configures the synchronization of user settings for Microsoft Office 365 Visio 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Visio 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Visio 2016 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 Visio 2016 user settings continue to sync with UE-V. @@ -8016,12 +8087,7 @@ If you disable this policy setting, Microsoft Office 365 Visio 2016 user setting If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -8040,28 +8106,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -8079,7 +8151,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Word 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Word 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Word 2013 from synchronization between computers with UE-V. +This policy setting configures the synchronization of user settings for Microsoft Office 365 Word 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Word 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Word 2013 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 Word 2013 user settings continue to sync with UE-V. @@ -8088,12 +8160,7 @@ If you disable this policy setting, Microsoft Office 365 Word 2013 user settings If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -8112,28 +8179,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -8151,7 +8224,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Word 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Word 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Word 2016 from synchronization between computers with UE-V. +This policy setting configures the synchronization of user settings for Microsoft Office 365 Word 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Word 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Word 2016 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 Word 2016 user settings continue to sync with UE-V. @@ -8160,12 +8233,7 @@ If you disable this policy setting, Microsoft Office 365 Word 2016 user settings If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -8184,28 +8252,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -8223,7 +8297,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for the Music app. By default, the user settings of Music sync between computers. Use the policy setting to prevent the user settings of Music from synchronizing between computers. +This policy setting configures the synchronization of user settings for the Music app. By default, the user settings of Music sync between computers. Use the policy setting to prevent the user settings of Music from synchronizing between computers. If you enable this policy setting, Music user settings continue to sync. @@ -8231,12 +8305,7 @@ If you disable this policy setting, Music user settings are excluded from the sy If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -8255,28 +8324,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -8294,7 +8369,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for the News app. By default, the user settings of News sync between computers. Use the policy setting to prevent the user settings of News from synchronizing between computers. +This policy setting configures the synchronization of user settings for the News app. By default, the user settings of News sync between computers. Use the policy setting to prevent the user settings of News from synchronizing between computers. If you enable this policy setting, News user settings continue to sync. @@ -8303,12 +8378,7 @@ If you disable this policy setting, News user settings are excluded from synchro If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -8327,28 +8397,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -8366,7 +8442,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings of Notepad. By default, the user settings of Notepad synchronize between computers. Use the policy setting to prevent the user settings of Notepad from synchronization between computers. +This policy setting configures the synchronization of user settings of Notepad. By default, the user settings of Notepad synchronize between computers. Use the policy setting to prevent the user settings of Notepad from synchronization between computers. If you enable this policy setting, the Notepad user settings continue to synchronize. @@ -8375,12 +8451,7 @@ If you disable this policy setting, Notepad user settings are excluded from the If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -8399,28 +8470,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -8438,7 +8515,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for the Reader app. By default, the user settings of Reader sync between computers. Use the policy setting to prevent the user settings of Reader from synchronizing between computers. +This policy setting configures the synchronization of user settings for the Reader app. By default, the user settings of Reader sync between computers. Use the policy setting to prevent the user settings of Reader from synchronizing between computers. If you enable this policy setting, Reader user settings continue to sync. @@ -8448,12 +8525,7 @@ If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -8472,28 +8544,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -8511,19 +8589,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the number of milliseconds that the computer waits when retrieving user settings from the settings storage location. You can use this setting to override the default value of 2000 milliseconds. +This policy setting configures the number of milliseconds that the computer waits when retrieving user settings from the settings storage location. You can use this setting to override the default value of 2000 milliseconds. If you enable this policy setting, set the number of milliseconds that the system waits to retrieve settings. If you disable or do not configure this policy setting, the default value of 2000 milliseconds is used. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -8542,28 +8615,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -8581,19 +8660,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures where the settings package files that contain user settings are stored. +This policy setting configures where the settings package files that contain user settings are stored. If you enable this policy setting, the user settings are stored in the specified location. If you disable or do not configure this policy setting, the user settings are stored in the user’s home directory if configured for your environment. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -8612,28 +8686,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -8651,7 +8731,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures where custom settings location templates are stored and if the catalog will be used to replace the default Microsoft templates installed with the UE-V Agent. +This policy setting configures where custom settings location templates are stored and if the catalog will be used to replace the default Microsoft templates installed with the UE-V Agent. If you enable this policy setting, the UE-V Agent checks the specified location once each day and updates its synchronization behavior based on the templates in this location. Settings location templates added or updated since the last check are registered by the UE-V Agent. The UE-V Agent deregisters templates that were removed from this location. @@ -8664,12 +8744,7 @@ If you disable this policy setting, the UE-V Agent will not use the custom setti If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -8688,28 +8763,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -8727,7 +8808,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for the Sports app. By default, the user settings of Sports sync between computers. Use the policy setting to prevent the user settings of Sports from synchronizing between computers. +This policy setting configures the synchronization of user settings for the Sports app. By default, the user settings of Sports sync between computers. Use the policy setting to prevent the user settings of Sports from synchronizing between computers. If you enable this policy setting, Sports user settings continue to sync. @@ -8736,12 +8817,7 @@ If you disable this policy setting, Sports user settings are excluded from synch If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -8760,28 +8836,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -8799,15 +8881,10 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to enable or disable User Experience Virtualization (UE-V). Only applies to Windows 10 or earlier. +This policy setting allows you to enable or disable User Experience Virtualization (UE-V). Only applies to Windows 10 or earlier. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -8825,28 +8902,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -8864,7 +8947,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting defines whether the User Experience Virtualization (UE-V) Agent synchronizes settings over metered connections. By default, the UE-V Agent does not synchronize settings over a metered connection. +This policy setting defines whether the User Experience Virtualization (UE-V) Agent synchronizes settings over metered connections. By default, the UE-V Agent does not synchronize settings over a metered connection. With this setting enabled, the UE-V Agent synchronizes settings over a metered connection. @@ -8873,12 +8956,7 @@ With this setting disabled, the UE-V Agent does not synchronize settings over a If you do not configure this policy setting, any defined values are deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -8897,28 +8975,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -8936,7 +9020,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting defines whether the User Experience Virtualization (UE-V) Agent synchronizes settings over metered connections outside of the home provider network, for example when connected via a roaming connection. By default, the UE-V Agent does not synchronize settings over a metered connection that is roaming. +This policy setting defines whether the User Experience Virtualization (UE-V) Agent synchronizes settings over metered connections outside of the home provider network, for example when connected via a roaming connection. By default, the UE-V Agent does not synchronize settings over a metered connection that is roaming. With this setting enabled, the UE-V Agent synchronizes settings over a metered connection that is roaming. @@ -8945,12 +9029,7 @@ With this setting disabled, the UE-V Agent will not synchronize settings over a If you do not configure this policy setting, any defined values are deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -8969,28 +9048,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -9008,7 +9093,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the User Experience Virtualization (UE-V) sync provider to ping the settings storage path before attempting to sync settings. If the ping is successful then the sync provider attempts to synchronize the settings packages. If the ping is unsuccessful then the sync provider doesn’t attempt the synchronization. +This policy setting allows you to configure the User Experience Virtualization (UE-V) sync provider to ping the settings storage path before attempting to sync settings. If the ping is successful then the sync provider attempts to synchronize the settings packages. If the ping is unsuccessful then the sync provider doesn’t attempt the synchronization. If you enable this policy setting, the sync provider pings the settings storage location before synchronizing settings packages. @@ -9017,12 +9102,7 @@ If you disable this policy setting, the sync provider doesn’t ping the setting If you do not configure this policy, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -9041,28 +9121,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -9079,7 +9165,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting defines the default settings sync behavior of the User Experience Virtualization (UE-V) Agent for Windows apps that are not explicitly listed in Windows App List. By default, the UE-V Agent only synchronizes settings of those Windows apps included in the Windows App List. +This policy setting defines the default settings sync behavior of the User Experience Virtualization (UE-V) Agent for Windows apps that are not explicitly listed in Windows App List. By default, the UE-V Agent only synchronizes settings of those Windows apps included in the Windows App List. With this setting enabled, the settings of all Windows apps not expressly disable in the Windows App List are synchronized. @@ -9088,12 +9174,7 @@ With this setting disabled, only the settings of the Windows apps set to synchro If you do not configure this policy setting, any defined values are deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -9112,28 +9193,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -9151,7 +9238,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for the Travel app. By default, the user settings of Travel sync between computers. Use the policy setting to prevent the user settings of Travel from synchronizing between computers. +This policy setting configures the synchronization of user settings for the Travel app. By default, the user settings of Travel sync between computers. Use the policy setting to prevent the user settings of Travel from synchronizing between computers. If you enable this policy setting, Travel user settings continue to sync. @@ -9160,12 +9247,7 @@ If you disable this policy setting, Travel user settings are excluded from synch If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -9184,28 +9266,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -9222,19 +9310,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting enables the User Experience Virtualization (UE-V) tray icon. By default, an icon appears in the system tray that displays notifications for UE-V. This icon also provides a link to the UE-V Agent application, Company Settings Center. Users can open the Company Settings Center by right-clicking the icon and selecting Open or by double-clicking the icon. When this group policy setting is enabled, the UE-V tray icon is visible, the UE-V notifications display, and the Company Settings Center is accessible from the tray icon. +This policy setting enables the User Experience Virtualization (UE-V) tray icon. By default, an icon appears in the system tray that displays notifications for UE-V. This icon also provides a link to the UE-V Agent application, Company Settings Center. Users can open the Company Settings Center by right-clicking the icon and selecting Open or by double-clicking the icon. When this group policy setting is enabled, the UE-V tray icon is visible, the UE-V notifications display, and the Company Settings Center is accessible from the tray icon. With this setting disabled, the tray icon does not appear in the system tray, UE-V never displays notifications, and the user cannot access Company Settings Center from the system tray. The Company Settings Center remains accessible through the Control Panel and the Start menu or Start screen. If you do not configure this policy setting, any defined values are deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -9253,28 +9335,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -9292,7 +9380,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for the Video app. By default, the user settings of Video sync between computers. Use the policy setting to prevent the user settings of Video from synchronizing between computers. +This policy setting configures the synchronization of user settings for the Video app. By default, the user settings of Video sync between computers. Use the policy setting to prevent the user settings of Video from synchronizing between computers. If you enable this policy setting, Video user settings continue to sync. @@ -9301,12 +9389,7 @@ If you disable this policy setting, Video user settings are excluded from synchr If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -9325,28 +9408,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -9364,7 +9453,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for the Weather app. By default, the user settings of Weather sync between computers. Use the policy setting to prevent the user settings of Weather from synchronizing between computers. +This policy setting configures the synchronization of user settings for the Weather app. By default, the user settings of Weather sync between computers. Use the policy setting to prevent the user settings of Weather from synchronizing between computers. If you enable this policy setting, Weather user settings continue to sync. @@ -9373,12 +9462,7 @@ If you disable this policy setting, Weather user settings are excluded from sync If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -9396,28 +9480,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -9435,7 +9525,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings of WordPad. By default, the user settings of WordPad synchronize between computers. Use the policy setting to prevent the user settings of WordPad from synchronization between computers. +This policy setting configures the synchronization of user settings of WordPad. By default, the user settings of WordPad synchronize between computers. Use the policy setting to prevent the user settings of WordPad from synchronization between computers. If you enable this policy setting, the WordPad user settings continue to synchronize. @@ -9444,12 +9534,7 @@ If you disable this policy setting, WordPad user settings are excluded from the If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -9461,7 +9546,6 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-userprofiles.md b/windows/client-management/mdm/policy-csp-admx-userprofiles.md index 7e23b796b2..65da2ac7ab 100644 --- a/windows/client-management/mdm/policy-csp-admx-userprofiles.md +++ b/windows/client-management/mdm/policy-csp-admx-userprofiles.md @@ -13,11 +13,15 @@ manager: dansimp --- # Policy CSP - ADMX_UserProfiles -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
      +> [!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ## ADMX_UserProfiles policies @@ -57,28 +61,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -95,19 +105,16 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting allows an administrator to automatically delete user profiles on system restart that have not been used within a specified number of days. Note: One day is interpreted as 24 hours after a specific user profile was accessed. +This policy setting allows an administrator to automatically delete user profiles on system restart that have not been used within a specified number of days. + +> [!NOTE] +> One day is interpreted as 24 hours after a specific user profile was accessed. If you enable this policy setting, the User Profile Service will automatically delete on the next system restart all user profiles on the computer that have not been used within the specified number of days. If you disable or do not configure this policy setting, User Profile Service will not automatically delete any profiles on the next system restart. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -126,28 +133,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -164,21 +177,16 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether Windows forcefully unloads the user's registry at logoff, even if there are open handles to the per-user registry keys. +This policy setting controls whether Windows forcefully unloads the user's registry at logoff, even if there are open handles to the per-user registry keys. -Note: This policy setting should only be used for cases where you may be running into application compatibility issues due to this specific Windows behavior. It is not recommended to enable this policy by default as it may prevent users from getting an updated version of their roaming user profile. +> [!NOTE] +> This policy setting should only be used for cases where you may be running into application compatibility issues due to this specific Windows behavior. It is not recommended to enable this policy by default as it may prevent users from getting an updated version of their roaming user profile. If you enable this policy setting, Windows will not forcefully unload the users registry at logoff, but will unload the registry when all open handles to the per-user registry keys are closed. If you disable or do not configure this policy setting, Windows will always unload the users registry at logoff, even if there are any open handles to the per-user registry keys at user logoff. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -197,28 +205,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -235,7 +249,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether the system retains a roaming user's Windows Installer and Group Policy based software installation data on their profile deletion. +This policy setting determines whether the system retains a roaming user's Windows Installer and Group Policy based software installation data on their profile deletion. By default Windows deletes all information related to a roaming user (which includes the user's settings, data, Windows Installer related data, and the like) when their profile is deleted. As a result, the next time a roaming user whose profile was previously deleted on that client logs on, they will need to reinstall all apps published via policy at logon increasing logon time. You can use this policy setting to change this behavior. @@ -247,12 +261,6 @@ If you disable or do not configure this policy setting, Windows will delete the > If this policy setting is enabled for a machine, local administrator action is required to remove the Windows Installer or Group Policy software installation data stored in the registry and file system of roaming users' profiles on the machine. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -271,28 +279,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -309,7 +323,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting sets the maximum size of each user profile and determines the system's response when a user profile reaches the maximum size. This policy setting affects both local and roaming profiles. +This policy setting sets the maximum size of each user profile and determines the system's response when a user profile reaches the maximum size. This policy setting affects both local and roaming profiles. If you disable this policy setting or do not configure it, the system does not limit the size of user profiles. @@ -321,16 +335,7 @@ If you enable this policy setting, you can: - Specify a customized message notifying users of the oversized profile. - Determine how often the customized message is displayed. -> [!NOTE] -> In operating systems earlier than Microsoft Windows Vista, Windows will not allow users to log off until the profile size has been reduced to within the allowable limit. In Microsoft Windows Vista, Windows will not block users from logging off. Instead, if the user has a roaming user profile, Windows will not synchronize the user's profile with the roaming profile server if the maximum profile size limit specified here is exceeded. - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -349,28 +354,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -387,7 +398,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting will automatically log off a user when Windows cannot load their profile. +This policy setting will automatically log off a user when Windows cannot load their profile. If Windows cannot access the user profile folder or the profile contains errors that prevent it from loading, Windows logs on the user with a temporary profile. This policy setting allows the administrator to disable this behavior, preventing Windows from logging on the user with a temporary profile. @@ -398,12 +409,6 @@ If you disable this policy setting or do not configure it, Windows logs on the u Also, see the "Delete cached copies of roaming profiles" policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -422,28 +427,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -460,7 +471,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting defines a slow connection for roaming user profiles and establishes thresholds for two tests of network speed. +This policy setting defines a slow connection for roaming user profiles and establishes thresholds for two tests of network speed. To determine the network performance characteristics, a connection is made to the file share storing the user's profile and 64 kilobytes of data is transferred. From that connection and data transfer, the network's latency and connection speed are determined. @@ -471,12 +482,6 @@ If you enable this policy setting, you can change how long Windows waits for a r If you disable or do not configure this policy setting, Windows considers the network connection to be slow if the server returns less than 500 kilobits of data per second or take 120 milliseconds to respond.Consider increasing this value for clients using DHCP Service-assigned addresses or for computers accessing profiles across dial-up connections.Important: If the "Do not detect slow network connections" policy setting is enabled, this policy setting is ignored. Also, if the "Delete cached copies of roaming profiles" policy setting is enabled, there is no local copy of the roaming profile to load when the system detects a slow connection. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -495,28 +500,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -533,7 +544,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the location and root (file share or local path) of a user's home folder for a logon session. +This policy setting allows you to specify the location and root (file share or local path) of a user's home folder for a logon session. If you enable this policy setting, the user's home folder is configured to the specified local or network location, creating a new folder for each user name. @@ -549,12 +560,6 @@ If you disable or do not configure this policy setting, the user's home folder i If the "Set Remote Desktop Services User Home Directory" policy setting is enabled, the “Set user home folder” policy setting has no effect. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -573,28 +578,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -611,7 +622,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This setting prevents users from managing the ability to allow apps to access the user name, account picture, and domain information. +This setting prevents users from managing the ability to allow apps to access the user name, account picture, and domain information. If you enable this policy setting, sharing of user name, picture and domain information may be controlled by setting one of the following options: @@ -622,12 +633,6 @@ If you enable this policy setting, sharing of user name, picture and domain info If you do not configure or disable this policy the user will have full control over this setting and can turn it off and on. Selecting this option may have a negative impact on certain enterprise software and/or line of business apps that depend on the domain information protected by this setting to connect with network resources if users choose to turn the setting off. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -641,6 +646,4 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-w32time.md b/windows/client-management/mdm/policy-csp-admx-w32time.md index 2d0f47d74c..ceb56a9803 100644 --- a/windows/client-management/mdm/policy-csp-admx-w32time.md +++ b/windows/client-management/mdm/policy-csp-admx-w32time.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_W32Time -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +> [!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -45,28 +49,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -83,7 +93,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify Clock discipline and General values for the Windows Time service (W32time) for domain controllers including RODCs. +This policy setting allows you to specify Clock discipline and General values for the Windows Time service (W32time) for domain controllers including RODCs. If this policy setting is enabled, W32time Service on target machines use the settings provided here. Otherwise, the service on target machines use locally configured settings values. @@ -166,12 +176,7 @@ This parameter controls whether or not the chaining mechanism is disabled. If ch This parameter controls the frequency at which an event that indicates the number of successful and unsuccessful chaining attempts is logged to the System log in Event Viewer. Default: 30 minutes. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -190,28 +195,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -228,7 +239,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies a set of parameters for controlling the Windows NTP Client. +This policy setting specifies a set of parameters for controlling the Windows NTP Client. If you enable this policy setting, you can specify the following parameters for the Windows NTP Client. @@ -256,12 +267,7 @@ This NTP client value, expressed in seconds, controls how often a manually confi This value is a bitmask that controls events that may be logged to the System log in Event Viewer. Setting this value to 0x1 indicates that W32time will create an event whenever a time jump is detected. Setting this value to 0x2 indicates that W32time will create an event whenever a time source change is made. Because it is a bitmask value, setting 0x3 (the addition of 0x1 and 0x2) indicates that both time jumps and time source changes will be logged. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -280,28 +286,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -318,7 +330,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the Windows NTP Client is enabled. +This policy setting specifies whether the Windows NTP Client is enabled. Enabling the Windows NTP Client allows your computer to synchronize its computer clock with other NTP servers. You might want to disable this service if you decide to use a third-party time provider. @@ -327,12 +339,7 @@ If you enable this policy setting, you can set the local computer clock to synch If you disable or do not configure this policy setting, the local computer clock does not synchronize time with NTP servers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -351,28 +358,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -389,19 +402,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify whether the Windows NTP Server is enabled. +This policy setting allows you to specify whether the Windows NTP Server is enabled. If you enable this policy setting for the Windows NTP Server, your computer can service NTP requests from other computers. If you disable or do not configure this policy setting, your computer cannot service NTP requests from other computers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -414,8 +421,6 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-wcm.md b/windows/client-management/mdm/policy-csp-admx-wcm.md index 3ec0e0695a..add85c7c05 100644 --- a/windows/client-management/mdm/policy-csp-admx-wcm.md +++ b/windows/client-management/mdm/policy-csp-admx-wcm.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_WCM -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +> [!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -42,28 +46,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -80,19 +90,13 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies that power management is disabled when the machine enters connected standby mode. +This policy setting specifies that power management is disabled when the machine enters connected standby mode. If this policy setting is enabled, Windows Connection Manager does not manage adapter radios to reduce power consumption when the machine enters connected standby mode. If this policy setting is not configured or is disabled, power management is enabled when the machine enters connected standby mode. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -111,28 +115,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -149,7 +159,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether Windows will soft-disconnect a computer from a network. +This policy setting determines whether Windows will soft-disconnect a computer from a network. If this policy setting is enabled or not configured, Windows will soft-disconnect a computer from a network when it determines that the computer should no longer be connected to a network. @@ -164,12 +174,7 @@ When soft disconnect is enabled: This policy setting depends on other group policy settings. For example, if 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is disabled, Windows will not disconnect from any networks. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -188,28 +193,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -226,7 +237,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines if a computer can have multiple connections to the internet or to a Windows domain. If multiple connections are allowed, it then determines how network traffic will be routed. +This policy setting determines if a computer can have multiple connections to the internet or to a Windows domain. If multiple connections are allowed, it then determines how network traffic will be routed. If this policy setting is set to 0, a computer can have simultaneous connections to the internet, to a Windows domain, or to both. Internet traffic can be routed over any connection - including a cellular connection and any metered network. This was previously the Disabled state for this policy setting. This option was first available in Windows 8. @@ -239,12 +250,6 @@ If this policy setting is set to 3, the behavior is similar to 2. However, if th This policy setting is related to the "Enable Windows to soft-disconnect a computer from a network" policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -257,8 +262,6 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-wdi.md b/windows/client-management/mdm/policy-csp-admx-wdi.md new file mode 100644 index 0000000000..900905feee --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-wdi.md @@ -0,0 +1,185 @@ +--- +title: Policy CSP - ADMX_WDI +description: Policy CSP - ADMX_WDI +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 11/09/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_WDI + +
      + + +## ADMX_WDI policies + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + +
      +
      + ADMX_WDI/WdiDpsScenarioExecutionPolicy +
      +
      + ADMX_WDI/WdiDpsScenarioDataSizeLimitPolicy +
      +
      + + +
      + + +**ADMX_WDI/WdiDpsScenarioExecutionPolicy** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      EditionWindows 10Windows 11
      HomeNoNo
      ProNoNo
      BusinessNoNo
      EnterpriseYesYes
      EducationYesYes
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +This policy setting determines the data retention limit for Diagnostic Policy Service (DPS) scenario data. +- If you enable this policy setting, you must enter the maximum size of scenario data that should be retained in megabytes. Detailed troubleshooting data related to scenarios will be retained until this limit is reached. +- If you disable or do not configure this policy setting, the DPS deletes scenario data once it exceeds 128 megabytes in size. +No reboots or service restarts are required for this policy setting to take effect: changes take effect immediately. +This policy setting will only take effect when the Diagnostic Policy Service is in the running state. +When the service is stopped or disabled, diagnostic scenario data will not be deleted. +The DPS can be configured with the Services snap-in to the Microsoft Management Console. + + + + +ADMX Info: +- GP Friendly name: *Diagnostics: Configure scenario retention* +- GP name: *WdiDpsScenarioExecutionPolicy* +- GP path: *System\Troubleshooting and Diagnostics* +- GP ADMX file name: *WDI.admx* + + + +
      + + +**ADMX_WDI/WdiDpsScenarioDataSizeLimitPolicy** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      EditionWindows 10Windows 11
      HomeNoNo
      ProNoNo
      BusinessNoNo
      EnterpriseYesYes
      EducationYesYes
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +This policy setting determines the execution level for Diagnostic Policy Service (DPS) scenarios. + +- If you enable this policy setting, you must select an execution level from the drop-down menu. + +If you select problem detection and troubleshooting only, the DPS will detect problems and attempt to determine their root causes. These root causes will be logged to the event log when detected, but no corrective action will be taken. If you select detection, troubleshooting and resolution, the DPS will attempt to automatically fix problems it detects or indicate to the user that assisted resolution is available. + +- If you disable this policy setting, Windows cannot detect, troubleshoot, or resolve any problems that are handled by the DPS. + +If you do not configure this policy setting, the DPS enables all scenarios for resolution by default, unless you configure separate scenario-specific policy settings. This policy setting takes precedence over any scenario-specific policy settings when it is enabled or disabled. Scenario-specific policy settings only take effect if this policy setting is not configured. No reboots or service restarts are required for this policy setting to take effect: changes take effect immediately. + + + + +ADMX Info: +- GP Friendly name: *Diagnostics: Configure scenario execution level* +- GP name: *WdiDpsScenarioDataSizeLimitPolicy* +- GP path: *System\Troubleshooting and Diagnostics* +- GP ADMX file name: *WDI.admx* + + + +
      + + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-wincal.md b/windows/client-management/mdm/policy-csp-admx-wincal.md index a289a23d5b..763b758caf 100644 --- a/windows/client-management/mdm/policy-csp-admx-wincal.md +++ b/windows/client-management/mdm/policy-csp-admx-wincal.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_WinCal -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +> [!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -39,28 +43,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -77,7 +87,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. Windows Calendar is a feature that allows users to manage appointments and tasks by creating personal calendars, publishing them, and subscribing to other users calendars. +Windows Calendar is a feature that allows users to manage appointments and tasks by creating personal calendars, publishing them, and subscribing to other users calendars. If you enable this setting, Windows Calendar will be turned off. @@ -86,12 +96,6 @@ If you disable or do not configure this setting, Windows Calendar will be turned The default is for Windows Calendar to be turned on. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -112,28 +116,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -150,7 +160,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Windows Calendar is a feature that allows users to manage appointments and tasks by creating personal calendars, publishing them, and subscribing to other users calendars. +Windows Calendar is a feature that allows users to manage appointments and tasks by creating personal calendars, publishing them, and subscribing to other users calendars. If you enable this setting, Windows Calendar will be turned off. @@ -159,12 +169,7 @@ If you disable or do not configure this setting, Windows Calendar will be turned The default is for Windows Calendar to be turned on. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -177,8 +182,5 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. - diff --git a/windows/client-management/mdm/policy-csp-admx-windowsanytimeupgrade.md b/windows/client-management/mdm/policy-csp-admx-windowsanytimeupgrade.md deleted file mode 100644 index ab4c4a6c88..0000000000 --- a/windows/client-management/mdm/policy-csp-admx-windowsanytimeupgrade.md +++ /dev/null @@ -1,106 +0,0 @@ ---- -title: Policy CSP - ADMX_WindowsAnytimeUpgrade -description: Policy CSP - ADMX_WindowsAnytimeUpgrade -ms.author: dansimp -ms.localizationpriority: medium -ms.topic: article -ms.prod: w10 -ms.technology: windows -author: manikadhiman -ms.date: 09/29/2020 -ms.reviewer: -manager: dansimp ---- - -# Policy CSP - ADMX_WindowsAnytimeUpgrade -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. - -
      - - -## ADMX_WindowsAnytimeUpgrade policies - -
      -
      - ADMX_WindowsAnytimeUpgrade/Disabled -
      -
      - - -
      - - -**ADMX_WindowsAnytimeUpgrade/Disabled** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      - - -
      - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
      - - - -Available in the latest Windows 10 Insider Preview Build. By default, Add features to Windows 10 is available for all administrators. - -If you enable this policy setting, the wizard will not run. - -If you disable this policy setting or set it to Not Configured, the wizard will run. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP Friendly name: *Prevent the wizard from running.* -- GP name: *Disabled* -- GP path: *Windows Components\Add features to Windows 10* -- GP ADMX file name: *WindowsAnytimeUpgrade.admx* - - - -
      - -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. - - diff --git a/windows/client-management/mdm/policy-csp-admx-windowscolorsystem.md b/windows/client-management/mdm/policy-csp-admx-windowscolorsystem.md new file mode 100644 index 0000000000..fe79bb59e1 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-windowscolorsystem.md @@ -0,0 +1,182 @@ +--- +title: Policy CSP - ADMX_WindowsColorSystem +description: Policy CSP - ADMX_WindowsColorSystem +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 10/27/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_WindowsColorSystem + +
      + + +## ADMX_WindowsColorSystem policies + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + +
      +
      + ADMX_WindowsColorSystem/ProhibitChangingInstalledProfileList_1 +
      +
      + ADMX_WindowsColorSystem/ProhibitChangingInstalledProfileList_2 +
      +
      + + +
      + + +**WindowsColorSystem/ProhibitChangingInstalledProfileList_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      EditionWindows 10Windows 11
      HomeNoNo
      ProNoNo
      BusinessNoNo
      EnterpriseYesYes
      EducationYesYes
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + +This policy setting affects the ability of users to install or uninstall color profiles. + +- If you enable this policy setting, users cannot install new color profiles or uninstall previously installed color profiles. + +- If you disable or do not configure this policy setting, all users can install new color profiles. Standard users can uninstall color profiles that they previously installed. Administrators will be able to uninstall all color profiles. + + + + +ADMX Info: +- GP Friendly name: *Prohibit installing or uninstalling color profiles* +- GP name: *ProhibitChangingInstalledProfileList_1* +- GP path: *Windows Components\Windows Color System* +- GP ADMX file name: *WindowsColorSystem.admx* + + + +
      + + +**WindowsColorSystem/ProhibitChangingInstalledProfileList_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      EditionWindows 10Windows 11
      HomeNoNo
      ProNoNo
      BusinessNoNo
      EnterpriseYesYes
      EducationYesYes
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + +This policy setting affects the ability of users to install or uninstall color profiles. + +- If you enable this policy setting, users cannot install new color profiles or uninstall previously installed color profiles. + +- If you disable or do not configure this policy setting, all users can install new color profiles. Standard users can uninstall color profiles that they previously installed. Administrators will be able to uninstall all color profiles. + + + + +ADMX Info: +- GP Friendly name: *Prohibit installing or uninstalling color profiles* +- GP name: *ProhibitChangingInstalledProfileList_2* +- GP path: *Windows Components\Windows Color System* +- GP ADMX file name: *WindowsColorSystem.admx* + + + + +
      + + + + diff --git a/windows/client-management/mdm/policy-csp-admx-windowsconnectnow.md b/windows/client-management/mdm/policy-csp-admx-windowsconnectnow.md index 80b1fb90ac..72c88fc9ca 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsconnectnow.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsconnectnow.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_WindowsConnectNow -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +> [!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -42,28 +46,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -80,19 +90,13 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting prohibits access to Windows Connect Now (WCN) wizards. +This policy setting prohibits access to Windows Connect Now (WCN) wizards. -If you enable this policy setting, the wizards are turned off and users have no access to any of the wizard tasks. All the configuration related tasks, including "Set up a wireless router or access point" and "Add a wireless device" are disabled. +If you enable this policy setting, the wizards are turned off and users have no access to any of the wizard tasks. All the configuration-related tasks, including "Set up a wireless router or access point" and "Add a wireless device" are disabled. -If you disable or do not configure this policy setting, users can access the wizard tasks, including "Set up a wireless router or access point" and "Add a wireless device." The default for this policy setting allows users to access all WCN wizards. +If you disable or don't configure this policy setting, users can access the wizard tasks. They are "Set up a wireless router or access point" and "Add a wireless device." The default for this policy setting allows users to access all WCN wizards. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -111,28 +115,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -149,19 +159,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prohibits access to Windows Connect Now (WCN) wizards. +This policy setting prohibits access to Windows Connect Now (WCN) wizards. -If you enable this policy setting, the wizards are turned off and users have no access to any of the wizard tasks. All the configuration related tasks, including "Set up a wireless router or access point" and "Add a wireless device" are disabled. +If you enable this policy setting, the wizards are turned off and users have no access to any of the wizard tasks. All the configuration-related tasks, including "Set up a wireless router or access point" and "Add a wireless device" are disabled. -If you disable or do not configure this policy setting, users can access the wizard tasks, including "Set up a wireless router or access point" and "Add a wireless device." The default for this policy setting allows users to access all WCN wizards. +If you disable or don't configure this policy setting, users can access the wizard tasks. They are "Set up a wireless router or access point" and "Add a wireless device." The default for this policy setting allows users to access all WCN wizards. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -180,28 +185,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -218,25 +229,20 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows the configuration of wireless settings using Windows Connect Now (WCN). The WCN Registrar enables the discovery and configuration of devices over Ethernet (UPnP), over In-band 802.11 WLAN, through the Windows Portable Device API (WPD), and via USB Flash drives. +This policy setting allows the configuration of wireless settings using Windows Connect Now (WCN). The WCN Registrar enables the discovery and configuration of devices over Ethernet (UPnP), over In-band 802.11 WLAN, through the Windows Portable Device API (WPD), and via USB Flash drives. -Additional options are available to allow discovery and configuration over a specific medium. +More options are available to allow discovery and configuration over a specific medium. -If you enable this policy setting, additional choices are available to turn off the operations over a specific medium. +If you enable this policy setting, more choices are available to turn off the operations over a specific medium. If you disable this policy setting, operations are disabled over all media. -If you do not configure this policy setting, operations are enabled over all media. +If you don't configure this policy setting, operations are enabled over all media. The default for this policy setting allows operations over all media. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -249,8 +255,7 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md b/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md index 7ffcac7be2..e1535033ad 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_WindowsExplorer -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -247,28 +252,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -285,7 +296,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent data loss when you change the target location for Folder Redirection, and the new and old targets point to the same network share, but have different network paths. +This policy setting allows you to prevent data loss when you change the target location for Folder Redirection, and the new and old targets point to the same network share, but have different network paths. If you enable this policy setting, Folder Redirection creates a temporary file in the old location in order to verify that new and old locations point to the same network share. If both new and old locations point to the same share, the target path is updated and files are not copied or deleted. The temporary file is deleted. @@ -295,12 +306,7 @@ If you disable or do not configure this policy setting, Folder Redirection does > If the paths point to different network shares, this policy setting is not required. If the paths point to the same network share, any data contained in the redirected folders is deleted if this policy setting is not enabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -320,28 +326,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -358,7 +370,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This setting allows an administrator to revert specific Windows Shell behavior to classic Shell behavior. +This setting allows an administrator to revert specific Windows Shell behavior to classic Shell behavior. If you enable this setting, users cannot configure their system to open items by single-clicking (such as in Mouse in Control Panel). As a result, the user interface looks and operates like the interface for Windows NT 4.0, and users cannot restore the new features. @@ -366,16 +378,9 @@ Enabling this policy will also turn off the preview pane and set the folder opti If you disable or not configure this policy, the default File Explorer behavior is applied to the user. -> [!NOTE] -> In operating systems earlier than Windows Vista, enabling this policy will also disable the Active Desktop and Web view. This setting will also take precedence over the "Enable Active Desktop" setting. If both policies are enabled, Active Desktop is disabled. Also, see the "Disable Active Desktop" setting in User Configuration\Administrative Templates\Desktop\Active Desktop and the "Do not allow Folder Options to be opened from the Options button on the View tab of the ribbon" setting in User Configuration\Administrative Templates\Windows Components\File Explorer. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -394,28 +399,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -432,19 +443,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Allows you to have File Explorer display a confirmation dialog whenever a file is deleted or moved to the Recycle Bin. +Allows you to have File Explorer display a confirmation dialog whenever a file is deleted or moved to the Recycle Bin. If you enable this setting, a confirmation dialog is displayed when a file is deleted or moved to the Recycle Bin by the user. If you disable or do not configure this setting, the default behavior of not displaying a confirmation dialog occurs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -463,28 +469,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -502,19 +514,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify a location where all default Library definition files for users/machines reside. +This policy setting allows you to specify a location where all default Library definition files for users/machines reside. If you enable this policy setting, administrators can specify a path where all default Library definition files for users reside. The user will not be allowed to make changes to these Libraries from the UI. On every logon, the policy settings are verified and Libraries for the user are updated or changed according to the path defined. If you disable or do not configure this policy setting, no changes are made to the location of the default Library definition files. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -533,28 +540,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -572,19 +585,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Changes the behavior of IShellFolder::BindToObject for IID_IPropertySetStorage to not bind directly to the IPropertySetStorage implementation, and to include the intermediate layers provided by the Property System. +Changes the behavior of IShellFolder::BindToObject for IID_IPropertySetStorage to not bind directly to the IPropertySetStorage implementation, and to include the intermediate layers provided by the Property System. This behavior is consistent with Windows Vista's behavior in this scenario. This disables access to user-defined properties, and properties stored in NTFS secondary streams. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -603,28 +611,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -641,7 +655,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off Windows Libraries features that need indexed file metadata to function properly. +This policy setting allows you to turn off Windows Libraries features that need indexed file metadata to function properly. If you enable this policy, some Windows Libraries features will be turned off to better handle included folders that have been redirected to non-indexed network locations. @@ -658,12 +672,7 @@ If you enable this policy, Windows Libraries features that rely on indexed file If you disable or do not configure this policy, all default Windows Libraries features will be enabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -683,28 +692,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -721,22 +736,17 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify a list of known folders that should be disabled. +This policy setting allows you to specify a list of known folders that should be disabled. Disabling a known folder will prevent the underlying file or directory from being created via the known folder API. If the folder exists before the policy is applied, the folder must be manually deleted since the policy only blocks the creation of the folder. -You can specify a known folder using its known folder id or using its canonical name. For example, the Sample Videos known folder can be disabled by specifying {440fcffd-a92b-4739-ae1a-d4a54907c53f} or SampleVideos. +You can specify a known folder using its known folder ID or using its canonical name. For example, the Sample Videos known folder can be disabled by specifying {440fcffd-a92b-4739-ae1a-d4a54907c53f} or SampleVideos. > [!NOTE] > Disabling a known folder can introduce application compatibility issues in applications that depend on the existence of the known folder. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -755,28 +765,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -793,7 +809,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Disables suggesting recent queries for the Search Box and prevents entries into the Search Box from being stored in the registry for future references. +Disables suggesting recent queries for the Search Box and prevents entries into the Search Box from being stored in the registry for future references. File Explorer shows suggestion pop-ups as users type into the Search Box. @@ -803,12 +819,7 @@ These suggestions are based on their past entries into the Search Box. > If you enable this policy, File Explorer will not show suggestion pop-ups as users type into the Search Box, and it will not store Search Box entries into the registry for future references. If the user types a property, values that match this property will be shown but no data will be saved in the registry or re-shown on subsequent uses of the search box. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -828,28 +839,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -866,7 +883,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether remote paths can be used for file shortcut (.lnk file) icons. +This policy setting determines whether remote paths can be used for file shortcut (.lnk file) icons. If you enable this policy setting, file shortcut icons are allowed to be obtained from remote paths. @@ -876,12 +893,7 @@ If you disable or do not configure this policy setting, file shortcut icons that > Allowing the use of remote paths in file shortcut icons can expose users’ computers to security risks. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -901,28 +913,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -939,7 +957,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy allows you to turn Windows Defender SmartScreen on or off. SmartScreen helps protect PCs by warning users before running potentially malicious programs downloaded from the Internet. This warning is presented as an interstitial dialog shown before running an app that has been downloaded from the Internet and is unrecognized or known to be malicious. No dialog is shown for apps that do not appear to be suspicious. +This policy allows you to turn Windows Defender SmartScreen on or off. SmartScreen helps protect PCs by warning users before running potentially malicious programs downloaded from the Internet. This warning is presented as an interstitial dialog shown before running an app that has been downloaded from the Internet and is unrecognized or known to be malicious. No dialog is shown for apps that do not appear to be suspicious. Some information is sent to Microsoft about files and programs run on PCs with this feature enabled. @@ -955,12 +973,7 @@ If you disable this policy, SmartScreen will be turned off for all users. Users If you do not configure this policy, SmartScreen will be enabled by default, but users may change their settings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -979,28 +992,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1017,7 +1036,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This setting is designed to ensure that shell extensions can operate on a per-user basis. +This setting is designed to ensure that shell extensions can operate on a per-user basis. If you enable this setting, Windows is directed to only run those shell extensions that have either been approved by an administrator or that will not impact other users of the machine. A shell extension only runs if there is an entry in at least one of the following locations in registry. @@ -1026,12 +1045,7 @@ For shell extensions that have been approved by the administrator and are availa For shell extensions to run on a per-user basis, there must be an entry at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1050,28 +1064,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1089,19 +1109,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify whether the ribbon appears minimized or in full when new File Explorer windows are opened. +This policy setting allows you to specify whether the ribbon appears minimized or in full when new File Explorer windows are opened. If you enable this policy setting, you can set how the ribbon appears the first time users open File Explorer and whenever they open new windows. If you disable or do not configure this policy setting, users can choose how the ribbon appears when they open new windows. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1120,28 +1135,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1158,19 +1179,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off the display of snippets in Content view mode. +This policy setting allows you to turn off the display of snippets in Content view mode. If you enable this policy setting, File Explorer will not display snippets in Content view mode. If you disable or do not configure this policy setting, File Explorer shows snippets in Content view mode by default. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1189,28 +1205,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1228,7 +1250,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. +This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. @@ -1239,12 +1261,7 @@ If you do not configure this policy setting, users can preview items and get cus Changes to this setting may not be applied until the user logs off from Windows. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1263,28 +1280,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1302,7 +1325,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. +This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. @@ -1313,12 +1336,7 @@ If you do not configure this policy setting, users can preview items and get cus Changes to this setting may not be applied until the user logs off from Windows. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1337,28 +1355,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1376,7 +1400,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. +This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. @@ -1387,12 +1411,7 @@ If you do not configure this policy setting, users can preview items and get cus Changes to this setting may not be applied until the user logs off from Windows. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1411,28 +1430,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1450,7 +1475,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. +This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. @@ -1461,12 +1486,7 @@ If you do not configure this policy setting, users can preview items and get cus Changes to this setting may not be applied until the user logs off from Windows. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1485,28 +1505,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1524,7 +1550,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. +This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. @@ -1535,12 +1561,7 @@ If you do not configure this policy setting, users can preview items and get cus Changes to this setting may not be applied until the user logs off from Windows. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1559,28 +1580,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1598,7 +1625,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. +This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. @@ -1609,12 +1636,7 @@ If you do not configure this policy setting, users can preview items and get cus Changes to this setting may not be applied until the user logs off from Windows. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1633,28 +1655,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1672,7 +1700,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. +This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. @@ -1683,12 +1711,7 @@ If you do not configure this policy setting, users cannot preview items or get c Changes to this setting may not be applied until the user logs off from Windows. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1707,28 +1730,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1746,7 +1775,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. +This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. @@ -1757,12 +1786,7 @@ If you do not configure this policy setting, users cannot preview items or get c Changes to this setting may not be applied until the user logs off from Windows. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1781,28 +1805,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1820,7 +1850,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. +This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. @@ -1831,12 +1861,7 @@ If you do not configure this policy setting, users can preview items and get cus Changes to this setting may not be applied until the user logs off from Windows. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1855,28 +1880,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1894,7 +1925,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. +This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. @@ -1905,12 +1936,7 @@ If you do not configure this policy setting, users can preview items and get cus Changes to this setting may not be applied until the user logs off from Windows. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1929,28 +1955,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1968,7 +2000,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. +This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. @@ -1977,12 +2009,7 @@ If you disable this policy setting, users are prevented from performing OpenSear If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2001,28 +2028,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2040,7 +2073,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. +This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. @@ -2049,12 +2082,7 @@ If you disable this policy setting, users are prevented from performing OpenSear If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2073,28 +2101,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2112,7 +2146,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. +This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. @@ -2121,12 +2155,7 @@ If you disable this policy setting, users are prevented from performing OpenSear If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2145,28 +2174,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2184,7 +2219,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. +This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. @@ -2193,12 +2228,7 @@ If you disable this policy setting, users are prevented from performing OpenSear If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2217,28 +2247,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2256,7 +2292,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. +This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. @@ -2265,12 +2301,7 @@ If you disable this policy setting, users are prevented from performing OpenSear If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2289,28 +2320,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2328,7 +2365,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. +This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. @@ -2337,12 +2374,7 @@ If you disable this policy setting, users are prevented from performing OpenSear If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2361,28 +2393,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2400,7 +2438,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. +This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. @@ -2409,12 +2447,7 @@ If you disable this policy setting, users are prevented from performing OpenSear If you do not configure this policy setting, users cannot perform OpenSearch queries in this zone using Search Connectors. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2434,28 +2467,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2473,7 +2512,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. +This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. @@ -2482,12 +2521,7 @@ If you disable this policy setting, users are prevented from performing OpenSear If you do not configure this policy setting, users cannot perform OpenSearch queries in this zone using Search Connectors. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2507,28 +2541,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2546,7 +2586,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. +This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. @@ -2555,12 +2595,7 @@ If you disable this policy setting, users are prevented from performing OpenSear If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2579,28 +2614,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2618,7 +2659,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. +This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. @@ -2627,12 +2668,7 @@ If you disable this policy setting, users are prevented from performing OpenSear If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2651,28 +2687,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2689,7 +2731,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether Windows traces shortcuts back to their sources when it cannot find the target on the user's system. +This policy setting determines whether Windows traces shortcuts back to their sources when it cannot find the target on the user's system. Shortcut files typically include an absolute path to the original target file as well as the relative path to the current target file. When the system cannot find the file in the current target path, then, by default, it searches for the target in the original path. If the shortcut has been copied to a different computer, the original path might lead to a network computer, including external resources, such as an Internet server. @@ -2698,12 +2740,7 @@ If you enable this policy setting, Windows only searches the current target path If you disable or do not configure this policy setting, Windows searches for the original path when it cannot find the target file in the current target path. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2722,28 +2759,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2760,19 +2803,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to set the maximum number of shortcuts the system can display in the Recent Items menu on the Start menu. The Recent Items menu contains shortcuts to the nonprogram files the user has most recently opened. +This policy setting allows you to set the maximum number of shortcuts the system can display in the Recent Items menu on the Start menu. The Recent Items menu contains shortcuts to the nonprogram files the user has most recently opened. If you enable this policy setting, the system displays the number of shortcuts specified by the policy setting. If you disable or do not configure this policy setting, by default, the system displays shortcuts to the 10 most recently opened documents. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2791,28 +2829,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2829,23 +2873,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Hide the Back button in the Open dialog box. This policy setting lets you remove new features added in Microsoft Windows 2000 Professional, so the Open dialog box appears as it did in Windows NT 4.0 and earlier. This policy setting affects only programs that use the standard Open dialog box provided to developers of Windows programs. +Hide the Back button in the Open dialog box. This policy setting lets you remove new features added in Microsoft Windows 2000 Professional, so the Open dialog box appears as it did in Windows NT 4.0 and earlier. This policy setting affects only programs that use the standard Open dialog box provided to developers of Windows programs. If you enable this policy setting, the Back button is removed from the standard Open dialog box. If you disable or do not configure this policy setting, the Back button is displayed for any standard Open dialog box. To see an example of the standard Open dialog box, start Notepad and, on the File menu, click Open. -> [!NOTE] -> In Windows Vista, this policy setting applies only to applications that are using the Windows XP common dialog box style. This policy setting does not apply to the new Windows Vista common dialog box style. Also, third-party applications with Windows 2000 or later certification to are required to adhere to this policy setting. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2864,28 +2899,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2902,7 +2943,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove CD Burning features. File Explorer allows you to create and modify re-writable CDs if you have a CD writer connected to your PC. +This policy setting allows you to remove CD Burning features. File Explorer allows you to create and modify re-writable CDs if you have a CD writer connected to your PC. If you enable this policy setting, all features in the File Explorer that allow you to use your CD writer are removed. @@ -2912,12 +2953,7 @@ If you disable or do not configure this policy setting, users are able to use th > This policy setting does not prevent users from using third-party applications to create or modify CDs using a CD writer. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2936,28 +2972,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -2974,7 +3016,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off caching of thumbnail pictures. +This policy setting allows you to turn off caching of thumbnail pictures. If you enable this policy setting, thumbnail views are not cached. @@ -2984,12 +3026,7 @@ If you disable or do not configure this policy setting, thumbnail views are cach > For shared corporate workstations or computers where security is a top concern, you should enable this policy setting to turn off the thumbnail view cache, because the thumbnail cache can be read by everyone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3008,28 +3045,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -3046,7 +3089,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent users from enabling or disabling minor animations in the operating system for the movement of windows, menus, and lists. +This policy setting allows you to prevent users from enabling or disabling minor animations in the operating system for the movement of windows, menus, and lists. If you enable this policy setting, the "Use transition effects for menus and tooltips" option in Display in Control Panel is disabled, and cannot be toggled by users. @@ -3055,12 +3098,7 @@ Effects, such as animation, are designed to enhance the user's experience but mi If you disable or do not configure this policy setting, users are allowed to turn on or off these minor system animations using the "Use transition effects for menus and tooltips" option in Display in Control Panel. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3079,28 +3117,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -3117,17 +3161,12 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Disables the "Hide keyboard navigation indicators until I use the ALT key" option in Display in Control Panel. When this Display Properties option is selected, the underlining that indicates a keyboard shortcut character (hot key) does not appear on menus until you press ALT. +Disables the "Hide keyboard navigation indicators until I use the ALT key" option in Display in Control Panel. When this Display Properties option is selected, the underlining that indicates a keyboard shortcut character (hot key) does not appear on menus until you press ALT. Effects, such as transitory underlines, are designed to enhance the user's experience but might be confusing or distracting to some users. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3146,28 +3185,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -3184,19 +3229,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove the DFS tab from File Explorer. +This policy setting allows you to remove the DFS tab from File Explorer. If you enable this policy setting, the DFS (Distributed File System) tab is removed from File Explorer and from other programs that use the File Explorer browser, such as My Computer. As a result, users cannot use this tab to view or change the properties of the DFS shares available from their computer. This policy setting does not prevent users from using other methods to configure DFS. If you disable or do not configure this policy setting, the DFS tab is available. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3215,28 +3255,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -3253,7 +3299,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to hide these specified drives in My Computer. +This policy setting allows you to hide these specified drives in My Computer. This policy setting allows you to remove the icons representing selected hard drives from My Computer and File Explorer. Also, the drive letters representing the selected drives do not appear in the standard Open dialog box. @@ -3265,12 +3311,7 @@ If you enable this policy setting, select a drive or combination of drives in th If you disable or do not configure this policy setting, all drives are displayed, or select the "Do not restrict drives" option in the drop-down list. Also, see the "Prevent access to drives from My Computer" policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3289,28 +3330,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -3327,7 +3374,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Removes all computers outside of the user's workgroup or local domain from lists of network resources in File Explorer and Network Locations. +Removes all computers outside of the user's workgroup or local domain from lists of network resources in File Explorer and Network Locations. If you enable this setting, the system removes the Entire Network option and the icons representing networked computers from Network Locations and from the browser associated with the Map Network Drive option. @@ -3339,12 +3386,7 @@ To remove computers in the user's workgroup or domain from lists of network reso > It is a requirement for third-party applications with Windows 2000 or later certification to adhere to this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3363,28 +3405,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -3401,7 +3449,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Removes the list of most recently used files from the Open dialog box. +Removes the list of most recently used files from the Open dialog box. If you disable this setting or do not configure it, the "File name" field includes a drop-down list of recently used files. If you enable this setting, the "File name" field is a simple text box. Users must browse directories to find a file or type a file name in the text box. @@ -3409,16 +3457,10 @@ This setting, and others in this folder, lets you remove new features added in W To see an example of the standard Open dialog box, start WordPad and, on the File menu, click Open. -> [!NOTE] -> In Windows Vista, this policy setting applies only to applications that are using the Windows XP common dialog box style. This policy setting does not apply to the new Windows Vista common dialog box style. It is a requirement for third-party applications with Windows 2000 or later certification to adhere to this setting. + -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3437,28 +3479,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -3475,17 +3523,12 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Removes the File menu from My Computer and File Explorer. +Removes the File menu from My Computer and File Explorer. This setting does not prevent users from using other methods to perform tasks available on the File menu. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3504,28 +3547,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -3542,7 +3591,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent users from accessing Folder Options through the View tab on the ribbon in File Explorer. +This policy setting allows you to prevent users from accessing Folder Options through the View tab on the ribbon in File Explorer. Folder Options allows users to change the way files and folders open, what appears in the navigation pane, and other advanced view settings. @@ -3551,12 +3600,7 @@ If you enable this policy setting, users will receive an error message if they t If you disable or do not configure this policy setting, users can open Folder Options from the View tab on the ribbon. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3575,28 +3619,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -3613,15 +3663,10 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Removes the Hardware tab. This setting removes the Hardware tab from Mouse, Keyboard, and Sounds and Audio Devices in Control Panel. It also removes the Hardware tab from the Properties dialog box for all local drives, including hard drives, floppy disk drives, and CD-ROM drives. As a result, users cannot use the Hardware tab to view or change the device list or device properties, or use the Troubleshoot button to resolve problems with the device. +Removes the Hardware tab. This setting removes the Hardware tab from Mouse, Keyboard, and Sounds and Audio Devices in Control Panel. It also removes the Hardware tab from the Properties dialog box for all local drives, including hard drives, floppy disk drives, and CD-ROM drives. As a result, users cannot use the Hardware tab to view or change the device list or device properties, or use the Troubleshoot button to resolve problems with the device. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3640,28 +3685,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -3678,22 +3729,17 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Removes the Manage item from the File Explorer context menu. This context menu appears when you right-click File Explorer or My Computer. +Removes the Manage item from the File Explorer context menu. This context menu appears when you right-click File Explorer or My Computer. The Manage item opens Computer Management (Compmgmt.msc), a console tool that includes many of the primary Windows 2000 administrative tools, such as Event Viewer, Device Manager, and Disk Management. You must be an administrator to use many of the features of these tools. This setting does not remove the Computer Management item from the Start menu (Start, Programs, Administrative Tools, Computer Management), nor does it prevent users from using other methods to start Computer Management. -> [!TIP] +> [!NOTE] > To hide all context menus, use the "Remove File Explorer's default context menu" setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3712,28 +3758,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -3750,22 +3802,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove the Shared Documents folder from My Computer. When a Windows client is in a workgroup, a Shared Documents icon appears in the File Explorer Web view under "Other Places" and also under "Files Stored on This Computer" in My Computer. Using this policy setting, you can choose not to have these items displayed. +This policy setting allows you to remove the Shared Documents folder from My Computer. When a Windows client is in a workgroup, a Shared Documents icon appears in the File Explorer Web view under "Other Places" and also under "Files Stored on This Computer" in My Computer. Using this policy setting, you can choose not to have these items displayed. If you enable this policy setting, the Shared Documents folder is not displayed in the Web view or in My Computer. If you disable or do not configure this policy setting, the Shared Documents folder is displayed in Web view and also in My Computer when the client is part of a workgroup. -> [!NOTE] -> The ability to remove the Shared Documents folder via Group Policy is only available on Windows XP Professional. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -3784,28 +3828,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -3822,24 +3872,19 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents users from using File Explorer or Network Locations to map or disconnect network drives. +Prevents users from using File Explorer or Network Locations to map or disconnect network drives. If you enable this setting, the system removes the Map Network Drive and Disconnect Network Drive commands from the toolbar and Tools menus in File Explorer and Network Locations and from menus that appear when you right-click the File Explorer or Network Locations icons. This setting does not prevent users from connecting to another computer by typing the name of a shared folder in the Run dialog box. > [!NOTE] -> This setting was documented incorrectly on the Explain tab in Group Policy for Windows 2000. The Explain tab states incorrectly that this setting prevents users from connecting and disconnecting drives. +> This setting was documented incorrectly on the Explain tab in MDM Policy for Windows 2000. The Explain tab states incorrectly that this setting prevents users from connecting and disconnecting drives. > > It is a requirement for third-party applications with Windows 2000 or later certification to adhere to this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3858,28 +3903,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -3896,17 +3947,12 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy removes the end-user notification for new application associations. These associations are based on file types (e.g. *.txt) or protocols (e.g. http:). +This policy removes the end-user notification for new application associations. These associations are based on file types (e.g. *.txt) or protocols (e.g. http:). -If this group policy is enabled, no notifications will be shown. If the group policy is not configured or disabled, notifications will be shown to the end user if a new application has been installed that can handle the file type or protocol association that was invoked. +If this MDM Policy is enabled, no notifications will be shown. If the MDM Policy is not configured or disabled, notifications will be shown to the end user if a new application has been installed that can handle the file type or protocol association that was invoked. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3925,28 +3971,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -3963,20 +4015,12 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Removes the shortcut bar from the Open dialog box. This setting, and others in this folder, lets you remove new features added in Windows 2000 Professional, so that the Open dialog box looks like it did in Windows NT 4.0 and earlier. These policies only affect programs that use the standard Open dialog box provided to developers of Windows programs. +Removes the shortcut bar from the Open dialog box. This setting, and others in this folder, lets you remove new features added in Windows 2000 Professional, so that the Open dialog box looks like it did in Windows NT 4.0 and earlier. These policies only affect programs that use the standard Open dialog box provided to developers of Windows programs. To see an example of the standard Open dialog box, start WordPad and, on the File menu, click Open. -> [!NOTE] -> In Windows Vista, this policy setting applies only to applications that are using the Windows XP common dialog box style. This policy setting does not apply to the new Windows Vista common dialog box style. It is a requirement for third-party applications with Windows 2000 or later certification to adhere to this setting. - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3995,28 +4039,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -4033,19 +4083,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. When a file or folder is deleted in File Explorer, a copy of the file or folder is placed in the Recycle Bin. Using this setting, you can change this behavior. +When a file or folder is deleted in File Explorer, a copy of the file or folder is placed in the Recycle Bin. Using this setting, you can change this behavior. If you enable this setting, files and folders that are deleted using File Explorer will not be placed in the Recycle Bin and will therefore be permanently deleted. If you disable or do not configure this setting, files and folders deleted using File Explorer will be placed in the Recycle Bin. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4064,28 +4109,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -4102,7 +4153,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents users from submitting alternate logon credentials to install a program. +Prevents users from submitting alternate logon credentials to install a program. This setting suppresses the "Install Program As Other User" dialog box for local and network installations. This dialog box, which prompts the current user for the user name and password of an administrator, appears when users who are not administrators try to install programs locally on their computers. This setting allows administrators who have logged on as regular users to install programs without logging off and logging on again using their administrator credentials. @@ -4113,12 +4164,7 @@ If you disable this setting or do not configure it, the "Install Program As Othe By default, users are not prompted for alternate logon credentials when installing programs from a network share. If enabled, this setting overrides the "Request credentials for network installations" setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4137,28 +4183,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -4175,19 +4227,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. If you enable this policy, the "Internet" "Search again" link will not be shown when the user performs a search in the Explorer window. +If you enable this policy, the "Internet" "Search again" link will not be shown when the user performs a search in the Explorer window. If you disable this policy, there will be an "Internet" "Search again" link when the user performs a search in the Explorer window. This button launches a search in the default browser with the search terms. If you do not configure this policy (default), there will be an "Internet" link when the user performs a search in the Explorer window. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4206,28 +4253,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -4244,19 +4297,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Removes the Security tab from File Explorer. +Removes the Security tab from File Explorer. If you enable this setting, users opening the Properties dialog box for all file system objects, including folders, files, shortcuts, and drives, will not be able to access the Security tab. As a result, users will be able to neither change the security settings nor view a list of all users that have access to the resource in question. If you disable or do not configure this setting, users will be able to access the security tab. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4275,28 +4323,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -4313,19 +4367,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove the Search button from the File Explorer toolbar. If you enable this policy setting, the Search button is removed from the Standard Buttons toolbar that appears in File Explorer and other programs that use the File Explorer window, such as My Computer and Network Locations. Enabling this policy setting does not remove the Search button or affect any search features of Internet browser windows, such as the Internet Explorer window. +This policy setting allows you to remove the Search button from the File Explorer toolbar. If you enable this policy setting, the Search button is removed from the Standard Buttons toolbar that appears in File Explorer and other programs that use the File Explorer window, such as My Computer and Network Locations. Enabling this policy setting does not remove the Search button or affect any search features of Internet browser windows, such as the Internet Explorer window. If you disable or do not configure this policy setting, the Search button is available from the File Explorer toolbar. This policy setting does not affect the Search items on the File Explorer context menu or on the Start menu. To remove Search from the Start menu, use the "Remove Search menu from Start menu" policy setting (in User Configuration\Administrative Templates\Start Menu and Taskbar). To hide all context menus, use the "Remove File Explorer's default context menu" policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4344,28 +4393,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -4383,19 +4438,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to have file names sorted literally (as in Windows 2000 and earlier) rather than in numerical order. +This policy setting allows you to have file names sorted literally (as in Windows 2000 and earlier) rather than in numerical order. If you enable this policy setting, File Explorer will sort file names by each digit in a file name (for example, 111 < 22 < 3). If you disable or do not configure this policy setting, File Explorer will sort file names by increasing number value (for example, 3 < 22 < 111). -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4414,28 +4464,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -4452,17 +4508,12 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Removes shortcut menus from the desktop and File Explorer. Shortcut menus appear when you right-click an item. +Removes shortcut menus from the desktop and File Explorer. Shortcut menus appear when you right-click an item. If you enable this setting, menus do not appear when you right-click the desktop or when you right-click the items in File Explorer. This setting does not prevent users from using other methods to issue commands available on the shortcut menus. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4481,28 +4532,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -4519,7 +4576,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents users from using My Computer to gain access to the content of selected drives. +Prevents users from using My Computer to gain access to the content of selected drives. If you enable this setting, users can browse the directory structure of the selected drives in My Computer or File Explorer, but they cannot open folders and access the contents (open the files in the folders or see the files in the folders). Also, they cannot use the Run dialog box or the Map Network Drive dialog box to view the directories on these drives. @@ -4531,12 +4588,7 @@ To use this setting, select a drive or combination of drives from the drop-down > Also, this setting does not prevent users from using programs to access local and network drives. And, it does not prevent them from using the Disk Management snap-in to view and change drive characteristics. Also, see the "Hide these specified drives in My Computer" setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4555,28 +4607,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -4593,7 +4651,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Turn off Windows Key hotkeys. Keyboards with a Windows key provide users with shortcuts to common shell features. For example, pressing the keyboard sequence Windows+R opens the Run dialog box; pressing Windows+E starts File Explorer. +Turn off Windows Key hotkeys. Keyboards with a Windows key provide users with shortcuts to common shell features. For example, pressing the keyboard sequence Windows+R opens the Run dialog box; pressing Windows+E starts File Explorer. By using this setting, you can disable these Windows Key hotkeys. @@ -4602,12 +4660,7 @@ If you enable this setting, the Windows Key hotkeys are unavailable. If you disable or do not configure this setting, the Windows Key hotkeys are available. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4626,28 +4679,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -4664,7 +4723,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove computers in the user's workgroup and domain from lists of network resources in File Explorer and Network Locations. +This policy setting allows you to remove computers in the user's workgroup and domain from lists of network resources in File Explorer and Network Locations. If you enable this policy setting, the system removes the "Computers Near Me" option and the icons representing nearby computers from Network Locations. This policy setting also removes these icons from the Map Network Drive browser. @@ -4675,12 +4734,7 @@ This policy setting does not prevent users from connecting to computers in their To remove network computers from lists of network resources, use the "No Entire Network in Network Locations" policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4699,28 +4753,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -4737,7 +4797,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Configures the list of items displayed in the Places Bar in the Windows File/Open dialog. If enable this setting you can specify from 1 to 5 items to be displayed in the Places Bar. +Configures the list of items displayed in the Places Bar in the Windows File/Open dialog. If enable this setting you can specify from 1 to 5 items to be displayed in the Places Bar. The valid items you may display in the Places Bar are: @@ -4753,16 +4813,9 @@ Desktop, Recent Places, Documents, Pictures, Music, Recently Changed, Attachment If you disable or do not configure this setting the default list of items will be displayed in the Places Bar. -> [!NOTE] -> In Windows Vista, this policy setting applies only to applications that are using the Windows XP common dialog box style. This policy setting does not apply to the new Windows Vista common dialog box style. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4781,28 +4834,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -4819,7 +4878,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prompts users for alternate logon credentials during network-based installations. +Prompts users for alternate logon credentials during network-based installations. This setting displays the "Install Program As Other User" dialog box even when a program is being installed from files on a network computer across a local area network connection. @@ -4833,12 +4892,7 @@ If the dialog box does not appear, the installation proceeds with the current us > If it is enabled, the "Do not request alternate credentials" setting takes precedence over this setting. When that setting is enabled, users are not prompted for alternate logon credentials on any installation. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4857,28 +4911,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -4895,7 +4955,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Limits the percentage of a volume's disk space that can be used to store deleted files. +Limits the percentage of a volume's disk space that can be used to store deleted files. If you enable this setting, the user has a maximum amount of disk space that may be used for the Recycle Bin on their workstation. @@ -4905,12 +4965,7 @@ If you disable or do not configure this setting, users can change the total amou > This setting is applied to all volumes. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4929,28 +4984,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -4967,7 +5028,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the functionality of this protocol allowing applications to only open a limited set of folders. Applications are not able to open files with this protocol when it is in the protected mode. It is recommended to leave this protocol in the protected mode to increase the security of Windows. +This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the functionality of this protocol allowing applications to only open a limited set of folders. Applications are not able to open files with this protocol when it is in the protected mode. It is recommended to leave this protocol in the protected mode to increase the security of Windows. If you enable this policy setting the protocol is fully enabled, allowing the opening of folders and files. @@ -4976,12 +5037,7 @@ If you disable this policy setting the protocol is in the protected mode, allowi If you do not configure this policy setting the protocol is in the protected mode, allowing applications to only open a limited set of folders. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -5000,28 +5056,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -5038,7 +5100,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the functionality of this protocol allowing applications to only open a limited set of folders. Applications are not able to open files with this protocol when it is in the protected mode. It is recommended to leave this protocol in the protected mode to increase the security of Windows. +This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the functionality of this protocol allowing applications to only open a limited set of folders. Applications are not able to open files with this protocol when it is in the protected mode. It is recommended to leave this protocol in the protected mode to increase the security of Windows. If you enable this policy setting the protocol is fully enabled, allowing the opening of folders and files. @@ -5047,12 +5109,7 @@ If you disable this policy setting the protocol is in the protected mode, allowi If you do not configure this policy setting the protocol is in the protected mode, allowing applications to only open a limited set of folders. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -5071,28 +5128,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -5109,7 +5172,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Shows or hides hibernate from the power options menu. +Shows or hides hibernate from the power options menu. If you enable this policy setting, the hibernate option will be shown in the Power Options menu (as long as it is supported by the machine's hardware). @@ -5118,12 +5181,7 @@ If you disable this policy setting, the hibernate option will never be shown in If you do not configure this policy setting, users will be able to choose whether they want hibernate to show through the Power Options Control Panel. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -5142,28 +5200,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -5180,7 +5244,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Shows or hides sleep from the power options menu. +Shows or hides sleep from the power options menu. If you enable this policy setting, the sleep option will be shown in the Power Options menu (as long as it is supported by the machine's hardware). @@ -5189,12 +5253,7 @@ If you disable this policy setting, the sleep option will never be shown in the If you do not configure this policy setting, users will be able to choose whether they want sleep to show through the Power Options Control Panel. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -5213,28 +5272,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -5251,23 +5316,18 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows up to five Libraries or Search Connectors to be pinned to the "Search again" links and the Start menu links. The "Search again" links at the bottom of the Search Results view allow the user to reconduct a search but in a different location. To add a Library or Search Connector link, specify the path of the .Library-ms or .searchConnector-ms file in the "Location" text box (for example, "C:\sampleLibrary.Library-ms" for the Documents library, or "C:\sampleSearchConnector.searchConnector-ms" for a Search Connector). The pinned link will only work if this path is valid and the location contains the specified .Library-ms or .searchConnector-ms file. +This policy setting allows up to five Libraries or Search Connectors to be pinned to the "Search again" links and the Start menu links. The "Search again" links at the bottom of the Search Results view allow the user to reconduct a search but in a different location. To add a Library or Search Connector link, specify the path of the .Library-ms or .searchConnector-ms file in the "Location" text box (for example, "C:\sampleLibrary.Library-ms" for the Documents library, or "C:\sampleSearchConnector.searchConnector-ms" for a Search Connector). The pinned link will only work if this path is valid and the location contains the specified .Library-ms or .searchConnector-ms file. You can add up to five additional links to the "Search again" links at the bottom of results returned in File Explorer after a search is executed. These links will be shared between Internet search sites and Search Connectors/Libraries. Search Connector/Library links take precedence over Internet search links. -The first several links will also be pinned to the Start menu. A total of four links can be included on the Start menu. The "See more results" link will be pinned first by default, unless it is disabled via Group Policy. The "Search the Internet" link is pinned second, if it is pinned via Group Policy (though this link is disabled by default). If a custom Internet search link is pinned using the "Custom Internet search provider" Group Policy, this link will be pinned third on the Start menu. The remaining link(s) will be shared between pinned Search Connectors/Libraries and pinned Internet/intranet search links. Search Connector/Library links take precedence over Internet/intranet search links. +The first several links will also be pinned to the Start menu. A total of four links can be included on the Start menu. The "See more results" link will be pinned first by default, unless it is disabled via MDM Policy. The "Search the Internet" link is pinned second, if it is pinned via MDM Policy (though this link is disabled by default). If a custom Internet search link is pinned using the "Custom Internet search provider" MDM Policy, this link will be pinned third on the Start menu. The remaining link(s) will be shared between pinned Search Connectors/Libraries and pinned Internet/intranet search links. Search Connector/Library links take precedence over Internet/intranet search links. If you enable this policy setting, the specified Libraries or Search Connectors will appear in the "Search again" links and the Start menu links. If you disable or do not configure this policy setting, no Libraries or Search Connectors will appear in the "Search again" links or the Start menu links. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -5286,28 +5346,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -5324,23 +5390,18 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to add Internet or intranet sites to the "Search again" links located at the bottom of search results in File Explorer and the Start menu links. The "Search again" links at the bottom of the Search Results view allow the user to reconduct a search but in a different location. The Internet search site will be searched with the text in the search box. To add an Internet search site, specify the URL of the search site in OpenSearch format with {searchTerms} for the query string (for example, http://www.example.com/results.aspx?q={searchTerms}). +This policy setting allows you to add Internet or intranet sites to the "Search again" links located at the bottom of search results in File Explorer and the Start menu links. The "Search again" links at the bottom of the Search Results view allow the user to reconduct a search but in a different location. The Internet search site will be searched with the text in the search box. To add an Internet search site, specify the URL of the search site in OpenSearch format with {searchTerms} for the query string (for example, http://www.example.com/results.aspx?q={searchTerms}). You can add up to five additional links to the "Search again" links at the bottom of results returned in File Explorer after a search is executed. These links will be shared between Internet search sites and Search Connectors/Libraries. Search Connector/Library links take precedence over Internet search links. -The first several links will also be pinned to the Start menu. A total of four links can be pinned on the Start menu. The "See more results" link will be pinned first by default, unless it is disabled via Group Policy. The "Search the Internet" link is pinned second, if it is pinned via Group Policy (though this link is disabled by default). If a custom Internet search link is pinned using the "Custom Internet search provider" Group Policy, this link will be pinned third on the Start menu. The remaining link(s) will be shared between pinned Internet/intranet links and pinned Search Connectors/Libraries. Search Connector/Library links take precedence over Internet/intranet search links. +The first several links will also be pinned to the Start menu. A total of four links can be pinned on the Start menu. The "See more results" link will be pinned first by default, unless it is disabled via MDM Policy. The "Search the Internet" link is pinned second, if it is pinned via MDM Policy (though this link is disabled by default). If a custom Internet search link is pinned using the "Custom Internet search provider" MDM Policy, this link will be pinned third on the Start menu. The remaining link(s) will be shared between pinned Internet/intranet links and pinned Search Connectors/Libraries. Search Connector/Library links take precedence over Internet/intranet search links. If you enable this policy setting, the specified Internet sites will appear in the "Search again" links and the Start menu links. If you disable or do not configure this policy setting, no custom Internet search sites will be added to the "Search again" links or the Start menu links. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -5353,7 +5414,6 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-windowsfileprotection.md b/windows/client-management/mdm/policy-csp-admx-windowsfileprotection.md deleted file mode 100644 index bc2f8b6a02..0000000000 --- a/windows/client-management/mdm/policy-csp-admx-windowsfileprotection.md +++ /dev/null @@ -1,348 +0,0 @@ ---- -title: Policy CSP - ADMX_WindowsFileProtection -description: Policy CSP - ADMX_WindowsFileProtection -ms.author: dansimp -ms.localizationpriority: medium -ms.topic: article -ms.prod: w10 -ms.technology: windows -author: manikadhiman -ms.date: 01/03/2021 -ms.reviewer: -manager: dansimp ---- - -# Policy CSP - ADMX_WindowsFileProtection -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. - -
      - - -## ADMX_WindowsFileProtection policies - -
      -
      - ADMX_WindowsFileProtection/WFPShowProgress -
      -
      - ADMX_WindowsFileProtection/WFPQuota -
      -
      - ADMX_WindowsFileProtection/WFPScan -
      -
      - ADMX_WindowsFileProtection/WFPDllCacheDir -
      -
      - - -
      - - -**ADMX_WindowsFileProtection/WFPShowProgress** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      - - -
      - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Machine - -
      - - - -Available in the latest Windows 10 Insider Preview Build. This policy setting hides the file scan progress window. This window provides status information to sophisticated users, but it might confuse the users. - -- If you enable this policy setting, the file scan window does not appear during file scanning. -- If you disable or do not configure this policy setting, the file scan progress window appears. - - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP Friendly name: *Hide the file scan progress window* -- GP name: *WFPShowProgress* -- GP path: *Windows File Protection!SfcShowProgress* -- GP ADMX file name: *WindowsFileProtection.admx* - - - -
      - - -**ADMX_WindowsFileProtection/WFPQuota** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      - - -
      - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Machine - -
      - - - -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the maximum amount of disk space that can be used for the Windows File Protection file cache. -Windows File Protection adds protected files to the cache until the cache content reaches the quota. -If the quota is greater than 50 MB, Windows File Protection adds other important Windows XP files to the cache until the cache size reaches the quota. - -- If you enable this policy setting, enter the maximum amount of disk space to be used (in MB). -To indicate that the cache size is unlimited, select "4294967295" as the maximum amount of disk space. - -- If you disable this policy setting or do not configure it, the default value is set to 50 MB on Windows XP Professional and is unlimited (4294967295 MB) on Windows Server 2003. -> [!NOTE] -> Icon size is dependent upon what the user has set it to in the previous session. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP Friendly name: *Limit Windows File Protection cache size* -- GP name: *WFPQuota* -- GP path: *System\Windows File Protection* -- GP ADMX file name: *WindowsFileProtection.admx* - - - -
      - - -**ADMX_WindowsFileProtection/WFPScan** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      - - -
      - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Machine - -
      - - - -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to set when Windows File Protection scans protected files. -This policy setting directs Windows File Protection to enumerate and scan all system files for changes. - -- If you enable this policy setting, select a rate from the "Scanning Frequency" box. -You can use this setting to direct Windows File Protection to scan files more often. --- "Do not scan during startup," the default, scans files only during setup. --- "Scan during startup" also scans files each time you start Windows XP. -This setting delays each startup. - -- If you disable or do not configure this policy setting, by default, files are scanned only during setup. - -> [!NOTE] -> This policy setting affects file scanning only. It does not affect the standard background file change detection that Windows File Protection provides. - - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP Friendly name: *Set Windows File Protection scanning* -- GP name: *WFPScan* -- GP path: *System\Windows File Protection* -- GP ADMX file name: *WindowsFileProtection.admx* - - - -
      - - -**ADMX_WindowsFileProtection/WFPDllCacheDir** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      - - -
      - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Machine - -
      - - - -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies an alternate location for the Windows File Protection cache. - -- If you enable this policy setting, enter the fully qualified local path to the new location in the "Cache file path" box. -- If you disable this setting or do not configure it, the Windows File Protection cache is located in the "%Systemroot%\System32\Dllcache directory". - -> [!NOTE] -> Do not add the cache on a network shared directory. - - -> [!NOTE] -> For Windows Vista, Windows Server 2008, and earlier versions of Windows, the module name, for example timedate.cpl or inetcpl.cpl, should be entered. If a Control Panel item does not have a CPL file, or the CPL file contains multiple applets, then its module name and string resource identification number should be entered. For example, enter @systemcpl.dll,-1 for System or @themecpl.dll,-1 for Personalization. A complete list of canonical and module names of Control Panel items can be found in MSDN by searching "Control Panel items". - -If both the "Hide specified Control Panel items" setting and the "Show only specified Control Panel items" setting are enabled, the "Show only specified Control Panel items" setting is ignored. - -> [!NOTE] -> The Display Control Panel item cannot be hidden in the Desktop context menu by using this setting. To hide the Display Control Panel item and prevent users from modifying the computer's display settings use the "Disable Display Control Panel" setting instead. -> -> To hide pages in the System Settings app, use the "Settings Page Visibility" setting under Computer Configuration. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP Friendly name: *Specify Windows File Protection cache location* -- GP name: *WFPDllCacheDir* -- GP path: *System\Windows File Protection* -- GP ADMX file name: *WindowsFileProtection.admx* - - - -
      - -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. - - \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-windowsmediadrm.md b/windows/client-management/mdm/policy-csp-admx-windowsmediadrm.md index 43885e4dc8..dad60fc2d8 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsmediadrm.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsmediadrm.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_WindowsMediaDRM -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +> [!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -36,28 +40,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -74,7 +84,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents Windows Media Digital Rights Management (DRM) from accessing the Internet (or intranet). +This policy setting prevents Windows Media Digital Rights Management (DRM) from accessing the Internet (or intranet). When enabled, Windows Media DRM is prevented from accessing the Internet (or intranet) for license acquisition and security upgrades. @@ -83,12 +93,7 @@ When this policy is enabled, programs are not able to acquire licenses for secur When this policy is either disabled or not configured, Windows Media DRM functions normally and will connect to the Internet (or intranet) to acquire licenses, download security upgrades, and perform license restoration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -101,8 +106,7 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-windowsmediaplayer.md b/windows/client-management/mdm/policy-csp-admx-windowsmediaplayer.md index 73bedb6677..2ec079bff6 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsmediaplayer.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsmediaplayer.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_WindowsMediaPlayer -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +> [!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -96,28 +100,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -134,7 +144,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the HTTP proxy settings for Windows Media Player. +This policy setting allows you to specify the HTTP proxy settings for Windows Media Player. If you enable this policy setting, select one of the following proxy types: @@ -153,12 +163,7 @@ If you disable this policy setting, the HTTP proxy server cannot be used and the If you do not configure this policy setting, users can configure the HTTP proxy settings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -177,28 +182,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -215,7 +226,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the MMS proxy settings for Windows Media Player. +This policy setting allows you to specify the MMS proxy settings for Windows Media Player. If you enable this policy setting, select one of the following proxy types: @@ -233,12 +244,7 @@ If you disable this policy setting, the MMS proxy server cannot be used and user If you do not configure this policy setting, users can configure the MMS proxy settings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -257,28 +263,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -295,7 +307,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the RTSP proxy settings for Windows Media Player. +This policy setting allows you to specify the RTSP proxy settings for Windows Media Player. If you enable this policy setting, select one of the following proxy types: @@ -311,12 +323,7 @@ If you disable this policy setting, the RTSP proxy server cannot be used and use If you do not configure this policy setting, users can configure the RTSP proxy settings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -335,28 +342,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -373,7 +386,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off do not show first use dialog boxes. +This policy setting allows you to turn off do not show first use dialog boxes. If you enable this policy setting, the Privacy Options and Installation Options dialog boxes are prevented from being displayed the first time a user starts Windows Media Player. @@ -382,12 +395,7 @@ This policy setting prevents the dialog boxes which allow users to select privac If you disable or do not configure this policy setting, the dialog boxes are displayed when the user starts the Player for the first time. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -406,28 +414,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -444,19 +458,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to hide the Network tab. +This policy setting allows you to hide the Network tab. If you enable this policy setting, the Network tab in Windows Media Player is hidden. The default network settings are used unless the user has previously defined network settings for the Player. If you disable or do not configure this policy setting, the Network tab appears and users can use it to configure network settings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -475,28 +484,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -513,7 +528,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent the anchor window from being displayed when Windows Media Player is in skin mode. +This policy setting allows you to prevent the anchor window from being displayed when Windows Media Player is in skin mode. If you enable this policy setting, the anchor window is hidden when the Player is in skin mode. In addition, the option on the Player tab in the Player that enables users to choose whether the anchor window displays is not available. @@ -522,12 +537,7 @@ If you disable or do not configure this policy setting, users can show or hide t If you do not configure this policy setting, and the "Set and lock skin" policy setting is enabled, some options in the anchor window are not available. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -546,28 +556,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -584,7 +600,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents the anchor window from being displayed when Windows Media Player is in skin mode. +This policy setting prevents the anchor window from being displayed when Windows Media Player is in skin mode. This policy hides the anchor window when the Player is in skin mode. In addition, the option on the Player tab in the Player that enables users to choose whether the anchor window displays is not available. @@ -593,12 +609,7 @@ When this policy is not configured or disabled, users can show or hide the ancho When this policy is not configured and the Set and Lock Skin policy is enabled, some options in the anchor window are not available. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -617,28 +628,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -655,7 +672,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent video smoothing from occurring. +This policy setting allows you to prevent video smoothing from occurring. If you enable this policy setting, video smoothing is prevented, which can improve video playback on computers with limited resources. In addition, the Use Video Smoothing check box in the Video Acceleration Settings dialog box in the Player is cleared and is not available. @@ -666,12 +683,7 @@ If you do not configure this policy setting, video smoothing occurs if necessary Video smoothing is available only on the Windows XP Home Edition and Windows XP Professional operating systems. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -690,28 +702,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -728,7 +746,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows a screen saver to interrupt playback. +This policy setting allows a screen saver to interrupt playback. If you enable this policy setting, a screen saver is displayed during playback of digital media according to the options selected on the Screen Saver tab in the Display Properties dialog box in Control Panel. The Allow screen saver during playback check box on the Player tab in the Player is selected and is not available. @@ -737,12 +755,7 @@ If you disable this policy setting, a screen saver does not interrupt playback e If you do not configure this policy setting, users can change the setting for the Allow screen saver during playback check box. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -761,28 +774,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -799,7 +818,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to hide the Privacy tab in Windows Media Player. +This policy setting allows you to hide the Privacy tab in Windows Media Player. If you enable this policy setting, the "Update my music files (WMA and MP3 files) by retrieving missing media information from the Internet" check box on the Media Library tab is available, even though the Privacy tab is hidden, unless the "Prevent music file media information retrieval" policy setting is enabled. @@ -808,12 +827,7 @@ The default privacy settings are used for the options on the Privacy tab unless If you disable or do not configure this policy setting, the Privacy tab is not hidden, and users can configure any privacy settings not configured by other polices. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -832,28 +846,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -870,19 +890,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to hide the Security tab in Windows Media Player. +This policy setting allows you to hide the Security tab in Windows Media Player. If you enable this policy setting, the default security settings for the options on the Security tab are used unless the user changed the settings previously. Users can still change security and zone settings by using Internet Explorer unless these settings have been hidden or disabled by Internet Explorer policies. If you disable or do not configure this policy setting, users can configure the security settings on the Security tab. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -901,28 +916,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -939,7 +960,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify whether network buffering uses the default or a specified number of seconds. +This policy setting allows you to specify whether network buffering uses the default or a specified number of seconds. If you enable this policy setting, select one of the following options to specify the number of seconds streaming media is buffered before it is played. @@ -951,12 +972,7 @@ The "Use default buffering" and "Buffer" options on the Performance tab in the P If you disable or do not configure this policy setting, users can change the buffering options on the Performance tab. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -975,28 +991,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1013,7 +1035,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent Windows Media Player from downloading codecs. +This policy setting allows you to prevent Windows Media Player from downloading codecs. If you enable this policy setting, the Player is prevented from automatically downloading codecs to your computer. In addition, the Download codecs automatically check box on the Player tab in the Player is not available. @@ -1022,12 +1044,7 @@ If you disable this policy setting, codecs are automatically downloaded and the If you do not configure this policy setting, users can change the setting for the Download codecs automatically check box. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1046,28 +1063,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1084,19 +1107,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent media information for CDs and DVDs from being retrieved from the Internet. +This policy setting allows you to prevent media information for CDs and DVDs from being retrieved from the Internet. If you enable this policy setting, the Player is prevented from automatically obtaining media information from the Internet for CDs and DVDs played by users. In addition, the Retrieve media information for CDs and DVDs from the Internet check box on the Privacy Options tab in the first use dialog box and on the Privacy tab in the Player are not selected and are not available. If you disable or do not configure this policy setting, users can change the setting of the Retrieve media information for CDs and DVDs from the Internet check box. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1115,28 +1133,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1153,19 +1177,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent media sharing from Windows Media Player. +This policy setting allows you to prevent media sharing from Windows Media Player. If you enable this policy setting, any user on this computer is prevented from sharing digital media content from Windows Media Player with other computers and devices that are on the same network. Media sharing is disabled from Windows Media Player or from programs that depend on the Player's media sharing feature. If you disable or do not configure this policy setting, anyone using Windows Media Player can turn media sharing on or off. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1184,28 +1203,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1222,19 +1247,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent media information for music files from being retrieved from the Internet. +This policy setting allows you to prevent media information for music files from being retrieved from the Internet. If you enable this policy setting, the Player is prevented from automatically obtaining media information for music files such as Windows Media Audio (WMA) and MP3 files from the Internet. In addition, the Update my music files (WMA and MP3 files) by retrieving missing media information from the Internet check box in the first use dialog box and on the Privacy and Media Library tabs in the Player are not selected and are not available. If you disable or do not configure this policy setting, users can change the setting of the Update my music files (WMA and MP3 files) by retrieving missing media information from the Internet check box. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1253,28 +1273,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1291,19 +1317,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent a shortcut for the Player from being added to the Quick Launch bar. +This policy setting allows you to prevent a shortcut for the Player from being added to the Quick Launch bar. If you enable this policy setting, the user cannot add the shortcut for the Player to the Quick Launch bar. If you disable or do not configure this policy setting, the user can choose whether to add the shortcut for the Player to the Quick Launch bar. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1322,28 +1343,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1359,19 +1386,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent radio station presets from being retrieved from the Internet. +This policy setting allows you to prevent radio station presets from being retrieved from the Internet. If you enable this policy setting, the Player is prevented from automatically retrieving radio station presets from the Internet and displaying them in Media Library. In addition, presets that exist before the policy is configured are not be updated, and presets a user adds are not be displayed. If you disable or do not configure this policy setting, the Player automatically retrieves radio station presets from the Internet. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1390,28 +1412,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1428,19 +1456,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent a shortcut icon for the Player from being added to the user's desktop. +This policy setting allows you to prevent a shortcut icon for the Player from being added to the user's desktop. If you enable this policy setting, users cannot add the Player shortcut icon to their desktops. If you disable or do not configure this policy setting, users can choose whether to add the Player shortcut icon to their desktops. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1459,28 +1482,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1497,7 +1526,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to set and lock Windows Media Player in skin mode, using a specified skin. +This policy setting allows you to set and lock Windows Media Player in skin mode, using a specified skin. If you enable this policy setting, the Player displays only in skin mode using the skin specified in the Skin box on the Setting tab. @@ -1508,12 +1537,7 @@ A user has access only to the Player features that are available with the specif If you disable or do not configure this policy setting, users can display the Player in full or skin mode and have access to all available features of the Player. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1532,28 +1556,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -1570,7 +1600,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify that Windows Media Player can attempt to use selected protocols when receiving streaming media from a server running Windows Media Services. +This policy setting allows you to specify that Windows Media Player can attempt to use selected protocols when receiving streaming media from a server running Windows Media Services. If you enable this policy setting, the protocols that are selected on the Network tab of the Player are used to receive a stream initiated through an MMS or RTSP URL from a Windows Media server. If the RSTP/UDP check box is selected, a user can specify UDP ports in the Use ports check box. If the user does not specify UDP ports, the Player uses default ports when using the UDP protocol. This policy setting also specifies that multicast streams can be received if the "Allow the Player to receive multicast streams" check box on the Network tab is selected. @@ -1581,12 +1611,7 @@ If you do not configure this policy setting, users can select the protocols to u If you disable this policy setting, the Protocols for MMS URLs and Multicast streams areas of the Network tab are not available and the Player cannot receive an MMS or RTSP stream from a Windows Media server. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1599,8 +1624,7 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-windowsremotemanagement.md b/windows/client-management/mdm/policy-csp-admx-windowsremotemanagement.md index 71e5c8b5aa..bb1d034198 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsremotemanagement.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsremotemanagement.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_WindowsRemoteManagement -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +
      @@ -39,31 +44,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      +
      @@ -77,17 +89,12 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Kerberos credentials over the network. +This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Kerberos credentials over the network. If you enable this policy setting, the WinRM service does not accept Kerberos credentials over the network. If you disable or do not configure this policy setting, the WinRM service accepts Kerberos authentication from a remote client. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -107,31 +114,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      +
      @@ -145,19 +159,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Kerberos authentication directly. +This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Kerberos authentication directly. If you enable this policy setting, the Windows Remote Management (WinRM) client does not use Kerberos authentication directly. Kerberos can still be used if the WinRM client is using the Negotiate authentication and Kerberos is selected. If you disable or do not configure this policy setting, the WinRM client uses the Kerberos authentication directly. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -170,7 +179,6 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-windowsstore.md b/windows/client-management/mdm/policy-csp-admx-windowsstore.md index 815572c120..dd62e87f17 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsstore.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsstore.md @@ -13,8 +13,15 @@ manager: dansimp --- # Policy CSP - ADMX_WindowsStore -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +
      @@ -48,28 +55,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -86,19 +99,14 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting enables or disables the automatic download of app updates on PCs running Windows 8. +This policy setting enables or disables the automatic download of app updates on PCs running Windows 8. If you enable this setting, the automatic download of app updates is turned off. If you disable this setting, the automatic download of app updates is turned on. If you don't configure this setting, the automatic download of app updates is determined by a registry setting that the user can change using Settings in the Windows Store. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -119,31 +127,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      +
      @@ -157,19 +172,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting enables or disables the Store offer to update to the latest version of Windows. +This policy setting enables or disables the Store offer to update to the latest version of Windows. If you enable this setting, the Store application will not offer updates to the latest version of Windows. If you disable or do not configure this setting the Store application will offer updates to the latest version of Windows. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -190,31 +200,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      +
      @@ -228,19 +245,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting enables or disables the Store offer to update to the latest version of Windows. +This policy setting enables or disables the Store offer to update to the latest version of Windows. If you enable this setting, the Store application will not offer updates to the latest version of Windows. If you disable or do not configure this setting the Store application will offer updates to the latest version of Windows. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -251,7 +263,7 @@ ADMX Info: -
      +
      @@ -261,31 +273,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      +
      @@ -299,19 +318,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies or allows access to the Store application. +This policy setting denies or allows access to the Store application. If you enable this setting, access to the Store application is denied. Access to the Store is required for installing app updates. If you disable or don't configure this setting, access to the Store application is allowed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -332,31 +346,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      +
      @@ -370,19 +391,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies or allows access to the Store application. +This policy setting denies or allows access to the Store application. If you enable this setting, access to the Store application is denied. Access to the Store is required for installing app updates. If you disable or don't configure this setting, access to the Store application is allowed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -395,6 +411,5 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-wininit.md b/windows/client-management/mdm/policy-csp-admx-wininit.md index bff41ec699..65f15edfe1 100644 --- a/windows/client-management/mdm/policy-csp-admx-wininit.md +++ b/windows/client-management/mdm/policy-csp-admx-wininit.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_WinInit -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +
      @@ -42,31 +47,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      +
      @@ -80,19 +92,14 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the legacy remote shutdown interface (named pipe). The named pipe remote shutdown interface is needed in order to shutdown this system from a remote Windows XP or Windows Server 2003 system. +This policy setting controls the legacy remote shutdown interface (named pipe). The named pipe remote shutdown interface is needed in order to shutdown this system from a remote Windows XP or Windows Server 2003 system. If you enable this policy setting, the system does not create the named pipe remote shutdown interface. If you disable or do not configure this policy setting, the system creates the named pipe remote shutdown interface. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -111,31 +118,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      +
      @@ -149,19 +163,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the use of fast startup. +This policy setting controls the use of fast startup. If you enable this policy setting, the system requires hibernate to be enabled. If you disable or do not configure this policy setting, the local setting is used. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -180,31 +189,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      +
      @@ -218,19 +234,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the number of minutes the system waits for the hung logon sessions before proceeding with the system shutdown. +This policy setting configures the number of minutes the system waits for the hung logon sessions before proceeding with the system shutdown. If you enable this policy setting, the system waits for the hung logon sessions for the number of minutes specified. If you disable or do not configure this policy setting, the default timeout value is 3 minutes for workstations and 15 minutes for servers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -243,8 +254,7 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-winlogon.md b/windows/client-management/mdm/policy-csp-admx-winlogon.md index 357f16b165..8eaf9ca043 100644 --- a/windows/client-management/mdm/policy-csp-admx-winlogon.md +++ b/windows/client-management/mdm/policy-csp-admx-winlogon.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_WinLogon -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +
      @@ -51,31 +56,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      +
      @@ -89,7 +101,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. Specifies an alternate user interface. The Explorer program (%windir%\explorer.exe) creates the familiar Windows interface, but you can use this setting to specify an alternate interface. +Specifies an alternate user interface. The Explorer program (%windir%\explorer.exe) creates the familiar Windows interface, but you can use this setting to specify an alternate interface. If you enable this setting, the system starts the interface you specify instead of Explorer.exe. To use this setting, copy your interface program to a network share or to your system drive. Then, enable this setting, and type the name of the interface program, including the file name extension, in the Shell name text box. If the interface program file is not located in a folder specified in the Path environment variable for your system, enter the fully qualified path to the file. @@ -99,12 +111,7 @@ If you disable this setting or do not configure it, the setting is ignored and t > To find the folders indicated by the Path environment variable, click System Properties in Control Panel, click the Advanced tab, click the Environment Variables button, and then, in the System variables box, click Path. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -123,31 +130,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      +
      @@ -161,7 +175,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether or not the system displays information about previous logons and logon failures to the user. +This policy setting controls whether or not the system displays information about previous logons and logon failures to the user. For local user accounts and domain user accounts in domains of at least a Windows Server 2008 functional level, if you enable this setting, a message appears after the user logs on that displays the date and time of the last successful logon by that user, the date and time of the last unsuccessful logon attempted with that user name, and the number of unsuccessful logons since the last successful logon by that user. This message must be acknowledged by the user before the user is presented with the Microsoft Windows desktop. @@ -170,12 +184,7 @@ For domain user accounts in Windows Server 2003, Windows 2000 native, or Windows If you disable or do not configure this setting, messages about the previous logon or logon failures are not displayed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -195,31 +204,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      +
      @@ -233,7 +249,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy controls whether the logged on user should be notified when his logon hours are about to expire. By default, a user is notified before logon hours expire, if actions have been set to occur when the logon hours expire. +This policy controls whether the logged on user should be notified when his logon hours are about to expire. By default, a user is notified before logon hours expire, if actions have been set to occur when the logon hours expire. If you enable this setting, warnings are not displayed to the user before the logon hours expire. @@ -243,12 +259,7 @@ If you disable or do not configure this setting, users receive warnings before t > If you configure this setting, you might want to examine and appropriately configure the “Set action to take when logon hours expire” setting. If “Set action to take when logon hours expire” is disabled or not configured, the “Remove logon hours expiration warnings” setting will have no effect, and users receive no warnings about logon hour expiration -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -267,31 +278,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      +
      @@ -305,7 +323,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy controls which action will be taken when the logon hours expire for the logged on user. The actions include lock the workstation, disconnect the user, or log the user off completely. +This policy controls which action will be taken when the logon hours expire for the logged on user. The actions include lock the workstation, disconnect the user, or log the user off completely. If you choose to lock or disconnect a session, the user cannot unlock the session or reconnect except during permitted logon hours. @@ -317,12 +335,7 @@ If you disable or do not configure this setting, the system takes no action when > If you configure this setting, you might want to examine and appropriately configure the “Remove logon hours expiration warnings” setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -341,31 +354,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      +
      @@ -380,19 +400,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy controls whether the logged on user should be notified if the logon server could not be contacted during logon and he has been logged on using previously stored account information. +This policy controls whether the logged on user should be notified if the logon server could not be contacted during logon and he has been logged on using previously stored account information. If enabled, a notification popup will be displayed to the user when the user logs on with cached credentials. If disabled or not configured, no popup will be displayed to the user. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -411,31 +426,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      +
      @@ -449,7 +471,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether or not software can simulate the Secure Attention Sequence (SAS). +This policy setting controls whether or not software can simulate the Secure Attention Sequence (SAS). If you enable this policy setting, you have one of four options: @@ -461,12 +483,7 @@ If you enable this policy setting, you have one of four options: If you disable or do not configure this setting, only Ease of Access applications running on the secure desktop can simulate the SAS. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -479,7 +496,6 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-winsrv.md b/windows/client-management/mdm/policy-csp-admx-winsrv.md index 30d6f460e5..d61e00df82 100644 --- a/windows/client-management/mdm/policy-csp-admx-winsrv.md +++ b/windows/client-management/mdm/policy-csp-admx-winsrv.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_Winsrv -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +
      @@ -36,31 +41,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      +
      @@ -74,7 +86,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether Windows will allow console applications and GUI applications without visible top-level windows to block or cancel shutdown. +This policy setting specifies whether Windows will allow console applications and GUI applications without visible top-level windows to block or cancel shutdown. By default, such applications are automatically terminated if they attempt to cancel shutdown or block it indefinitely. @@ -85,12 +97,7 @@ By default, such applications are automatically terminated if they attempt to ca > This policy setting applies to all sites in Trusted zones. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -103,8 +110,7 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-wlansvc.md b/windows/client-management/mdm/policy-csp-admx-wlansvc.md index 83fdd75390..15c3769dc1 100644 --- a/windows/client-management/mdm/policy-csp-admx-wlansvc.md +++ b/windows/client-management/mdm/policy-csp-admx-wlansvc.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_wlansvc -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +
      @@ -42,28 +47,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -80,7 +91,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the cost of Wireless LAN (WLAN) connections on the local machine. +This policy setting configures the cost of Wireless LAN (WLAN) connections on the local machine. If this policy setting is enabled, a drop-down list box presenting possible cost values will be active. Selecting one of the following values from the list will set the cost of all WLAN connections on the local machine: @@ -89,12 +100,7 @@ If this policy setting is enabled, a drop-down list box presenting possible cost - Variable: This connection is costed on a per byte basis. If this policy setting is disabled or is not configured, the cost of Wireless LAN connections is Unrestricted by default. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -113,28 +119,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -151,19 +163,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy applies to Wireless Display connections. This policy means that the use of a PIN for pairing to Wireless Display devices is required rather than optional. +This policy applies to Wireless Display connections. This policy means that the use of a PIN for pairing to Wireless Display devices is required rather than optional. Conversely it means that Push Button is NOT allowed. If this policy setting is disabled or is not configured, by default Push Button pairing is allowed (but not necessarily preferred). -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -182,28 +189,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      @@ -220,19 +233,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy applies to Wireless Display connections. This policy changes the preference order of the pairing methods. +This policy applies to Wireless Display connections. This policy changes the preference order of the pairing methods. When enabled, it makes the connections to prefer a PIN for pairing to Wireless Display devices over the Push Button pairing method. If this policy setting is disabled or is not configured, by default Push Button pairing is preferred (if allowed by other policies). -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -245,8 +253,7 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-wordwheel.md b/windows/client-management/mdm/policy-csp-admx-wordwheel.md new file mode 100644 index 0000000000..d66b03aaee --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-wordwheel.md @@ -0,0 +1,109 @@ +--- +title: Policy CSP - ADMX_WordWheel +description: Policy CSP - ADMX_WordWheel +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nimishasatapathy +ms.date: 09/22/2021 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_WordWheel + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + +
      + + +## ADMX_WordWheel policies + +
      +
      + ADMX_WordWheel/CustomSearch +
      +
      + + +
      + + +**ADMX_WordWheel/CustomSearch** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      EditionWindows 10Windows 11
      HomeNoNo
      ProNoNo
      BusinessNoNo
      EnterpriseYesYes
      EducationYesYes
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + +Set up the menu name and URL for the custom Internet search provider. + +- If you enable this setting, the specified menu name and URL will be used for Internet searches. +- If you disable or not configure this setting, the default Internet search provider will be used. + + + + + +ADMX Info: +- GP Friendly name: *Custom Instant Search Internet search provider* +- GP name: *CustomSearch* +- GP path: *Windows Components\Instant Search* +- GP ADMX file name: *WordWheel.admx* + + + +
      + + + + diff --git a/windows/client-management/mdm/policy-csp-admx-workfoldersclient.md b/windows/client-management/mdm/policy-csp-admx-workfoldersclient.md new file mode 100644 index 0000000000..35838e210e --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-workfoldersclient.md @@ -0,0 +1,264 @@ +--- +title: Policy CSP - ADMX_WorkFoldersClient +description: Policy CSP - ADMX_WorkFoldersClient +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nimishasatapathy +ms.date: 09/22/2021 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_WorkFoldersClient + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + +
      + + +## ADMX_WorkFoldersClient policies + +
      +
      + ADMX_WorkFoldersClient/Pol_UserEnableTokenBroker +
      +
      + ADMX_WorkFoldersClient/Pol_UserEnableWorkFolders +
      +
      + ADMX_WorkFoldersClient/Pol_MachineEnableWorkFolders +
      +
      + + +
      + + +**ADMX_WorkFoldersClient/Pol_UserEnableTokenBroker** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      EditionWindows 10Windows 11
      HomeNoNo
      ProNoNo
      BusinessNoNo
      EnterpriseYesYes
      EducationYesYes
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +This policy setting specifies whether Work Folders should be set up automatically for all users of the affected computer. + +- If you enable this policy setting, Work Folders will be set up automatically for all users of the affected computer. + +This prevents users from choosing not to use Work Folders on the computer; it also prevents them from manually specifying the local folder in which Work Folders stores files. Work Folders will use the settings specified in the "Specify Work Folders settings" policy setting in User Configuration\Administrative Templates\Windows Components\WorkFolders. If the "Specify Work Folders settings" policy setting does not apply to a user, Work Folders is not automatically set up. +- If you disable or do not configure this policy setting, Work Folders uses the "Force automatic setup" option of the "Specify Work Folders settings" policy setting to determine whether to automatically set up Work Folders for a given user. + + + + + +ADMX Info: +- GP Friendly name: *Force automatic setup for all users* +- GP name: *Pol_UserEnableTokenBroker* +- GP path: *Windows Components\Work Folders* +- GP ADMX file name: *WorkFoldersClient.admx* + + + + +
      + + +**ADMX_WorkFoldersClient/Pol_UserEnableWorkFolders** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      EditionWindows 10Windows 11
      HomeNoNo
      ProNoNo
      BusinessNoNo
      EnterpriseYesYes
      EducationYesYes
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + +This policy setting specifies the Work Folders server for affected users, as well as whether or not users are allowed to change settings when setting up Work Folders on a domain-joined computer. + +- If you enable this policy setting, affected users receive Work Folders settings when they sign in to a domain-joined PC. + +If this policy setting is disabled or not configured, no Work Folders settings are specified for the affected users, though users can manually set up Work Folders by using the Work Folders Control Panel item. The "Work Folders URL" can specify either the URL used by the organization for Work Folders discovery, or the specific URL of the file server that stores the affected users' data. The "Work Folders Local Path" specifies the local folder used on the client machine to sync files. This path may contain environment variables. + +> [!NOTE] +> In order for this configuration to take effect, a valid 'Work Folders URL' must also be specified. + +The “On-demand file access preference” option controls whether to enable on-demand file access. When enabled, the user controls which files in Work Folders are available offline on a given PC. The rest of the files in Work Folders are always visible and don’t take up any space on the PC, but the user must be connected to the Internet to access them. If you enable this policy setting, on-demand file access is enabled. + +- If you disable this policy setting, on-demand file access is disabled, and enough storage space to store all the user’s files is required on each of their PCs. + +If you specify User choice or do not configure this policy setting, the user decides whether to enable on-demand file access. However, if the Force automatic setup policy setting is enabled, Work Folders is set up automatically with on-demand file access enabled. + +The "Force automatic setup" option specifies that Work Folders should be set up automatically without prompting users. This prevents users from choosing not to use Work Folders on the computer; it also prevents them from manually specifying the local folder in which Work Folders stores files. By default, Work Folders is stored in the "%USERPROFILE%\Work Folders" folder. If this option is not specified, users must use the Work Folders Control Panel item on their computers to set up Work Folders. + + + + + +ADMX Info: +- GP Friendly name: *Specify Work Folders settings* +- GP name: *Pol_UserEnableWorkFolders* +- GP path: *Windows Components\Work Folders* +- GP ADMX file name: *WorkFoldersClient.admx* + + + +
      + + +**ADMX_WorkFoldersClient/Pol_MachineEnableWorkFolders** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      EditionWindows 10Windows 11
      HomeNoNo
      ProNoNo
      BusinessNoNo
      EnterpriseYesYes
      EducationYesYes
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + +This policy specifies whether Work Folders should use Token Broker for interactive AD FS authentication instead of its own OAuth2 token flow used in previous versions. + + + + + +ADMX Info: +- GP Friendly name: *Enables the use of Token Broker for AD FS authentication* +- GP name: *Pol_MachineEnableWorkFolders* +- GP path: *Windows Components\Work Folders* +- GP ADMX file name: *WorkFoldersClient.admx* + + + + + + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-wpn.md b/windows/client-management/mdm/policy-csp-admx-wpn.md index 6538f66279..2cc6b9b072 100644 --- a/windows/client-management/mdm/policy-csp-admx-wpn.md +++ b/windows/client-management/mdm/policy-csp-admx-wpn.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_WPN -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +
      @@ -51,31 +56,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      +
      @@ -89,7 +101,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting blocks voice and video calls during Quiet Hours. +This policy setting blocks voice and video calls during Quiet Hours. If you enable this policy setting, voice and video calls will be blocked during the designated Quiet Hours time window each day, and users will not be able to customize any other Quiet Hours settings. @@ -98,12 +110,7 @@ If you disable this policy setting, voice and video calls will be allowed during If you do not configure this policy setting, voice and video calls will be allowed during Quiet Hours by default. Administrators and users will be able to modify this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -122,31 +129,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      +
      @@ -160,7 +174,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting turns off toast notifications on the lock screen. +This policy setting turns off toast notifications on the lock screen. If you enable this policy setting, applications will not be able to raise toast notifications on the lock screen. @@ -169,12 +183,7 @@ If you disable or do not configure this policy setting, toast notifications on t No reboots or service restarts are required for this policy setting to take effect. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -193,31 +202,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      +
      @@ -231,7 +247,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting turns off Quiet Hours functionality. +This policy setting turns off Quiet Hours functionality. If you enable this policy setting, toast notifications will not be suppressed and some background tasks will not be deferred during the designated Quiet Hours time window each day. @@ -240,12 +256,7 @@ If you disable this policy setting, toast notifications will be suppressed and s If you do not configure this policy setting, Quiet Hours are enabled by default but can be turned off or by the administrator or user. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -264,31 +275,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      +
      @@ -302,7 +320,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting turns off toast notifications for applications. +This policy setting turns off toast notifications for applications. If you enable this policy setting, applications will not be able to raise toast notifications. @@ -315,12 +333,7 @@ If you disable or do not configure this policy setting, toast notifications are No reboots or service restarts are required for this policy setting to take effect. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -339,31 +352,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      +
      @@ -377,7 +397,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the number of minutes after midnight (local time) that Quiet Hours is to begin each day. +This policy setting specifies the number of minutes after midnight (local time) that Quiet Hours is to begin each day. If you enable this policy setting, the specified time will be used, and users will not be able to customize any Quiet Hours settings. @@ -386,12 +406,7 @@ If you disable this policy setting, a default value will be used, and users will If you do not configure this policy setting, a default value will be used, which administrators and users will be able to modify. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -410,31 +425,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcross markYesYes
      +
      @@ -448,7 +470,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the number of minutes after midnight (local time) that Quiet Hours is to end each day. +This policy setting specifies the number of minutes after midnight (local time) that Quiet Hours is to end each day. If you enable this policy setting, the specified time will be used, and users will not be able to customize any Quiet Hours settings. @@ -457,12 +479,7 @@ If you disable this policy setting, a default value will be used, and users will If you do not configure this policy setting, a default value will be used, which administrators and users will be able to modify. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -475,8 +492,7 @@ ADMX Info:
      -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-applicationdefaults.md b/windows/client-management/mdm/policy-csp-applicationdefaults.md index 87aec967af..2337443c82 100644 --- a/windows/client-management/mdm/policy-csp-applicationdefaults.md +++ b/windows/client-management/mdm/policy-csp-applicationdefaults.md @@ -1,6 +1,6 @@ --- title: Policy CSP - ApplicationDefaults -description: Learn about various Policy configuration service provider (CSP) - ApplicationDefaults, including SyncML, for Windows 10. +description: Learn about various Policy configuration service providers (CSP) - ApplicationDefaults, including SyncML, for Windows 10. ms.author: dansimp ms.topic: article ms.prod: w10 @@ -39,28 +39,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark2YesYes
      Businesscheck mark2YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      @@ -77,9 +83,9 @@ manager: dansimp -Added in Windows 10, version 1703. This policy allows an administrator to set default file type and protocol associations. When set, default associations will be applied on sign-in to the PC. The association file can be created using the DISM tool (dism /online /export-defaultappassociations:appassoc.xml), and then needs to be base64 encoded before being added to SyncML. +This policy allows an administrator to set default file type and protocol associations. When set, default associations are applied on sign in to the PC. The association file can be created using the DISM tool (dism /online /export-defaultappassociations:appassoc.xml). Then, it needs to be base64 encoded before being added to SyncML. -If policy is enabled and the client machine is Azure Active Directory joined, the associations assigned in SyncML will be processed and default associations will be applied. +If policy is enabled and the client machine is having Azure Active Directory, the associations assigned in SyncML are processed and default associations are applied. @@ -100,7 +106,7 @@ To create the SyncML, follow these steps:
    • Paste the base64 encoded XML into the SyncML
      • -Here is an example output from the dism default association export command: +Here's an example output from the dism default association export command: ```xml @@ -113,13 +119,13 @@ Here is an example output from the dism default association export command: @@ -155,28 +161,34 @@ Here is the SyncMl example: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark4YesYes
      Businesscheck mark4YesYes
      Enterprisecheck mark4YesYes
      Educationcheck mark4YesYes
      @@ -199,7 +211,7 @@ Enabling this policy setting enables web-to-app linking so that apps can be laun Disabling this policy disables web-to-app linking and http(s) URIs will be opened in the default browser instead of launching the associated app. -If you do not configure this policy setting, the default behavior depends on the Windows edition. Changes to this policy take effect on reboot. +If you don't configure this policy setting, the default behavior depends on the Windows edition. Changes to this policy take effect on reboot. @@ -217,16 +229,7 @@ This setting supports a range of values between 0 and 1.
      -Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-applicationmanagement.md b/windows/client-management/mdm/policy-csp-applicationmanagement.md index 2843bc4633..933d541866 100644 --- a/windows/client-management/mdm/policy-csp-applicationmanagement.md +++ b/windows/client-management/mdm/policy-csp-applicationmanagement.md @@ -1,6 +1,6 @@ --- title: Policy CSP - ApplicationManagement -description: Learn about various Policy configuration service provider (CSP) - ApplicationManagement, including SyncML, for Windows 10. +description: Learn about various Policy configuration service provider (CSP) - ApplicationManagement, including SyncML, for Windows 10. ms.author: dansimp ms.topic: article ms.prod: w10 @@ -73,28 +73,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Home✔️YesYes
      Pro✔️YesYes
      Business✔️YesYes
      Enterprise✔️YesYes
      Education✔️YesYes
      @@ -142,28 +148,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      HomeNoNo
      Pro✔️YesYes
      Business✔️YesYes
      Enterprise✔️YesYes
      Education✔️YesYes
      @@ -211,28 +223,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      HomeNoNo
      Pro✔️YesYes
      Business✔️YesYes
      Enterprise✔️YesYes
      Education✔️YesYes
      @@ -280,28 +298,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      HomeNoNo
      Pro✔️YesYes
      Business✔️YesYes
      Enterprise✔️YesYes
      Education✔️YesYes
      @@ -351,28 +375,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      HomeNoNo
      Pro✔️YesYes
      Business✔️YesYes
      Enterprise✔️YesYes
      Education✔️YesYes
      @@ -419,30 +449,35 @@ Most restricted value: 0 - - + + + - + + - + + - + + - + + - + + -
      Windows EditionSupported?EditionWindows 10Windows 11
      HomeNoNo
      ProNoNo
      Business✔️8YesYes
      Enterprise✔️8YesYes
      Education✔️8YesYes
      @@ -458,7 +493,7 @@ Most restricted value: 0 -Added in Windows 10, version 2004. + Manages non-administrator users' ability to install Windows app packages. @@ -749,9 +784,11 @@ If you enable this policy setting, privileges are extended to all programs. Thes If you disable or do not configure this policy setting, the system applies the current user's permissions when it installs programs that a system administrator does not distribute or offer. -Note: This policy setting appears both in the Computer Configuration and User Configuration folders. To make this policy setting effective, you must enable it in both folders. +> [!NOTE] +> This policy setting appears both in the Computer Configuration and User Configuration folders. To make this policy setting effective, you must enable it in both folders. -Caution: Skilled users can take advantage of the permissions this policy setting grants to change their privileges and gain permanent access to restricted files and folders. Note that the User Configuration version of this policy setting is not guaranteed to be secure. +> [!CAUTION] +> Skilled users can take advantage of the permissions this policy setting grants to change their privileges and gain permanent access to restricted files and folders. Note that the User Configuration version of this policy setting is not guaranteed to be secure. @@ -1100,15 +1137,6 @@ XSD:
      -Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-appruntime.md b/windows/client-management/mdm/policy-csp-appruntime.md index 5985ed58aa..3d94d24363 100644 --- a/windows/client-management/mdm/policy-csp-appruntime.md +++ b/windows/client-management/mdm/policy-csp-appruntime.md @@ -14,6 +14,12 @@ manager: dansimp # Policy CSP - AppRuntime +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -36,31 +42,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -81,12 +94,7 @@ If you enable this policy setting, Windows Store apps that typically require a M If you disable or do not configure this policy setting, users will need to sign in with a Microsoft account. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -99,16 +107,7 @@ ADMX Info:
      -Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-appvirtualization.md b/windows/client-management/mdm/policy-csp-appvirtualization.md index 08865e0dd4..e21656192a 100644 --- a/windows/client-management/mdm/policy-csp-appvirtualization.md +++ b/windows/client-management/mdm/policy-csp-appvirtualization.md @@ -14,6 +14,12 @@ manager: dansimp # Policy CSP - AppVirtualization +> [!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -117,31 +123,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -158,12 +171,7 @@ manager: dansimp This policy setting allows you to enable or disable Microsoft Application Virtualization (App-V) feature. Reboot is needed for disable to take effect. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -183,28 +191,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -224,12 +238,7 @@ ADMX Info: Enables Dynamic Virtualization of supported shell extensions, browser helper objects, and ActiveX controls. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -249,28 +258,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -290,12 +305,7 @@ ADMX Info: Enables automatic cleanup of appv packages that were added after Windows10 anniversary release. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -315,28 +325,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -356,12 +372,7 @@ ADMX Info: Enables scripts defined in the package manifest of configuration files that should run. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -381,28 +392,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -422,12 +439,7 @@ ADMX Info: Enables a UX to display to the user when a publishing refresh is performed on the client. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -447,28 +459,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -498,12 +516,7 @@ Data Cache Limit: This value specifies the maximum size in megabytes (MB) of the Data Block Size: This value specifies the maximum size in bytes to transmit to the server at once on a reporting upload, to avoid permanent transmission failures when the log has reached a significant size. The default value is 65536. When transmitting report data to the server, one block at a time of application records that is less than or equal to the block size in bytes of XML data will be removed from the cache and sent to the server. Each block will have the general Client data and global package list data prepended, and these will not factor into the block size calculations; the potential exists for an extremely large package list to result in transmission failures over low bandwidth or unreliable connections. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -523,28 +536,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -564,12 +583,7 @@ ADMX Info: Specifies the file paths relative to %userprofile% that do not roam with a user's profile. Example usage: /FILEEXCLUSIONLIST='desktop;my pictures'. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -589,28 +603,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -630,12 +650,7 @@ ADMX Info: Specifies the registry paths that do not roam with a user profile. Example usage: /REGISTRYEXCLUSIONLIST=software\classes;software\clients. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -655,28 +670,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -696,16 +717,11 @@ ADMX Info: Specifies how new packages should be loaded automatically by App-V on a specific computer. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP Friendly name: *Specify what to load in background (aka AutoLoad)* +- GP Friendly name: *Specify what to load in background (also known as AutoLoad)* - GP name: *Steaming_Autoload* - GP path: *System/App-V/Streaming* - GP ADMX file name: *appv.admx* @@ -721,28 +737,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -762,12 +784,7 @@ ADMX Info: Migration mode allows the App-V client to modify shortcuts and FTA's for packages created using a previous version of App-V. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -787,28 +804,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -828,12 +851,7 @@ ADMX Info: Specifies the location where symbolic links are created to the current version of a per-user published package. Shortcuts, file type associations, etc. are created pointing to this path. If empty, symbolic links are not used during publishing. Example: %localappdata%\Microsoft\AppV\Client\Integration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -853,28 +871,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -894,12 +918,7 @@ ADMX Info: Specifies the location where symbolic links are created to the current version of a globally published package. Shortcuts, file type associations, etc. are created pointing to this path. If empty, symbolic links are not used during publishing. Example: %allusersprofile%\Microsoft\AppV\Client\Integration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -919,28 +938,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -978,12 +1003,7 @@ User Publishing Refresh Interval: Specifies the publishing refresh interval usin User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1003,28 +1023,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -1062,12 +1088,7 @@ User Publishing Refresh Interval: Specifies the publishing refresh interval usin User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1087,28 +1108,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -1146,12 +1173,7 @@ User Publishing Refresh Interval: Specifies the publishing refresh interval usin User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1171,28 +1193,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -1230,12 +1258,7 @@ User Publishing Refresh Interval: Specifies the publishing refresh interval usin User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1255,28 +1278,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -1314,12 +1343,7 @@ User Publishing Refresh Interval: Specifies the publishing refresh interval usin User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1339,28 +1363,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -1380,12 +1410,7 @@ ADMX Info: Specifies the path to a valid certificate in the certificate store. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1405,28 +1430,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -1446,12 +1477,7 @@ ADMX Info: This setting controls whether virtualized applications are launched on Windows 8 machines connected via a metered network connection (e.g. 4G). -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1471,28 +1497,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -1512,12 +1544,7 @@ ADMX Info: Specifies the CLSID for a compatible implementation of the IAppvPackageLocationProvider interface. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1537,28 +1564,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -1578,12 +1611,7 @@ ADMX Info: Specifies directory where all new applications and updates will be installed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1603,28 +1631,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -1644,12 +1678,7 @@ ADMX Info: Overrides source location for downloading package content. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1669,28 +1698,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -1710,12 +1745,7 @@ ADMX Info: Specifies the number of seconds between attempts to reestablish a dropped session. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1735,28 +1765,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -1776,12 +1812,7 @@ ADMX Info: Specifies the number of times to retry a dropped session. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1801,28 +1832,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -1842,12 +1879,7 @@ ADMX Info: Specifies that streamed package contents will be not be saved to the local hard disk. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1867,28 +1899,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -1908,12 +1946,7 @@ ADMX Info: If enabled, the App-V client will support BrancheCache compatible HTTP streaming. If BranchCache support is not desired, this should be disabled. The client can then apply HTTP optimizations which are incompatible with BranchCache -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1933,28 +1966,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -1974,12 +2013,7 @@ ADMX Info: Verifies Server certificate revocation status before streaming using HTTPS. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1999,28 +2033,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -2040,12 +2080,7 @@ ADMX Info: Specifies a list of process paths (may contain wildcards) which are candidates for using virtual components (shell extensions, browser helper objects, etc.). Only processes whose full path matches one of these items can use virtual components. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2058,16 +2093,7 @@ ADMX Info:
      -Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-attachmentmanager.md b/windows/client-management/mdm/policy-csp-attachmentmanager.md index aa15e81d84..227cc1205e 100644 --- a/windows/client-management/mdm/policy-csp-attachmentmanager.md +++ b/windows/client-management/mdm/policy-csp-attachmentmanager.md @@ -14,6 +14,13 @@ manager: dansimp # Policy CSP - AttachmentManager +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +
      @@ -42,31 +49,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -89,12 +103,7 @@ If you disable this policy setting, Windows marks file attachments with their zo If you do not configure this policy setting, Windows marks file attachments with their zone information. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -114,31 +123,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -161,12 +177,7 @@ If you disable this policy setting, Windows shows the check box and Unblock butt If you do not configure this policy setting, Windows hides the check box and Unblock button. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -186,31 +197,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -233,12 +251,7 @@ If you disable this policy setting, Windows does not call the registered antivir If you do not configure this policy setting, Windows does not call the registered antivirus programs when file attachments are opened. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -251,16 +264,7 @@ ADMX Info:
      -Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-audit.md b/windows/client-management/mdm/policy-csp-audit.md index 5d063b5378..4be64f929b 100644 --- a/windows/client-management/mdm/policy-csp-audit.md +++ b/windows/client-management/mdm/policy-csp-audit.md @@ -1,6 +1,6 @@ --- title: Policy CSP - Audit -description: Learn how the Policy CSP - Audit setting causes an audit event to be generated when an account can't log on to a computer because the account is locked out. +description: Learn how the Policy CSP - Audit setting causes an audit event to be generated when an account can't sign in to a computer because the account is locked out. ms.author: dansimp ms.topic: article ms.prod: w10 @@ -206,31 +206,38 @@ ms.date: 09/27/2019 - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      +
      @@ -244,11 +251,11 @@ ms.date: 09/27/2019 -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by a failed attempt to log on to an account that is locked out. +This policy setting allows you to audit events generated by a failed attempt to sign in to an account that is locked out. -If you configure this policy setting, an audit event is generated when an account cannot log on to a computer because the account is locked out. Success audits record successful attempts and Failure audits record unsuccessful attempts. +If you configure this policy setting, an audit event is generated when an account can't sign in to a computer because the account is locked out. Success audits record successful attempts and Failure audits record unsuccessful attempts. -Logon events are essential for understanding user activity and to detect potential attacks. +Sign in events are essential for understanding user activity and to detect potential attacks. Volume: Low. @@ -261,10 +268,10 @@ GP Info: The following are the supported values: -- 0 — Off/None -- 1 (default) — Success -- 2 — Failure -- 3 — Success+Failure +- 0—Off/None +- 1 (default)—Success +- 2—Failure +- 3—Success+Failure @@ -283,31 +290,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      +
      @@ -321,9 +335,9 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy allows you to audit the group membership information in the user's logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. +This policy allows you to audit the group membership information in the user's sign in token. Events in this subcategory are generated on the computer on which a sign in session is created. For an interactive sign in, the security audit event is generated on the computer that the user logged on to. For a network sign in, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. -When this setting is configured, one or more security audit events are generated for each successful logon. You must also enable the Audit Logon setting under Advanced Audit Policy Configuration\System Audit Policies\Logon/Logoff. Multiple events are generated if the group membership information cannot fit in a single security audit event. +When this setting is configured, one or more security audit events are generated for each successful sign in. Enable the Audit Logon setting under Advanced Audit Policy Configuration\System Audit Policies\Logon/Logoff. Multiple events are generated if the group membership information can't fit in a single security audit event. Volume: Low on a client computer. Medium on a domain controller or a network server. @@ -335,10 +349,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -357,31 +371,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      +
      @@ -395,7 +416,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Extended Mode negotiations. +This policy setting allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Extended Mode negotiations. If you configure this policy setting, an audit event is generated during an IPsec Extended Mode negotiation. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated during an IPsec Extended Mode negotiation. @@ -411,10 +432,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -433,31 +454,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      +
      @@ -471,10 +499,10 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations. +This policy setting allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations. If you configure this policy setting, an audit event is generated during an IPsec Main Mode negotiation. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated during an IPsec Main Mode negotiation. +If you don't configure this policy setting, no audit event is generated during an IPsec Main Mode negotiation. Volume: High. @@ -486,10 +514,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -508,31 +536,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      +
      @@ -546,9 +581,9 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Quick Mode negotiations. +This policy setting allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Quick Mode negotiations. -If you configure this policy setting, an audit event is generated during an IPsec Quick Mode negotiation. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated during an IPsec Quick Mode negotiation. +If you configure this policy setting, an audit event is generated during an IPsec Quick Mode negotiation. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you don't configure this policy setting, no audit event is generated during an IPsec Quick Mode negotiation. Volume: High. @@ -560,10 +595,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -582,31 +617,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      +
      @@ -620,10 +662,10 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by the closing of a logon session. These events occur on the computer that was accessed. For an interactive logoff the security audit event is generated on the computer that the user account logged on to. +This policy setting allows you to audit events generated by the closing of a sign in session. These events occur on the computer that was accessed. For an interactive sign out the security audit event is generated on the computer that the user account logged on to. -If you configure this policy setting, an audit event is generated when a logon session is closed. Success audits record successful attempts to close sessions and Failure audits record unsuccessful attempts to close sessions. -If you do not configure this policy setting, no audit event is generated when a logon session is closed. +If you configure this policy setting, an audit event is generated when a sign in session is closed. Success audits record successful attempts to close sessions and Failure audits record unsuccessful attempts to close sessions. +If you don't configure this policy setting, no audit event is generated when a sign in session is closed. Volume: Low. @@ -635,10 +677,10 @@ GP Info: The following are the supported values: -- 0 — Off/None -- 1 (default) — Success -- 2 — Failure -- 3 — Success+Failure +- 0—Off/None +- 1 (default)—Success +- 2—Failure +- 3—Success+Failure @@ -657,31 +699,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      +
      @@ -695,13 +744,13 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by user account logon attempts on the computer. -Events in this subcategory are related to the creation of logon sessions and occur on the computer which was accessed. For an interactive logon, the security audit event is generated on the computer that the user account logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. +This policy setting allows you to audit events generated by user account sign in attempts on the computer. +Events in this subcategory are related to the creation of sign in sessions and occur on the computer that was accessed. For an interactive sign in, the security audit event is generated on the computer that the user account logged on to. For a network sign in, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. The following events are included: -- Successful logon attempts. -- Failed logon attempts. -- Logon attempts using explicit credentials. This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch logon configurations, such as scheduled tasks or when using the RUNAS command. -- Security identifiers (SIDs) were filtered and not allowed to log on. +- Successful sign in attempts. +- Failed sign in attempts. +- sign in attempts using explicit credentials. This event is generated when a process attempts to sign in an account by explicitly specifying that account’s credentials. This most commonly occurs in batch sign in configurations, such as scheduled tasks or when using the RUNAS command. +- Security identifiers (SIDs) were filtered and not allowed to sign in. Volume: Low on a client computer. Medium on a domain controller or a network server. @@ -713,10 +762,10 @@ GP Info: The following are the supported values: -- 0 — Off/None -- 1 (default) — Success -- 2 — Failure -- 3 — Success+Failure +- 0—Off/None +- 1 (default)—Success +- 2—Failure +- 3—Success+Failure @@ -735,31 +784,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      +
      @@ -773,7 +829,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by RADIUS (IAS) and Network Access Protection (NAP) user access requests. These requests can be Grant, Deny, Discard, Quarantine, Lock, and Unlock. +This policy setting allows you to audit events generated by RADIUS (IAS) and Network Access Protection (NAP) user access requests. These requests can be Grant, Deny, Discard, Quarantine, Lock, and Unlock. If you configure this policy setting, an audit event is generated for each IAS and NAP user access request. Success audits record successful user access requests and Failure audits record unsuccessful attempts. If you do not configure this policy settings, IAS and NAP user access requests are not audited. @@ -787,10 +843,10 @@ GP Info: The following are the supported values: -- 0 — Off/None -- 1 — Success -- 2 — Failure -- 3 (default) — Success+Failure +- 0—Off/None +- 1—Success +- 2—Failure +- 3 (default)—Success+Failure @@ -809,31 +865,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      +
      @@ -847,7 +910,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit other logon/logoff-related events that are not covered in the “Logon/Logoff” policy setting, such as the following: +This policy setting allows you to audit other logon/logoff-related events that aren't covered in the “Logon/Logoff” policy setting, such as the following: - Terminal Services session disconnections. - New Terminal Services sessions. - Locking and unlocking a workstation. @@ -867,10 +930,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -889,31 +952,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      +
      @@ -927,9 +997,9 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by special logons, such as the following: -- The use of a special logon, which is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level. -- A logon by a member of a Special Group. Special Groups enable you to audit events generated when a member of a certain group has logged on to your network. You can configure a list of group security identifiers (SIDs) in the registry. If any of those SIDs are added to a token during logon and the subcategory is enabled, an event is logged. For more information about this feature, see [Audit Special Logon](/windows/security/threat-protection/auditing/audit-special-logon). +This policy setting allows you to audit events generated by special logons, such as the following: +- The use of a special sign in, which is a sign in that has administrator-equivalent privileges and can be used to elevate a process to a higher level. +- A sign in by a member of a Special Group. Special Groups enable you to audit events generated when a member of a certain group has logged on to your network. You can configure a list of group security identifiers (SIDs) in the registry. If any of those SIDs are added to a token during sign in and the subcategory is enabled, an event is logged. For more information about this feature, see [Audit Special Logon](/windows/security/threat-protection/auditing/audit-special-logon). Volume: Low. @@ -941,10 +1011,10 @@ GP Info: The following are the supported values: -- 0 — Off/None -- 1 (default) — Success -- 2 — Failure -- 3 — Success+Failure +- 0—Off/None +- 1 (default)—Success +- 2—Failure +- 3—Success+Failure @@ -963,31 +1033,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      +
      @@ -1001,11 +1078,11 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy allows you to audit user and device claims information in the user's logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. +This policy allows you to audit user and device claims information in the user's sign in token. Events in this subcategory are generated on the computer on which a sign in session is created. For an interactive sign in, the security audit event is generated on the computer that the user logged on to. For a network sign in, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. -User claims are added to a logon token when claims are included with a user's account attributes in Active Directory. Device claims are added to the logon token when claims are included with a device's computer account attributes in Active Directory. In addition, compound identity must be enabled for the domain and on the computer where the user logged on. +User claims are added to a sign in token when claims are included with a user's account attributes in Active Directory. Device claims are added to the sign in token when claims are included with a device's computer account attributes in Active Directory. In addition, compound identity must be enabled for the domain and on the computer where the user logged on. -When this setting is configured, one or more security audit events are generated for each successful logon. You must also enable the Audit Logon setting under Advanced Audit Policy Configuration\System Audit Policies\Logon/Logoff. Multiple events are generated if the user and device claims information cannot fit in a single security audit event. +When this setting is configured, one or more security audit events are generated for each successful sign in. You must also enable the Audit Logon setting under Advanced Audit Policy Configuration\System Audit Policies\Logon/Logoff. Multiple events are generated if the user and device claims information cannot fit in a single security audit event. Volume: Low on a client computer. Medium on a domain controller or a network server. @@ -1017,10 +1094,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -1039,31 +1116,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      +
      @@ -1077,7 +1161,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by validation tests on user account logon credentials. +This policy setting allows you to audit events generated by validation tests on user account sign in credentials. Events in this subcategory occur only on the computer that is authoritative for those credentials. For domain accounts, the domain controller is authoritative. For local accounts, the local computer is authoritative. @@ -1091,10 +1175,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -1113,31 +1197,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      +
      @@ -1151,7 +1242,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by Kerberos authentication ticket-granting ticket (TGT) requests. +This policy setting allows you to audit events generated by Kerberos authentication ticket-granting ticket (TGT) requests. If you configure this policy setting, an audit event is generated after a Kerberos authentication TGT request. Success audits record successful requests and Failure audits record unsuccessful requests. If you do not configure this policy setting, no audit event is generated after a Kerberos authentication TGT request. @@ -1166,10 +1257,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -1188,31 +1279,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      +
      @@ -1226,7 +1324,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by Kerberos authentication ticket-granting ticket (TGT) requests submitted for user accounts. +This policy setting allows you to audit events generated by Kerberos authentication ticket-granting ticket (TGT) requests submitted for user accounts. If you configure this policy setting, an audit event is generated after a Kerberos authentication TGT is requested for a user account. Success audits record successful requests and Failure audits record unsuccessful requests. If you do not configure this policy setting, no audit event is generated after a Kerberos authentication TGT is request for a user account. @@ -1241,10 +1339,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -1263,31 +1361,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      +
      @@ -1301,7 +1406,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by responses to credential requests submitted for a user account logon that are not credential validation or Kerberos tickets. +This policy setting allows you to audit events generated by responses to credential requests submitted for a user account sign in that are not credential validation or Kerberos tickets. Currently, there are no events in this subcategory. @@ -1314,10 +1419,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -1336,31 +1441,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      +
      @@ -1374,7 +1486,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by changes to application groups, such as the following: +This policy setting allows you to audit events generated by changes to application groups as follows: - Application group is created, changed, or deleted. - Member is added or removed from an application group. @@ -1391,10 +1503,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -1413,31 +1525,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      +
      @@ -1451,7 +1570,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by changes to computer accounts such as when a computer account is created, changed, or deleted. +This policy setting allows you to audit events generated by changes to computer accounts such as when a computer account is created, changed, or deleted. If you configure this policy setting, an audit event is generated when an attempt to change a computer account is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when a computer account changes. @@ -1466,10 +1585,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -1488,31 +1607,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      +
      @@ -1526,7 +1652,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by changes to distribution groups, such as the following: +This policy setting allows you to audit events generated by changes to distribution groups as follows: - Distribution group is created, changed, or deleted. - Member is added or removed from a distribution group. - Distribution group type is changed. @@ -1547,10 +1673,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -1569,31 +1695,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      +
      @@ -1607,7 +1740,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by other user account changes that are not covered in this category, such as the following: +This policy setting allows you to audit events generated by other user account changes that are not covered in this category as follows: - The password hash of a user account was accessed. This typically happens during an Active Directory Management Tool password migration. - The Password Policy Checking API was called. Calls to this function can be part of an attack when a malicious application tests the policy to reduce the number of attempts during a password dictionary attack. - Changes to the Default Domain Group Policy under the following Group Policy paths: @@ -1627,10 +1760,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -1649,31 +1782,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      +
      @@ -1687,7 +1827,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by changes to security groups, such as the following: +This policy setting allows you to audit events generated by changes to security groups, such as the following: - Security group is created, changed, or deleted. - Member is added or removed from a security group. - Group type is changed. @@ -1705,10 +1845,10 @@ GP Info: The following are the supported values: -- 0 — Off/None -- 1 (default) — Success -- 2 — Failure -- 3 — Success+Failure +- 0—Off/None +- 1 (default)—Success +- 2—Failure +- 3—Success+Failure @@ -1727,31 +1867,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      +
      @@ -1765,8 +1912,8 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit changes to user accounts. -Events include the following: +This policy setting allows you to audit changes to user accounts. +The events included are as follows: - A user account is created, changed, deleted; renamed, disabled, enabled, locked out, or unlocked. - A user account’s password is set or changed. - A security identifier (SID) is added to the SID History of a user account. @@ -1787,10 +1934,10 @@ GP Info: The following are the supported values: -- 0 — Off/None -- 1 (default) — Success -- 2 — Failure -- 3 — Success+Failure +- 0—Off/None +- 1 (default)—Success +- 2—Failure +- 3—Success+Failure @@ -1809,31 +1956,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      +
      @@ -1847,7 +2001,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by detailed Active Directory Domain Services (AD DS) replication between domain controllers. +This policy setting allows you to audit events generated by detailed Active Directory Domain Services (AD DS) replication between domain controllers. Volume: High. @@ -1860,10 +2014,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -1882,31 +2036,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      +
      @@ -1920,7 +2081,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated when an Active Directory Domain Services (AD DS) object is accessed. +This policy setting allows you to audit events generated when an Active Directory Domain Services (AD DS) object is accessed. Only AD DS objects with a matching system access control list (SACL) are logged. @@ -1936,10 +2097,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -1958,31 +2119,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      +
      @@ -1996,7 +2164,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by changes to objects in Active Directory Domain Services (AD DS). Events are logged when an object is created, deleted, modified, moved, or undeleted. +This policy setting allows you to audit events generated by changes to objects in Active Directory Domain Services (AD DS). Events are logged when an object is created, deleted, modified, moved, or undeleted. When possible, events logged in this subcategory indicate the old and new values of the object’s properties. @@ -2018,10 +2186,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -2040,31 +2208,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      +
      @@ -2078,7 +2253,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit replication between two Active Directory Domain Services (AD DS) domain controllers. +This policy setting allows you to audit replication between two Active Directory Domain Services (AD DS) domain controllers. If you configure this policy setting, an audit event is generated during AD DS replication. Success audits record successful replication and Failure audits record unsuccessful replication. If you do not configure this policy setting, no audit event is generated during AD DS replication. @@ -2096,10 +2271,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -2118,31 +2293,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      +
      @@ -2156,7 +2338,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated when encryption or decryption requests are made to the Data Protection application interface (DPAPI). DPAPI is used to protect secret information such as stored password and key information. For more information about DPAPI, see https://go.microsoft.com/fwlink/?LinkId=121720. +This policy setting allows you to audit events generated when encryption or decryption requests are made to the Data Protection application interface (DPAPI). DPAPI is used to protect secret information such as stored password and key information. For more information about DPAPI, see https://go.microsoft.com/fwlink/?LinkId=121720. If you configure this policy setting, an audit event is generated when an encryption or decryption request is made to DPAPI. Success audits record successful requests and Failure audits record unsuccessful requests. If you do not configure this policy setting, no audit event is generated when an encryption or decryption request is made to DPAPI. @@ -2171,10 +2353,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -2192,31 +2374,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      +
      @@ -2230,7 +2419,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit when plug and play detects an external device. +This policy setting allows you to audit when plug and play detects an external device. If you configure this policy setting, an audit event is generated whenever plug and play detects an external device. Only Success audits are recorded for this category. If you do not configure this policy setting, no audit event is generated when an external device is detected by plug and play. @@ -2245,10 +2434,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -2266,31 +2455,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      +
      @@ -2304,7 +2500,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated when a process is created or starts. The name of the application or user that created the process is also audited. +This policy setting allows you to audit events generated when a process is created or starts. The name of the application or user that created the process is also audited. If you configure this policy setting, an audit event is generated when a process is created. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when a process is created. @@ -2319,10 +2515,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -2340,31 +2536,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      +
      @@ -2378,7 +2581,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated when a process ends. +This policy setting allows you to audit events generated when a process ends. If you configure this policy setting, an audit event is generated when a process ends. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when a process ends. @@ -2393,10 +2596,10 @@ GP Info: The following are the supported values: -- 0 — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -2414,31 +2617,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      +
      @@ -2452,7 +2662,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit inbound remote procedure call (RPC) connections. +This policy setting allows you to audit inbound remote procedure call (RPC) connections. If you configure this policy setting, an audit event is generated when a remote RPC connection is attempted. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when a remote RPC connection is attempted. @@ -2467,10 +2677,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -2488,31 +2698,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      +
      @@ -2526,7 +2743,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by adjusting the privileges of a token. +This policy setting allows you to audit events generated by adjusting the privileges of a token. Volume: High. @@ -2538,10 +2755,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -2560,31 +2777,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      +
      @@ -2598,7 +2822,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit applications that generate events using the Windows Auditing application programming interfaces (APIs). Applications designed to use the Windows Auditing API use this subcategory to log auditing events related to their function. +This policy setting allows you to audit applications that generate events using the Windows Auditing application programming interfaces (APIs). Applications designed to use the Windows Auditing API use this subcategory to log auditing events related to their function. Events in this subcategory include: - Creation of an application client context. - Deletion of an application client context. @@ -2615,10 +2839,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -2636,31 +2860,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      +
      @@ -2674,7 +2905,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit access requests where the permission granted or denied by a proposed policy differs from the current central access policy on an object. +This policy setting allows you to audit access requests where the permission granted or denied by a proposed policy differs from the current central access policy on an object. If you configure this policy setting, an audit event is generated each time a user accesses an object and the permission granted by the current central access policy on the object differs from that granted by the proposed policy. The resulting audit event will be generated as follows: 1. Success audits, when configured, records access attempts when the current central access policy grants access but the proposed policy denies access. @@ -2693,10 +2924,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -2715,31 +2946,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      +
      @@ -2753,7 +2991,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit Active Directory Certificate Services (AD CS) operations. +This policy setting allows you to audit Active Directory Certificate Services (AD CS) operations. AD CS operations include the following: - AD CS startup/shutdown/backup/restore. @@ -2783,10 +3021,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -2804,31 +3042,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      +
      @@ -2842,7 +3087,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit attempts to access files and folders on a shared folder. The Detailed File Share setting logs an event every time a file or folder is accessed, whereas the File Share setting only records one event for any connection established between a client and file share. Detailed File Share audit events include detailed information about the permissions or other criteria used to grant or deny access. +This policy setting allows you to audit attempts to access files and folders on a shared folder. The Detailed File Share setting logs an event every time a file or folder is accessed, whereas the File Share setting only records one event for any connection established between a client and file share. Detailed File Share audit events include detailed information about the permissions or other criteria used to grant or deny access. If you configure this policy setting, an audit event is generated when an attempt is made to access a file or folder on a share. The administrator can specify whether to audit only successes, only failures, or both successes and failures. @@ -2859,10 +3104,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -2880,31 +3125,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      +
      @@ -2918,7 +3170,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit attempts to access a shared folder. +This policy setting allows you to audit attempts to access a shared folder. If you configure this policy setting, an audit event is generated when an attempt is made to access a shared folder. If this policy setting is defined, the administrator can specify whether to audit only successes, only failures, or both successes and failures. @@ -2935,10 +3187,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -2956,31 +3208,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      +
      @@ -2994,7 +3253,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit user attempts to access file system objects. A security audit event is generated only for objects that have system access control lists (SACL) specified, and only if the type of access requested, such as Write, Read, or Modify and the account making the request match the settings in the SACL. For more information about enabling object access auditing, see [Apply a basic audit policy on a file or folder](/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder). +This policy setting allows you to audit user attempts to access file system objects. A security audit event is generated only for objects that have system access control lists (SACL) specified, and only if the type of access requested, such as Write, Read, or Modify and the account making the request match the settings in the SACL. For more information about enabling object access auditing, see [Apply a basic audit policy on a file or folder](/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder). If you configure this policy setting, an audit event is generated each time an account accesses a file system object with a matching SACL. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when an account accesses a file system object with a matching SACL. @@ -3012,10 +3271,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -3033,31 +3292,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      +
      @@ -3071,7 +3337,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit connections that are allowed or blocked by the Windows Filtering Platform (WFP). +This policy setting allows you to audit connections that are allowed or blocked by the Windows Filtering Platform (WFP). The following events are included: - The Windows Firewall Service blocks an application from accepting incoming connections on the network. - The WFP allows a connection. @@ -3097,10 +3363,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -3118,31 +3384,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      +
      @@ -3156,7 +3429,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit packets that are dropped by Windows Filtering Platform (WFP). +This policy setting allows you to audit packets that are dropped by Windows Filtering Platform (WFP). Volume: High. @@ -3169,10 +3442,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -3190,31 +3463,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      +
      @@ -3228,7 +3508,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated when a handle to an object is opened or closed. Only objects with a matching system access control list (SACL) generate security audit events. +This policy setting allows you to audit events generated when a handle to an object is opened or closed. Only objects with a matching system access control list (SACL) generate security audit events. If you configure this policy setting, an audit event is generated when a handle is manipulated. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when a handle is manipulated. @@ -3246,10 +3526,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -3267,31 +3547,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      +
      @@ -3305,7 +3592,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit attempts to access the kernel, which includes mutexes and semaphores. +This policy setting allows you to audit attempts to access the kernel, which includes mutexes and semaphores. Only kernel objects with a matching system access control list (SACL) generate security audit events. > [!Note] @@ -3321,10 +3608,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -3342,31 +3629,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      +
      @@ -3380,7 +3674,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by the management of task scheduler jobs or COM+ objects. +This policy setting allows you to audit events generated by the management of task scheduler jobs or COM+ objects. For scheduler jobs, the following are audited: - Job created. - Job deleted. @@ -3403,10 +3697,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -3424,31 +3718,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      +
      @@ -3462,7 +3763,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit attempts to access registry objects. A security audit event is generated only for objects that have system access control lists (SACLs) specified, and only if the type of access requested, such as Read, Write, or Modify, and the account making the request match the settings in the SACL. +This policy setting allows you to audit attempts to access registry objects. A security audit event is generated only for objects that have system access control lists (SACLs) specified, and only if the type of access requested, such as Read, Write, or Modify, and the account making the request match the settings in the SACL. If you configure this policy setting, an audit event is generated each time an account accesses a registry object with a matching SACL. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when an account accesses a registry object with a matching SACL. @@ -3480,10 +3781,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -3501,31 +3802,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      +
      @@ -3539,7 +3847,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit user attempts to access file system objects on a removable storage device. A security audit event is generated only for all objects for all types of access requested. +This policy setting allows you to audit user attempts to access file system objects on a removable storage device. A security audit event is generated only for all objects for all types of access requested. If you configure this policy setting, an audit event is generated each time an account accesses a file system object on a removable storage. Success audits record successful attempts and Failure audits record unsuccessful attempts. @@ -3554,10 +3862,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -3575,31 +3883,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      +
      @@ -3613,7 +3928,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by attempts to access to Security Accounts Manager (SAM) objects. +This policy setting allows you to audit events generated by attempts to access to Security Accounts Manager (SAM) objects. SAM objects include the following: - SAM_ALIAS -- A local group. - SAM_GROUP -- A group that is not a local group. @@ -3638,10 +3953,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -3659,31 +3974,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      +
      @@ -3697,7 +4019,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by changes to the authentication policy, such as the following: +This policy setting allows you to audit events generated by changes to the authentication policy, such as the following: - Creation of forest and domain trusts. - Modification of forest and domain trusts. - Removal of forest and domain trusts. @@ -3726,10 +4048,10 @@ GP Info: The following are the supported values: -- 0 — Off/None -- 1 (default) — Success -- 2 — Failure -- 3 — Success+Failure +- 0—Off/None +- 1 (default)—Success +- 2—Failure +- 3—Success+Failure @@ -3748,31 +4070,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      +
      @@ -3786,7 +4115,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by changes to the authorization policy, such as the following: +This policy setting allows you to audit events generated by changes to the authorization policy, such as the following: - Assignment of user rights (privileges), such as SeCreateTokenPrivilege, that are not audited through the “Authentication Policy Change” subcategory. - Removal of user rights (privileges), such as SeCreateTokenPrivilege, that are not audited through the “Authentication Policy Change” subcategory. - Changes in the Encrypted File System (EFS) policy. @@ -3806,10 +4135,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -3828,31 +4157,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      +
      @@ -3866,7 +4202,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by changes to the Windows Filtering Platform (WFP), such as the following: +This policy setting allows you to audit events generated by changes to the Windows Filtering Platform (WFP), such as the following: - IPsec services status. - Changes to IPsec policy settings. - Changes to Windows Firewall policy settings. @@ -3885,10 +4221,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -3907,31 +4243,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      +
      @@ -3945,7 +4288,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by changes in policy rules used by the Microsoft Protection Service (MPSSVC). This service is used by Windows Firewall. +This policy setting allows you to audit events generated by changes in policy rules used by the Microsoft Protection Service (MPSSVC). This service is used by Windows Firewall. Events include the following: - Reporting of active policies when Windows Firewall service starts. - Changes to Windows Firewall rules. @@ -3967,10 +4310,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -3989,31 +4332,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      +
      @@ -4027,7 +4377,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by other security policy changes that are not audited in the policy change category, such as the following: +This policy setting allows you to audit events generated by other security policy changes that are not audited in the policy change category, such as the following: - Trusted Platform Module (TPM) configuration changes. - Kernel-mode cryptographic self tests. - Cryptographic provider operations. @@ -4045,10 +4395,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -4067,31 +4417,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      +
      @@ -4105,7 +4462,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit changes in the security audit policy settings, such as the following: +This policy setting allows you to audit changes in the security audit policy settings, such as the following: - Settings permissions and audit settings on the Audit Policy object. - Changes to the system audit policy. - Registration of security event sources. @@ -4128,10 +4485,10 @@ GP Info: The following are the supported values: -- 0 — Off/None -- 1 (default) — Success -- 2 — Failure -- 3 — Success+Failure +- 0—Off/None +- 1 (default)—Success +- 2—Failure +- 3—Success+Failure @@ -4150,31 +4507,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      +
      @@ -4188,7 +4552,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by the use of non-sensitive privileges (user rights). +This policy setting allows you to audit events generated by the use of non-sensitive privileges (user rights). The following privileges are non-sensitive: - Access Credential Manager as a trusted caller. - Access this computer from the network. @@ -4234,10 +4598,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -4255,31 +4619,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      +
      @@ -4304,10 +4675,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -4325,31 +4696,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      +
      @@ -4363,7 +4741,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated when sensitive privileges (user rights) are used, such as the following: +This policy setting allows you to audit events generated when sensitive privileges (user rights) are used, such as the following: - A privileged service is called. - One of the following privileges are called: - Act as part of the operating system. @@ -4393,10 +4771,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -4414,31 +4792,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      +
      @@ -4452,7 +4837,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by the IPsec filter driver, such as the following: +This policy setting allows you to audit events generated by the IPsec filter driver, such as the following: - Startup and shutdown of the IPsec services. - Network packets dropped due to integrity check failure. - Network packets dropped due to replay check failure. @@ -4473,10 +4858,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -4495,31 +4880,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      +
      @@ -4533,7 +4925,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit any of the following events: +This policy setting allows you to audit any of the following events: - Startup and shutdown of the Windows Firewall service and driver. - Security policy processing by the Windows Firewall Service. - Cryptography key file and migration operations. @@ -4548,10 +4940,10 @@ GP Info: The following are the supported values: -- 0 — Off/None -- 1 — Success -- 2 — Failure -- 3 (default) — Success+Failure +- 0—Off/None +- 1—Success +- 2—Failure +- 3 (default)—Success+Failure @@ -4570,31 +4962,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      +
      @@ -4608,7 +5007,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by changes in the security state of the computer, such as the following events: +This policy setting allows you to audit events generated by changes in the security state of the computer, such as the following events: - Startup and shutdown of the computer. - Change of system time. - Recovering the system from CrashOnAuditFail, which is logged after a system restarts when the security event log is full and the CrashOnAuditFail registry entry is configured. @@ -4623,10 +5022,10 @@ GP Info: The following are the supported values: -- 0 — Off/None -- 1 (default) — Success -- 2 — Failure -- 3 — Success+Failure +- 0—Off/None +- 1 (default)—Success +- 2—Failure +- 3—Success+Failure @@ -4645,31 +5044,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      +
      @@ -4683,7 +5089,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events related to security system extensions or services, such as the following: +This policy setting allows you to audit events related to security system extensions or services, such as the following: - A security system extension, such as an authentication, notification, or security package is loaded and is registered with the Local Security Authority (LSA). It is used to authenticate logon attempts, submit logon requests, and any account or password changes. Examples of security system extensions are Kerberos and NTLM. - A service is installed and registered with the Service Control Manager. The audit log contains information about the service name, binary, type, start type, and service account. @@ -4700,10 +5106,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -4722,31 +5128,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      +
      @@ -4760,7 +5173,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events that violate the integrity of the security subsystem, such as the following: +This policy setting allows you to audit events that violate the integrity of the security subsystem, such as the following: - Events that could not be written to the event log because of a problem with the auditing system. - A process that uses a local procedure call (LPC) port that is not valid in an attempt to impersonate a client by replying, reading, or writing to or from a client address space. - The detection of a Remote Procedure Call (RPC) that compromises system integrity. @@ -4777,10 +5190,10 @@ GP Info: The following are the supported values: -- 0 — Off/None -- 1 — Success -- 2 — Failure -- 3 (default) — Success+Failure +- 0—Off/None +- 1—Success +- 2—Failure +- 3 (default)—Success+Failure @@ -4792,15 +5205,6 @@ The following are the supported values:
      -Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-authentication.md b/windows/client-management/mdm/policy-csp-authentication.md index 490bc43255..b30980d636 100644 --- a/windows/client-management/mdm/policy-csp-authentication.md +++ b/windows/client-management/mdm/policy-csp-authentication.md @@ -59,31 +59,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark3YesYes
      Businesscheck mark3YesYes
      Enterprisecheck mark3YesYes
      Educationcheck mark3YesYes
      +
      @@ -97,7 +104,7 @@ manager: dansimp -Added in Windows 10, version 1709. Specifies whether password reset is enabled for Azure Active Directory accounts. This policy allows the Azure AD tenant administrators to enable self service password reset feature on the windows logon screen. +Specifies whether password reset is enabled for Azure Active Directory accounts. This policy allows the Azure AD tenant administrators to enable self service password reset feature on the windows logon screen. @@ -117,31 +124,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -175,31 +189,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -235,31 +256,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark3YesYes
      Businesscheck mark3YesYes
      Enterprisecheck mark3YesYes
      Educationcheck mark3YesYes
      +
      @@ -273,7 +301,7 @@ The following list shows the supported values: -Preview release in Windows 10, version 1709. Supported in the next release. Specifies whether Fast Identity Online (FIDO) device can be used to sign on. This policy enables the Windows logon credential provider for FIDO 2.0 +Supported in the next release. Specifies whether Fast Identity Online (FIDO) device can be used to sign on. This policy enables the Windows logon credential provider for FIDO 2.0 Value type is integer. @@ -297,31 +325,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark1NoNo
      Procheck mark1YesYes
      Businesscheck mark1YesYes
      Enterprisecheck mark1YesYes
      Educationcheck mark1YesYes
      +
      @@ -335,7 +370,7 @@ The following list shows the supported values: -Added in Windows 10, version 1607. Allows secondary authentication devices to work with Windows. +Allows secondary authentication devices to work with Windows. The default for this policy must be on for consumer devices (defined as local or Microsoft account connected device) and off for enterprise devices (such as cloud domain-joined, cloud domain-joined in an on-premises only environment, cloud domain-joined in a hybrid environment, and BYOD). @@ -367,31 +402,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark4YesYes
      Businesscheck mark4YesYes
      Enterprisecheck mark4YesYes
      Educationcheck mark4YesYes
      +
      @@ -405,7 +447,7 @@ The following list shows the supported values: -Available in Windows 10, version 1803. Specifies the list of domains that are allowed to be navigated to in AAD PIN reset and Web Sign-in Windows device scenarios where authentication is handled by AD FS or a third-party federated identity provider. Note this policy is required in federated environments as a mitigation to the vulnerability described in [CVE-2021-27092](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27092). +Specifies the list of domains that are allowed to be navigated to in AAD PIN reset and Web Sign-in Windows device scenarios where authentication is handled by AD FS or a third-party federated identity provider. Note this policy is required in federated environments as a mitigation to the vulnerability described in [CVE-2021-27092](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27092). **Example**: If your organization's PIN reset or Web Sign-in authentication flow is expected to navigate to two domains, accounts.contoso.com and signin.contoso.com, the policy value should be "accounts.contoso.com;signin.contoso.com". @@ -429,31 +471,38 @@ Available in Windows 10, version 1803. Specifies the list of domains that are al - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark5YesYes
      Businesscheck mark5YesYes
      Enterprisecheck mark5YesYes
      Educationcheck mark5YesYes
      +
      @@ -468,7 +517,7 @@ Available in Windows 10, version 1803. Specifies the list of domains that are al > [!Warning] -> This policy is in preview mode only and therefore not meant or recommended for production purposes. +> The Web Sign-in feature is in preview mode only and therefore not meant or recommended for production purposes. This policy is intended for use on Shared PCs to enable a quick first sign-in experience for a user. It works by automatically connecting new non-admin Azure Active Directory (Azure AD) accounts to the pre-configured candidate local accounts. @@ -501,31 +550,38 @@ Value type is integer. Supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark5YesYes
      Businesscheck mark5YesYes
      Enterprisecheck mark5YesYes
      Educationcheck mark5YesYes
      +
      @@ -540,7 +596,7 @@ Value type is integer. Supported values: > [!Warning] -> This policy is in preview mode only and therefore not meant or recommended for production purposes. +> The Web Sign-in feature is in preview mode only and therefore not meant or recommended for production purposes. "Web Sign-in" is a new way of signing into a Windows PC. It enables Windows logon support for new Azure AD credentials, like Temporary Access Pass. @@ -573,31 +629,38 @@ Value type is integer. Supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark5YesYes
      Businesscheck mark5YesYes
      Enterprisecheck mark5YesYes
      Educationcheck mark5YesYes
      +
      @@ -631,15 +694,6 @@ Value type is string.
      -Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-autoplay.md b/windows/client-management/mdm/policy-csp-autoplay.md index 0eca05d2bb..0223d28d59 100644 --- a/windows/client-management/mdm/policy-csp-autoplay.md +++ b/windows/client-management/mdm/policy-csp-autoplay.md @@ -14,6 +14,12 @@ manager: dansimp # Policy CSP - Autoplay +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -42,31 +48,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -88,12 +101,7 @@ If you enable this policy setting, AutoPlay is not allowed for MTP devices like If you disable or do not configure this policy setting, AutoPlay is enabled for non-volume devices. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -113,31 +121,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -168,12 +183,7 @@ b) Revert back to pre-Windows Vista behavior of automatically executing the auto If you disable or not configure this policy setting, Windows Vista or later will prompt the user whether autorun command is to be run. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -193,31 +203,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -249,12 +266,7 @@ If you disable or do not configure this policy setting, AutoPlay is enabled. Note: This policy setting appears in both the Computer Configuration and User Configuration folders. If the policy settings conflict, the policy setting in Computer Configuration takes precedence over the policy setting in User Configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -267,16 +279,7 @@ ADMX Info:
      -Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-bitlocker.md b/windows/client-management/mdm/policy-csp-bitlocker.md index 03fcf174ca..c629f2ed81 100644 --- a/windows/client-management/mdm/policy-csp-bitlocker.md +++ b/windows/client-management/mdm/policy-csp-bitlocker.md @@ -39,31 +39,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -95,15 +102,6 @@ The following list shows the supported values:
      -Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-bits.md b/windows/client-management/mdm/policy-csp-bits.md index 02abb3111c..087a16f215 100644 --- a/windows/client-management/mdm/policy-csp-bits.md +++ b/windows/client-management/mdm/policy-csp-bits.md @@ -57,31 +57,38 @@ If BITS/BandwidthThrottlingStartTime or BITS/BandwidthThrottlingEndTime are NOT - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark5YesYes
      Procheck mark5YesYes
      Businesscross markNoNo
      Enterprisecheck mark5YesYes
      Educationcheck mark5YesYes
      +
      @@ -107,7 +114,8 @@ Using the three policies together (BandwidthThrottlingStartTime, BandwidthThrott If you disable or do not configure this policy setting, BITS uses all available unused bandwidth. -Note: You should base the limit on the speed of the network link, not the computer's network interface card (NIC). This policy setting does not affect peer caching transfers between peer computers (it does affect transfers from the origin server); the "Limit the maximum network bandwidth used for Peercaching" policy setting should be used for that purpose. +> [!NOTE] +> You should base the limit on the speed of the network link, not the computer's network interface card (NIC). This policy setting does not affect peer caching transfers between peer computers (it does affect transfers from the origin server); the "Limit the maximum network bandwidth used for Peercaching" policy setting should be used for that purpose. Consider using this setting to prevent BITS transfers from competing for network bandwidth when the client computer has a fast network card (10Mbs), but is connected to the network via a slow link (56Kbs). @@ -140,28 +148,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark5YesYes
      Procheck mark5YesYes
      Businesscross markNoNo
      Enterprisecheck mark5YesYes
      Educationcheck mark5YesYes
      @@ -190,7 +204,8 @@ Using the three policies together (BandwidthThrottlingStartTime, BandwidthThrott If you disable or do not configure this policy setting, BITS uses all available unused bandwidth. -Note: You should base the limit on the speed of the network link, not the computer's network interface card (NIC). This policy setting does not affect peer caching transfers between peer computers (it does affect transfers from the origin server); the "Limit the maximum network bandwidth used for Peercaching" policy setting should be used for that purpose. +> [!NOTE] +> You should base the limit on the speed of the network link, not the computer's network interface card (NIC). This policy setting does not affect peer caching transfers between peer computers (it does affect transfers from the origin server); the "Limit the maximum network bandwidth used for Peercaching" policy setting should be used for that purpose. Consider using this setting to prevent BITS transfers from competing for network bandwidth when the client computer has a fast network card (10Mbs), but is connected to the network via a slow link (56Kbs). @@ -223,28 +238,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark5YesYes
      Procheck mark5YesYes
      Businesscross markNoNo
      Enterprisecheck mark5YesYes
      Educationcheck mark5YesYes
      @@ -273,7 +294,8 @@ Using the three policies together (BandwidthThrottlingStartTime, BandwidthThrott If you disable or do not configure this policy setting, BITS uses all available unused bandwidth. -Note: You should base the limit on the speed of the network link, not the computer's network interface card (NIC). This policy setting does not affect peer caching transfers between peer computers (it does affect transfers from the origin server); the "Limit the maximum network bandwidth used for Peercaching" policy setting should be used for that purpose. +> [!NOTE] +> You should base the limit on the speed of the network link, not the computer's network interface card (NIC). This policy setting does not affect peer caching transfers between peer computers (it does affect transfers from the origin server); the "Limit the maximum network bandwidth used for Peercaching" policy setting should be used for that purpose. Consider using this setting to prevent BITS transfers from competing for network bandwidth when the client computer has a fast network card (10Mbs), but is connected to the network via a slow link (56Kbs). @@ -306,28 +328,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark5YesYes
      Procheck mark5YesYes
      Businesscross markNoNo
      Enterprisecheck mark5YesYes
      Educationcheck mark5YesYes
      @@ -384,28 +412,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark5YesYes
      Procheck mark5YesYes
      Businesscross markNoNo
      Enterprisecheck mark5YesYes
      Educationcheck mark5YesYes
      @@ -462,28 +496,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark5YesYes
      Procheck mark5YesYes
      Businesscross markNoNo
      Enterprisecheck mark5YesYes
      Educationcheck mark5YesYes
      @@ -540,16 +580,7 @@ Supported values range: 0 - 999
      -Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-bluetooth.md b/windows/client-management/mdm/policy-csp-bluetooth.md index 6426fba5e8..c209021556 100644 --- a/windows/client-management/mdm/policy-csp-bluetooth.md +++ b/windows/client-management/mdm/policy-csp-bluetooth.md @@ -52,31 +52,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -114,31 +121,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -176,31 +190,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark1YesYes
      Businesscheck mark1YesYes
      Enterprisecheck mark1YesYes
      Educationcheck mark1YesYes
      +
      @@ -234,31 +255,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark4YesYes
      Businesscheck mark4YesYes
      Enterprisecheck mark4YesYes
      Educationcheck mark4YesYes
      +
      @@ -272,7 +300,7 @@ The following list shows the supported values: -Added in Windows 10, version 1803. This policy allows the IT admin to block users on these managed devices from using Swift Pair and other proximity based scenarios. +This policy allows the IT admin to block users on these managed devices from using Swift Pair and other proximity based scenarios. @@ -292,31 +320,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -347,31 +382,38 @@ If this policy is not set or it is deleted, the default local radio name is used - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -385,7 +427,7 @@ If this policy is not set or it is deleted, the default local radio name is used -Added in Windows 10, version 1511. Set a list of allowable services and profiles. String hex formatted array of Bluetooth service UUIDs in canonical format, delimited by semicolons. For example, {782AFCFC-7CAA-436C-8BF0-78CD0FFBD4AF}. +Set a list of allowable services and profiles. String hex formatted array of Bluetooth service UUIDs in canonical format, delimited by semicolons. For example, {782AFCFC-7CAA-436C-8BF0-78CD0FFBD4AF}. The default value is an empty string. For more information, see [ServicesAllowedList usage guide](#servicesallowedlist-usage-guide) @@ -400,31 +442,38 @@ The default value is an empty string. For more information, see [ServicesAllowed - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark8YesYes
      Businesscheck mark8YesYes
      Enterprisecheck mark8YesYes
      Educationcheck mark8YesYes
      +
      @@ -438,7 +487,7 @@ The default value is an empty string. For more information, see [ServicesAllowed -Added in Windows 10, version 2004. There are multiple levels of encryption strength when pairing Bluetooth devices. This policy helps prevent weaker devices cryptographically being used in high security environments. +There are multiple levels of encryption strength when pairing Bluetooth devices. This policy helps prevent weaker devices cryptographically being used in high security environments. @@ -458,16 +507,7 @@ For more information on allowed key sizes, refer to Bluetooth Core Specification
      -Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004.
      diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md index 14cd612597..adb1bec8af 100644 --- a/windows/client-management/mdm/policy-csp-browser.md +++ b/windows/client-management/mdm/policy-csp-browser.md @@ -201,31 +201,38 @@ ms.localizationpriority: medium - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark2YesYes
      Businesscheck mark2YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      +
      @@ -272,31 +279,38 @@ Most restricted value: 0 - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -351,31 +365,38 @@ To verify AllowAutofill is set to 0 (not allowed): - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark4YesYes
      Businesscheck mark4YesYes
      Enterprisecheck mark4YesYes
      Educationcheck mark4YesYes
      +
      @@ -420,31 +441,38 @@ Supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -499,31 +527,38 @@ To verify AllowCookies is set to 0 (not allowed): - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -539,7 +574,7 @@ To verify AllowCookies is set to 0 (not allowed): > [!NOTE] -> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. +> This policy is only enforced in Windows for desktop and not supported in Windows Mobile. [!INCLUDE [allow-developer-tools-shortdesc](../includes/allow-developer-tools-shortdesc.md)] @@ -570,31 +605,38 @@ Most restricted value: 0 - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -648,31 +690,38 @@ To verify AllowDoNotTrack is set to 0 (not allowed): - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark1YesYes
      Businesscheck mark1YesYes
      Enterprisecheck mark1YesYes
      Educationcheck mark1YesYes
      +
      @@ -717,31 +766,38 @@ Supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -786,31 +842,38 @@ Supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark2YesYes
      Businesscheck mark2YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      +
      @@ -858,31 +921,38 @@ Most restricted value: 1 - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark5YesYes
      Businesscheck mark5YesYes
      Enterprisecheck mark5YesYes
      Educationcheck mark5YesYes
      +
      @@ -935,31 +1005,38 @@ Most restricted value: 0 - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -1004,31 +1081,38 @@ Most restricted value: 0 - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark2YesYes
      Businesscheck mark2YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      +
      @@ -1077,31 +1161,38 @@ Most restricted value: 0 - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -1155,31 +1246,38 @@ To verify AllowPasswordManager is set to 0 (not allowed): - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -1233,31 +1331,38 @@ To verify AllowPopups is set to 0 (not allowed): - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark5YesYes
      Businesscheck mark5YesYes
      Enterprisecheck mark5YesYes
      Educationcheck mark5YesYes
      +
      @@ -1311,31 +1416,38 @@ Most restricted value: 0 - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark5YesYes
      Businesscheck mark5YesYes
      Enterprisecheck mark5YesYes
      Educationcheck mark5YesYes
      +
      @@ -1388,31 +1500,38 @@ Most restricted value: 0 - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark5YesYes
      Businesscheck mark5YesYes
      Enterprisecheck mark5YesYes
      Educationcheck mark5YesYes
      +
      @@ -1465,31 +1584,38 @@ Most restricted value: 0 - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark2YesYes
      Businesscheck mark2YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      +
      @@ -1540,31 +1666,38 @@ Most restricted value: 0 - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -1610,31 +1743,38 @@ Most restricted value: 0 - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark5YesYes
      Businesscheck mark5YesYes
      Enterprisecheck mark5YesYes
      Educationcheck mark5YesYes
      +
      @@ -1687,31 +1827,38 @@ Most restricted value: 0 - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -1764,31 +1911,38 @@ To verify AllowSmartScreen is set to 0 (not allowed): - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark5YesYes
      Businesscheck mark5YesYes
      Enterprisecheck mark5YesYes
      Educationcheck mark5YesYes
      +
      @@ -1840,31 +1994,38 @@ Most restricted value: 1 - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark5YesYes
      Businesscheck mark5YesYes
      Enterprisecheck mark5YesYes
      Educationcheck mark5YesYes
      +
      @@ -1916,31 +2077,38 @@ Supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark4YesYes
      Businesscheck mark4YesYes
      Enterprisecheck mark4YesYes
      Educationcheck mark4YesYes
      +
      @@ -1988,31 +2156,38 @@ Most restricted value: 0 - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark2YesYes
      Businesscheck mark2YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      +
      @@ -2068,31 +2243,38 @@ To verify that browsing data is cleared on exit (ClearBrowsingDataOnExit is set - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark2YesYes
      Businesscheck mark2YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      +
      @@ -2143,31 +2325,38 @@ Most restricted value: 0 - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark5YesYes
      Businesscheck mark5YesYes
      Enterprisecheck mark5YesYes
      Educationcheck mark5YesYes
      +
      @@ -2220,31 +2409,38 @@ Supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark5YesYes
      Businesscheck mark5YesYes
      Enterprisecheck mark5YesYes
      Educationcheck mark5YesYes
      +
      @@ -2301,31 +2497,38 @@ Supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark5YesYes
      Businesscheck mark5YesYes
      Enterprisecheck mark5YesYes
      Educationcheck mark5YesYes
      +
      @@ -2385,31 +2588,38 @@ Supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark5YesYes
      Businesscheck mark5YesYes
      Enterprisecheck mark5YesYes
      Educationcheck mark5YesYes
      +
      @@ -2464,31 +2674,38 @@ Supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark5YesYes
      Businesscheck mark5YesYes
      Enterprisecheck mark5YesYes
      Educationcheck mark5YesYes
      +
      @@ -2553,31 +2770,38 @@ Supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark5YesYes
      Businesscheck mark5YesYes
      Enterprisecheck mark5YesYes
      Educationcheck mark5YesYes
      +
      @@ -2631,31 +2855,38 @@ Most restricted value: 0 - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark2YesYes
      Businesscheck mark2YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      +
      @@ -2707,31 +2938,38 @@ Most restricted value: 0 - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark4YesYes
      Businesscheck mark4YesYes
      Enterprisecheck mark4YesYes
      Educationcheck mark4YesYes
      +
      @@ -2776,31 +3014,38 @@ Most restricted value: 0 - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -2819,7 +3064,7 @@ Most restricted value: 0 [!INCLUDE [configure-enterprise-mode-site-list-shortdesc](../includes/configure-enterprise-mode-site-list-shortdesc.md)] > [!NOTE] -> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. +> This policy is only enforced in Windows for desktop and not supported in Windows Mobile. @@ -2851,31 +3096,38 @@ Supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -2904,31 +3156,38 @@ Supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -2944,7 +3203,7 @@ Supported values: > [!NOTE] -> This policy is only available for Windows 10 for desktop and not supported in Windows 10 Mobile. +> This policy is only available for Windows for desktop and not supported in Windows Mobile. [!INCLUDE [configure-start-pages-shortdesc](../includes/configure-start-pages-shortdesc.md)] @@ -2989,31 +3248,38 @@ Supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark3YesYes
      Businesscheck mark3YesYes
      Enterprisecheck mark3YesYes
      Educationcheck mark3YesYes
      +
      @@ -3060,31 +3326,38 @@ Most restricted value: 1 - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -3129,31 +3402,38 @@ Most restricted value: 1 - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark5YesYes
      Businesscheck mark5YesYes
      Enterprisecheck mark5YesYes
      Educationcheck mark5YesYes
      +
      @@ -3204,31 +3484,38 @@ Most restricted value: 1 - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark2YesYes
      Businesscheck mark2YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      +
      @@ -3274,31 +3561,38 @@ Most restricted value: 1 - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark2YesYes
      Businesscheck mark2YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      +
      @@ -3344,31 +3638,38 @@ Most restricted value: 1 - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -3412,31 +3713,38 @@ Most restricted value: 1 - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -3481,31 +3789,38 @@ Most restricted value: 1 - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark5YesYes
      Businesscheck mark5YesYes
      Enterprisecheck mark5YesYes
      Educationcheck mark5YesYes
      +
      @@ -3556,31 +3871,38 @@ Supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -3596,7 +3918,7 @@ Supported values: > [!NOTE] -> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. +> This policy is only enforced in Windows for desktop and not supported in Windows Mobile. [!INCLUDE [prevent-using-localhost-ip-address-for-webrtc-shortdesc](../includes/prevent-using-localhost-ip-address-for-webrtc-shortdesc.md)] @@ -3627,31 +3949,38 @@ Most restricted value: 1 - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark3YesYes
      Businesscheck mark3YesYes
      Enterprisecheck mark3YesYes
      Educationcheck mark3YesYes
      +
      @@ -3705,31 +4034,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -3748,7 +4084,7 @@ ADMX Info: [!INCLUDE [send-all-intranet-sites-to-ie-shortdesc](../includes/send-all-intranet-sites-to-ie-shortdesc.md)] > [!NOTE] -> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. +> This policy is only enforced in Windows for desktop and not supported in Windows Mobile. @@ -3779,31 +4115,38 @@ Most restricted value: 0 - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark2YesYes
      Businesscheck mark2YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      +
      @@ -3857,31 +4200,38 @@ Most restricted value: 1 - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark5YesYes
      Businesscheck mark5YesYes
      Enterprisecheck mark5YesYes
      Educationcheck mark5YesYes
      +
      @@ -3932,31 +4282,38 @@ Supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark5YesYes
      Businesscheck mark5YesYes
      Enterprisecheck mark5YesYes
      Educationcheck mark5YesYes
      +
      @@ -4006,31 +4363,38 @@ Supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -4049,7 +4413,7 @@ Supported values: > [!NOTE] -> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. +> This policy is only enforced in Windows for desktop and not supported in Windows Mobile. @@ -4079,31 +4443,38 @@ Most restricted value: 0 - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -4123,7 +4494,7 @@ By default, a notification will be presented to the user informing them of this With this policy, you can either allow (default) or suppress this notification. > [!NOTE] -> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. +> This policy is only enforced in Windows for desktop and not supported in Windows Mobile. @@ -4142,36 +4513,43 @@ Supported values:
      -**Browser/SyncFavoritesBetweenIEAndMicrosoftEdge** +Browser/SyncFavoritesBetweenIEAndMicrosoftEdge - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark2YesYes
      Businesscheck mark2YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      +
      @@ -4192,7 +4570,7 @@ Supported values: [!INCLUDE [keep-favorites-in-sync-between-ie-and-edge-shortdesc](../includes/keep-favorites-in-sync-between-ie-and-edge-shortdesc.md)] > [!NOTE] -> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. +> This policy is only enforced in Windows for desktop and not supported in Windows Mobile. @@ -4230,31 +4608,38 @@ To verify that favorites are in synchronized between Internet Explorer and Micro - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark5YesYes
      Businesscheck mark5YesYes
      Enterprisecheck mark5YesYes
      Educationcheck mark5YesYes
      +
      @@ -4305,31 +4690,38 @@ Supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark4YesYes
      Businesscheck mark4YesYes
      Enterprisecheck mark4YesYes
      Educationcheck mark4YesYes
      +
      @@ -4367,15 +4759,6 @@ Most restricted value: 0
      -Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-camera.md b/windows/client-management/mdm/policy-csp-camera.md index 22a1a37ce3..3ac207a7e5 100644 --- a/windows/client-management/mdm/policy-csp-camera.md +++ b/windows/client-management/mdm/policy-csp-camera.md @@ -36,31 +36,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -97,16 +104,7 @@ The following list shows the supported values:
      -Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-cellular.md b/windows/client-management/mdm/policy-csp-cellular.md index 7e776b0469..17a6da62e3 100644 --- a/windows/client-management/mdm/policy-csp-cellular.md +++ b/windows/client-management/mdm/policy-csp-cellular.md @@ -14,6 +14,12 @@ manager: dansimp # Policy CSP - Cellular +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -48,31 +54,39 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark3YesYes
      Businesscheck mark3YesYes
      Enterprisecheck mark3YesYes
      Educationcheck mark3YesYes
      + +
      @@ -86,7 +100,7 @@ manager: dansimp -Added in Windows 10, version 1709. This policy setting specifies whether Windows apps can access cellular data. +This policy setting specifies whether Windows apps can access cellular data. You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting. @@ -128,31 +142,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark3YesYes
      Businesscheck mark3YesYes
      Enterprisecheck mark3YesYes
      Educationcheck mark3YesYes
      +
      @@ -166,7 +187,7 @@ The following list shows the supported values: -Added in Windows 10, version 1709. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. Value type is string. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. Value type is string. @@ -188,31 +209,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark3YesYes
      Businesscheck mark3YesYes
      Enterprisecheck mark3YesYes
      Educationcheck mark3YesYes
      +
      @@ -226,7 +254,7 @@ ADMX Info: -Added in Windows 10, version 1709. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. Value type is string. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. Value type is string. @@ -248,31 +276,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark3YesYes
      Businesscheck mark3YesYes
      Enterprisecheck mark3YesYes
      Educationcheck mark3YesYes
      +
      @@ -286,7 +321,7 @@ ADMX Info: -Added in Windows 10, version 1709. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the cellular data access setting for the listed apps. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. Value type is string. +List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the cellular data access setting for the listed apps. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. Value type is string. @@ -308,31 +343,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -352,12 +394,7 @@ If this policy setting is enabled, a drop-down list box presenting possible valu If this policy setting is disabled or is not configured, the link to the per-application cellular access control page is showed by default. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -370,16 +407,7 @@ ADMX Info:
      -Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-connectivity.md b/windows/client-management/mdm/policy-csp-connectivity.md index 90a5286d6f..356d8123f7 100644 --- a/windows/client-management/mdm/policy-csp-connectivity.md +++ b/windows/client-management/mdm/policy-csp-connectivity.md @@ -14,6 +14,14 @@ manager: dansimp # Policy CSP - Connectivity +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + +
      @@ -73,31 +81,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -139,31 +154,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -198,31 +220,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -277,31 +306,38 @@ To validate on mobile devices, do the following: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck markYesYes
      Procheck mark2YesYes
      Businesscheck mark2YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      +
      @@ -318,7 +354,7 @@ To validate on mobile devices, do the following: > [!NOTE] > This policy requires reboot to take effect. -Added in Windows 10, version 1703. Allows IT Admins the ability to disable the Connected Devices Platform (CDP) component. CDP enables discovery and connection to other devices (either proximally with BT/LAN or through the cloud) to support remote app launching, remote messaging, remote app sessions, and other cross-device experiences. +Allows IT Admins the ability to disable the Connected Devices Platform (CDP) component. CDP enables discovery and connection to other devices (either proximally with BT/LAN or through the cloud) to support remote app launching, remote messaging, remote app sessions, and other cross-device experiences. @@ -338,31 +374,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark4YesYes
      Businesscheck mark4YesYes
      Enterprisecheck mark4YesYes
      Educationcheck mark4YesYes
      +
      @@ -376,7 +419,7 @@ The following list shows the supported values: -Added in Windows 10, version 1803. This policy allows IT admins to turn off the ability to Link a Phone with a PC to continue tasks, such as reading, email, and other tasks that require linking between Phone and PC. +This policy allows IT admins to turn off the ability to Link a Phone with a PC to continue tasks, such as reading, email, and other tasks that require linking between Phone and PC. If you enable this policy setting, the Windows device will be able to enroll in Phone-PC linking functionality and participate in 'Continue on PC experiences'. If you disable this policy setting, the Windows device is not allowed to be linked to phones, will remove itself from the device list of any linked Phones, and cannot participate in 'Continue on PC experiences'. If you do not configure this policy setting, the default behavior depends on the Windows edition. Changes to this policy take effect on reboot. @@ -413,31 +456,38 @@ Device that has previously opt-in to MMX will also stop showing on the device li - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecross markNoNo
      Educationcross markNoNo
      +
      @@ -478,31 +528,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -538,31 +595,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -598,31 +662,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -649,12 +720,7 @@ If you disable or do not configure this policy setting, users can choose to prin Also, see the "Web-based printing" policy setting in Computer Configuration/Administrative Templates/Printers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there is a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -674,31 +740,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -723,12 +796,7 @@ If you enable this policy setting, print drivers cannot be downloaded over HTTP. If you disable or do not configure this policy setting, users can download print drivers over HTTP. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there is a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -748,31 +816,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -797,12 +872,7 @@ If you disable or do not configure this policy setting, a list of providers are See the documentation for the web publishing and online ordering wizards for more information, including details on specifying service providers in the registry. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there is a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -822,31 +892,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark2YesYes
      Businesscheck mark2YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      +
      @@ -860,7 +937,7 @@ ADMX Info: -Added in Windows 10, version 1703. Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to to determine if the device can communicate with the Internet. This policy disables the NCSI active probe, preventing network connectivity to www.msftconnecttest.com. +Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to to determine if the device can communicate with the Internet. This policy disables the NCSI active probe, preventing network connectivity to www.msftconnecttest.com. Value type is integer. @@ -883,31 +960,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -926,12 +1010,7 @@ This policy setting configures secure access to UNC paths. If you enable this policy, Windows only allows access to the specified UNC paths after fulfilling additional security requirements. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there is a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -951,31 +1030,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -998,12 +1084,7 @@ The Network Bridge allows users to create a layer 2 MAC bridge, enabling them to If you disable this setting or do not configure it, the user will be able to create and modify the configuration of a Network Bridge. Enabling this setting does not remove an existing Network Bridge from the user's computer. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there is a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1017,16 +1098,6 @@ ADMX Info:
      -Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. -- 9 - Available in Windows 10, version 2009. diff --git a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md index b1e5575610..f9aea239a4 100644 --- a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md +++ b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md @@ -35,31 +35,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark4YesYes
      Businesscheck mark4YesYes
      Enterprisecheck mark4YesYes
      Educationcheck mark4YesYes
      +
      @@ -73,7 +80,7 @@ manager: dansimp -Added in Windows 10, version 1803. This policy allows the IT admin to control which policy will be used whenever both the MDM policy and its equivalent Group Policy (GP) are set on the device. +This policy allows the IT admin to control which policy will be used whenever both the MDM policy and its equivalent Group Policy (GP) are set on the device. > [!NOTE] > MDMWinsOverGP only applies to policies in Policy CSP. MDM policies win over Group Policies where applicable; not all Group Policies are available via MDM or CSP. It does not apply to other MDM settings with equivalent GP settings that are defined in other CSPs. @@ -117,15 +124,6 @@ The following list shows the supported values:
      -Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-credentialproviders.md b/windows/client-management/mdm/policy-csp-credentialproviders.md index cf333911ba..d4a0c57801 100644 --- a/windows/client-management/mdm/policy-csp-credentialproviders.md +++ b/windows/client-management/mdm/policy-csp-credentialproviders.md @@ -14,6 +14,12 @@ manager: dansimp # Policy CSP - CredentialProviders +> [!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -42,31 +48,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -86,17 +99,13 @@ If you enable this policy setting, a domain user can set up and sign in with a c If you disable or don't configure this policy setting, a domain user can't set up and use a convenience PIN. -Note: The user's domain password will be cached in the system vault when using this feature. +> [!NOTE] +> The user's domain password will be cached in the system vault when using this feature. To configure Windows Hello for Business, use the Administrative Template policies under Windows Hello for Business. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -116,31 +125,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -163,12 +179,7 @@ If you disable or don't configure this policy setting, a domain user can set up Note that the user's domain password will be cached in the system vault when using this feature. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -188,31 +199,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark3YesYes
      Businesscheck mark3YesYes
      Enterprisecheck mark3YesYes
      Educationcheck mark3YesYes
      +
      @@ -226,7 +244,7 @@ ADMX Info: -Added in Windows 10, version 1709. Boolean policy to disable the visibility of the credential provider that triggers the PC refresh on a device. This policy does not actually trigger the refresh. The admin user is required to authenticate to trigger the refresh on the target device. +Boolean policy to disable the visibility of the credential provider that triggers the PC refresh on a device. This policy does not actually trigger the refresh. The admin user is required to authenticate to trigger the refresh on the target device. The Autopilot Reset feature allows admin to reset devices to a known good managed state while preserving the management enrollment. After the Autopilot Reset is triggered the devices are for ready for use by information workers or students. @@ -241,16 +259,7 @@ The following list shows the supported values:
      -Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-credentialsdelegation.md b/windows/client-management/mdm/policy-csp-credentialsdelegation.md index d4806508e7..a02c13b489 100644 --- a/windows/client-management/mdm/policy-csp-credentialsdelegation.md +++ b/windows/client-management/mdm/policy-csp-credentialsdelegation.md @@ -14,6 +14,12 @@ manager: dansimp # Policy CSP - CredentialsDelegation +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -36,31 +42,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -83,12 +96,7 @@ If you enable this policy setting, the host supports Restricted Admin or Remote If you disable or do not configure this policy setting, Restricted Administration and Remote Credential Guard mode are not supported. User will always need to pass their credentials to the host. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -101,16 +109,7 @@ ADMX Info:
      -Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-credentialsui.md b/windows/client-management/mdm/policy-csp-credentialsui.md index 5fdff42127..0d294e4618 100644 --- a/windows/client-management/mdm/policy-csp-credentialsui.md +++ b/windows/client-management/mdm/policy-csp-credentialsui.md @@ -14,7 +14,12 @@ manager: dansimp # Policy CSP - CredentialsUI - +> [!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -39,31 +44,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -89,12 +101,7 @@ By default, the password reveal button is displayed after a user types a passwor The policy applies to all Windows components and applications that use the Windows system controls, including Internet Explorer. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -114,31 +121,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -159,12 +173,7 @@ If you enable this policy setting, all local administrator accounts on the PC wi If you disable this policy setting, users will always be required to type a user name and password to elevate. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -177,16 +186,7 @@ ADMX Info:
      -Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-cryptography.md b/windows/client-management/mdm/policy-csp-cryptography.md index 88e34b4df9..66af935c69 100644 --- a/windows/client-management/mdm/policy-csp-cryptography.md +++ b/windows/client-management/mdm/policy-csp-cryptography.md @@ -39,31 +39,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -108,31 +115,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -164,16 +178,7 @@ Lists the Cryptographic Cipher Algorithms allowed for SSL connections. Format is
      -Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-dataprotection.md b/windows/client-management/mdm/policy-csp-dataprotection.md index afbff9a990..ed9a1f87c4 100644 --- a/windows/client-management/mdm/policy-csp-dataprotection.md +++ b/windows/client-management/mdm/policy-csp-dataprotection.md @@ -39,31 +39,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -99,31 +106,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck markYesYes
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -150,15 +164,6 @@ Setting used by Windows 8.1 Selective Wipe.
      -Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-datausage.md b/windows/client-management/mdm/policy-csp-datausage.md index 652bf56c3c..9fcd657539 100644 --- a/windows/client-management/mdm/policy-csp-datausage.md +++ b/windows/client-management/mdm/policy-csp-datausage.md @@ -14,7 +14,12 @@ manager: dansimp # Policy CSP - DataUsage - +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -52,31 +57,38 @@ This policy is deprecated in Windows 10, version 1809. - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -103,12 +115,7 @@ If this policy setting is enabled, a drop-down list box presenting possible cost If this policy setting is disabled or is not configured, the cost of 4G connections is Fixed by default. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -121,16 +128,7 @@ ADMX Info:
      -Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md index c7445826de..fddac52c0c 100644 --- a/windows/client-management/mdm/policy-csp-defender.md +++ b/windows/client-management/mdm/policy-csp-defender.md @@ -156,31 +156,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck markYesYes
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -226,31 +233,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck markYesYes
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -296,31 +310,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck markYesYes
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -367,31 +388,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck markYesYes
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -437,31 +465,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck markYesYes
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -507,31 +542,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck markYesYes
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -577,31 +619,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck markYesYes
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -647,31 +696,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck markYesYes
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -709,31 +765,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck markYesYes
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -779,31 +842,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck markYesYes
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -849,31 +919,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck markYesYes
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -919,31 +996,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck markYesYes
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -981,31 +1065,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck markYesYes
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -1051,31 +1142,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark3YesYes
      Procheck mark3YesYes
      Businesscheck mark3YesYes
      Enterprisecheck mark3YesYes
      Educationcheck mark3YesYes
      +
      @@ -1093,7 +1191,7 @@ The following list shows the supported values: > This policy is only enforced in Windows 10 for desktop. -Added in Windows 10, version 1709. This policy setting allows you to prevent Attack Surface reduction rules from matching on files under the paths specified or for the fully qualified resources specified. Paths should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of a path or a fully qualified resource name. As an example, a path might be defined as: "c:\Windows" to exclude all files in this directory. A fully qualified resource name might be defined as: "C:\Windows\App.exe".. +This policy setting allows you to prevent Attack Surface reduction rules from matching on files under the paths specified or for the fully qualified resources specified. Paths should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of a path or a fully qualified resource name. As an example, a path might be defined as: "c:\Windows" to exclude all files in this directory. A fully qualified resource name might be defined as: "C:\Windows\App.exe".. Value type is string. @@ -1117,31 +1215,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark3YesYes
      Procheck mark3YesYes
      Businesscheck mark3YesYes
      Enterprisecheck mark3YesYes
      Educationcheck mark3YesYes
      +
      @@ -1159,7 +1264,7 @@ ADMX Info: > This policy is only enforced in Windows 10 for desktop. -Added in Windows 10, version 1709. This policy setting enables setting the state (Block/Audit/Off) for each Attack surface reduction (ASR) rule. Each ASR rule listed can be set to one of the following states (Block/Audit/Off). The ASR rule ID and state should be added under the Options for this setting. Each entry must be listed as a name value pair. The name defines a valid ASR rule ID, while the value contains the status ID indicating the status of the rule. +This policy setting enables setting the state (Block/Audit/Off) for each Attack surface reduction (ASR) rule. Each ASR rule listed can be set to one of the following states (Block/Audit/Off). The ASR rule ID and state should be added under the Options for this setting. Each entry must be listed as a name value pair. The name defines a valid ASR rule ID, while the value contains the status ID indicating the status of the rule. For more information about ASR rule ID and status ID, see [Enable Attack Surface Reduction](/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction). @@ -1185,31 +1290,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck markYesYes
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -1256,31 +1368,38 @@ Valid values: 0–100 - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark5YesYes
      Procheck mark5YesYes
      Businesscheck mark5YesYes
      Enterprisecheck mark5YesYes
      Educationcheck mark5YesYes
      +
      @@ -1338,31 +1457,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark3YesYes
      Procheck mark3YesYes
      Businesscheck mark3YesYes
      Enterprisecheck mark3YesYes
      Educationcheck mark3YesYes
      +
      @@ -1380,7 +1506,7 @@ ADMX Info: > This policy is only enforced in Windows 10 for desktop. -Added in Windows 10, version 1709. This policy setting determines how aggressive Microsoft Defender Antivirus will be in blocking and scanning suspicious files. Value type is integer. +This policy setting determines how aggressive Microsoft Defender Antivirus will be in blocking and scanning suspicious files. Value type is integer. If this setting is on, Microsoft Defender Antivirus will be more aggressive when identifying suspicious files to block and scan; otherwise, it will be less aggressive and therefore block and scan with less frequency. @@ -1418,31 +1544,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark3YesYes
      Procheck mark3YesYes
      Businesscheck mark3YesYes
      Enterprisecheck mark3YesYes
      Educationcheck mark3YesYes
      +
      @@ -1459,7 +1592,7 @@ The following list shows the supported values: > [!NOTE] > This policy is only enforced in Windows 10 for desktop. -Added in Windows 10, version 1709. This feature allows Microsoft Defender Antivirus to block a suspicious file for up to 60 seconds, and scan it in the cloud to make sure it's safe. Value type is integer, range is 0 - 50. +This feature allows Microsoft Defender Antivirus to block a suspicious file for up to 60 seconds, and scan it in the cloud to make sure it's safe. Value type is integer, range is 0 - 50. The typical cloud check timeout is 10 seconds. To enable the extended cloud check feature, specify the extended time in seconds, up to an additional 50 seconds. @@ -1488,31 +1621,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark3YesYes
      Procheck mark3YesYes
      Businesscheck mark3YesYes
      Enterprisecheck mark3YesYes
      Educationcheck mark3YesYes
      +
      @@ -1551,31 +1691,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark3YesYes
      Procheck mark3YesYes
      Businesscheck mark3YesYes
      Enterprisecheck mark3YesYes
      Educationcheck mark3YesYes
      +
      @@ -1592,7 +1739,7 @@ ADMX Info: > [!NOTE] > This policy is only enforced in Windows 10 for desktop. The previous name was GuardedFoldersList and changed to ControlledFolderAccessProtectedFolders. -Added in Windows 10, version 1709. This policy settings allows adding user-specified folder locations to the controlled folder access feature. These folders will complement the system defined folders such as My Documents and My Pictures. The list of system folders will be displayed in the user interface and can not be changed. Value type is string. Use the | as the substring separator. +This policy settings allows adding user-specified folder locations to the controlled folder access feature. These folders will complement the system defined folders such as My Documents and My Pictures. The list of system folders will be displayed in the user interface and can not be changed. Value type is string. Use the | as the substring separator. @@ -1614,31 +1761,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck markYesYes
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -1685,31 +1839,38 @@ Valid values: 0–90 - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark5YesYes
      Procheck mark5YesYes
      Businesscheck mark5YesYes
      Enterprisecheck mark5YesYes
      Educationcheck mark5YesYes
      +
      @@ -1765,31 +1926,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark5YesYes
      Procheck mark5YesYes
      Businesscheck mark5YesYes
      Enterprisecheck mark5YesYes
      Educationcheck mark5YesYes
      +
      @@ -1845,31 +2013,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark3YesYes
      Procheck mark3YesYes
      Businesscheck mark3YesYes
      Enterprisecheck mark3YesYes
      Educationcheck mark3YesYes
      +
      @@ -1886,7 +2061,7 @@ ADMX Info: > [!NOTE] > This policy is only enforced in Windows 10 for desktop. The previous name was EnableGuardMyFolders and changed to EnableControlledFolderAccess. -Added in Windows 10, version 1709. This policy enables setting the state (On/Off/Audit) for the controlled folder access feature. The controlled folder access feature removes modify and delete permissions from untrusted applications to certain folders such as My Documents. Value type is integer and the range is 0 - 2. +This policy enables setting the state (On/Off/Audit) for the controlled folder access feature. The controlled folder access feature removes modify and delete permissions from untrusted applications to certain folders such as My Documents. Value type is integer and the range is 0 - 2. @@ -1916,31 +2091,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark5YesYes
      Procheck mark5YesYes
      Businesscheck mark5YesYes
      Enterprisecheck mark5YesYes
      Educationcheck mark5YesYes
      +
      @@ -1994,31 +2176,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark3YesYes
      Procheck mark3YesYes
      Businesscheck mark3YesYes
      Enterprisecheck mark3YesYes
      Educationcheck mark3YesYes
      +
      @@ -2035,7 +2224,7 @@ ADMX Info: > [!NOTE] > This policy is only enforced in Windows 10 for desktop. -Added in Windows 10, version 1709. This policy allows you to turn network protection on (block/audit) or off. Network protection protects employees using any app from accessing phishing scams, exploit-hosting sites, and malicious content on the Internet. This includes preventing third-party browsers from connecting to dangerous sites. Value type is integer. +This policy allows you to turn network protection on (block/audit) or off. Network protection protects employees using any app from accessing phishing scams, exploit-hosting sites, and malicious content on the Internet. This includes preventing third-party browsers from connecting to dangerous sites. Value type is integer. If you enable this setting, network protection is turned on and employees can't turn it off. Its behavior can be controlled by the following options: Block and Audit. If you enable this policy with the ""Block"" option, users/apps will be blocked from connecting to dangerous domains. You will be able to see this activity in Windows Defender Security Center. @@ -2071,31 +2260,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck markYesYes
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -2135,31 +2331,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck markYesYes
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -2199,31 +2402,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck markYesYes
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -2269,31 +2479,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck markYesYes
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -2311,7 +2528,7 @@ ADMX Info: > This policy is only enforced in Windows 10 for desktop. -Added in Windows 10, version 1607. Specifies the level of detection for potentially unwanted applications (PUAs). Windows Defender alerts you when potentially unwanted software is being downloaded or attempts to install itself on your computer. +Specifies the level of detection for potentially unwanted applications (PUAs). Windows Defender alerts you when potentially unwanted software is being downloaded or attempts to install itself on your computer. > [!NOTE] > Potentially unwanted applications (PUA) are a category of software that can cause your machine to run slowly, display unexpected ads, or at worst, install other software which might be unexpected or unwanted. By default in Windows 10 (version 2004 and later), Microsoft Defender Antivirus blocks apps that are considered PUA, for Enterprise (E5) devices. For more information about PUA, see [Detect and block potentially unwanted applications](/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus). @@ -2344,31 +2561,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck markYesYes
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -2419,31 +2643,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck markYesYes
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -2490,31 +2721,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck markYesYes
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -2567,31 +2805,38 @@ Valid values: 0–1380 - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck markYesYes
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -2648,31 +2893,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck markYesYes
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -2725,31 +2977,38 @@ Valid values: 0–1380. - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark5YesYes
      Procheck mark5YesYes
      Businesscheck mark5YesYes
      Enterprisecheck mark5YesYes
      Educationcheck mark5YesYes
      +
      @@ -2809,31 +3068,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark5YesYes
      Procheck mark5YesYes
      Businesscheck mark5YesYes
      Enterprisecheck mark5YesYes
      Educationcheck mark5YesYes
      +
      @@ -2888,31 +3154,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck markYesYes
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -2963,31 +3236,38 @@ Valid values: 0–24. - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck markYesYes
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -3036,31 +3316,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck markYesYes
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -3111,16 +3398,6 @@ ADMX Info:
      -Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. -- 9 - Available in Windows 10, version 20H2. \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-deliveryoptimization.md b/windows/client-management/mdm/policy-csp-deliveryoptimization.md index a1644a0373..b889259061 100644 --- a/windows/client-management/mdm/policy-csp-deliveryoptimization.md +++ b/windows/client-management/mdm/policy-csp-deliveryoptimization.md @@ -14,6 +14,13 @@ manager: dansimp # Policy CSP - DeliveryOptimization +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +
      @@ -123,31 +130,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark1YesYes
      Businesscheck mark1YesYes
      Enterprisecheck mark1YesYes
      Educationcheck mark1YesYes
      +
      @@ -165,7 +179,7 @@ manager: dansimp > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. -Added in Windows 10, version 1607. Specifies the maximum size in GB of Delivery Optimization cache. This policy overrides the DOMaxCacheSize policy. The value 0 (zero) means "unlimited" cache. Delivery Optimization will clear the cache when the device is running low on disk space. +Specifies the maximum size in GB of Delivery Optimization cache. This policy overrides the DOMaxCacheSize policy. The value 0 (zero) means "unlimited" cache. Delivery Optimization will clear the cache when the device is running low on disk space. The default value is 10. @@ -189,31 +203,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark2YesYes
      Businesscheck mark2YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      +
      @@ -231,7 +252,7 @@ ADMX Info: > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. -Added in Windows 10, version 1703. Specifies whether the device is allowed to participate in Peer Caching while connected via VPN to the domain network. This means the device can download from or upload to other domain network devices, either on VPN or on the corporate domain network. +Specifies whether the device is allowed to participate in Peer Caching while connected via VPN to the domain network. This means the device can download from or upload to other domain network devices, either on VPN or on the corporate domain network. @@ -260,31 +281,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark5YesYes
      Businesscheck mark5YesYes
      Enterprisecheck mark5YesYes
      Educationcheck mark5YesYes
      +
      @@ -332,31 +360,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark8YesYes
      Businesscheck mark8YesYes
      Enterprisecheck mark8YesYes
      Educationcheck mark8YesYes
      +
      @@ -412,31 +447,38 @@ When DHCP Option ID Force (2) is set, the client will query DHCP Option ID 235 a - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark4YesYes
      Businesscheck mark4YesYes
      Enterprisecheck mark4YesYes
      Educationcheck mark4YesYes
      +
      @@ -450,7 +492,7 @@ When DHCP Option ID Force (2) is set, the client will query DHCP Option ID 235 a -Added in Windows 10, version 1803. This policy allows you to delay the use of an HTTP source in a background download that is allowed to use peer-to-peer. +This policy allows you to delay the use of an HTTP source in a background download that is allowed to use peer-to-peer. After the max delay is reached, the download will resume using HTTP, either downloading the entire payload or complementing the bytes that could not be downloaded from peers. Note that a download that is waiting for peer sources, will appear to be stuck for the end user. The recommended value is 1 hour (3600). @@ -474,31 +516,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      +
      @@ -547,31 +596,38 @@ Supported values: 0 - one month (in seconds) - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      +
      @@ -618,31 +674,38 @@ Supported values: 0 - one month (in seconds) - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark4YesYes
      Businesscheck mark4YesYes
      Enterprisecheck mark4YesYes
      Educationcheck mark4YesYes
      +
      @@ -656,7 +719,7 @@ Supported values: 0 - one month (in seconds) -Added in Windows 10, version 1803. This policy allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use peer-to-peer. +This policy allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use peer-to-peer. After the max delay has reached, the download will resume using HTTP, either downloading the entire payload or complementing the bytes that could not be downloaded from Peers. @@ -692,31 +755,38 @@ The following list shows the supported values as number of seconds: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -766,31 +836,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -833,31 +910,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark4YesYes
      Businesscheck mark4YesYes
      Enterprisecheck mark4YesYes
      Educationcheck mark4YesYes
      +
      @@ -871,7 +955,7 @@ ADMX Info: -Added in Windows 10, version 1803. Set this policy to restrict peer selection to a specific source. Available options are: 1 = AD Site, 2 = Authenticated domain SID, 3 = DHCP Option ID, 4 = DNS Suffix, 5 = AAD. +Set this policy to restrict peer selection to a specific source. Available options are: 1 = AD Site, 2 = Authenticated domain SID, 3 = DHCP Option ID, 4 = DNS Suffix, 5 = AAD. When set, the Group ID will be assigned automatically from the selected source. @@ -913,31 +997,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark8YesYes
      Businesscheck mark8YesYes
      Enterprisecheck mark8YesYes
      Educationcheck mark8YesYes
      +
      @@ -975,28 +1066,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -1041,31 +1138,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -1130,31 +1234,38 @@ This policy is deprecated. Use [DOMaxForegroundDownloadBandwidth](#deliveryoptim - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark8YesYes
      Businesscheck mark8YesYes
      Enterprisecheck mark8YesYes
      Educationcheck mark8YesYes
      +
      @@ -1211,31 +1322,38 @@ This policy is deprecated because it only applies to uploads to Internet peers ( - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark1YesYes
      Businesscheck mark1YesYes
      Enterprisecheck mark1YesYes
      Educationcheck mark1YesYes
      +
      @@ -1253,7 +1371,7 @@ This policy is deprecated because it only applies to uploads to Internet peers ( > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. -Added in Windows 10, version 1607. Specifies the minimum download QoS (Quality of Service or speed) in KiloBytes/sec for background downloads. This policy affects the blending of peer and HTTP sources. Delivery Optimization complements the download from the HTTP source to achieve the minimum QoS value set. +Specifies the minimum download QoS (Quality of Service or speed) in KiloBytes/sec for background downloads. This policy affects the blending of peer and HTTP sources. Delivery Optimization complements the download from the HTTP source to achieve the minimum QoS value set. The default value is 500. @@ -1277,31 +1395,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark2YesYes
      Businesscheck mark2YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      +
      @@ -1318,7 +1443,7 @@ ADMX Info: > [!NOTE] > This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile. -Added in Windows 10, version 1703. Specifies any value between 1 and 100 (in percentage) to allow the device to upload data to LAN and Group peers while on battery power. Uploads will automatically pause when the battery level drops below the set minimum battery level. The recommended value to set is 40 (for 40%) if you allow uploads on battery. +Specifies any value between 1 and 100 (in percentage) to allow the device to upload data to LAN and Group peers while on battery power. Uploads will automatically pause when the battery level drops below the set minimum battery level. The recommended value to set is 40 (for 40%) if you allow uploads on battery. The default value is 0. The value 0 (zero) means "not limited" and the cloud service default value will be used. @@ -1342,31 +1467,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark2YesYes
      Businesscheck mark2YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      +
      @@ -1384,7 +1516,7 @@ ADMX Info: > This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile. -Added in Windows 10, version 1703. Specifies the required minimum disk size (capacity in GB) for the device to use Peer Caching. Recommended values: 64 GB to 256 GB. +Specifies the required minimum disk size (capacity in GB) for the device to use Peer Caching. Recommended values: 64 GB to 256 GB. > [!NOTE] > If the DOMofidyCacheDrive policy is set, the disk size check will apply to the new working directory specified by this policy. @@ -1411,31 +1543,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark2YesYes
      Businesscheck mark2YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      +
      @@ -1453,7 +1592,7 @@ ADMX Info: > This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile. -Added in Windows 10, version 1703. Specifies the minimum content file size in MB enabled to use Peer Caching. Recommended values: 1 MB to 100,000 MB. +Specifies the minimum content file size in MB enabled to use Peer Caching. Recommended values: 1 MB to 100,000 MB. The default value is 100 MB. @@ -1477,31 +1616,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark2YesYes
      Businesscheck mark2YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      +
      @@ -1519,7 +1665,7 @@ ADMX Info: > This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile. -Added in Windows 10, version 1703. Specifies the minimum RAM size in GB required to use Peer Caching. For example, if the minimum set is 1 GB, then devices with 1 GB or higher available RAM will be allowed to use Peer caching. Recommended values: 1 GB to 4 GB. +Specifies the minimum RAM size in GB required to use Peer Caching. For example, if the minimum set is 1 GB, then devices with 1 GB or higher available RAM will be allowed to use Peer caching. Recommended values: 1 GB to 4 GB. The default value is 4 GB. @@ -1543,31 +1689,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark1YesYes
      Businesscheck mark1YesYes
      Enterprisecheck mark1YesYes
      Educationcheck mark1YesYes
      +
      @@ -1585,7 +1738,7 @@ ADMX Info: > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. -Added in Windows 10, version 1607. Specifies the drive that Delivery Optimization should use for its cache. The drive location can be specified using environment variables, drive letter or using a full path. +Specifies the drive that Delivery Optimization should use for its cache. The drive location can be specified using environment variables, drive letter or using a full path. By default, %SystemDrive% is used to store the cache. @@ -1609,31 +1762,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark1YesYes
      Businesscheck mark1YesYes
      Enterprisecheck mark1YesYes
      Educationcheck mark1YesYes
      +
      @@ -1651,7 +1811,7 @@ ADMX Info: > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. -Added in Windows 10, version 1607. Specifies the maximum total bytes in GB that Delivery Optimization is allowed to upload to Internet peers in each calendar month. +Specifies the maximum total bytes in GB that Delivery Optimization is allowed to upload to Internet peers in each calendar month. The value 0 (zero) means "unlimited"; No monthly upload limit is applied if 0 is set. @@ -1677,31 +1837,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark4YesYes
      Businesscheck mark4YesYes
      Enterprisecheck mark4YesYes
      Educationcheck mark4YesYes
      +
      @@ -1715,7 +1882,7 @@ ADMX Info: -Added in Windows 10, version 1803. Specifies the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for background downloads. +Specifies the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for background downloads. Note that downloads from LAN peers will not be throttled even when this policy is set. @@ -1752,31 +1919,38 @@ This policy is deprecated. Use [DOPercentageMaxForegroundBandwidth](#deliveryopt - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark4YesYes
      Businesscheck mark4YesYes
      Enterprisecheck mark4YesYes
      Educationcheck mark4YesYes
      +
      @@ -1790,7 +1964,7 @@ This policy is deprecated. Use [DOPercentageMaxForegroundBandwidth](#deliveryopt -Added in Windows 10, version 1803. Specifies the maximum foreground download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for foreground downloads. +Specifies the maximum foreground download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for foreground downloads. Note that downloads from LAN peers will not be throttled even when this policy is set. @@ -1814,31 +1988,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark4YesYes
      Businesscheck mark4YesYes
      Enterprisecheck mark4YesYes
      Educationcheck mark4YesYes
      +
      @@ -1852,7 +2033,7 @@ ADMX Info: -Added in Windows 10, version 1803. Set this policy to restrict peer selection via selected option. +Set this policy to restrict peer selection via selected option. Options available are: 1=Subnet mask (more options will be added in a future release). Option 1 (Subnet mask) applies to both Download Mode LAN (1) and Group (2). @@ -1883,31 +2064,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark4YesYes
      Businesscheck mark4YesYes
      Enterprisecheck mark4YesYes
      Educationcheck mark4YesYes
      +
      @@ -1921,15 +2109,10 @@ The following list shows the supported values: -Added in Windows 10, version 1803. Specifies the maximum background download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. +Specifies the maximum background download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1957,31 +2140,38 @@ This policy allows an IT Admin to define the following: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark4YesYes
      Businesscheck mark4YesYes
      Enterprisecheck mark4YesYes
      Educationcheck mark4YesYes
      +
      @@ -1995,15 +2185,10 @@ This policy allows an IT Admin to define the following: -Added in Windows 10, version 1803. Specifies the maximum foreground download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. +Specifies the maximum foreground download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2024,16 +2209,6 @@ This policy allows an IT Admin to define the following:
      -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-desktop.md b/windows/client-management/mdm/policy-csp-desktop.md index 9a3bcc48ee..1c8ca1f094 100644 --- a/windows/client-management/mdm/policy-csp-desktop.md +++ b/windows/client-management/mdm/policy-csp-desktop.md @@ -14,7 +14,12 @@ manager: dansimp # Policy CSP - Desktop - +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -36,31 +41,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscross markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -81,12 +93,7 @@ By default, a user can change the location of their individual profile folders l If you enable this setting, users are unable to type a new location in the Target box. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -99,16 +106,7 @@ ADMX Info:
      -Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-deviceguard.md b/windows/client-management/mdm/policy-csp-deviceguard.md index 157279f8f5..a7b099ab6f 100644 --- a/windows/client-management/mdm/policy-csp-deviceguard.md +++ b/windows/client-management/mdm/policy-csp-deviceguard.md @@ -44,31 +44,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck mark5YesYes
      Educationcheck mark5YesYes
      +
      @@ -121,31 +128,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck mark3YesYes
      Educationcheck mark3YesYes
      +
      @@ -159,7 +173,7 @@ ADMX Info: -Added in Windows 10, version 1709. Turns on virtualization based security(VBS) at the next reboot. virtualization based security uses the Windows Hypervisor to provide support for security services. Value type is integer. +Turns on virtualization based security(VBS) at the next reboot. virtualization based security uses the Windows Hypervisor to provide support for security services. Value type is integer. @@ -187,31 +201,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck mark3YesYes
      Educationcheck mark3YesYes
      +
      @@ -225,7 +246,7 @@ The following list shows the supported values: -Added in Windows 10, version 1709. This setting lets users turn on Credential Guard with virtualization-based security to help protect credentials at next reboot. Value type is integer. +This setting lets users turn on Credential Guard with virtualization-based security to help protect credentials at next reboot. Value type is integer. @@ -255,28 +276,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecheck mark3YesYes
      Educationcheck mark3YesYes
      @@ -293,7 +320,7 @@ The following list shows the supported values: -Added in Windows 10, version 1709. Specifies the platform security level at the next reboot. Value type is integer. +Specifies the platform security level at the next reboot. Value type is integer. @@ -315,15 +342,6 @@ The following list shows the supported values:
      -Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md b/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md index 35190895c9..2d0bfe0011 100644 --- a/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md +++ b/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md @@ -42,31 +42,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      +
      @@ -106,31 +113,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      +
      @@ -169,31 +183,38 @@ IT Pros do not need to set this policy. Instead, Microsoft Intune is expected to - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      +
      @@ -225,16 +246,7 @@ In most cases, an IT Pro does not need to define this policy. Instead, it is exp
      -Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md index 013edacaec..c14144ccd7 100644 --- a/windows/client-management/mdm/policy-csp-deviceinstallation.md +++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md @@ -14,6 +14,13 @@ ms.localizationpriority: medium # Policy CSP - DeviceInstallation +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +
      @@ -59,31 +66,38 @@ ms.localizationpriority: medium - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark5YesYes
      Businesscheck mark5YesYes
      Enterprisecheck mark5YesYes
      Educationcheck mark5YesYes
      +
      @@ -120,12 +134,7 @@ Peripherals can be specified by their [hardware identity](/windows-hardware/driv -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -183,31 +192,38 @@ To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      +
      @@ -216,7 +232,7 @@ To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and > [!div class = "checklist"] > * Device -Added in Windows 10, version 1903. Also available in Windows 10, version 1809. +
      @@ -244,12 +260,7 @@ If you disable or do not configure this policy setting, and no other policy sett Peripherals can be specified by their [device instance ID](/windows-hardware/drivers/install/device-instance-ids). Test the configuration prior to rolling it out to ensure it allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -304,31 +315,38 @@ To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see i - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark5YesYes
      Businesscheck mark5YesYes
      Enterprisecheck mark5YesYes
      Educationcheck mark5YesYes
      +
      @@ -367,12 +385,7 @@ If you disable or do not configure this policy setting, and no other policy sett Peripherals can be specified by their [hardware identity](/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -437,31 +450,38 @@ To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark5YesYes
      Businesscheck mark5YesYes
      Enterprisecheck mark5YesYes
      Educationcheck mark5YesYes
      +
      @@ -500,12 +520,7 @@ Device instance IDs > Device IDs > Device setup class > Removable devices If you disable or do not configure this policy setting, the default evaluation is used. By default, all "Prevent installation..." policy settings have precedence over any other policy setting that allows Windows to install a device. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -564,31 +579,38 @@ You can also change the evaluation order of device installation policy settings - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark5YesYes
      Businesscheck mark5YesYes
      Enterprisecheck mark5YesYes
      Educationcheck mark5YesYes
      +
      @@ -609,12 +631,7 @@ If you enable this policy setting, Windows does not retrieve device metadata for If you disable or do not configure this policy setting, the setting in the Device Installation Settings dialog box controls whether Windows retrieves device metadata from the Internet. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -643,31 +660,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark5YesYes
      Businesscheck mark5YesYes
      Enterprisecheck mark5YesYes
      Educationcheck mark5YesYes
      +
      @@ -691,12 +715,7 @@ If you enable this policy setting, Windows is prevented from installing or updat If you disable or do not configure this policy setting, Windows is allowed to install or update the driver package for any device that is not described by the "Prevent installation of devices that match any of these device IDs", "Prevent installation of devices for these device classes" policy setting, "Prevent installation of devices that match any of these device instance IDs", or "Prevent installation of removable devices" policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -758,31 +777,38 @@ You can also block installation by using a custom profile in Intune. - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -808,12 +834,7 @@ If you disable or do not configure this policy setting, devices can be installed Peripherals can be specified by their [hardware identity](/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it blocks the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -878,31 +899,38 @@ For example, this custom profile blocks installation and usage of USB devices wi - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      +
      @@ -916,7 +944,7 @@ For example, this custom profile blocks installation and usage of USB devices wi -Added in Windows 10, version 1903. Also available in Windows 10, version 1809. This policy setting allows you to specify a list of Plug and Play device instance IDs for devices that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device. +This policy setting allows you to specify a list of Plug and Play device instance IDs for devices that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device. If you enable this policy setting, Windows is prevented from installing a device whose device instance ID appears in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. @@ -925,12 +953,7 @@ If you disable or do not configure this policy setting, devices can be installed Peripherals can be specified by their [device instance ID](/windows-hardware/drivers/install/device-instance-ids). Test the configuration prior to rolling it out to ensure it allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1005,31 +1028,38 @@ with - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -1055,12 +1085,7 @@ If you disable or do not configure this policy setting, Windows can install and Peripherals can be specified by their [hardware identity](/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it blocks the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1117,15 +1142,6 @@ To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see i
      -Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md index 3df3e81293..0288d5c9c7 100644 --- a/windows/client-management/mdm/policy-csp-devicelock.md +++ b/windows/client-management/mdm/policy-csp-devicelock.md @@ -75,31 +75,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecross markNoNo
      Educationcross markNoNo
      +
      @@ -139,31 +146,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck markYesYes
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -204,31 +218,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck markYesYes
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -247,7 +268,7 @@ Determines the type of PIN required. This policy only applies if the **DeviceLoc > [!NOTE] > This policy must be wrapped in an Atomic command. > -> Always use the Replace command instead of Add for this policy in Windows 10 for desktop editions (Home, Pro, Enterprise, and Education). +> Always use the Replace command instead of Add for this policy in Windows for desktop editions (Home, Pro, Enterprise, and Education). @@ -275,31 +296,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck markYesYes
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -318,7 +346,7 @@ Specifies whether device lock is enabled. > [!NOTE] > This policy must be wrapped in an Atomic command. > -> Always use the Replace command instead of Add for this policy in Windows 10 for desktop editions. +> Always use the Replace command instead of Add for this policy in Windows for desktop editions. @@ -374,31 +402,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck markYesYes
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -441,31 +476,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck markYesYes
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -508,31 +550,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark1YesYes
      Procheck mark1YesYes
      Businesscheck mark1YesYes
      Enterprisecheck mark1YesYes
      Educationcheck mark1YesYes
      +
      @@ -546,7 +595,7 @@ The following list shows the supported values: -Added in Windows 10, version 1607. Specifies the default lock screen and logon image shown when no user is signed in. It also sets the specified image for all users, which replaces the default image. The same image is used for both the lock and logon screens. Users will not be able to change this image. +Specifies the default lock screen and logon image shown when no user is signed in. It also sets the specified image for all users, which replaces the default image. The same image is used for both the lock and logon screens. Users will not be able to change this image. > [!NOTE] > This policy is only enforced in Windows 10 Enterprise and Education editions and not supported in Windows 10 Home and Pro. @@ -565,31 +614,38 @@ Value type is a string, which is the full image filepath and filename. - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck markYesYes
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -639,31 +695,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck markYesYes
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -707,31 +770,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck markYesYes
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -750,7 +820,7 @@ The number of complex element types (uppercase and lowercase letters, numbers, a > [!NOTE] > This policy must be wrapped in an Atomic command. > -> Always use the Replace command instead of Add for this policy in Windows 10 for desktop editions. +> Always use the Replace command instead of Add for this policy in Windows for desktop editions. PIN enforces the following behavior for desktop and mobile devices: @@ -829,31 +899,38 @@ For additional information about this policy, see [Exchange ActiveSync Policy En - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck markYesYes
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -872,7 +949,7 @@ Specifies the minimum number or characters required in the PIN or password. > [!NOTE] > This policy must be wrapped in an Atomic command. > -> Always use the Replace command instead of Add for this policy in Windows 10 for desktop editions. +> Always use the Replace command instead of Add for this policy in Windows for desktop editions. @@ -922,31 +999,38 @@ The following example shows how to set the minimum password length to 4 characte - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark3YesYes
      Procheck mark3YesYes
      Businesscheck mark3YesYes
      Enterprisecheck mark3YesYes
      Educationcheck mark3YesYes
      +
      @@ -983,31 +1067,38 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -1053,31 +1144,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck markYesYes
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      +
      @@ -1117,15 +1215,6 @@ ADMX Info:
      -Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-display.md b/windows/client-management/mdm/policy-csp-display.md index 12a6952ffa..d24d5b7075 100644 --- a/windows/client-management/mdm/policy-csp-display.md +++ b/windows/client-management/mdm/policy-csp-display.md @@ -48,31 +48,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark4YesYes
      Businesscheck mark4YesYes
      Enterprisecheck mark4YesYes
      Educationcheck mark4YesYes
      +
      @@ -108,31 +115,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark4YesYes
      Businesscheck mark4YesYes
      Enterprisecheck mark4YesYes
      Educationcheck mark4YesYes
      +
      @@ -188,31 +202,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark4YesYes
      Businesscheck mark4YesYes
      Enterprisecheck mark4YesYes
      Educationcheck mark4YesYes
      +
      @@ -248,31 +269,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark2YesYes
      Businesscheck mark2YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      +
      @@ -323,31 +351,38 @@ To validate on Desktop, do the following: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark2YesYes
      Businesscheck mark2YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      +
      @@ -391,16 +426,7 @@ To validate on Desktop, do the following:
      -Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-dmaguard.md b/windows/client-management/mdm/policy-csp-dmaguard.md index 2ca5164a50..e16f8e14e9 100644 --- a/windows/client-management/mdm/policy-csp-dmaguard.md +++ b/windows/client-management/mdm/policy-csp-dmaguard.md @@ -35,31 +35,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark5YesYes
      Businesscheck mark5YesYes
      Enterprisecheck mark5YesYes
      Educationcheck mark5YesYes
      +
      @@ -111,15 +118,6 @@ ADMX Info:
      -Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-education.md b/windows/client-management/mdm/policy-csp-education.md index 7d2b8ebb1e..42ade7935c 100644 --- a/windows/client-management/mdm/policy-csp-education.md +++ b/windows/client-management/mdm/policy-csp-education.md @@ -44,31 +44,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark8YesYes
      Procheck mark8YesYes
      Businesscheck mark8YesYes
      Enterprisecheck mark8YesYes
      Educationcheck mark8YesYes
      +
      @@ -82,7 +89,7 @@ manager: dansimp -Added in Windows 10, version 2004. This policy setting allows you to control whether graphing functionality is available in the Windows Calculator app. If you disable this policy setting, graphing functionality will not be accessible in the Windows Calculator app. If you enable or don't configure this policy setting, you will be able to access graphing functionality. +This policy setting allows you to control whether graphing functionality is available in the Windows Calculator app. If you disable this policy setting, graphing functionality will not be accessible in the Windows Calculator app. If you enable or don't configure this policy setting, you will be able to access graphing functionality. ADMX Info: @@ -107,31 +114,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark3YesYes
      Businesscheck mark3YesYes
      Enterprisecheck mark3YesYes
      Educationcheck mark3YesYes
      +
      @@ -145,7 +159,7 @@ The following list shows the supported values: -Added in Windows 10, version 1709. This policy allows IT Admins to set the user's default printer. +This policy allows IT Admins to set the user's default printer. The policy value is expected to be the name (network host name) of an installed printer. @@ -160,31 +174,38 @@ The policy value is expected to be the name (network host name) of an installed - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark3YesYes
      Businesscheck mark3YesYes
      Enterprisecheck mark3YesYes
      Educationcheck mark3YesYes
      +
      @@ -198,7 +219,7 @@ The policy value is expected to be the name (network host name) of an installed -Added in Windows 10, version 1709. Allows IT Admins to prevent user installation of additional printers from the printers settings. +Allows IT Admins to prevent user installation of additional printers from the printers settings. @@ -226,31 +247,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark3YesYes
      Businesscheck mark3YesYes
      Enterprisecheck mark3YesYes
      Educationcheck mark3YesYes
      +
      @@ -264,7 +292,7 @@ The following list shows the supported values: -Added in Windows 10, version 1709. Allows IT Admins to automatically provision printers based on their names (network host names). +Allows IT Admins to automatically provision printers based on their names (network host names). The policy value is expected to be a `````` separated list of printer names. The OS will attempt to search and install the matching printer driver for each listed printer. @@ -272,16 +300,7 @@ The policy value is expected to be a `````` separated list of printer na
      -Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-enterprisecloudprint.md b/windows/client-management/mdm/policy-csp-enterprisecloudprint.md index af07ab44cf..ab1ce55fca 100644 --- a/windows/client-management/mdm/policy-csp-enterprisecloudprint.md +++ b/windows/client-management/mdm/policy-csp-enterprisecloudprint.md @@ -51,28 +51,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark2YesYes
      Businesscheck mark2YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      @@ -89,7 +95,7 @@ manager: dansimp -Added in Windows 10, version 1703. Specifies the authentication endpoint for acquiring OAuth tokens. This policy must target ./User, otherwise it fails. +Specifies the authentication endpoint for acquiring OAuth tokens. This policy must target ./User, otherwise it fails. The datatype is a string. @@ -106,28 +112,34 @@ The default value is an empty string. Otherwise, the value should contain the UR - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark2YesYes
      Businesscheck mark2YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      @@ -144,7 +156,7 @@ The default value is an empty string. Otherwise, the value should contain the UR -Added in Windows 10, version 1703. Specifies the GUID of a client application authorized to retrieve OAuth tokens from the OAuthAuthority. This policy must target ./User, otherwise it fails. +Specifies the GUID of a client application authorized to retrieve OAuth tokens from the OAuthAuthority. This policy must target ./User, otherwise it fails. The datatype is a string. @@ -161,28 +173,34 @@ The default value is an empty string. Otherwise, the value should contain a GUID - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark2YesYes
      Businesscheck mark2YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      @@ -199,7 +217,7 @@ The default value is an empty string. Otherwise, the value should contain a GUID -Added in Windows 10, version 1703. Specifies the per-user resource URL for which access is requested by the enterprise cloud print client during OAuth authentication. This policy must target ./User, otherwise it fails. +Specifies the per-user resource URL for which access is requested by the enterprise cloud print client during OAuth authentication. This policy must target ./User, otherwise it fails. The datatype is a string. @@ -216,28 +234,34 @@ The default value is an empty string. Otherwise, the value should contain a URL. - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark2YesYes
      Businesscheck mark2YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      @@ -254,7 +278,7 @@ The default value is an empty string. Otherwise, the value should contain a URL. -Added in Windows 10, version 1703. Specifies the per-user end point for discovering cloud printers. This policy must target ./User, otherwise it fails. +Specifies the per-user end point for discovering cloud printers. This policy must target ./User, otherwise it fails. The datatype is a string. @@ -271,28 +295,34 @@ The default value is an empty string. Otherwise, the value should contain the UR - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark2YesYes
      Businesscheck mark2YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      @@ -309,7 +339,7 @@ The default value is an empty string. Otherwise, the value should contain the UR -Added in Windows 10, version 1703. Defines the maximum number of printers that should be queried from a discovery end point. This policy must target ./User, otherwise it fails. +Defines the maximum number of printers that should be queried from a discovery end point. This policy must target ./User, otherwise it fails. The datatype is an integer. @@ -324,28 +354,34 @@ The datatype is an integer. - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark2YesYes
      Businesscheck mark2YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      @@ -362,7 +398,7 @@ The datatype is an integer. -Added in Windows 10, version 1703. Specifies the per-user resource URL for which access is requested by the Mopria discovery client during OAuth authentication. This policy must target ./User, otherwise it fails. +Specifies the per-user resource URL for which access is requested by the Mopria discovery client during OAuth authentication. This policy must target ./User, otherwise it fails. The datatype is a string. @@ -372,16 +408,6 @@ The default value is an empty string. Otherwise, the value should contain a URL.
      -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-errorreporting.md b/windows/client-management/mdm/policy-csp-errorreporting.md index a24a91ef51..9c470e1ddf 100644 --- a/windows/client-management/mdm/policy-csp-errorreporting.md +++ b/windows/client-management/mdm/policy-csp-errorreporting.md @@ -14,7 +14,12 @@ manager: dansimp # Policy CSP - ErrorReporting - +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -48,28 +53,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -103,12 +114,6 @@ If you enable this policy setting, you can add specific event types to a list by If you disable or do not configure this policy setting, then the default consent settings that are applied are those specified by the user in Control Panel, or in the Configure Default Consent policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -128,28 +133,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -173,12 +184,6 @@ If you enable this policy setting, Windows Error Reporting does not send any pro If you disable or do not configure this policy setting, the Turn off Windows Error Reporting policy setting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings takes precedence. If Turn off Windows Error Reporting is also either disabled or not configured, user settings in Control Panel for Windows Error Reporting are applied. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -198,28 +203,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -247,12 +258,6 @@ If you do not configure this policy setting, users can change this setting in Co See also the Configure Error Reporting policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -272,28 +277,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -317,12 +328,6 @@ If you enable this policy setting, any additional data requests from Microsoft i If you disable or do not configure this policy setting, then consent policy settings in Computer Configuration/Administrative Templates/Windows Components/Windows Error Reporting/Consent take precedence. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -342,28 +347,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -387,12 +398,6 @@ If you enable this policy setting, Windows Error Reporting does not display any If you disable or do not configure this policy setting, Windows Error Reporting displays the user interface for critical errors. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -405,16 +410,6 @@ ADMX Info:
      -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-eventlogservice.md b/windows/client-management/mdm/policy-csp-eventlogservice.md index 43366ce6ff..be19cffdee 100644 --- a/windows/client-management/mdm/policy-csp-eventlogservice.md +++ b/windows/client-management/mdm/policy-csp-eventlogservice.md @@ -45,28 +45,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -92,12 +98,6 @@ If you disable or do not configure this policy setting and a log file reaches it Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -117,28 +117,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -162,12 +168,6 @@ If you enable this policy setting, you can configure the maximum log file size t If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -187,28 +187,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -232,12 +238,6 @@ If you enable this policy setting, you can configure the maximum log file size t If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -257,28 +257,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -302,12 +308,6 @@ If you enable this policy setting, you can configure the maximum log file size t If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -320,16 +320,6 @@ ADMX Info:
      -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md index 61abaceb22..79a75e5fb3 100644 --- a/windows/client-management/mdm/policy-csp-experience.md +++ b/windows/client-management/mdm/policy-csp-experience.md @@ -373,7 +373,7 @@ The following list shows the supported values: -Added in Windows 10, version 1703. This policy turns on Find My Device. +This policy turns on Find My Device. When Find My Device is on, the device and its location are registered in the cloud so that the device can be located when the user initiates a Find command from account.microsoft.com. In Windows 10, version 1709 devices that are compatible with active digitizers, enabling Find My Device will also allow the user to view the last location of use of their active digitizer on their device; this location is stored locally on the user's device after each use of their active digitizer. @@ -610,7 +610,7 @@ The following list shows the supported values: > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. -Added in Windows 10, version 1703. This policy allows you to prevent Windows from using diagnostic data to provide customized experiences to the user. If you enable this policy setting, Windows will not use diagnostic data from this device to customize content shown on the lock screen, Windows tips, Microsoft consumer features, or other related features. If these features are enabled, users will still see recommendations, tips and offers, but they may be less relevant. If you disable or do not configure this policy setting, Microsoft will use diagnostic data to provide personalized recommendations, tips, and offers to tailor Windows for the user's needs and make it work better for them. +This policy allows you to prevent Windows from using diagnostic data to provide customized experiences to the user. If you enable this policy setting, Windows will not use diagnostic data from this device to customize content shown on the lock screen, Windows tips, Microsoft consumer features, or other related features. If these features are enabled, users will still see recommendations, tips and offers, but they may be less relevant. If you disable or do not configure this policy setting, Microsoft will use diagnostic data to provide personalized recommendations, tips, and offers to tailor Windows for the user's needs and make it work better for them. Diagnostic data can include browser, app and feature usage, depending on the "Diagnostic and usage data" setting value. @@ -925,7 +925,7 @@ The following list shows the supported values: > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. -Added in Windows 10, version 1703. This policy allows administrators to prevent Windows spotlight notifications from being displayed in the Action Center. If you enable this policy, Windows spotlight notifications will no longer be displayed in the Action Center. If you disable or do not configure this policy, Microsoft may display notifications in the Action Center that will suggest apps or features to help users be more productive on Windows. +This policy allows administrators to prevent Windows spotlight notifications from being displayed in the Action Center. If you enable this policy, Windows spotlight notifications will no longer be displayed in the Action Center. If you disable or do not configure this policy, Microsoft may display notifications in the Action Center that will suggest apps or features to help users be more productive on Windows. Most restricted value is 0. @@ -999,7 +999,7 @@ The following list shows the supported values: -Added in Windows 10, version 1803. This policy allows IT admins to turn off Suggestions in Settings app. These suggestions from Microsoft may show after each OS clean install, upgrade or an on-going basis to help users discover apps/features on Windows or across devices, to make their experience productive. +This policy allows IT admins to turn off Suggestions in Settings app. These suggestions from Microsoft may show after each OS clean install, upgrade or an on-going basis to help users discover apps/features on Windows or across devices, to make their experience productive. - User setting is under Settings -> Privacy -> General -> Show me suggested content in Settings app. - User Setting is changeable on a per user basis. @@ -1078,7 +1078,7 @@ The following list shows the supported values: > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. -Added in Windows 10, version 1703. This policy setting lets you turn off the Windows spotlight Windows welcome experience feature. +This policy setting lets you turn off the Windows spotlight Windows welcome experience feature. The Windows welcome experience feature introduces onboard users to Windows; for example, launching Microsoft Edge with a webpage that highlights new features. If you enable this policy, the Windows welcome experience will no longer be displayed when there are updates and changes to Windows and its apps. If you disable or do not configure this policy, the Windows welcome experience will be launched to inform onboard users about what's new, changed, and suggested. Most restricted value is 0. @@ -1747,16 +1747,5 @@ Supported values:
      -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. -- 9 - Available in Windows 10, version 20H2. diff --git a/windows/client-management/mdm/policy-csp-exploitguard.md b/windows/client-management/mdm/policy-csp-exploitguard.md index e192bd9e82..8e59c287d3 100644 --- a/windows/client-management/mdm/policy-csp-exploitguard.md +++ b/windows/client-management/mdm/policy-csp-exploitguard.md @@ -36,28 +36,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark3NoNo
      Procheck mark3YesYes
      Businesscheck mark3YesYes
      Enterprisecheck mark3YesYes
      Educationcheck mark3YesYes
      @@ -118,15 +124,5 @@ Here is an example:
      -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-fileexplorer.md b/windows/client-management/mdm/policy-csp-fileexplorer.md index 82dce114b4..1c0625e677 100644 --- a/windows/client-management/mdm/policy-csp-fileexplorer.md +++ b/windows/client-management/mdm/policy-csp-fileexplorer.md @@ -14,6 +14,12 @@ manager: dansimp # Policy CSP - FileExplorer +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -39,28 +45,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -80,12 +92,6 @@ manager: dansimp Disabling data execution prevention can allow certain legacy plug-in applications to function without terminating Explorer. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -105,28 +111,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -145,14 +157,6 @@ ADMX Info: Disabling heap termination on corruption can allow certain legacy plug-in applications to function without terminating Explorer immediately, although Explorer may still terminate unexpectedly later. - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - ADMX Info: - GP Friendly name: *Turn off heap termination on corruption* @@ -164,16 +168,5 @@ ADMX Info:
      -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. - diff --git a/windows/client-management/mdm/policy-csp-games.md b/windows/client-management/mdm/policy-csp-games.md index f62143e2a6..8b0c46251d 100644 --- a/windows/client-management/mdm/policy-csp-games.md +++ b/windows/client-management/mdm/policy-csp-games.md @@ -36,28 +36,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark3YesYes
      Businesscheck mark3YesYes
      Enterprisecheck mark3YesYes
      Educationcheck mark3YesYes
      @@ -87,16 +93,6 @@ The following list shows the supported values:
      -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-handwriting.md b/windows/client-management/mdm/policy-csp-handwriting.md index 615be07c90..1051831b08 100644 --- a/windows/client-management/mdm/policy-csp-handwriting.md +++ b/windows/client-management/mdm/policy-csp-handwriting.md @@ -36,28 +36,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark3NoNo
      Businesscross markNoNo
      Enterprisecheck mark3YesYes
      Educationcheck mark3YesYes
      @@ -74,7 +80,7 @@ manager: dansimp -Added in Windows 10. version 1709. This policy allows an enterprise to configure the default mode for the handwriting panel. +This policy allows an enterprise to configure the default mode for the handwriting panel. The handwriting panel has 2 modes - floats near the text box, or docked to the bottom of the screen. The default configuration to is floating near text box. If you want the panel to be fixed or docked, use this policy to fix it to the bottom of the screen. @@ -101,16 +107,5 @@ The following list shows the supported values:
      -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. - diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md index 8222726809..df389346d7 100644 --- a/windows/client-management/mdm/policy-csp-internetexplorer.md +++ b/windows/client-management/mdm/policy-csp-internetexplorer.md @@ -799,6 +799,12 @@ manager: dansimp
      +> [!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -808,28 +814,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -854,12 +866,6 @@ If you enable this policy setting, the user can add and remove search providers, If you disable or do not configure this policy setting, the user can configure their list of search providers unless another policy setting restricts such configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -879,28 +885,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -925,12 +937,6 @@ If you enable this policy setting, ActiveX Filtering is enabled by default for t If you disable or do not configure this policy setting, ActiveX Filtering is not enabled by default for the user. The user can turn ActiveX Filtering on or off. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -950,28 +956,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -1002,12 +1014,6 @@ Value - A number indicating whether Internet Explorer should deny or allow the a If you disable this policy setting, the list is deleted. The 'Deny all add-ons unless specifically allowed in the Add-on List' policy setting will still determine whether add-ons not in this list are assumed to be denied. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1027,28 +1033,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -1074,12 +1086,6 @@ If you disable this setting the user cannot change "User name and passwords on f If you do not configure this setting, the user has the freedom of turning on Auto complete for User name and passwords on forms and the option of prompting to save passwords. To display this option, the users open the Internet Options dialog box, click the Contents Tab and click the Settings button. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1099,28 +1105,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -1145,12 +1157,6 @@ If you enable this policy setting, the certificate address mismatch warning alwa If you disable or do not configure this policy setting, the user can choose whether the certificate address mismatch warning appears (by using the Advanced page in the Internet Control panel). -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1170,28 +1176,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -1220,12 +1232,6 @@ If you do not configure this policy setting, it can be configured on the General If the "Prevent access to Delete Browsing History" policy setting is enabled, this policy setting has no effect. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1245,28 +1251,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -1293,12 +1305,6 @@ If you disable this policy setting, Enhanced Protected Mode will be turned off. If you do not configure this policy, users will be able to turn on or turn off Enhanced Protected Mode on the Advanced tab of the Internet Options dialog. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1318,28 +1324,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      @@ -1366,12 +1378,6 @@ If you disable this policy setting, users do not receive enhanced suggestions wh If you do not configure this policy setting, users can change the Suggestions setting on the Settings charm. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1402,28 +1408,34 @@ Supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -1448,12 +1460,6 @@ If you turn this setting on, users can see and use the Enterprise Mode option fr If you disable or don't configure this policy setting, the menu option won't appear and users won't be able to run websites in Enterprise Mode. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1473,28 +1479,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -1519,12 +1531,6 @@ If you enable this policy setting, Internet Explorer downloads the website list If you disable or don't configure this policy setting, Internet Explorer opens all websites using Standards mode. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1544,28 +1550,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -1591,12 +1603,6 @@ This policy does not affect which security protocols are enabled. If you disable this policy, system defaults will be used. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1616,28 +1622,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -1662,12 +1674,6 @@ If you enable this policy setting, the user can add and remove sites from the li If you disable or do not configure this policy setting, the user can add and remove sites from the list. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1687,28 +1693,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -1735,12 +1747,6 @@ If you disable this policy setting, Internet Explorer uses an Internet Explorer If you do not configure this policy setting, Internet Explorer uses an Internet Explorer 7 user agent string (with an additional string appended) for local intranet content. Additionally, all local intranet Standards Mode pages appear in Internet Explorer 7 Standards Mode. This option results in the greatest compatibility with existing webpages, but newer content written to common Internet standards may be displayed incorrectly. This option matches the default behavior of Internet Explorer. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1760,28 +1766,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -1812,12 +1824,6 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1837,28 +1843,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -1889,12 +1901,6 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1914,28 +1920,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -1966,12 +1978,6 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1991,28 +1997,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -2043,12 +2055,6 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -2068,28 +2074,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -2120,12 +2132,6 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -2145,28 +2151,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -2197,12 +2209,6 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -2222,28 +2228,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -2274,12 +2286,6 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -2299,28 +2305,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -2345,12 +2357,6 @@ If you enable this policy setting, Internet Explorer goes directly to an intrane If you disable or do not configure this policy setting, Internet Explorer does not go directly to an intranet site for a one-word entry in the Address bar. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -2370,28 +2376,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark7YesYes
      Businesscheck mark7YesYes
      Enterprisecheck mark7YesYes
      Educationcheck mark7YesYes
      @@ -2417,12 +2429,6 @@ This policy setting allows the administrator to enable "Save Target As" context For more information, see [https://go.microsoft.com/fwlink/?linkid=2102115](/deployedge/edge-ie-mode-faq) -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -2452,28 +2458,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -2509,12 +2521,6 @@ If you disable or do not configure this policy, users may choose their own site- The list is a set of pairs of strings. Each string is separated by F000. Each pair of strings is stored as a registry name and value. The registry name is the site and the value is an index. The index has to be sequential. See an example below. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -2559,28 +2565,34 @@ Value and index pairs in the SyncML example: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -2607,12 +2619,6 @@ If you disable this policy setting, users cannot run or install files with an in If you do not configure this policy, users can choose to run or install files with an invalid signature. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -2632,28 +2638,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -2680,12 +2692,6 @@ If you disable this policy setting, the entry points and functionality associate If you do not configure this policy setting, the user can turn on and turn off the Suggested Sites feature. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -2705,28 +2711,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -2757,12 +2769,6 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -2782,28 +2788,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -2834,12 +2846,6 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -2859,28 +2865,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -2911,12 +2923,6 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -2936,28 +2942,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -2984,12 +2996,6 @@ If you disable this policy setting, Internet Explorer will not check server cert If you do not configure this policy setting, Internet Explorer will not check server certificates to see if they have been revoked. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -3009,28 +3015,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -3057,12 +3069,6 @@ If you disable this policy setting, Internet Explorer will not check the digital If you do not configure this policy, Internet Explorer will not check the digital signatures of executable programs or display their identities before downloading them to user computers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -3081,28 +3087,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark7YesYes
      Businesscheck mark7YesYes
      Enterprisecheck mark7YesYes
      Educationcheck mark7YesYes
      @@ -3147,12 +3159,6 @@ If the Windows Update for the next version of Microsoft Edge* or Microsoft Edge > For more information about the Windows update for the next version of Microsoft Edge including how to disable it, see [https://go.microsoft.com/fwlink/?linkid=2102115](/deployedge/edge-ie-mode-faq). This update applies only to Windows 10 version 1709 and higher. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -3374,28 +3380,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -3424,12 +3436,6 @@ If you disable this policy setting, Internet Explorer will not require consisten If you do not configure this policy setting, Internet Explorer requires consistent MIME data for all received files. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -3449,28 +3455,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      @@ -3495,12 +3507,6 @@ This setting determines whether IE automatically downloads updated versions of M If you disable or do not configure this setting, IE continues to download updated versions of VersionList.XML. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -3531,28 +3537,34 @@ Supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -3579,12 +3591,6 @@ If you disable, or do not configure this policy setting, Flash is turned on for Note that Adobe Flash can still be disabled through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy settings, even if this policy setting is disabled, or not configured. However, if Adobe Flash is disabled through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy settings and not through this policy setting, all applications that use Internet Explorer technology to instantiate Flash object can still do so. For more information, see "Group Policy Settings in Internet Explorer 10" in the Internet Explorer TechNet library. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -3604,28 +3610,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -3650,12 +3662,6 @@ If you enable this policy setting, Windows Defender SmartScreen warnings block t If you disable or do not configure this policy setting, the user can bypass Windows Defender SmartScreen warnings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -3675,28 +3681,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -3721,12 +3733,6 @@ If you enable this policy setting, Windows Defender SmartScreen warnings block t If you disable or do not configure this policy setting, the user can bypass Windows Defender SmartScreen warnings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -3746,28 +3752,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      @@ -3792,12 +3804,6 @@ If you enable this policy setting, the user cannot use the Compatibility View bu If you disable or do not configure this policy setting, the user can use the Compatibility View button and manage the Compatibility View sites list. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -3828,28 +3834,34 @@ Supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -3874,12 +3886,6 @@ If you enable this policy setting, a user cannot set the number of days that Int If you disable or do not configure this policy setting, a user can set the number of days that Internet Explorer tracks views of pages in the History list. Users can delete browsing history. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -3899,28 +3905,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -3945,12 +3957,6 @@ If you enable this policy setting, a crash in Internet Explorer will exhibit beh If you disable or do not configure this policy setting, the crash detection feature for add-on management will be functional. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -3970,28 +3976,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -4018,12 +4030,6 @@ If you disable this policy setting, the user must participate in the CEIP, and t If you do not configure this policy setting, the user can choose to participate in the CEIP. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -4043,28 +4049,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -4093,12 +4105,6 @@ If you do not configure this policy setting, the user can choose whether to dele If the "Prevent access to Delete Browsing History" policy setting is enabled, this policy setting is enabled by default. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -4118,28 +4124,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -4164,12 +4176,6 @@ If you enable this policy setting, the user cannot set the Feed Sync Engine to d If you disable or do not configure this policy setting, the user can set the Feed Sync Engine to download an enclosure through the Feed property page. A developer can change the download setting through the Feed APIs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -4189,28 +4195,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -4237,12 +4249,6 @@ If you disable or do not configure this policy setting, the user can select whic Note: SSL 2.0 is off by default and is no longer supported starting with Windows 10 Version 1607. SSL 2.0 is an outdated security protocol, and enabling SSL 2.0 impairs the performance and functionality of TLS 1.0. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -4262,28 +4268,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      @@ -4308,12 +4320,6 @@ If you enable this policy setting, the ability to synchronize feeds and Web Slic If you disable or do not configure this policy setting, the user can synchronize feeds and Web Slices in the background. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -4344,28 +4350,34 @@ Supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -4394,12 +4406,6 @@ Starting with Windows 8, the "Welcome to Internet Explorer" webpage is not avail If you disable or do not configure this policy setting, Internet Explorer may run the First Run wizard the first time the browser is started after installation. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -4419,28 +4425,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -4469,12 +4481,6 @@ If you disable this policy setting, flip ahead with page prediction is turned on If you don't configure this setting, users can turn this behavior on or off, using the Settings charm. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -4494,28 +4500,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      @@ -4542,12 +4554,6 @@ If you disable this policy setting, browser geolocation support is turned on. If you do not configure this policy setting, browser geolocation support can be turned on or off in Internet Options on the Privacy tab. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -4578,28 +4584,34 @@ Supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -4623,12 +4635,6 @@ If you enable this policy setting, a user cannot set a custom default home page. If you disable or do not configure this policy setting, the Home page box is enabled and users can choose their own home page. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -4646,28 +4652,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark7YesYes
      Businesscheck mark7YesYes
      Enterprisecheck mark7YesYes
      Educationcheck mark7YesYes
      @@ -4699,12 +4711,6 @@ If you disable, or do not configure this policy, all sites are opened using the > Microsoft Edge Stable Channel must be installed for this policy to take effect. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -4742,28 +4748,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -4788,12 +4800,6 @@ If you enable this policy setting, the user cannot continue browsing. If you disable or do not configure this policy setting, the user can choose to ignore certificate errors and continue browsing. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -4813,28 +4819,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -4863,12 +4875,6 @@ If you disable this policy setting, InPrivate Browsing is available for use. If you do not configure this policy setting, InPrivate Browsing can be turned on or off through the registry. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -4888,28 +4894,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -4938,12 +4950,6 @@ If you disable this policy setting, Internet Explorer 11 will use 32-bit tab pro If you don't configure this policy setting, users can turn this feature on or off using Internet Explorer settings. This feature is turned off by default. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -4963,28 +4969,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -5009,12 +5021,6 @@ If you enable this policy setting, the user will not be able to configure proxy If you disable or do not configure this policy setting, the user can configure proxy settings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -5034,28 +5040,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -5080,12 +5092,6 @@ If you enable this policy setting, the user cannot change the default search pro If you disable or do not configure this policy setting, the user can change the default search provider. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -5105,28 +5111,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -5153,12 +5165,6 @@ If you disable or do not configure this policy setting, the user can add seconda Note: If the “Disable Changing Home Page Settings” policy is enabled, the user cannot add secondary home pages. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -5178,28 +5184,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -5224,12 +5236,6 @@ If you enable this policy setting, the feature is turned off. If you disable or do not configure this policy setting, the feature is turned on. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -5249,28 +5255,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -5296,12 +5308,6 @@ If you disable this policy or do not configure it, Internet Explorer checks ever This policy is intended to help the administrator maintain version control for Internet Explorer by preventing users from being notified about new versions of the browser. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -5321,28 +5327,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      @@ -5369,12 +5381,6 @@ If you disable this policy setting, users are suggested matches when entering We If you do not configure this policy setting, users can choose to turn the auto-complete setting for web-addresses on or off. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -5405,28 +5411,34 @@ Supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -5455,12 +5467,6 @@ If you enable this policy setting, Internet Explorer will not give the user the If you disable or do not configure this policy setting, Internet Explorer notifies users and provides an option to run websites with incompatible ActiveX controls in regular Protected Mode. This is the default behavior. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -5480,28 +5486,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -5531,12 +5543,6 @@ Note: The "Disable the Security page" policy (located in \User Configuration\Ad Also, see the "Security zones: Use only machine settings" policy. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -5556,28 +5562,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -5607,12 +5619,6 @@ Note: The "Disable the Security page" policy (located in \User Configuration\Adm Also, see the "Security zones: Use only machine settings" policy. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -5632,28 +5638,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -5680,12 +5692,6 @@ If you disable or don't configure this policy setting, Internet Explorer continu For more information, see "Outdated ActiveX Controls" in the Internet Explorer TechNet library. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -5705,28 +5711,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -5757,12 +5769,6 @@ If you disable or don't configure this policy setting, the list is deleted and I For more information, see "Outdated ActiveX Controls" in the Internet Explorer TechNet library. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -5782,28 +5788,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -5830,12 +5842,6 @@ If you disable this policy setting, local sites which are not explicitly mapped If you do not configure this policy setting, users choose whether to force local sites into the Intranet Zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -5855,28 +5861,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -5903,12 +5915,6 @@ If you disable this policy setting, network paths are not necessarily mapped int If you do not configure this policy setting, users choose whether network paths are mapped into the Intranet Zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -5928,28 +5934,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -5976,12 +5988,6 @@ If you disable this policy setting, users cannot load a page in the zone that us If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -6001,28 +6007,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -6049,12 +6061,6 @@ If you disable this policy setting, ActiveX control installations will be blocke If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -6074,28 +6080,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -6120,12 +6132,6 @@ If you enable this setting, users will receive a file download dialog for automa If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -6145,28 +6151,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -6195,12 +6207,6 @@ If you disable this policy setting, a script cannot perform a clipboard operatio If you do not configure this policy setting, a script can perform a clipboard operation. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -6220,28 +6226,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -6268,12 +6280,6 @@ If you disable this policy setting, users are prevented from dragging files or c If you do not configure this policy setting, users can drag files or copy and paste files from this zone automatically. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -6293,28 +6299,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -6341,12 +6353,6 @@ If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, HTML fonts can be downloaded automatically. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -6366,28 +6372,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -6414,12 +6426,6 @@ If you disable this policy setting, the possibly harmful navigations are prevent If you do not configure this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -6439,28 +6445,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -6487,12 +6499,6 @@ If you disable this policy setting, XAML files are not loaded inside Internet Ex If you do not configure this policy setting, the user can decide whether to load XAML files inside Internet Explorer. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -6512,28 +6518,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -6560,12 +6572,6 @@ If you disable this policy setting, Internet Explorer will not execute unsigned If you do not configure this policy setting, Internet Explorer will execute unsigned managed components. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -6585,28 +6591,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -6631,12 +6643,6 @@ If you enable this policy setting, the user is prompted before ActiveX controls If you disable this policy setting, the user does not see the per-site ActiveX prompt, and ActiveX controls can run from all sites in this zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -6656,28 +6662,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -6702,12 +6714,6 @@ If you enable this policy setting, the TDC ActiveX control will not run from web If you disable this policy setting, the TDC Active X control will run from all sites in this zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -6727,28 +6733,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -6775,12 +6787,6 @@ If you disable this policy setting, the possible harmful actions contained in sc If you do not configure this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -6800,28 +6806,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -6848,12 +6860,6 @@ If you disable this policy setting, script access to the WebBrowser control is n If you do not configure this policy setting, the user can enable or disable script access to the WebBrowser control. By default, script access to the WebBrowser control is allowed only in the Local Machine and Intranet zones. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -6873,28 +6879,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -6921,12 +6933,6 @@ If you disable this policy setting, the user cannot run scriptlets. If you do not configure this policy setting, the user can enable or disable scriptlets. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -6946,28 +6952,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -6996,12 +7008,6 @@ If you do not configure this policy setting, the user can choose whether Windows Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -7021,28 +7027,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -7067,12 +7079,6 @@ If you enable this policy setting, script is allowed to update the status bar. If you disable or do not configure this policy setting, script is not allowed to update the status bar. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -7092,28 +7098,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -7140,12 +7152,6 @@ If you disable this policy setting, users cannot preserve information in the bro If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -7165,28 +7171,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -7215,12 +7227,6 @@ If you selected Disable in the drop-down box, VBScript is prevented from running If you do not configure or disable this policy setting, VBScript is prevented from running. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -7240,28 +7246,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -7288,12 +7300,6 @@ If you disable this policy setting, Internet Explorer always checks with your an If you don't configure this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -7313,28 +7319,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -7361,12 +7373,6 @@ If you disable the policy setting, signed controls cannot be downloaded. If you do not configure this policy setting, users are queried whether to download controls signed by publishers who aren't trusted. Code signed by trusted publishers is silently downloaded. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -7386,28 +7392,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -7434,12 +7446,6 @@ If you disable this policy setting, users cannot run unsigned controls. If you do not configure this policy setting, users cannot run unsigned controls. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -7459,28 +7465,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -7505,12 +7517,6 @@ If you enable this policy setting, the XSS Filter is turned on for sites in this If you disable this policy setting, the XSS Filter is turned off for sites in this zone, and Internet Explorer permits cross-site script injections. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -7530,28 +7536,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -7580,12 +7592,6 @@ In Internet Explorer 10, if you disable this policy setting or do not configure In Internet Explorer 9 and earlier versions, if you disable this policy or do not configure it, users can drag content from one domain to a different domain when the source and destination are in different windows. Users cannot change this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -7605,28 +7611,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -7655,12 +7667,6 @@ In Internet Explorer 10, if you disable this policy setting or do not configure In Internet Explorer 9 and earlier versions, if you disable this policy setting or do not configure it, users can drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change this setting in the Internet Options dialog. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -7680,28 +7686,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -7728,12 +7740,6 @@ If you disable this policy setting, the actions that may be harmful cannot run; If you do not configure this policy setting, the MIME Sniffing Safety Feature will not apply in this zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -7753,28 +7759,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -7801,12 +7813,6 @@ If you disable this policy setting, Protected Mode is turned off. The user canno If you do not configure this policy setting, the user can turn on or turn off Protected Mode. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -7826,28 +7832,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -7874,12 +7886,6 @@ If you disable this policy setting, path information is removed when the user is If you do not configure this policy setting, the user can choose whether path information is sent when he or she is uploading a file via an HTML form. By default, path information is sent. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -7899,28 +7905,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -7949,12 +7961,6 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -7974,28 +7980,34 @@ ADMX Info: - - + + + - + + - + + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark1YesYes
      Procheck mark1YesYes
      Business
      Enterprisecheck mark1YesYes
      Educationcheck mark1YesYes
      @@ -8015,28 +8027,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -8069,12 +8087,6 @@ If you disable this policy setting, Java applets cannot run. If you do not configure this policy setting, the permission is set to High Safety. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -8094,28 +8106,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -8142,12 +8160,6 @@ If you disable this policy setting, users are prevented from running application If you do not configure this policy setting, users are queried to choose whether to run applications and download files from IFRAMEs on the pages in this zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -8167,28 +8179,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -8223,12 +8241,6 @@ If you disable this policy setting, logon is set to Automatic logon only in Intr If you do not configure this policy setting, logon is set to Automatic logon only in Intranet zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -8248,28 +8260,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -8296,12 +8314,6 @@ If you disable this policy setting, users cannot open windows and frames to acce If you do not configure this policy setting, users can open windows and frames from other domains and access applications from other domains. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -8321,28 +8333,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -8369,12 +8387,6 @@ If you disable this policy setting, Internet Explorer will not execute signed ma If you do not configure this policy setting, Internet Explorer will execute signed managed components. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -8394,28 +8406,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -8442,12 +8460,6 @@ If you disable this policy setting, these files do not open. If you do not configure this policy setting, the user can configure how the computer handles these files. By default, these files are blocked in the Restricted zone, enabled in the Intranet and Local Computer zones, and set to prompt in the Internet and Trusted zones. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -8467,28 +8479,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -8515,12 +8533,6 @@ If you disable this policy setting, pop-up windows are not prevented from appear If you do not configure this policy setting, most unwanted pop-up windows are prevented from appearing. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -8540,28 +8552,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -8588,12 +8606,6 @@ If you disable this policy setting, users cannot load a page in the zone that us If you do not configure this policy setting, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -8613,28 +8625,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -8661,12 +8679,6 @@ If you disable this policy setting, ActiveX control installations will be blocke If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -8686,28 +8698,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -8732,12 +8750,6 @@ If you enable this setting, users will receive a file download dialog for automa If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -8757,28 +8769,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -8805,12 +8823,6 @@ If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, HTML fonts can be downloaded automatically. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -8830,28 +8842,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -8878,12 +8896,6 @@ If you disable this policy setting, the possibly harmful navigations are prevent If you do not configure this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -8903,28 +8915,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -8951,12 +8969,6 @@ If you disable this policy setting, Internet Explorer will not execute unsigned If you do not configure this policy setting, Internet Explorer will execute unsigned managed components. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -8976,28 +8988,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -9024,12 +9042,6 @@ If you disable this policy setting, the user cannot run scriptlets. If you do not configure this policy setting, the user can enable or disable scriptlets. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -9049,28 +9061,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -9099,12 +9117,6 @@ If you do not configure this policy setting, the user can choose whether Windows Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -9124,28 +9136,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -9172,12 +9190,6 @@ If you disable this policy setting, users cannot preserve information in the bro If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -9197,28 +9209,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -9245,12 +9263,6 @@ If you disable this policy setting, Internet Explorer always checks with your an If you don't configure this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -9270,28 +9282,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -9320,12 +9338,6 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -9345,28 +9357,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -9399,12 +9417,6 @@ If you disable this policy setting, Java applets cannot run. If you do not configure this policy setting, the permission is set to Medium Safety. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -9424,28 +9436,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -9472,12 +9490,6 @@ If you disable this policy setting, users cannot open windows and frames to acce If you do not configure this policy setting, users can open windows and frames from other domains and access applications from other domains. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -9497,28 +9509,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark7YesYes
      Businesscheck mark7YesYes
      Enterprisecheck mark7YesYes
      Educationcheck mark7YesYes
      @@ -9553,12 +9571,6 @@ Related policies: For more information on how to use this policy together with other related policies to create the optimal configuration for your organization, see [https://go.microsoft.com/fwlink/?linkid=2094210.](/DeployEdge/edge-ie-mode-policies#configure-internet-explorer-integration) -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -9596,28 +9608,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -9644,12 +9662,6 @@ If you disable this policy setting, users cannot load a page in the zone that us If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -9669,28 +9681,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -9717,12 +9735,6 @@ If you disable this policy setting, ActiveX control installations will be blocke If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -9742,28 +9754,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -9788,12 +9806,6 @@ If you enable this setting, users will receive a file download dialog for automa If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -9813,28 +9825,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -9861,12 +9879,6 @@ If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, HTML fonts can be downloaded automatically. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -9886,28 +9898,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -9934,12 +9952,6 @@ If you disable this policy setting, the possibly harmful navigations are prevent If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -9959,28 +9971,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -10007,12 +10025,6 @@ If you disable this policy setting, Internet Explorer will not execute unsigned If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -10032,28 +10044,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -10080,12 +10098,6 @@ If you disable this policy setting, the user cannot run scriptlets. If you do not configure this policy setting, the user can enable or disable scriptlets. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -10105,28 +10117,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -10155,12 +10173,6 @@ If you do not configure this policy setting, the user can choose whether Windows Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -10180,28 +10192,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -10228,12 +10246,6 @@ If you disable this policy setting, users cannot preserve information in the bro If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -10253,28 +10265,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -10301,12 +10319,6 @@ If you disable this policy setting, Internet Explorer always checks with your an If you don't configure this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -10326,28 +10338,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -10376,12 +10394,6 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar If you do not configure this policy setting, users are queried whether to allow the control to be loaded with parameters or scripted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -10401,28 +10413,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -10455,12 +10473,6 @@ If you disable this policy setting, Java applets cannot run. If you do not configure this policy setting, the permission is set to Medium Safety. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -10480,28 +10492,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -10528,12 +10546,6 @@ If you disable this policy setting, users cannot open windows and frames to acce If you do not configure this policy setting, users can open windows and frames from other domains and access applications from other domains. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -10553,28 +10565,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -10601,12 +10619,6 @@ If you disable this policy setting, users cannot load a page in the zone that us If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -10626,28 +10638,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -10674,12 +10692,6 @@ If you disable this policy setting, ActiveX control installations will be blocke If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -10699,28 +10711,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -10745,12 +10763,6 @@ If you enable this setting, users will receive a file download dialog for automa If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -10770,28 +10782,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -10818,12 +10836,6 @@ If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, HTML fonts can be downloaded automatically. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -10843,28 +10855,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -10891,12 +10909,6 @@ If you disable this policy setting, the possibly harmful navigations are prevent If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -10916,28 +10928,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -10964,12 +10982,6 @@ If you disable this policy setting, Internet Explorer will not execute unsigned If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -10989,28 +11001,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -11037,12 +11055,6 @@ If you disable this policy setting, the user cannot run scriptlets. If you do not configure this policy setting, the user can enable or disable scriptlets. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -11062,28 +11074,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -11112,12 +11130,6 @@ If you do not configure this policy setting, the user can choose whether Windows Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -11137,28 +11149,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -11185,12 +11203,6 @@ If you disable this policy setting, users cannot preserve information in the bro If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -11210,28 +11222,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -11260,12 +11278,6 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -11285,28 +11297,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -11339,12 +11357,6 @@ If you disable this policy setting, Java applets cannot run. If you do not configure this policy setting, Java applets are disabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -11364,28 +11376,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -11412,12 +11430,6 @@ If you disable this policy setting, users cannot open windows and frames to acce If you do not configure this policy setting, users can open windows and frames from other domains and access applications from other domains. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -11437,28 +11449,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -11491,12 +11509,6 @@ If you disable this policy setting, Java applets cannot run. If you do not configure this policy setting, Java applets are disabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -11516,28 +11528,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -11564,12 +11582,6 @@ If you disable this policy setting, users cannot load a page in the zone that us If you do not configure this policy setting, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -11589,28 +11601,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -11637,12 +11655,6 @@ If you disable this policy setting, ActiveX control installations will be blocke If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -11662,28 +11674,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -11708,12 +11726,6 @@ If you enable this setting, users will receive a file download dialog for automa If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -11733,28 +11745,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -11781,12 +11799,6 @@ If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, HTML fonts can be downloaded automatically. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -11806,28 +11818,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -11854,12 +11872,6 @@ If you disable this policy setting, the possibly harmful navigations are prevent If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -11879,28 +11891,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -11927,12 +11945,6 @@ If you disable this policy setting, Internet Explorer will not execute unsigned If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -11952,28 +11964,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -12000,12 +12018,6 @@ If you disable this policy setting, the user cannot run scriptlets. If you do not configure this policy setting, the user can enable or disable scriptlets. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -12025,28 +12037,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -12075,12 +12093,6 @@ If you do not configure this policy setting, the user can choose whether Windows Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -12100,28 +12112,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -12148,12 +12166,6 @@ If you disable this policy setting, users cannot preserve information in the bro If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -12173,28 +12185,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -12223,12 +12241,6 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -12248,28 +12260,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -12296,12 +12314,6 @@ If you disable this policy setting, users cannot open windows and frames to acce If you do not configure this policy setting, users can open windows and frames from other domains and access applications from other domains. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -12321,28 +12333,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -12369,12 +12387,6 @@ If you disable this policy setting, users cannot load a page in the zone that us If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -12394,28 +12406,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -12442,12 +12460,6 @@ If you disable this policy setting, ActiveX control installations will be blocke If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -12467,28 +12479,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -12513,12 +12531,6 @@ If you enable this setting, users will receive a file download dialog for automa If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -12538,28 +12550,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -12586,12 +12604,6 @@ If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, HTML fonts can be downloaded automatically. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -12611,28 +12623,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -12659,12 +12677,6 @@ If you disable this policy setting, the possibly harmful navigations are prevent If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -12684,28 +12696,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -12732,12 +12750,6 @@ If you disable this policy setting, Internet Explorer will not execute unsigned If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -12757,28 +12769,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -12805,12 +12823,6 @@ If you disable this policy setting, the user cannot run scriptlets. If you do not configure this policy setting, the user can enable or disable scriptlets. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -12830,28 +12842,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -12880,12 +12898,6 @@ If you do not configure this policy setting, the user can choose whether Windows Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -12905,28 +12917,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -12953,12 +12971,6 @@ If you disable this policy setting, users cannot preserve information in the bro If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -12978,28 +12990,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -13028,12 +13046,6 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -13053,28 +13065,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -13107,12 +13125,6 @@ If you disable this policy setting, Java applets cannot run. If you do not configure this policy setting, Java applets are disabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -13132,28 +13144,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -13180,12 +13198,6 @@ If you disable this policy setting, users cannot open windows and frames to acce If you do not configure this policy setting, users can open windows and frames from other domains and access applications from other domains. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -13205,28 +13217,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -13253,12 +13271,6 @@ If you disable this policy setting, users cannot load a page in the zone that us If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -13278,28 +13290,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -13326,12 +13344,6 @@ If you disable this policy setting, ActiveX control installations will be blocke If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -13351,28 +13363,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -13397,12 +13415,6 @@ If you enable this setting, users will receive a file download dialog for automa If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -13422,28 +13434,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -13470,12 +13488,6 @@ If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, users are queried whether to allow HTML fonts to download. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -13495,28 +13507,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -13543,12 +13561,6 @@ If you disable this policy setting, the possibly harmful navigations are prevent If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -13568,28 +13580,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -13616,12 +13634,6 @@ If you disable this policy setting, Internet Explorer will not execute unsigned If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -13641,28 +13653,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -13689,12 +13707,6 @@ If you disable this policy setting, the user cannot run scriptlets. If you do not configure this policy setting, the user can enable or disable scriptlets. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -13714,28 +13726,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -13764,12 +13782,6 @@ If you do not configure this policy setting, the user can choose whether Windows Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -13789,28 +13801,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -13837,12 +13855,6 @@ If you disable this policy setting, users cannot preserve information in the bro If you do not configure this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -13862,28 +13874,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -13912,12 +13930,6 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -13937,28 +13949,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -13991,12 +14009,6 @@ If you disable this policy setting, Java applets cannot run. If you do not configure this policy setting, Java applets are disabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -14016,28 +14028,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -14064,12 +14082,6 @@ If you disable this policy setting, users cannot open other windows and frames f If you do not configure this policy setting, users cannot open other windows and frames from different domains or access applications from different domains. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -14089,28 +14101,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -14137,12 +14155,6 @@ If you disable this policy setting, users cannot load a page in the zone that us If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -14162,28 +14174,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -14210,12 +14228,6 @@ If you disable this policy setting, ActiveX control installations will be blocke If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -14235,28 +14247,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -14281,12 +14299,6 @@ If you enable this setting, users will receive a file download dialog for automa If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -14306,28 +14318,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -14354,12 +14372,6 @@ If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, HTML fonts can be downloaded automatically. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -14379,28 +14391,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -14427,12 +14445,6 @@ If you disable this policy setting, the possibly harmful navigations are prevent If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -14452,28 +14464,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -14500,12 +14518,6 @@ If you disable this policy setting, Internet Explorer will not execute unsigned If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -14525,28 +14537,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -14573,12 +14591,6 @@ If you disable this policy setting, the user cannot run scriptlets. If you do not configure this policy setting, the user can enable or disable scriptlets. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -14598,28 +14610,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -14648,12 +14666,6 @@ If you do not configure this policy setting, the user can choose whether Windows Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -14673,28 +14685,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -14721,12 +14739,6 @@ If you disable this policy setting, users cannot preserve information in the bro If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -14746,28 +14758,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -14796,12 +14814,6 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -14821,28 +14833,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -14875,12 +14893,6 @@ If you disable this policy setting, Java applets cannot run. If you do not configure this policy setting, Java applets are disabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -14900,28 +14912,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -14948,12 +14966,6 @@ If you disable this policy setting, users cannot open windows and frames to acce If you do not configure this policy setting, users can open windows and frames from other domains and access applications from other domains. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -14973,28 +14985,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -15021,12 +15039,6 @@ If you disable this policy setting, applications can use the MK protocol API. Re If you do not configure this policy setting, the MK Protocol is prevented for File Explorer and Internet Explorer, and resources hosted on the MK protocol will fail. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -15046,28 +15058,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -15094,12 +15112,6 @@ If you disable this policy setting, Internet Explorer processes will allow a MIM If you do not configure this policy setting, MIME sniffing will never promote a file of one type to a more dangerous file type. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -15119,28 +15131,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      @@ -15165,12 +15183,6 @@ If you enable this policy setting, you can choose which page to display when the If you disable or do not configure this policy setting, users can select their preference for this behavior. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -15204,28 +15216,34 @@ Supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -15252,12 +15270,6 @@ If you disable this policy setting, the Notification bar will not be displayed f If you do not configure this policy setting, the Notification bar will be displayed for Internet Explorer Processes. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -15277,28 +15289,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -15323,12 +15341,6 @@ If you enable this policy setting, the user is not prompted to turn on Windows D If you disable or do not configure this policy setting, the user is prompted to decide whether to turn on Windows Defender SmartScreen during the first-run experience. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -15348,28 +15360,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -15394,12 +15412,6 @@ If you enable this policy setting, ActiveX controls cannot be installed on a per If you disable or do not configure this policy setting, ActiveX controls can be installed on a per-user basis. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -15419,28 +15431,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -15467,12 +15485,6 @@ If you disable this policy setting, no zone receives such protection for Interne If you do not configure this policy setting, any zone can be protected from zone elevation by Internet Explorer processes. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -15492,28 +15504,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -15540,12 +15558,6 @@ If you disable or don't configure this policy setting, users will see the "Run t For more information, see "Outdated ActiveX Controls" in the Internet Explorer TechNet library. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -15565,28 +15577,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -15613,12 +15631,6 @@ If you disable this policy setting, prompting for ActiveX control installations If you do not configure this policy setting, the user's preference will be used to determine whether to block ActiveX control installations for Internet Explorer processes. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -15638,28 +15650,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -15686,12 +15704,6 @@ If you disable this policy setting, prompting will occur for file downloads that If you do not configure this policy setting, the user's preference determines whether to prompt for file downloads that are not user initiated for Internet Explorer processes. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -15711,28 +15723,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -15759,12 +15777,6 @@ If you disable this policy setting, users cannot load a page in the zone that us If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -15784,28 +15796,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -15832,12 +15850,6 @@ If you disable this policy setting, script code on pages in the zone is prevente If you do not configure this policy setting, script code on pages in the zone is prevented from running. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -15857,28 +15869,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -15905,12 +15923,6 @@ If you disable this policy setting, ActiveX control installations will be blocke If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -15930,28 +15942,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -15976,12 +15994,6 @@ If you enable this setting, users will receive a file download dialog for automa If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -16001,28 +16013,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -16049,12 +16067,6 @@ If you disable this policy setting, binary and script behaviors are not availabl If you do not configure this policy setting, binary and script behaviors are not available unless applications have implemented a custom security manager. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -16074,28 +16086,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -16124,12 +16142,6 @@ If you disable this policy setting, a script cannot perform a clipboard operatio If you do not configure this policy setting, a script cannot perform a clipboard operation. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -16149,28 +16161,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -16197,12 +16215,6 @@ If you disable this policy setting, users are prevented from dragging files or c If you do not configure this policy setting, users are queried to choose whether to drag or copy files from this zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -16222,28 +16234,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -16270,12 +16288,6 @@ If you disable this policy setting, files are prevented from being downloaded fr If you do not configure this policy setting, files are prevented from being downloaded from the zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -16295,28 +16307,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -16343,12 +16361,6 @@ If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, users are queried whether to allow HTML fonts to download. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -16368,28 +16380,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -16416,12 +16434,6 @@ If you disable this policy setting, the possibly harmful navigations are prevent If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -16441,28 +16453,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -16489,12 +16507,6 @@ If you disable this policy setting, XAML files are not loaded inside Internet Ex If you do not configure this policy setting, the user can decide whether to load XAML files inside Internet Explorer. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -16514,28 +16526,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -16562,12 +16580,6 @@ If you disable this policy setting, a user's browser that loads a page containin If you do not configure this policy setting, a user's browser that loads a page containing an active Meta Refresh setting cannot be redirected to another Web page. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -16587,28 +16599,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -16635,12 +16653,6 @@ If you disable this policy setting, Internet Explorer will not execute unsigned If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -16660,28 +16672,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -16706,12 +16724,6 @@ If you enable this policy setting, the user is prompted before ActiveX controls If you disable this policy setting, the user does not see the per-site ActiveX prompt, and ActiveX controls can run from all sites in this zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -16731,28 +16743,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -16777,12 +16795,6 @@ If you enable this policy setting, the TDC ActiveX control will not run from web If you disable this policy setting, the TDC Active X control will run from all sites in this zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -16802,28 +16814,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -16850,12 +16868,6 @@ If you disable this policy setting, the possible harmful actions contained in sc If you do not configure this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -16875,28 +16887,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -16923,12 +16941,6 @@ If you disable this policy setting, script access to the WebBrowser control is n If you do not configure this policy setting, the user can enable or disable script access to the WebBrowser control. By default, script access to the WebBrowser control is allowed only in the Local Machine and Intranet zones. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -16948,28 +16960,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -16996,12 +17014,6 @@ If you disable this policy setting, the user cannot run scriptlets. If you do not configure this policy setting, the user can enable or disable scriptlets. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -17021,28 +17033,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -17071,12 +17089,6 @@ If you do not configure this policy setting, the user can choose whether Windows Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -17096,28 +17108,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -17142,12 +17160,6 @@ If you enable this policy setting, script is allowed to update the status bar. If you disable or do not configure this policy setting, script is not allowed to update the status bar. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -17167,28 +17179,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -17215,12 +17233,6 @@ If you disable this policy setting, users cannot preserve information in the bro If you do not configure this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -17240,28 +17252,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -17290,12 +17308,6 @@ If you selected Disable in the drop-down box, VBScript is prevented from running If you do not configure or disable this policy setting, VBScript is prevented from running. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -17315,28 +17327,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -17363,12 +17381,6 @@ If you disable this policy setting, Internet Explorer always checks with your an If you don't configure this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -17388,28 +17400,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -17436,12 +17454,6 @@ If you disable the policy setting, signed controls cannot be downloaded. If you do not configure this policy setting, signed controls cannot be downloaded. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -17461,28 +17473,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -17509,12 +17527,6 @@ If you disable this policy setting, users cannot run unsigned controls. If you do not configure this policy setting, users cannot run unsigned controls. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -17534,28 +17546,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -17580,12 +17598,6 @@ If you enable this policy setting, the XSS Filter is turned on for sites in this If you disable this policy setting, the XSS Filter is turned off for sites in this zone, and Internet Explorer permits cross-site script injections. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -17605,28 +17617,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -17655,12 +17673,6 @@ In Internet Explorer 10, if you disable this policy setting or do not configure In Internet Explorer 9 and earlier versions, if you disable this policy or do not configure it, users can drag content from one domain to a different domain when the source and destination are in different windows. Users cannot change this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -17680,28 +17692,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -17730,12 +17748,6 @@ In Internet Explorer 10, if you disable this policy setting or do not configure In Internet Explorer 9 and earlier versions, if you disable this policy setting or do not configure it, users can drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change this setting in the Internet Options dialog. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -17755,28 +17767,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -17803,12 +17821,6 @@ If you disable this policy setting, the actions that may be harmful cannot run; If you do not configure this policy setting, the actions that may be harmful cannot run; this Internet Explorer security feature will be turned on in this zone, as dictated by the feature control setting for the process. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -17828,28 +17840,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -17876,12 +17894,6 @@ If you disable this policy setting, path information is removed when the user is If you do not configure this policy setting, the user can choose whether path information is sent when he or she is uploading a file via an HTML form. By default, path information is sent. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -17901,28 +17913,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -17951,12 +17969,6 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -17976,28 +17988,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -18030,12 +18048,6 @@ If you disable this policy setting, Java applets cannot run. If you do not configure this policy setting, Java applets are disabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -18055,28 +18067,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -18103,12 +18121,6 @@ If you disable this policy setting, users are prevented from running application If you do not configure this policy setting, users are prevented from running applications and downloading files from IFRAMEs on the pages in this zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -18128,28 +18140,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -18184,12 +18202,6 @@ If you disable this policy setting, logon is set to Automatic logon only in Intr If you do not configure this policy setting, logon is set to Prompt for username and password. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -18209,28 +18221,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -18257,12 +18275,6 @@ If you disable this policy setting, users cannot open other windows and frames f If you do not configure this policy setting, users cannot open other windows and frames from different domains or access applications from different domains. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -18282,28 +18294,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -18332,12 +18350,6 @@ If you disable this policy setting, controls and plug-ins are prevented from run If you do not configure this policy setting, controls and plug-ins are prevented from running. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -18357,28 +18369,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -18405,12 +18423,6 @@ If you disable this policy setting, Internet Explorer will not execute signed ma If you do not configure this policy setting, Internet Explorer will not execute signed managed components. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -18430,28 +18442,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -18480,12 +18498,6 @@ If you disable this policy setting, script interaction is prevented from occurri If you do not configure this policy setting, script interaction is prevented from occurring. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -18505,28 +18517,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -18555,12 +18573,6 @@ If you disable this policy setting, scripts are prevented from accessing applets If you do not configure this policy setting, scripts are prevented from accessing applets. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -18580,28 +18592,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -18628,12 +18646,6 @@ If you disable this policy setting, these files do not open. If you do not configure this policy setting, the user can configure how the computer handles these files. By default, these files are blocked in the Restricted zone, enabled in the Intranet and Local Computer zones, and set to prompt in the Internet and Trusted zones. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -18653,28 +18665,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -18701,12 +18719,6 @@ If you disable this policy setting, Protected Mode is turned off. The user canno If you do not configure this policy setting, the user can turn on or turn off Protected Mode. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -18726,28 +18738,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -18774,12 +18792,6 @@ If you disable this policy setting, pop-up windows are not prevented from appear If you do not configure this policy setting, most unwanted pop-up windows are prevented from appearing. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -18799,28 +18811,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -18847,12 +18865,6 @@ If you disable this policy setting, scripts can continue to create popup windows If you do not configure this policy setting, popup windows and other restrictions apply for File Explorer and Internet Explorer processes. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -18872,28 +18884,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -18918,12 +18936,6 @@ If you enable this policy setting, the user cannot configure the list of search If you disable or do not configure this policy setting, the user can configure his or her list of search providers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -18943,28 +18955,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -18992,12 +19010,6 @@ This policy is intended to ensure that security zone settings apply uniformly to Also, see the "Security zones: Do not allow users to change policies" policy. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -19017,28 +19029,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark7YesYes
      Businesscheck mark7YesYes
      Enterprisecheck mark7YesYes
      Educationcheck mark7YesYes
      @@ -19066,12 +19084,6 @@ If you disable, or not configure this setting, then it opens all sites based on > If you have also enabled the [InternetExplorer/SendIntranetTraffictoInternetExplorer](#internetexplorer-policies) policy setting, then all intranet sites will continue to open in Internet Explorer 11. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -19111,28 +19123,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -19157,12 +19175,6 @@ If you enable this policy setting, ActiveX controls are installed only if the Ac If you disable or do not configure this policy setting, ActiveX controls, including per-user controls, are installed through the standard installation process. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -19182,28 +19194,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -19230,12 +19248,6 @@ If you disable this policy setting, users cannot load a page in the zone that us If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -19255,28 +19267,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -19303,12 +19321,6 @@ If you disable this policy setting, ActiveX control installations will be blocke If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -19328,28 +19340,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -19374,12 +19392,6 @@ If you enable this setting, users will receive a file download dialog for automa If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -19399,28 +19411,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -19447,12 +19465,6 @@ If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, HTML fonts can be downloaded automatically. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -19472,28 +19484,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -19520,12 +19538,6 @@ If you disable this policy setting, the possibly harmful navigations are prevent If you do not configure this policy setting, a warning is issued to the user that potentially risky navigation is about to occur. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -19545,28 +19557,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -19593,12 +19611,6 @@ If you disable this policy setting, Internet Explorer will not execute unsigned If you do not configure this policy setting, Internet Explorer will execute unsigned managed components. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -19618,28 +19630,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -19666,12 +19684,6 @@ If you disable this policy setting, the user cannot run scriptlets. If you do not configure this policy setting, the user can enable or disable scriptlets. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -19691,28 +19703,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -19741,12 +19759,6 @@ If you do not configure this policy setting, the user can choose whether Windows Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -19766,28 +19778,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -19814,12 +19832,6 @@ If you disable this policy setting, users cannot preserve information in the bro If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -19839,28 +19851,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -19887,12 +19905,6 @@ If you disable this policy setting, Internet Explorer always checks with your an If you don't configure this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -19912,28 +19924,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -19962,12 +19980,6 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar If you do not configure this policy setting, users are queried whether to allow the control to be loaded with parameters or scripted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -19987,28 +19999,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -20041,12 +20059,6 @@ If you disable this policy setting, Java applets cannot run. If you do not configure this policy setting, the permission is set to Low Safety. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -20066,28 +20078,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -20114,12 +20132,6 @@ If you disable this policy setting, users cannot open windows and frames to acce If you do not configure this policy setting, users can open windows and frames from other domains and access applications from other domains. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -20132,15 +20144,4 @@ ADMX Info:
      -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. - \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-kerberos.md b/windows/client-management/mdm/policy-csp-kerberos.md index 863153876a..d51018a42a 100644 --- a/windows/client-management/mdm/policy-csp-kerberos.md +++ b/windows/client-management/mdm/policy-csp-kerberos.md @@ -44,6 +44,13 @@ manager: dansimp
      +> [!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +
      @@ -104,12 +111,6 @@ If you enable this policy setting, the Kerberos client searches the forests in t If you disable or do not configure this policy setting, the Kerberos client does not search the listed forests to resolve the SPN. If the Kerberos client is unable to resolve the SPN because the name is not found, NTLM authentication might be used. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -179,12 +180,6 @@ If you enable this policy setting, the client computers will request claims, pro If you disable or do not configure this policy setting, the client devices will not request claims, provide information required to create compounded authentication and armor Kerberos messages. Services hosted on the device will not be able to retrieve claims for clients using Kerberos protocol transition. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -263,12 +258,6 @@ If you disable or do not configure this policy, each algorithm will assume the * More information about the hash and checksum algorithms supported by the Windows Kerberos client and their default states can be found https://go.microsoft.com/fwlink/?linkid=2169037. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -344,12 +333,6 @@ If you enable this policy setting, the client computers in the domain enforce th If you disable or do not configure this policy setting, the client computers in the domain enforce the use of Kerberos armoring when possible as supported by the target domain. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -420,12 +403,6 @@ If you enable this policy setting, the Kerberos client requires that the KDC's X If you disable or do not configure this policy setting, the Kerberos client requires only that the KDC certificate contain the Server Authentication purpose object identifier in the EKU extensions which can be issued to any server. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -501,12 +478,6 @@ If you disable or do not configure this policy setting, the Kerberos client or s > This policy setting configures the existing MaxTokenSize registry value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, which was added in Windows XP and Windows Server 2003, with a default value of 12,000 bytes. Beginning with Windows 8 the default is 48,000 bytes. Due to HTTP's base64 encoding of authentication context tokens, it is not advised to set this value more than 48,000 bytes. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -587,16 +558,5 @@ Devices joined to Azure Active Directory in a hybrid environment need to interac
      -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. - diff --git a/windows/client-management/mdm/policy-csp-kioskbrowser.md b/windows/client-management/mdm/policy-csp-kioskbrowser.md index b7c4328ba0..76dcd8f06b 100644 --- a/windows/client-management/mdm/policy-csp-kioskbrowser.md +++ b/windows/client-management/mdm/policy-csp-kioskbrowser.md @@ -57,28 +57,34 @@ These policies currently only apply to Kiosk Browser app. Kiosk Browser is a Mic - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark4YesYes
      Businesscheck mark4YesYes
      Enterprisecheck mark4YesYes
      Educationcheck mark4YesYes
      @@ -95,7 +101,7 @@ These policies currently only apply to Kiosk Browser app. Kiosk Browser is a Mic -Added in Windows 10, version 1803. List of exceptions to the blocked website URLs (with wildcard support). This is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs. +List of exceptions to the blocked website URLs (with wildcard support). This is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs. > [!NOTE] > This policy only applies to the Kiosk Browser app in Microsoft Store. @@ -111,28 +117,34 @@ Added in Windows 10, version 1803. List of exceptions to the blocked website URL - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark4YesYes
      Businesscheck mark4YesYes
      Enterprisecheck mark4YesYes
      Educationcheck mark4YesYes
      @@ -149,7 +161,7 @@ Added in Windows 10, version 1803. List of exceptions to the blocked website URL -Added in Windows 10, version 1803. List of blocked website URLs (with wildcard support). This is used to configure blocked URLs kiosk browsers cannot navigate to. +List of blocked website URLs (with wildcard support). This is used to configure blocked URLs kiosk browsers cannot navigate to. > [!NOTE] > This policy only applies to the Kiosk Browser app in Microsoft Store. @@ -165,28 +177,34 @@ Added in Windows 10, version 1803. List of blocked website URLs (with wildcard s - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark4YesYes
      Businesscheck mark4YesYes
      Enterprisecheck mark4YesYes
      Educationcheck mark4YesYes
      @@ -203,7 +221,7 @@ Added in Windows 10, version 1803. List of blocked website URLs (with wildcard s -Added in Windows 10, version 1803. Configures the default URL kiosk browsers to navigate on launch and restart. +Configures the default URL kiosk browsers to navigate on launch and restart. > [!NOTE] > This policy only applies to the Kiosk Browser app in Microsoft Store. @@ -219,28 +237,34 @@ Added in Windows 10, version 1803. Configures the default URL kiosk browsers to - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark4YesYes
      Businesscheck mark4YesYes
      Enterprisecheck mark4YesYes
      Educationcheck mark4YesYes
      @@ -270,28 +294,34 @@ Shows the Kiosk Browser's end session button. When the policy is enabled, the Ki - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark4YesYes
      Businesscheck mark4YesYes
      Enterprisecheck mark4YesYes
      Educationcheck mark4YesYes
      @@ -308,7 +338,7 @@ Shows the Kiosk Browser's end session button. When the policy is enabled, the Ki -Added in Windows 10, version 1803. Enable/disable kiosk browser's home button. +Enable/disable kiosk browser's home button. > [!NOTE] > This policy only applies to the Kiosk Browser app in Microsoft Store. @@ -324,28 +354,34 @@ Added in Windows 10, version 1803. Enable/disable kiosk browser's home button. - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark4YesYes
      Businesscheck mark4YesYes
      Enterprisecheck mark4YesYes
      Educationcheck mark4YesYes
      @@ -362,7 +398,7 @@ Added in Windows 10, version 1803. Enable/disable kiosk browser's home button. -Added in Windows 10, version 1803. Enable/disable kiosk browser's navigation buttons (forward/back). +Enable/disable kiosk browser's navigation buttons (forward/back). > [!NOTE] > This policy only applies to the Kiosk Browser app in Microsoft Store. @@ -378,28 +414,34 @@ Added in Windows 10, version 1803. Enable/disable kiosk browser's navigation but - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark4YesYes
      Businesscheck mark4YesYes
      Enterprisecheck mark4YesYes
      Educationcheck mark4YesYes
      @@ -416,7 +458,7 @@ Added in Windows 10, version 1803. Enable/disable kiosk browser's navigation but -Added in Windows 10, version 1803. Amount of time in minutes the session is idle until the kiosk browser restarts in a fresh state. +Amount of time in minutes the session is idle until the kiosk browser restarts in a fresh state. The value is an int 1-1440 that specifies the amount of minutes the session is idle until the kiosk browser restarts in a fresh state. The default value is empty which means there is no idle timeout within the kiosk browser. @@ -427,15 +469,4 @@ The value is an int 1-1440 that specifies the amount of minutes the session is i
      -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. - \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-lanmanworkstation.md b/windows/client-management/mdm/policy-csp-lanmanworkstation.md index f7c4cf4015..fd3a136e36 100644 --- a/windows/client-management/mdm/policy-csp-lanmanworkstation.md +++ b/windows/client-management/mdm/policy-csp-lanmanworkstation.md @@ -36,28 +36,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark4YesYes
      Businesscheck mark4YesYes
      Enterprisecheck mark4YesYes
      Educationcheck mark4YesYes
      @@ -74,7 +80,7 @@ manager: dansimp -Added in Windows 10, version 1803. This policy setting determines if the SMB client will allow insecure guest logons to an SMB server. +This policy setting determines if the SMB client will allow insecure guest logons to an SMB server. If you enable this policy setting or if you do not configure this policy setting, the SMB client will allow insecure guest logons. @@ -98,16 +104,5 @@ This setting supports a range of values between 0 and 1.
      -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. - diff --git a/windows/client-management/mdm/policy-csp-licensing.md b/windows/client-management/mdm/policy-csp-licensing.md index 3bc05c7260..518cd8ad84 100644 --- a/windows/client-management/mdm/policy-csp-licensing.md +++ b/windows/client-management/mdm/policy-csp-licensing.md @@ -39,28 +39,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark1YesYes
      Businesscheck mark1YesYes
      Enterprisecheck mark1YesYes
      Educationcheck mark1YesYes
      @@ -77,7 +83,7 @@ manager: dansimp -Added in Windows 10, version 1607. Enables or Disable Windows license reactivation on managed devices. +Enables or Disable Windows license reactivation on managed devices. @@ -105,28 +111,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark1YesYes
      Businesscheck mark1YesYes
      Enterprisecheck mark1YesYes
      Educationcheck mark1YesYes
      @@ -143,7 +155,7 @@ The following list shows the supported values: -Added in Windows 10, version 1607. Enabling this setting prevents this computer from sending data to Microsoft regarding its activation state. +Enabling this setting prevents this computer from sending data to Microsoft regarding its activation state. @@ -164,16 +176,6 @@ The following list shows the supported values:
      -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md index 1c0cdcacb8..c14e27b61c 100644 --- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md +++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md @@ -5,16 +5,15 @@ ms.author: dansimp ms.topic: article ms.prod: w10 ms.technology: windows -author: manikadhiman +author: dansimp ms.localizationpriority: medium -ms.date: 05/02/2021 +ms.date: 09/29/2021 ms.reviewer: manager: dansimp --- # Policy CSP - LocalPoliciesSecurityOptions -
      @@ -164,11 +163,10 @@ manager: dansimp
      -
      > [!NOTE] -> To find data formats (and other policy-related details), see [Policy DDF file](./policy-ddf-file.md). +> To find data formats (and other policy-related details), see [Policy DDF file](./policy-ddf-file.md). **LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts** @@ -304,9 +302,8 @@ This security setting determines whether local accounts that are not password pr Default: Enabled. -Warning: - -Computers that are not in physically secure locations should always enforce strong password policies for all local user accounts. Otherwise, anyone with physical access to the computer can log on by using a user account that does not have a password. This is especially important for portable computers. +> [!WARNING] +> Computers that are not in physically secure locations should always enforce strong password policies for all local user accounts. Otherwise, anyone with physical access to the computer can log on by using a user account that does not have a password. This is especially important for portable computers. If you apply this security policy to the Everyone group, no one will be able to log on through Remote Desktop Services. This setting does not affect logons that use domain accounts. @@ -524,9 +521,8 @@ Devices: Allow undock without having to log on. This security setting determines whether a portable computer can be undocked without having to log on. If this policy is enabled, logon is not required and an external hardware eject button can be used to undock the computer. If disabled, a user must log on and have the Remove computer from docking station privilege to undock the computer. Default: Enabled. -Caution: - -Disabling this policy may tempt users to try and physically remove the laptop from its docking station using methods other than the external hardware eject button. Since this may cause damage to the hardware, this setting, in general, should only be disabled on laptop configurations that are physically securable. +> [!CAUTION] +> Disabling this policy may tempt users to try and physically remove the laptop from its docking station using methods other than the external hardware eject button. Since this may cause damage to the hardware, this setting, in general, should only be disabled on laptop configurations that are physically securable. @@ -666,7 +662,7 @@ For a computer to print to a shared printer, the driver for that shared printer Default on servers: Enabled. Default on workstations: Disabled ->[!Note] +>[!NOTE] >This setting does not affect the ability to add a local printer. This setting does not affect Administrators. @@ -1413,14 +1409,14 @@ If this setting is enabled, the Microsoft network client will not communicate wi Default: Disabled. ->[!Note] ->All Windows operating systems support both a client-side SMB component and a server-side SMB component.Enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: ->- Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. ->- Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. ->- Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. ->- Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. +> [!Note] +> All Windows operating systems support both a client-side SMB component and a server-side SMB component.Enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: +> - Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. +> - Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. +> - Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. +> - Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. > ->SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. For more information, reference: [Reduced performance after SMB Encryption or SMB Signing is enabled - Windows Server | Microsoft Docs](/troubleshoot/windows-server/networking/reduced-performance-after-smb-encryption-signing). +> SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. For more information, reference: [Reduced performance after SMB Encryption or SMB Signing is enabled - Windows Server | Microsoft Docs](/troubleshoot/windows-server/networking/reduced-performance-after-smb-encryption-signing). @@ -1493,16 +1489,16 @@ If this setting is enabled, the Microsoft network client will ask the server to Default: Enabled. ->[!Note] ->All Windows operating systems support both a client-side SMB component and a server-side SMB component. Enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: ->- Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. ->- Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. ->- Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. ->- Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. ->If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. +> [!Note] +> All Windows operating systems support both a client-side SMB component and a server-side SMB component. Enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: +> - Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. +> - Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. +> - Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. +> - Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. +> If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. > ->SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. -For more information, reference: [Reduced performance after SMB Encryption or SMB Signing is enabled - Windows Server | Microsoft Docs](/troubleshoot/windows-server/networking/reduced-performance-after-smb-encryption-signing). +> SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. +> For more information, reference: [Reduced performance after SMB Encryption or SMB Signing is enabled - Windows Server | Microsoft Docs](/troubleshoot/windows-server/networking/reduced-performance-after-smb-encryption-signing). @@ -1728,16 +1724,16 @@ If this setting is enabled, the Microsoft network server will not communicate wi Default: Disabled for member servers. Enabled for domain controllers. ->[!Note] ->All Windows operating systems support both a client-side SMB component and a server-side SMB component. Enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: ->- Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. ->- Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. ->- Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. ->- Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. +> [!NOTE] +> All Windows operating systems support both a client-side SMB component and a server-side SMB component. Enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: +> - Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. +> - Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. +> - Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. +> - Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. > ->Similarly, if client-side SMB signing is required, that client will not be able to establish a session with servers that do not have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers. ->If server-side SMB signing is enabled, SMB packet signing will be negotiated with clients that have client-side SMB signing enabled. ->SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. For more information, reference: [Reduced performance after SMB Encryption or SMB Signing is enabled - Windows Server | Microsoft Docs](/troubleshoot/windows-server/networking/reduced-performance-after-smb-encryption-signing). +> Similarly, if client-side SMB signing is required, that client will not be able to establish a session with servers that do not have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers. +> If server-side SMB signing is enabled, SMB packet signing will be negotiated with clients that have client-side SMB signing enabled. +> SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. For more information, reference: [Reduced performance after SMB Encryption or SMB Signing is enabled - Windows Server | Microsoft Docs](/troubleshoot/windows-server/networking/reduced-performance-after-smb-encryption-signing). @@ -1810,15 +1806,15 @@ If this setting is enabled, the Microsoft network server will negotiate SMB pack Default: Enabled on domain controllers only. ->[!Note] +> [!NOTE] > All Windows operating systems support both a client-side SMB component and a server-side SMB component. Enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: ->- Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. ->- Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. ->- Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. ->- Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. ->If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. +> - Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. +> - Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. +> - Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. +> - Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. +> If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. > ->SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. +> SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. For more information, reference: [Reduced performance after SMB Encryption or SMB Signing is enabled - Windows Server | Microsoft Docs](/troubleshoot/windows-server/networking/reduced-performance-after-smb-encryption-signing). @@ -1896,8 +1892,8 @@ Disabled: No additional restrictions. Rely on default permissions. Default on workstations: Enabled. Default on server:Enabled. ->[!Important] ->This policy has no impact on domain controllers. +> [!IMPORTANT] +> This policy has no impact on domain controllers. @@ -3189,8 +3185,9 @@ This policy setting controls the behavior of the elevation prompt for administra The options are: - 0 - Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. - > [!NOTE] - > Use this option only in the most constrained environments. + + > [!NOTE] + > Use this option only in the most constrained environments. - 1 - Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege. @@ -3565,8 +3562,10 @@ This policy setting controls the behavior of all User Account Control (UAC) poli The options are: - 0 - Disabled: Admin Approval Mode and all related UAC policy settings are disabled. - > [!NOTE] - > If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced. + + > [!NOTE] + > If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced. + - 1 - Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode. @@ -3798,15 +3797,5 @@ The following list shows the supported values:
      -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-localusersandgroups.md b/windows/client-management/mdm/policy-csp-localusersandgroups.md index 5f21ba8658..523f62fb82 100644 --- a/windows/client-management/mdm/policy-csp-localusersandgroups.md +++ b/windows/client-management/mdm/policy-csp-localusersandgroups.md @@ -34,28 +34,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark9YesYes
      Businesscheck mark9YesYes
      Enterprisecheck mark9YesYes
      Educationcheck mark9YesYes
      @@ -72,7 +78,7 @@ manager: dansimp -Available in Windows 10, version 20H2. This policy setting allows IT admins to add, remove, or replace members of local groups on a managed device. +This policy setting allows IT admins to add, remove, or replace members of local groups on a managed device. > [!NOTE] > The [RestrictedGroups/ConfigureGroupMembership](./policy-csp-restrictedgroups.md#restrictedgroups-configuregroupmembership) policy setting also allows you to configure members (users or AAD groups) to a Windows 10 local group. However, it allows only for a full replace of the existing groups with the new members and does not allow selective add or remove. @@ -313,8 +319,5 @@ To troubleshoot Name/SID lookup APIs: ``` -Footnotes: - -Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-lockdown.md b/windows/client-management/mdm/policy-csp-lockdown.md index 774ac1a21f..3300c86079 100644 --- a/windows/client-management/mdm/policy-csp-lockdown.md +++ b/windows/client-management/mdm/policy-csp-lockdown.md @@ -15,7 +15,6 @@ manager: dansimp # Policy CSP - LockDown -
      @@ -36,28 +35,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark1YesYes
      Businesscheck mark1YesYes
      Enterprisecheck mark1YesYes
      Educationcheck mark1YesYes
      @@ -74,7 +79,7 @@ manager: dansimp -Added in Windows 10, version 1607. Allows the user to invoke any system user interface by swiping in from any screen edge using touch. +Allows the user to invoke any system user interface by swiping in from any screen edge using touch. The easiest way to verify the policy is to restart the explorer process or to reboot after the policy is applied. And then try to swipe from the right edge of the screen. The desired result is for Action Center to not be invoked by the swipe. You can also enter tablet mode and attempt to swipe from the top of the screen to rearrange. That will also be disabled. @@ -97,16 +102,5 @@ The following list shows the supported values:
      -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. - diff --git a/windows/client-management/mdm/policy-csp-maps.md b/windows/client-management/mdm/policy-csp-maps.md index ce0ddd9868..5804cac072 100644 --- a/windows/client-management/mdm/policy-csp-maps.md +++ b/windows/client-management/mdm/policy-csp-maps.md @@ -39,28 +39,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark1YesYes
      Businesscheck mark1YesYes
      Enterprisecheck mark1YesYes
      Educationcheck mark1YesYes
      @@ -77,7 +83,7 @@ manager: dansimp -Added in Windows 10, version 1607. Allows the download and update of map data over metered connections. +Allows the download and update of map data over metered connections. After the policy is applied, you can verify the settings in the user interface in **System** > **Offline Maps**. @@ -100,28 +106,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark1YesYes
      Businesscheck mark1YesYes
      Enterprisecheck mark1YesYes
      Educationcheck mark1YesYes
      @@ -138,7 +150,7 @@ The following list shows the supported values: -Added in Windows 10, version 1607. Disables the automatic download and update of map data. +Disables the automatic download and update of map data. After the policy is applied, you can verify the settings in the user interface in **System** > **Offline Maps**. @@ -162,16 +174,5 @@ The following list shows the supported values:
      -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. - diff --git a/windows/client-management/mdm/policy-csp-messaging.md b/windows/client-management/mdm/policy-csp-messaging.md index 8b8b95188e..76a0d00b63 100644 --- a/windows/client-management/mdm/policy-csp-messaging.md +++ b/windows/client-management/mdm/policy-csp-messaging.md @@ -36,28 +36,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark1YesYes
      Businesscross markNoNo
      Enterprisecheck mark1YesYes
      Educationcheck mark1YesYes
      @@ -74,7 +80,7 @@ manager: dansimp -Added in Windows 10, version 1607. Enables text message back up and restore and Messaging Everywhere. This policy allows an organization to disable these features to avoid information being stored on servers outside of their control. +Enables text message back up and restore and Messaging Everywhere. This policy allows an organization to disable these features to avoid information being stored on servers outside of their control. @@ -96,16 +102,5 @@ The following list shows the supported values:
      -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. - diff --git a/windows/client-management/mdm/policy-csp-mixedreality.md b/windows/client-management/mdm/policy-csp-mixedreality.md index 7f7e8ae961..d08161c676 100644 --- a/windows/client-management/mdm/policy-csp-mixedreality.md +++ b/windows/client-management/mdm/policy-csp-mixedreality.md @@ -7,15 +7,12 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: manikadhiman -ms.date: 10/06/2020 +ms.date: 10/12/2021 ms.reviewer: manager: dansimp --- # Policy CSP - MixedReality -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. -
      @@ -26,6 +23,9 @@ manager: dansimp
      MixedReality/AADGroupMembershipCacheValidityInDays
      +
      + MixedReality/AutoLogonUser +
      MixedReality/BrightnessButtonDisabled
      @@ -53,28 +53,28 @@ manager: dansimp HoloLens (1st gen) Development Edition - cross mark + ❌ HoloLens (1st gen) Commercial Suite - cross mark + ❌ HoloLens 2 - check mark9 + ✔️ Steps to use this policy correctly: 1. Create a device configuration profile for kiosk targeting Azure AD groups and assign it to HoloLens device(s). -1. Create a custom OMA URI based device configuration that sets this policy value to desired number of days (> 0) and assign it to HoloLens device(s). +1. Create a custom OMA URI-based device configuration that sets this policy value to chosen number of days (> 0) and assign it to HoloLens devices. 1. The URI value should be entered in OMA-URI text box as ./Vendor/MSFT/Policy/Config/MixedReality/AADGroupMembershipCacheValidityInDays 1. The value can be between min / max allowed. 1. Enroll HoloLens devices and verify both configurations get applied to the device. 1. Let Azure AD user 1 sign-in when internet is available. Once the user signs-in and Azure AD group membership is confirmed successfully, cache will be created. 1. Now Azure AD user 1 can take HoloLens offline and use it for kiosk mode as long as policy value allows for X number of days. -1. Steps 4 and 5 can be repeated for any other Azure AD user N. The key point here is that any Azure AD user must sign-in to device using Internet at least once. Then we can determine that they are member of Azure AD group to which Kiosk configuration is targeted. +1. Steps 4 and 5 can be repeated for any other Azure AD user N. The key point is that any Azure AD user must sign in to device using Internet at least once. Then we can determine that they are member of Azure AD group to which Kiosk configuration is targeted. > [!NOTE] > Until step 4 is performed for a Azure AD user will experience failure behavior mentioned similar to “disconnected” environments. @@ -82,6 +82,50 @@ Steps to use this policy correctly:
      + +**MixedReality/AutoLogonUser** + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      HoloLens (1st gen) Development Edition
      HoloLens (1st gen) Commercial Suite
      HoloLens 2✔️
      + + +This new AutoLogonUser policy controls whether a user will be automatically logged on. Some customers want to set up devices that are tied to an identity but don't want any sign in experience. Imagine picking up a device and using remote assist immediately. Or have a benefit of being able to rapidly distribute HoloLens devices and enable their end users to speed up login. + +When the policy is set to a non-empty value, it specifies the email address of the auto log on user. The specified user must logon to the device at least once to enable autologon. + +The OMA-URI of new policy `./Device/Vendor/MSFT/Policy/Config/MixedReality/AutoLogonUser` + + +String value +- User with the same email address will have autologon enabled. + +On a device where this policy is configured, the user specified in the policy will need to log on at least once. Subsequent reboots of the device after the first logon will have the specified user automatically logged on. Only a single autologon user is supported. Once enabled, the automatically logged on user will not be able to log out manually. To log on as a different user, the policy must first be disabled. + +> [!NOTE] +> +> - Some events such as major OS updates may require the specified user to logon to the device again to resume auto-logon behavior. +> - Auto-logon is only supported for MSA and AAD users. + + +
      + [Scope](./policy-configuration-service-provider.md#policy-scope): @@ -117,15 +161,15 @@ Supported values are 0-60. The default value is 0 (day) and maximum value is 60 HoloLens (1st gen) Development Edition - cross mark + ❌ HoloLens (1st gen) Commercial Suite - cross mark + ❌ HoloLens 2 - check mark9 + ✔️ @@ -170,15 +214,15 @@ The following list shows the supported values: HoloLens (1st gen) Development Edition - cross mark + ❌ HoloLens (1st gen) Commercial Suite - cross mark + ❌ HoloLens 2 - check mark9 + ✔️ @@ -224,15 +268,15 @@ The following list shows the supported values: HoloLens (1st gen) Development Edition - cross mark + ❌ HoloLens (1st gen) Commercial Suite - cross mark + ❌ HoloLens 2 - check mark9 + ✔️ @@ -277,15 +321,15 @@ The following list shows the supported values: HoloLens (1st gen) Development Edition - cross mark + ❌ HoloLens (1st gen) Commercial Suite - cross mark + ❌ HoloLens 2 - check mark9 + ✔️ @@ -319,9 +363,4 @@ The following list shows the supported values:
      -Footnotes: - -- 9 - Available in Windows 10, version 20H2. - - diff --git a/windows/client-management/mdm/policy-csp-mssecurityguide.md b/windows/client-management/mdm/policy-csp-mssecurityguide.md index d464f4c063..0cbb8cd1b3 100644 --- a/windows/client-management/mdm/policy-csp-mssecurityguide.md +++ b/windows/client-management/mdm/policy-csp-mssecurityguide.md @@ -42,6 +42,12 @@ manager: dansimp
      +> [!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -51,28 +57,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -91,12 +103,6 @@ manager: dansimp -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -114,28 +120,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -154,12 +166,7 @@ ADMX Info: -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -177,28 +184,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -217,12 +230,7 @@ ADMX Info: -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -240,28 +248,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -280,12 +294,7 @@ ADMX Info: -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -303,28 +312,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -343,12 +358,6 @@ ADMX Info: -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -366,28 +375,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -406,12 +421,6 @@ ADMX Info: -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -422,16 +431,6 @@ ADMX Info:
      -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-msslegacy.md b/windows/client-management/mdm/policy-csp-msslegacy.md index d4a5030052..00d3582526 100644 --- a/windows/client-management/mdm/policy-csp-msslegacy.md +++ b/windows/client-management/mdm/policy-csp-msslegacy.md @@ -15,7 +15,6 @@ manager: dansimp # Policy CSP - MSSLegacy -
      @@ -36,6 +35,12 @@ manager: dansimp
      +> [!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -45,28 +50,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -85,12 +96,6 @@ manager: dansimp -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -108,28 +113,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -148,12 +159,7 @@ ADMX Info: -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -171,28 +177,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -211,12 +223,6 @@ ADMX Info: -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -234,28 +240,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -274,12 +286,6 @@ ADMX Info: -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -290,16 +296,7 @@ ADMX Info:
      -Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-multitasking.md b/windows/client-management/mdm/policy-csp-multitasking.md index 9c58b25ef3..1fd89a2f03 100644 --- a/windows/client-management/mdm/policy-csp-multitasking.md +++ b/windows/client-management/mdm/policy-csp-multitasking.md @@ -14,9 +14,6 @@ manager: dansimp # Policy CSP - Multitasking -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. -
      @@ -37,28 +34,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark9YesYes
      Businesscheck mark9YesYes
      Enterprisecheck mark9YesYes
      Educationcheck mark9YesYes
      @@ -115,17 +118,5 @@ The following list shows the supported values:
      -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. -- 9 - Available in Windows 10, version 20H2. - diff --git a/windows/client-management/mdm/policy-csp-networkisolation.md b/windows/client-management/mdm/policy-csp-networkisolation.md index 8646c8830d..922e55784c 100644 --- a/windows/client-management/mdm/policy-csp-networkisolation.md +++ b/windows/client-management/mdm/policy-csp-networkisolation.md @@ -57,28 +57,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -117,28 +123,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -190,28 +202,34 @@ fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -249,28 +267,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -309,28 +333,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -370,28 +400,34 @@ Here are the steps to create canonical domain names: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -430,28 +466,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -489,28 +531,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -542,15 +590,5 @@ ADMX Info:
      -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-networklistmanager.md b/windows/client-management/mdm/policy-csp-networklistmanager.md index 9bbe04d477..955af06501 100644 --- a/windows/client-management/mdm/policy-csp-networklistmanager.md +++ b/windows/client-management/mdm/policy-csp-networklistmanager.md @@ -38,28 +38,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markNoNo
      Businesscheck markNoNo
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -89,28 +95,34 @@ This policy setting provides the list of URLs (separated by Unicode character 0x - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markNoNo
      Businesscheck markNoNo
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      diff --git a/windows/client-management/mdm/policy-csp-notifications.md b/windows/client-management/mdm/policy-csp-notifications.md index b9cb69c43d..643ef3e681 100644 --- a/windows/client-management/mdm/policy-csp-notifications.md +++ b/windows/client-management/mdm/policy-csp-notifications.md @@ -42,28 +42,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark4YesYes
      Businesscheck mark4YesYes
      Enterprisecheck mark4YesYes
      Educationcheck mark4YesYes
      @@ -80,7 +86,7 @@ manager: dansimp -Added in Windows 10, version 1803. This policy setting blocks applications from using the network to send tile, badge, toast, and raw notifications. Specifically, this policy setting turns off the connection between Windows and the Windows Push Notification Service (WNS). This policy setting also stops applications from being able to use [periodic (polling) notifications](/windows/uwp/design/shell/tiles-and-notifications/periodic-notification-overview). +This policy setting blocks applications from using the network to send tile, badge, toast, and raw notifications. Specifically, this policy setting turns off the connection between Windows and the Windows Push Notification Service (WNS). This policy setting also stops applications from being able to use [periodic (polling) notifications](/windows/uwp/design/shell/tiles-and-notifications/periodic-notification-overview). If you enable this policy setting, applications and system features will not be able receive notifications from the network from WNS or via notification polling APIs. @@ -123,28 +129,34 @@ Validation: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark1YesYes
      Businesscheck mark1YesYes
      Enterprisecheck mark1YesYes
      Educationcheck mark1YesYes
      @@ -161,7 +173,7 @@ Validation: -Added in Windows 10, version 1607. Boolean value that turns off notification mirroring. +Boolean value that turns off notification mirroring. For each user logged into the device, if you enable this policy (set value to 1) the app and system notifications received by this user on this device will not get mirrored to other devices of the same logged in user. If you disable or do not configure this policy (set value to 0) the notifications received by this user on this device will be mirrored to other devices of the same logged in user. This feature can be turned off by apps that do not want to participate in Notification Mirroring. This feature can also be turned off by the user in the Cortana setting page. @@ -193,28 +205,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark4YesYes
      Businesscheck mark4YesYes
      Enterprisecheck mark4YesYes
      Educationcheck mark4YesYes
      @@ -231,7 +249,7 @@ The following list shows the supported values: -Added in Windows 10, version 1803. This policy setting turns off tile notifications. +This policy setting turns off tile notifications. If you enable this policy setting, applications and system features will not be able to update their tiles and tile badges in the Start screen. @@ -262,15 +280,5 @@ Validation:
      -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-power.md b/windows/client-management/mdm/policy-csp-power.md index c9c793a619..367d969417 100644 --- a/windows/client-management/mdm/policy-csp-power.md +++ b/windows/client-management/mdm/policy-csp-power.md @@ -90,6 +90,13 @@ manager: dansimp
      +> [!TIP] +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +
      @@ -99,28 +106,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -144,12 +157,6 @@ If you enable or do not configure this policy setting, Windows uses standby stat If you disable this policy setting, standby states (S1-S3) are not allowed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -169,28 +176,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -214,12 +227,6 @@ If you enable or do not configure this policy setting, Windows uses standby stat If you disable this policy setting, standby states (S1-S3) are not allowed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -239,28 +246,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark3YesYes
      Businesscheck mark3YesYes
      Enterprisecheck mark3YesYes
      Educationcheck mark3YesYes
      @@ -277,7 +290,7 @@ ADMX Info: -Added in Windows 10, version 1709. This policy setting allows you to specify the period of inactivity before Windows turns off the display. +This policy setting allows you to specify the period of inactivity before Windows turns off the display. If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the display. @@ -286,12 +299,6 @@ If you disable or do not configure this policy setting, users control this setti If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the display from turning off. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -311,28 +318,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark3YesYes
      Businesscheck mark3YesYes
      Enterprisecheck mark3YesYes
      Educationcheck mark3YesYes
      @@ -349,7 +362,7 @@ ADMX Info: -Added in Windows 10, version 1709. This policy setting allows you to specify the period of inactivity before Windows turns off the display. +This policy setting allows you to specify the period of inactivity before Windows turns off the display. If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the display. @@ -358,12 +371,6 @@ If you disable or do not configure this policy setting, users control this setti If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the display from turning off. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -383,28 +390,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      @@ -422,7 +435,7 @@ ADMX Info: -Added in Windows 10, version 1903. This policy setting allows you to specify battery charge level at which Energy Saver is turned on. +This policy setting allows you to specify battery charge level at which Energy Saver is turned on. If you enable this policy setting, you must specify a percentage value that indicates the battery charge level. Energy Saver is automatically turned on at (and below) the specified battery charge level. @@ -457,28 +470,34 @@ Supported values: 0-100. The default is 70. - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      @@ -495,7 +514,7 @@ Supported values: 0-100. The default is 70. -Added in Windows 10, version 1903. This policy setting allows you to specify battery charge level at which Energy Saver is turned on. +This policy setting allows you to specify battery charge level at which Energy Saver is turned on. If you enable this policy setting, you must provide a percentage value that indicates the battery charge level. Energy Saver is automatically turned on at (and below) the specified battery charge level. @@ -530,28 +549,34 @@ Supported values: 0-100. The default is 70. - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark3YesYes
      Businesscheck mark3YesYes
      Enterprisecheck mark3YesYes
      Educationcheck mark3YesYes
      @@ -568,7 +593,7 @@ Supported values: 0-100. The default is 70. -Added in Windows 10, version 1709. This policy setting allows you to specify the period of inactivity before Windows transitions the system to hibernate. +This policy setting allows you to specify the period of inactivity before Windows transitions the system to hibernate. If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to hibernate. @@ -577,12 +602,6 @@ If you disable or do not configure this policy setting, users control this setti If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occurring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -602,28 +621,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark3YesYes
      Businesscheck mark3YesYes
      Enterprisecheck mark3YesYes
      Educationcheck mark3YesYes
      @@ -640,7 +665,7 @@ ADMX Info: -Added in Windows 10, version 1709. This policy setting allows you to specify the period of inactivity before Windows transitions the system to hibernate. +This policy setting allows you to specify the period of inactivity before Windows transitions the system to hibernate. If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to hibernate. @@ -649,12 +674,7 @@ If you disable or do not configure this policy setting, users control this setti If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occurring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -674,28 +694,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -719,12 +745,6 @@ If you enable or do not configure this policy setting, the user is prompted for If you disable this policy setting, the user is not prompted for a password when the system resumes from sleep. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -744,28 +764,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -789,12 +815,6 @@ If you enable or do not configure this policy setting, the user is prompted for If you disable this policy setting, the user is not prompted for a password when the system resumes from sleep. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -814,28 +834,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      @@ -852,7 +878,7 @@ ADMX Info: -Added in Windows 10, version 1903. This policy setting specifies the action that Windows takes when a user closes the lid on a mobile PC. +This policy setting specifies the action that Windows takes when a user closes the lid on a mobile PC. If you enable this policy setting, you must select the desired action. @@ -893,28 +919,34 @@ The following are the supported lid close switch actions (on battery): - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      @@ -931,7 +963,7 @@ The following are the supported lid close switch actions (on battery): -Added in Windows 10, version 1903. This policy setting specifies the action that Windows takes when a user closes the lid on a mobile PC. +This policy setting specifies the action that Windows takes when a user closes the lid on a mobile PC. If you enable this policy setting, you must select the desired action. @@ -972,28 +1004,34 @@ The following are the supported lid close switch actions (plugged in): - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      @@ -1010,7 +1048,7 @@ The following are the supported lid close switch actions (plugged in): -Added in Windows 10, version 1903. This policy setting specifies the action that Windows takes when a user presses the Power button. +This policy setting specifies the action that Windows takes when a user presses the Power button. If you enable this policy setting, you must select the desired action. @@ -1051,28 +1089,34 @@ The following are the supported Power button actions (on battery): - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      @@ -1089,7 +1133,7 @@ The following are the supported Power button actions (on battery): -Added in Windows 10, version 1903. This policy setting specifies the action that Windows takes when a user presses the Power button. +This policy setting specifies the action that Windows takes when a user presses the Power button. If you enable this policy setting, you must select the desired action. @@ -1130,28 +1174,34 @@ The following are the supported Power button actions (plugged in): - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      @@ -1168,7 +1218,7 @@ The following are the supported Power button actions (plugged in): -Added in Windows 10, version 1903. This policy setting specifies the action that Windows takes when a user presses the Sleep button. +This policy setting specifies the action that Windows takes when a user presses the Sleep button. If you enable this policy setting, you must select the desired action. @@ -1209,28 +1259,34 @@ The following are the supported Sleep button actions (on battery): - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      @@ -1247,7 +1303,7 @@ The following are the supported Sleep button actions (on battery): -Added in Windows 10, version 1903. This policy setting specifies the action that Windows takes when a user presses the Sleep button. +This policy setting specifies the action that Windows takes when a user presses the Sleep button. If you enable this policy setting, you must select the desired action. @@ -1288,28 +1344,34 @@ The following are the supported Sleep button actions (plugged in): - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark3YesYes
      Businesscheck mark3YesYes
      Enterprisecheck mark3YesYes
      Educationcheck mark3YesYes
      @@ -1326,7 +1388,7 @@ The following are the supported Sleep button actions (plugged in): -Added in Windows 10, version 1709. This policy setting allows you to specify the period of inactivity before Windows transitions the system to sleep. +This policy setting allows you to specify the period of inactivity before Windows transitions the system to sleep. If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to sleep. @@ -1335,12 +1397,6 @@ If you disable or do not configure this policy setting, users control this setti If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occurring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1360,28 +1416,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark3YesYes
      Businesscheck mark3YesYes
      Enterprisecheck mark3YesYes
      Educationcheck mark3YesYes
      @@ -1398,7 +1460,7 @@ ADMX Info: -Added in Windows 10, version 1709. This policy setting allows you to specify the period of inactivity before Windows transitions the system to sleep. +This policy setting allows you to specify the period of inactivity before Windows transitions the system to sleep. If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to sleep. @@ -1407,12 +1469,6 @@ If you disable or do not configure this policy setting, users control this setti If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occurring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1432,28 +1488,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      @@ -1470,7 +1532,7 @@ ADMX Info: -Added in Windows 10, version 1903. This policy setting allows you to turn off hybrid sleep. +This policy setting allows you to turn off hybrid sleep. If you set this policy setting to 0, a hiberfile is not generated when the system transitions to sleep (Stand By). @@ -1508,28 +1570,34 @@ The following are the supported values for Hybrid sleep (on battery): - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      @@ -1546,7 +1614,7 @@ The following are the supported values for Hybrid sleep (on battery): -Added in Windows 10, version 1903. This policy setting allows you to turn off hybrid sleep. +This policy setting allows you to turn off hybrid sleep. If you set this policy setting to 0, a hiberfile is not generated when the system transitions to sleep (Stand By). @@ -1584,28 +1652,34 @@ The following are the supported values for Hybrid sleep (plugged in): - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      @@ -1622,7 +1696,7 @@ The following are the supported values for Hybrid sleep (plugged in): -Added in Windows 10, version 1903. This policy setting allows you to specify the period of inactivity before Windows transitions to sleep automatically when a user is not present at the computer. +This policy setting allows you to specify the period of inactivity before Windows transitions to sleep automatically when a user is not present at the computer. If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows automatically transitions to sleep when left unattended. If you specify 0 seconds, Windows does not automatically transition to sleep. @@ -1660,28 +1734,34 @@ Default value for unattended sleep timeout (on battery): - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      @@ -1698,7 +1778,7 @@ Default value for unattended sleep timeout (on battery): -Added in Windows 10, version 1903. This policy setting allows you to specify the period of inactivity before Windows transitions to sleep automatically when a user is not present at the computer. +This policy setting allows you to specify the period of inactivity before Windows transitions to sleep automatically when a user is not present at the computer. If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows automatically transitions to sleep when left unattended. If you specify 0 seconds, Windows does not automatically transition to sleep. @@ -1729,17 +1809,6 @@ Default value for unattended sleep timeout (plugged in):
      -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. -- 9 - Available in Windows 10, version 20H2. diff --git a/windows/client-management/mdm/policy-csp-printers.md b/windows/client-management/mdm/policy-csp-printers.md index 90268db913..3902457217 100644 --- a/windows/client-management/mdm/policy-csp-printers.md +++ b/windows/client-management/mdm/policy-csp-printers.md @@ -33,6 +33,12 @@ manager: dansimp
      +> [!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -42,28 +48,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -83,29 +95,34 @@ manager: dansimp This policy setting controls the client Point and Print behavior, including the security prompts for Windows Vista computers. The policy setting applies only to non-Print Administrator clients, and only to computers that are members of a domain. If you enable this policy setting: --Windows XP and later clients will only download print driver components from a list of explicitly named servers. If a compatible print driver is available on the client, a printer connection will be made. If a compatible print driver is not available on the client, no connection will be made. --You can configure Windows Vista clients so that security warnings and elevated command prompts do not appear when users Point and Print, or when printer connection drivers need to be updated. + +- Windows XP and later clients will only download print driver components from a list of explicitly named servers. If a compatible print driver is available on the client, a printer connection will be made. If a compatible print driver is not available on the client, no connection will be made. + +- You can configure Windows Vista clients so that security warnings and elevated command prompts do not appear when users Point and Print, or when printer connection drivers need to be updated. If you do not configure this policy setting: --Windows Vista client computers can point and print to any server. --Windows Vista computers will show a warning and an elevated command prompt when users create a printer connection to any server using Point and Print. --Windows Vista computers will show a warning and an elevated command prompt when an existing printer connection driver needs to be updated. --Windows Server 2003 and Windows XP client computers can create a printer connection to any server in their forest using Point and Print. + +- Windows Vista client computers can point and print to any server. + +- Windows Vista computers will show a warning and an elevated command prompt when users create a printer connection to any server using Point and Print. + +- Windows Vista computers will show a warning and an elevated command prompt when an existing printer connection driver needs to be updated. + +- Windows Server 2003 and Windows XP client computers can create a printer connection to any server in their forest using Point and Print. If you disable this policy setting: --Windows Vista client computers can create a printer connection to any server using Point and Print. --Windows Vista computers will not show a warning or an elevated command prompt when users create a printer connection to any server using Point and Print. --Windows Vista computers will not show a warning or an elevated command prompt when an existing printer connection driver needs to be updated. --Windows Server 2003 and Windows XP client computers can create a printer connection to any server using Point and Print. --The "Users can only point and print to computers in their forest" setting applies only to Windows Server 2003 and Windows XP SP1 (and later service packs). + +- Windows Vista client computers can create a printer connection to any server using Point and Print. + +- Windows Vista computers will not show a warning or an elevated command prompt when users create a printer connection to any server using Point and Print. + +- Windows Vista computers will not show a warning or an elevated command prompt when an existing printer connection driver needs to be updated. + +- Windows Server 2003 and Windows XP client computers can create a printer connection to any server using Point and Print. + +- The "Users can only point and print to computers in their forest" setting applies only to Windows Server 2003 and Windows XP SP1 (and later service packs). -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -116,8 +133,9 @@ ADMX Info: -Example -``` +Example: + +```xml Name: Point and Print Enable Oma-URI: ./Device/Vendor/MSFT/Policy/Config/Printers/PointAndPrintRestrictions Data type: String Value: @@ -137,28 +155,34 @@ Data type: String Value: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -178,30 +202,34 @@ Data type: String Value: This policy setting controls the client Point and Print behavior, including the security prompts for Windows Vista computers. The policy setting applies only to non-Print Administrator clients, and only to computers that are members of a domain. If you enable this policy setting: --Windows XP and later clients will only download print driver components from a list of explicitly named servers. If a compatible print driver is available on the client, a printer connection will be made. If a compatible print driver is not available on the client, no connection will be made. --You can configure Windows Vista clients so that security warnings and elevated command prompts do not appear when users Point and Print, or when printer connection drivers need to be updated. + +- Windows XP and later clients will only download print driver components from a list of explicitly named servers. If a compatible print driver is available on the client, a printer connection will be made. If a compatible print driver is not available on the client, no connection will be made. + +- You can configure Windows Vista clients so that security warnings and elevated command prompts do not appear when users Point and Print, or when printer connection drivers need to be updated. If you do not configure this policy setting: --Windows Vista client computers can point and print to any server. --Windows Vista computers will show a warning and an elevated command prompt when users create a printer connection to any server using Point and Print. --Windows Vista computers will show a warning and an elevated command prompt when an existing printer connection driver needs to be updated. --Windows Server 2003 and Windows XP client computers can create a printer connection to any server in their forest using Point and Print. + +- Windows Vista client computers can point and print to any server. + +- Windows Vista computers will show a warning and an elevated command prompt when users create a printer connection to any server using Point and Print. + +- Windows Vista computers will show a warning and an elevated command prompt when an existing printer connection driver needs to be updated. + +- Windows Server 2003 and Windows XP client computers can create a printer connection to any server in their forest using Point and Print. If you disable this policy setting: --Windows Vista client computers can create a printer connection to any server using Point and Print. --Windows Vista computers will not show a warning or an elevated command prompt when users create a printer connection to any server using Point and Print. --Windows Vista computers will not show a warning or an elevated command prompt when an existing printer connection driver needs to be updated. --Windows Server 2003 and Windows XP client computers can create a printer connection to any server using Point and Print. --The "Users can only point and print to computers in their forest" setting applies only to Windows Server 2003 and Windows XP SP1 (and later service packs). + +- Windows Vista client computers can create a printer connection to any server using Point and Print. + +- Windows Vista computers will not show a warning or an elevated command prompt when users create a printer connection to any server using Point and Print. + +- Windows Vista computers will not show a warning or an elevated command prompt when an existing printer connection driver needs to be updated. + +- Windows Server 2003 and Windows XP client computers can create a printer connection to any server using Point and Print. + +- The "Users can only point and print to computers in their forest" setting applies only to Windows Server 2003 and Windows XP SP1 (and later service packs). -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - ADMX Info: - GP Friendly name: *Point and Print Restrictions* @@ -220,28 +248,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -267,12 +301,6 @@ If you disable this setting, this computer's shared printers cannot be published Note: This settings takes priority over the setting "Automatically publish new printers in the Active Directory". -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -285,16 +313,5 @@ ADMX Info:
      -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. - diff --git a/windows/client-management/mdm/policy-csp-privacy.md b/windows/client-management/mdm/policy-csp-privacy.md index 681623a2d3..2bd04dd32e 100644 --- a/windows/client-management/mdm/policy-csp-privacy.md +++ b/windows/client-management/mdm/policy-csp-privacy.md @@ -303,28 +303,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark3YesYes
      Procheck mark3YesYes
      Businesscheck mark3YesYes
      Enterprisecheck mark3YesYes
      Educationcheck mark3YesYes
      @@ -367,28 +373,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark5YesYes
      Procheck mark5YesYes
      Businesscheck mark5YesYes
      Enterprisecheck mark5YesYes
      Educationcheck mark5YesYes
      @@ -405,7 +417,7 @@ The following list shows the supported values: -Added in Windows 10, version 1809. Specifies whether clipboard items roam across devices. When this is allowed, an item copied to the clipboard is uploaded to the cloud so that other devices can access. Also, when this is allowed, a new clipboard item on the cloud is downloaded to a device so that user can paste on the device. +Specifies whether clipboard items roam across devices. When this is allowed, an item copied to the clipboard is uploaded to the cloud so that other devices can access. Also, when this is allowed, a new clipboard item on the cloud is downloaded to a device so that user can paste on the device. Most restricted value is 0. @@ -435,28 +447,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck markYesYes
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -503,28 +521,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark1YesYes
      Procheck mark1YesYes
      Businesscheck mark1YesYes
      Enterprisecheck mark1YesYes
      Educationcheck mark1YesYes
      @@ -541,7 +565,7 @@ The following list shows the supported values: -Added in Windows 10, version 1607. Enables or disables the Advertising ID. +Enables or disables the Advertising ID. Most restricted value is 0. @@ -572,28 +596,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark5YesYes
      Procheck mark5YesYes
      Businesscheck mark5YesYes
      Enterprisecheck mark5YesYes
      Educationcheck mark5YesYes
      @@ -647,28 +677,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark3YesYes
      Procheck mark3YesYes
      Businesscheck mark3YesYes
      Enterprisecheck mark3YesYes
      Educationcheck mark3YesYes
      @@ -685,7 +721,7 @@ ADMX Info: -Added in Windows 10, version 1709. Allows IT Admins to allow Apps/OS to publish to the activity feed. +Allows IT Admins to allow Apps/OS to publish to the activity feed. @@ -713,28 +749,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark1YesYes
      Procheck mark1YesYes
      Businesscheck mark1YesYes
      Enterprisecheck mark1YesYes
      Educationcheck mark1YesYes
      @@ -751,7 +793,7 @@ The following list shows the supported values: -Added in Windows 10, version 1607. Specifies whether Windows apps can access account information. +Specifies whether Windows apps can access account information. Most restricted value is 2. @@ -784,28 +826,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark1YesYes
      Procheck mark1YesYes
      Businesscheck mark1YesYes
      Enterprisecheck mark1YesYes
      Educationcheck mark1YesYes
      @@ -822,7 +870,7 @@ The following list shows the supported values: -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. +List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. @@ -844,28 +892,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark1YesYes
      Procheck mark1YesYes
      Businesscheck mark1YesYes
      Enterprisecheck mark1YesYes
      Educationcheck mark1YesYes
      @@ -882,7 +936,7 @@ ADMX Info: -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. +List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. @@ -904,28 +958,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark1YesYes
      Procheck mark1YesYes
      Businesscheck mark1YesYes
      Enterprisecheck mark1YesYes
      Educationcheck mark1YesYes
      @@ -942,7 +1002,7 @@ ADMX Info: -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the account information privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. +List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the account information privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. @@ -964,28 +1024,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecross markNoNo
      Educationcross markNoNo
      @@ -1001,8 +1067,7 @@ ADMX Info:
      - -Added in Windows 10, version 1903. + > [!NOTE] > Currently, this policy is supported only in HoloLens 2. @@ -1038,28 +1103,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecross markNoNo
      Educationcross markNoNo
      @@ -1076,7 +1147,6 @@ The following list shows the supported values: -Added in Windows 10, version 1903. > [!NOTE] > Currently, this policy is supported only in HoloLens 2. @@ -1107,28 +1177,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecross markNoNo
      Educationcross markNoNo
      @@ -1145,7 +1221,6 @@ ADMX Info: -Added in Windows 10, version 1903. > [!NOTE] > Currently, this policy is supported only in HoloLens 2. @@ -1176,28 +1251,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscross markNoNo
      Enterprisecross markNoNo
      Educationcross markNoNo
      @@ -1213,8 +1294,7 @@ ADMX Info:
      - -Added in Windows 10, version 1903. + > [!NOTE] > Currently, this policy is supported only in HoloLens 2. @@ -1246,28 +1326,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark1YesYes
      Procheck mark1YesYes
      Businesscheck mark1YesYes
      Enterprisecheck mark1YesYes
      Educationcheck mark1YesYes
      @@ -1284,7 +1370,7 @@ ADMX Info: -Added in Windows 10, version 1607. Specifies whether Windows apps can access the calendar. +Specifies whether Windows apps can access the calendar. Most restricted value is 2. @@ -1317,28 +1403,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark1YesYes
      Procheck mark1YesYes
      Businesscheck mark1YesYes
      Enterprisecheck mark1YesYes
      Educationcheck mark1YesYes
      @@ -1355,7 +1447,7 @@ The following list shows the supported values: -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. +List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. @@ -1377,28 +1469,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark1YesYes
      Procheck mark1YesYes
      Businesscheck mark1YesYes
      Enterprisecheck mark1YesYes
      Educationcheck mark1YesYes
      @@ -1415,7 +1513,7 @@ ADMX Info: -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. +List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. @@ -1437,28 +1535,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark1YesYes
      Procheck mark1YesYes
      Businesscheck mark1YesYes
      Enterprisecheck mark1YesYes
      Educationcheck mark1YesYes
      @@ -1475,7 +1579,7 @@ ADMX Info: -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the calendar privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. +List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the calendar privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. @@ -1497,28 +1601,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark1YesYes
      Procheck mark1YesYes
      Businesscheck mark1YesYes
      Enterprisecheck mark1YesYes
      Educationcheck mark1YesYes
      @@ -1535,7 +1645,7 @@ ADMX Info: -Added in Windows 10, version 1607. Specifies whether Windows apps can access call history. +Specifies whether Windows apps can access call history. Most restricted value is 2. @@ -1568,28 +1678,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark1YesYes
      Procheck mark1YesYes
      Businesscheck mark1YesYes
      Enterprisecheck mark1YesYes
      Educationcheck mark1YesYes
      @@ -1606,7 +1722,7 @@ The following list shows the supported values: -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. +List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. @@ -1628,28 +1744,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark1YesYes
      Procheck mark1YesYes
      Businesscheck mark1YesYes
      Enterprisecheck mark1YesYes
      Educationcheck mark1YesYes
      @@ -1666,7 +1788,7 @@ ADMX Info: -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. +List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. @@ -1688,28 +1810,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark1YesYes
      Procheck mark1YesYes
      Businesscheck mark1YesYes
      Enterprisecheck mark1YesYes
      Educationcheck mark1YesYes
      @@ -1726,7 +1854,7 @@ ADMX Info: -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the call history privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. +List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the call history privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. @@ -1748,28 +1876,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark1YesYes
      Procheck mark1YesYes
      Businesscheck mark1YesYes
      Enterprisecheck mark1YesYes
      Educationcheck mark1YesYes
      @@ -1786,7 +1920,7 @@ ADMX Info: -Added in Windows 10, version 1607. Specifies whether Windows apps can access the camera. +Specifies whether Windows apps can access the camera. Most restricted value is 2. @@ -1819,28 +1953,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark1YesYes
      Procheck mark1YesYes
      Businesscheck mark1YesYes
      Enterprisecheck mark1YesYes
      Educationcheck mark1YesYes
      @@ -1857,7 +1997,7 @@ The following list shows the supported values: -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. @@ -1879,28 +2019,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark1YesYes
      Procheck mark1YesYes
      Businesscheck mark1YesYes
      Enterprisecheck mark1YesYes
      Educationcheck mark1YesYes
      @@ -1917,7 +2063,7 @@ ADMX Info: -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. @@ -1939,28 +2085,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark1YesYes
      Procheck mark1YesYes
      Businesscheck mark1YesYes
      Enterprisecheck mark1YesYes
      Educationcheck mark1YesYes
      @@ -1977,7 +2129,7 @@ ADMX Info: -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the camera privacy setting for the listed apps. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the camera privacy setting for the listed apps. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. @@ -1999,28 +2151,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark1YesYes
      Procheck mark1YesYes
      Businesscheck mark1YesYes
      Enterprisecheck mark1YesYes
      Educationcheck mark1YesYes
      @@ -2037,7 +2195,7 @@ ADMX Info: -Added in Windows 10, version 1607. Specifies whether Windows apps can access contacts. +Specifies whether Windows apps can access contacts. Most restricted value is 2. @@ -2070,28 +2228,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark1YesYes
      Procheck mark1YesYes
      Businesscheck mark1YesYes
      Enterprisecheck mark1YesYes
      Educationcheck mark1YesYes
      @@ -2108,7 +2272,7 @@ The following list shows the supported values: -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. @@ -2130,28 +2294,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark1YesYes
      Procheck mark1YesYes
      Businesscheck mark1YesYes
      Enterprisecheck mark1YesYes
      Educationcheck mark1YesYes
      @@ -2168,7 +2338,7 @@ ADMX Info: -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. @@ -2190,28 +2360,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark1YesYes
      Procheck mark1YesYes
      Businesscheck mark1YesYes
      Enterprisecheck mark1YesYes
      Educationcheck mark1YesYes
      @@ -2228,7 +2404,7 @@ ADMX Info: -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the contacts privacy setting for the listed apps. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the contacts privacy setting for the listed apps. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. @@ -2250,28 +2426,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark1YesYes
      Procheck mark1YesYes
      Businesscheck mark1YesYes
      Enterprisecheck mark1YesYes
      Educationcheck mark1YesYes
      @@ -2288,7 +2470,7 @@ ADMX Info: -Added in Windows 10, version 1607. Specifies whether Windows apps can access email. +Specifies whether Windows apps can access email. Most restricted value is 2. @@ -2321,28 +2503,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark1YesYes
      Procheck mark1YesYes
      Businesscheck mark1YesYes
      Enterprisecheck mark1YesYes
      Educationcheck mark1YesYes
      @@ -2359,7 +2547,7 @@ The following list shows the supported values: -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. @@ -2381,28 +2569,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark1YesYes
      Procheck mark1YesYes
      Businesscheck mark1YesYes
      Enterprisecheck mark1YesYes
      Educationcheck mark1YesYes
      @@ -2419,7 +2613,7 @@ ADMX Info: -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. @@ -2441,28 +2635,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark1YesYes
      Procheck mark1YesYes
      Businesscheck mark1YesYes
      Enterprisecheck mark1YesYes
      Educationcheck mark1YesYes
      @@ -2479,7 +2679,7 @@ ADMX Info: -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the email privacy setting for the listed apps. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the email privacy setting for the listed apps. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. @@ -2501,28 +2701,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark5YesYes
      Procheck mark5YesYes
      Businesscheck mark5YesYes
      Enterprisecheck mark5YesYes
      Educationcheck mark5YesYes
      @@ -2552,28 +2758,34 @@ This policy setting specifies whether Windows apps can access the eye tracker. - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark5YesYes
      Procheck mark5YesYes
      Businesscheck mark5YesYes
      Enterprisecheck mark5YesYes
      Educationcheck mark5YesYes
      @@ -2603,28 +2815,34 @@ List of semi-colon delimited Package Family Names of Windows Store Apps. Listed - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark5YesYes
      Procheck mark5YesYes
      Businesscheck mark5YesYes
      Enterprisecheck mark5YesYes
      Educationcheck mark5YesYes
      @@ -2654,28 +2872,34 @@ List of semi-colon delimited Package Family Names of Windows Store Apps. Listed - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark5YesYes
      Procheck mark5YesYes
      Businesscheck mark5YesYes
      Enterprisecheck mark5YesYes
      Educationcheck mark5YesYes
      @@ -2705,28 +2929,34 @@ List of semi-colon delimited Package Family Names of Windows Store Apps. The use - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark1YesYes
      Procheck mark1YesYes
      Businesscheck mark1YesYes
      Enterprisecheck mark1YesYes
      Educationcheck mark1YesYes
      @@ -2743,7 +2973,7 @@ List of semi-colon delimited Package Family Names of Windows Store Apps. The use -Added in Windows 10, version 1607. Specifies whether Windows apps can access location. +Specifies whether Windows apps can access location. Most restricted value is 2. @@ -2776,28 +3006,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark1YesYes
      Procheck mark1YesYes
      Businesscheck mark1YesYes
      Enterprisecheck mark1YesYes
      Educationcheck mark1YesYes
      @@ -2814,7 +3050,7 @@ The following list shows the supported values: -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. @@ -2836,28 +3072,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark1YesYes
      Procheck mark1YesYes
      Businesscheck mark1YesYes
      Enterprisecheck mark1YesYes
      Educationcheck mark1YesYes
      @@ -2874,7 +3116,7 @@ ADMX Info: -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. @@ -2896,28 +3138,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark1YesYes
      Procheck mark1YesYes
      Businesscheck mark1YesYes
      Enterprisecheck mark1YesYes
      Educationcheck mark1YesYes
      @@ -2934,7 +3182,7 @@ ADMX Info: -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the location privacy setting for the listed apps. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the location privacy setting for the listed apps. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. @@ -2956,28 +3204,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark1YesYes
      Procheck mark1YesYes
      Businesscheck mark1YesYes
      Enterprisecheck mark1YesYes
      Educationcheck mark1YesYes
      @@ -2994,7 +3248,7 @@ ADMX Info: -Added in Windows 10, version 1607. Specifies whether Windows apps can read or send messages (text or MMS). +Specifies whether Windows apps can read or send messages (text or MMS). Most restricted value is 2. @@ -3027,28 +3281,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark1YesYes
      Procheck mark1YesYes
      Businesscheck mark1YesYes
      Enterprisecheck mark1YesYes
      Educationcheck mark1YesYes
      @@ -3065,7 +3325,7 @@ The following list shows the supported values: -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. @@ -3087,28 +3347,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark1YesYes
      Procheck mark1YesYes
      Businesscheck mark1YesYes
      Enterprisecheck mark1YesYes
      Educationcheck mark1YesYes
      @@ -3125,7 +3391,7 @@ ADMX Info: -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are not allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are not allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. @@ -3147,28 +3413,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark1YesYes
      Procheck mark1YesYes
      Businesscheck mark1YesYes
      Enterprisecheck mark1YesYes
      Educationcheck mark1YesYes
      @@ -3185,7 +3457,7 @@ ADMX Info: -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the messaging privacy setting for the listed apps. This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the messaging privacy setting for the listed apps. This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. @@ -3207,28 +3479,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark1YesYes
      Procheck mark1YesYes
      Businesscheck mark1YesYes
      Enterprisecheck mark1YesYes
      Educationcheck mark1YesYes
      @@ -3245,7 +3523,7 @@ ADMX Info: -Added in Windows 10, version 1607. Specifies whether Windows apps can access the microphone. +Specifies whether Windows apps can access the microphone. Most restricted value is 2. @@ -3278,28 +3556,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark1YesYes
      Procheck mark1YesYes
      Businesscheck mark1YesYes
      Enterprisecheck mark1YesYes
      Educationcheck mark1YesYes
      @@ -3316,7 +3600,7 @@ The following list shows the supported values: -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. @@ -3338,28 +3622,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark1YesYes
      Procheck mark1YesYes
      Businesscheck mark1YesYes
      Enterprisecheck mark1YesYes
      Educationcheck mark1YesYes
      @@ -3376,7 +3666,7 @@ ADMX Info: -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. @@ -3398,28 +3688,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark1YesYes
      Procheck mark1YesYes
      Businesscheck mark1YesYes
      Enterprisecheck mark1YesYes
      Educationcheck mark1YesYes
      @@ -3436,7 +3732,7 @@ ADMX Info: -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the microphone privacy setting for the listed apps. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the microphone privacy setting for the listed apps. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. @@ -3458,28 +3754,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark1YesYes
      Procheck mark1YesYes
      Businesscheck mark1YesYes
      Enterprisecheck mark1YesYes
      Educationcheck mark1YesYes
      @@ -3496,7 +3798,7 @@ ADMX Info: -Added in Windows 10, version 1607. Specifies whether Windows apps can access motion data. +Specifies whether Windows apps can access motion data. Most restricted value is 2. @@ -3529,28 +3831,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark1YesYes
      Procheck mark1YesYes
      Businesscheck mark1YesYes
      Enterprisecheck mark1YesYes
      Educationcheck mark1YesYes
      @@ -3567,7 +3875,7 @@ The following list shows the supported values: -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. @@ -3589,28 +3897,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark1YesYes
      Procheck mark1YesYes
      Businesscheck mark1YesYes
      Enterprisecheck mark1YesYes
      Educationcheck mark1YesYes
      @@ -3627,7 +3941,7 @@ ADMX Info: -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. @@ -3649,28 +3963,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark1YesYes
      Procheck mark1YesYes
      Businesscheck mark1YesYes
      Enterprisecheck mark1YesYes
      Educationcheck mark1YesYes
      @@ -3687,7 +4007,7 @@ ADMX Info: -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the motion privacy setting for the listed apps. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the motion privacy setting for the listed apps. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. @@ -3709,28 +4029,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark1YesYes
      Procheck mark1YesYes
      Businesscheck mark1YesYes
      Enterprisecheck mark1YesYes
      Educationcheck mark1YesYes
      @@ -3747,7 +4073,7 @@ ADMX Info: -Added in Windows 10, version 1607. Specifies whether Windows apps can access notifications. +Specifies whether Windows apps can access notifications. Most restricted value is 2. @@ -3780,28 +4106,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark1YesYes
      Procheck mark1YesYes
      Businesscheck mark1YesYes
      Enterprisecheck mark1YesYes
      Educationcheck mark1YesYes
      @@ -3818,7 +4150,7 @@ The following list shows the supported values: -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. @@ -3840,28 +4172,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark1YesYes
      Procheck mark1YesYes
      Businesscheck mark1YesYes
      Enterprisecheck mark1YesYes
      Educationcheck mark1YesYes
      @@ -3878,7 +4216,7 @@ ADMX Info: -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. @@ -3900,28 +4238,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark1YesYes
      Procheck mark1YesYes
      Businesscheck mark1YesYes
      Enterprisecheck mark1YesYes
      Educationcheck mark1YesYes
      @@ -3938,7 +4282,7 @@ ADMX Info: -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the notifications privacy setting for the listed apps. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the notifications privacy setting for the listed apps. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. @@ -3960,28 +4304,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark1YesYes
      Procheck mark1YesYes
      Businesscheck mark1YesYes
      Enterprisecheck mark1YesYes
      Educationcheck mark1YesYes
      @@ -3998,7 +4348,7 @@ ADMX Info: -Added in Windows 10, version 1607. Specifies whether Windows apps can make phone calls. +Specifies whether Windows apps can make phone calls. Most restricted value is 2. @@ -4031,28 +4381,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark1YesYes
      Procheck mark1YesYes
      Businesscheck mark1YesYes
      Enterprisecheck mark1YesYes
      Educationcheck mark1YesYes
      @@ -4069,7 +4425,7 @@ The following list shows the supported values: -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. @@ -4091,28 +4447,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark1YesYes
      Procheck mark1YesYes
      Businesscheck mark1YesYes
      Enterprisecheck mark1YesYes
      Educationcheck mark1YesYes
      @@ -4129,7 +4491,7 @@ ADMX Info: -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are not allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are not allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. @@ -4151,28 +4513,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark1YesYes
      Procheck mark1YesYes
      Businesscheck mark1YesYes
      Enterprisecheck mark1YesYes
      Educationcheck mark1YesYes
      @@ -4189,7 +4557,7 @@ ADMX Info: -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the phone call privacy setting for the listed apps. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the phone call privacy setting for the listed apps. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. @@ -4211,28 +4579,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark1YesYes
      Procheck mark1YesYes
      Businesscheck mark1YesYes
      Enterprisecheck mark1YesYes
      Educationcheck mark1YesYes
      @@ -4249,7 +4623,7 @@ ADMX Info: -Added in Windows 10, version 1607. Specifies whether Windows apps have access to control radios. +Specifies whether Windows apps have access to control radios. Most restricted value is 2. @@ -4282,28 +4656,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark1YesYes
      Procheck mark1YesYes
      Businesscheck mark1YesYes
      Enterprisecheck mark1YesYes
      Educationcheck mark1YesYes
      @@ -4320,7 +4700,7 @@ The following list shows the supported values: -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. @@ -4342,28 +4722,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark1YesYes
      Procheck mark1YesYes
      Businesscheck mark1YesYes
      Enterprisecheck mark1YesYes
      Educationcheck mark1YesYes
      @@ -4380,7 +4766,7 @@ ADMX Info: -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. @@ -4402,28 +4788,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark1YesYes
      Procheck mark1YesYes
      Businesscheck mark1YesYes
      Enterprisecheck mark1YesYes
      Educationcheck mark1YesYes
      @@ -4440,7 +4832,7 @@ ADMX Info: -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the radios privacy setting for the listed apps. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the radios privacy setting for the listed apps. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. @@ -4462,28 +4854,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark2YesYes
      Procheck mark2YesYes
      Businesscheck mark2YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      @@ -4500,7 +4898,7 @@ ADMX Info: -Added in Windows 10, version 1703. Specifies whether Windows apps can access tasks. +Specifies whether Windows apps can access tasks. @@ -4522,28 +4920,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark2YesYes
      Procheck mark2YesYes
      Businesscheck mark2YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      @@ -4560,7 +4964,7 @@ ADMX Info: -Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. @@ -4582,28 +4986,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark2YesYes
      Procheck mark2YesYes
      Businesscheck mark2YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      @@ -4620,7 +5030,7 @@ ADMX Info: -Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. @@ -4642,28 +5052,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark2YesYes
      Procheck mark2YesYes
      Businesscheck mark2YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      @@ -4680,7 +5096,7 @@ ADMX Info: -Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the tasks privacy setting for the listed apps. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the tasks privacy setting for the listed apps. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. @@ -4702,28 +5118,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark1YesYes
      Procheck mark1YesYes
      Businesscheck mark1YesYes
      Enterprisecheck mark1YesYes
      Educationcheck mark1YesYes
      @@ -4740,7 +5162,7 @@ ADMX Info: -Added in Windows 10, version 1607. Specifies whether Windows apps can access trusted devices. +Specifies whether Windows apps can access trusted devices. Most restricted value is 2. @@ -4773,28 +5195,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark1YesYes
      Procheck mark1YesYes
      Businesscheck mark1YesYes
      Enterprisecheck mark1YesYes
      Educationcheck mark1YesYes
      @@ -4811,7 +5239,7 @@ The following list shows the supported values: -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. @@ -4833,28 +5261,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark1YesYes
      Procheck mark1YesYes
      Businesscheck mark1YesYes
      Enterprisecheck mark1YesYes
      Educationcheck mark1YesYes
      @@ -4871,7 +5305,7 @@ ADMX Info: -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. @@ -4893,28 +5327,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark1YesYes
      Procheck mark1YesYes
      Businesscheck mark1YesYes
      Enterprisecheck mark1YesYes
      Educationcheck mark1YesYes
      @@ -4931,7 +5371,7 @@ ADMX Info: -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'trusted devices' privacy setting for the listed apps. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'trusted devices' privacy setting for the listed apps. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. @@ -4953,28 +5393,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark6YesYes
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      @@ -5021,28 +5467,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark6YesYes
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      @@ -5089,28 +5541,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark2YesYes
      Procheck mark2YesYes
      Businesscheck mark2YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      @@ -5127,7 +5585,7 @@ The following list shows the supported values: -Added in Windows 10, version 1703. Force allow, force deny or give user control of apps that can get diagnostic information about other running apps. +Force allow, force deny or give user control of apps that can get diagnostic information about other running apps. Most restricted value is 2. @@ -5160,28 +5618,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark2YesYes
      Procheck mark2YesYes
      Businesscheck mark2YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      @@ -5198,7 +5662,7 @@ The following list shows the supported values: -Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to diagnostic information about other running apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to diagnostic information about other running apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps. @@ -5220,28 +5684,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark2YesYes
      Procheck mark2YesYes
      Businesscheck mark2YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      @@ -5258,7 +5728,7 @@ ADMX Info: -Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to diagnostic information about other running apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to diagnostic information about other running apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps. @@ -5280,28 +5750,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark2YesYes
      Procheck mark2YesYes
      Businesscheck mark2YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      @@ -5318,7 +5794,7 @@ ADMX Info: -Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'get diagnostic info' privacy setting for the listed apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'get diagnostic info' privacy setting for the listed apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps. @@ -5340,28 +5816,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark2YesYes
      Procheck mark2YesYes
      Businesscheck mark2YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      @@ -5378,7 +5860,7 @@ ADMX Info: -Added in Windows 10, version 1703. Specifies whether Windows apps can run in the background. +Specifies whether Windows apps can run in the background. Most restricted value is 2. @@ -5413,28 +5895,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark2YesYes
      Procheck mark2YesYes
      Businesscheck mark2YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      @@ -5451,7 +5939,7 @@ The following list shows the supported values: -Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are able to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are able to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps. @@ -5473,28 +5961,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark2YesYes
      Procheck mark2YesYes
      Businesscheck mark2YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      @@ -5511,7 +6005,7 @@ ADMX Info: -Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied the ability to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied the ability to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps. @@ -5533,28 +6027,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark2YesYes
      Procheck mark2YesYes
      Businesscheck mark2YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      @@ -5571,7 +6071,7 @@ ADMX Info: -Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the background apps privacy setting for the listed apps. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the background apps privacy setting for the listed apps. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps. @@ -5593,28 +6093,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark1YesYes
      Procheck mark1YesYes
      Businesscheck mark1YesYes
      Enterprisecheck mark1YesYes
      Educationcheck mark1YesYes
      @@ -5631,7 +6137,7 @@ ADMX Info: -Added in Windows 10, version 1607. Specifies whether Windows apps can sync with devices. +Specifies whether Windows apps can sync with devices. Most restricted value is 2. @@ -5664,28 +6170,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark1YesYes
      Procheck mark1YesYes
      Businesscheck mark1YesYes
      Enterprisecheck mark1YesYes
      Educationcheck mark1YesYes
      @@ -5702,7 +6214,7 @@ The following list shows the supported values: -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. @@ -5724,28 +6236,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark1YesYes
      Procheck mark1YesYes
      Businesscheck mark1YesYes
      Enterprisecheck mark1YesYes
      Educationcheck mark1YesYes
      @@ -5762,7 +6280,7 @@ ADMX Info: -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. @@ -5784,28 +6302,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark1YesYes
      Procheck mark1YesYes
      Businesscheck mark1YesYes
      Enterprisecheck mark1YesYes
      Educationcheck mark1YesYes
      @@ -5822,7 +6346,7 @@ ADMX Info: -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'sync with devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'sync with devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. @@ -5844,28 +6368,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark3YesYes
      Procheck mark3YesYes
      Businesscheck mark3YesYes
      Enterprisecheck mark3YesYes
      Educationcheck mark3YesYes
      @@ -5882,7 +6412,7 @@ ADMX Info: -Added in Windows 10, version 1709. Allows It Admins to enable publishing of user activities to the activity feed. +Allows It Admins to enable publishing of user activities to the activity feed. @@ -5910,28 +6440,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark5YesYes
      Procheck mark5YesYes
      Businesscheck mark5YesYes
      Enterprisecheck mark5YesYes
      Educationcheck mark5YesYes
      @@ -5962,16 +6498,5 @@ ADMX Info:
      -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. - diff --git a/windows/client-management/mdm/policy-csp-remoteassistance.md b/windows/client-management/mdm/policy-csp-remoteassistance.md index a515e2b28f..ae89315829 100644 --- a/windows/client-management/mdm/policy-csp-remoteassistance.md +++ b/windows/client-management/mdm/policy-csp-remoteassistance.md @@ -14,8 +14,6 @@ manager: dansimp # Policy CSP - RemoteAssistance - -
      @@ -36,6 +34,12 @@ manager: dansimp
      +> [!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -45,28 +49,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -96,12 +106,6 @@ If you disable this policy setting, the user sees the default warning message. If you do not configure this policy setting, the user sees the default warning message. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -121,28 +125,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -168,12 +178,6 @@ If you disable this policy setting, log files are not generated. If you do not configure this setting, application-based settings are used. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -193,28 +197,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -248,12 +258,6 @@ The "Select the method for sending email invitations" setting specifies which em If you enable this policy setting you should also enable appropriate firewall exceptions to allow Remote Assistance communications. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -273,28 +277,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -351,12 +361,6 @@ Port 135:TCP Allow Remote Desktop Exception -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -369,16 +373,4 @@ ADMX Info:
      -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. - - diff --git a/windows/client-management/mdm/policy-csp-remotedesktopservices.md b/windows/client-management/mdm/policy-csp-remotedesktopservices.md index a33ad83d33..ca8fb82fd6 100644 --- a/windows/client-management/mdm/policy-csp-remotedesktopservices.md +++ b/windows/client-management/mdm/policy-csp-remotedesktopservices.md @@ -42,6 +42,12 @@ manager: dansimp
      +> [!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -51,28 +57,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -102,12 +114,6 @@ Note: You can limit which clients are able to connect remotely by using Remote D You can limit the number of users who can connect simultaneously by configuring the policy setting at Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Limit number of connections, or by configuring the policy setting Maximum Connections by using the Remote Desktop Session Host WMI Provider. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -127,28 +133,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -182,12 +194,6 @@ Important FIPS compliance can be configured through the System cryptography. Use FIPS compliant algorithms for encryption, hashing, and signing settings in Group Policy (under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.) The FIPS compliant setting encrypts and decrypts data sent from the client to the server and from the server to the client, with the Federal Information Processing Standard (FIPS) 140 encryption algorithms, by using Microsoft cryptographic modules. Use this encryption level when communications between clients and RD Session Host servers requires the highest level of encryption. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -207,28 +213,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -256,12 +268,6 @@ If you disable this policy setting, client drive redirection is always allowed. If you do not configure this policy setting, client drive redirection and Clipboard file copy redirection are not specified at the Group Policy level. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -281,28 +287,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -326,12 +338,6 @@ If you enable this setting the password saving checkbox in Remote Desktop Connec If you disable this setting or leave it not configured, the user will be able to save passwords using Remote Desktop Connection. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -351,28 +357,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -402,12 +414,6 @@ If you disable this policy setting, users can always log on to Remote Desktop Se If you do not configure this policy setting, automatic logon is not specified at the Group Policy level. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -427,28 +433,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -478,12 +490,6 @@ If the status is set to Not Configured, unsecured communication is allowed. Note: The RPC interface is used for administering and configuring Remote Desktop Services. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -496,16 +502,5 @@ ADMX Info:
      -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. - diff --git a/windows/client-management/mdm/policy-csp-remotemanagement.md b/windows/client-management/mdm/policy-csp-remotemanagement.md index fae950baec..9907ee6993 100644 --- a/windows/client-management/mdm/policy-csp-remotemanagement.md +++ b/windows/client-management/mdm/policy-csp-remotemanagement.md @@ -69,6 +69,12 @@ manager: dansimp
      +> [!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -78,28 +84,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -123,12 +135,6 @@ If you enable this policy setting, the WinRM client uses Basic authentication. I If you disable or do not configure this policy setting, the WinRM client does not use Basic authentication. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -148,28 +154,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -193,12 +205,6 @@ If you enable this policy setting, the WinRM service accepts Basic authenticatio If you disable or do not configure this policy setting, the WinRM service does not accept Basic authentication from a remote client. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -218,28 +224,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -263,12 +275,6 @@ If you enable this policy setting, the WinRM client uses CredSSP authentication. If you disable or do not configure this policy setting, the WinRM client does not use CredSSP authentication. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -288,28 +294,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -333,12 +345,6 @@ If you enable this policy setting, the WinRM service accepts CredSSP authenticat If you disable or do not configure this policy setting, the WinRM service does not accept CredSSP authentication from a remote client. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -358,28 +364,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -416,12 +428,6 @@ Example IPv4 filters:\n2.0.0.1-2.0.0.20, 24.0.0.1-24.0.0.22 Example IPv6 filters:\n3FFE:FFFF:7654:FEDA:1245:BA98:0000:0000-3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562 -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -441,28 +447,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -486,12 +498,6 @@ If you enable this policy setting, the WinRM client sends and receives unencrypt If you disable or do not configure this policy setting, the WinRM client sends or receives only encrypted messages over the network. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -511,28 +517,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -556,12 +568,6 @@ If you enable this policy setting, the WinRM client sends and receives unencrypt If you disable or do not configure this policy setting, the WinRM client sends or receives only encrypted messages over the network. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -581,28 +587,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -626,12 +638,6 @@ If you enable this policy setting, the WinRM client does not use Digest authenti If you disable or do not configure this policy setting, the WinRM client uses Digest authentication. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -651,28 +657,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -696,12 +708,6 @@ If you enable this policy setting, the WinRM client does not use Negotiate authe If you disable or do not configure this policy setting, the WinRM client uses Negotiate authentication. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -721,28 +727,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -766,12 +778,6 @@ If you enable this policy setting, the WinRM service does not accept Negotiate a If you disable or do not configure this policy setting, the WinRM service accepts Negotiate authentication from a remote client. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -791,28 +797,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -838,12 +850,6 @@ If you disable or do not configure this policy setting, the WinRM service will a If you enable and then disable this policy setting,any values that were previously configured for RunAsPassword will need to be reset. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -863,28 +869,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -914,12 +926,6 @@ If HardeningLevel is set to Relaxed (default value), any request containing an i If HardeningLevel is set to None, all requests are accepted (though they are not protected from credential-forwarding attacks). -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -939,28 +945,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -984,12 +996,6 @@ If you enable this policy setting, the WinRM client uses the list specified in T If you disable or do not configure this policy setting and the WinRM client needs to use the list of trusted hosts, you must configure the list of trusted hosts locally on each computer. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1009,28 +1015,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -1058,12 +1070,6 @@ When certain port 80 listeners are migrated to WinRM 2.0, the listener port numb A listener might be automatically created on port 80 to ensure backward compatibility. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1083,28 +1089,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -1132,12 +1144,6 @@ When certain port 443 listeners are migrated to WinRM 2.0, the listener port num A listener might be automatically created on port 443 to ensure backward compatibility. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1150,16 +1156,5 @@ ADMX Info:
      -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. - diff --git a/windows/client-management/mdm/policy-csp-remoteprocedurecall.md b/windows/client-management/mdm/policy-csp-remoteprocedurecall.md index 493027a454..97e1b5f232 100644 --- a/windows/client-management/mdm/policy-csp-remoteprocedurecall.md +++ b/windows/client-management/mdm/policy-csp-remoteprocedurecall.md @@ -15,7 +15,6 @@ manager: dansimp # Policy CSP - RemoteProcedureCall -
      @@ -30,6 +29,12 @@ manager: dansimp
      +> [!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -39,28 +44,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -88,12 +99,6 @@ If you do not configure this policy setting, it remains disabled. RPC clients w Note: This policy will not be applied until the system is rebooted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -113,28 +118,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -161,21 +172,16 @@ If you do not configure this policy setting, it remains disabled. The RPC serve If you enable this policy setting, it directs the RPC server runtime to restrict unauthenticated RPC clients connecting to RPC servers running on a machine. A client will be considered an authenticated client if it uses a named pipe to communicate with the server or if it uses RPC Security. RPC Interfaces that have specifically requested to be accessible by unauthenticated clients may be exempt from this restriction, depending on the selected value for this policy setting. --- "None" allows all RPC clients to connect to RPC Servers running on the machine on which the policy setting is applied. +- "None" allows all RPC clients to connect to RPC Servers running on the machine on which the policy setting is applied. --- "Authenticated" allows only authenticated RPC Clients (per the definition above) to connect to RPC Servers running on the machine on which the policy setting is applied. Exemptions are granted to interfaces that have requested them. +- "Authenticated" allows only authenticated RPC Clients (per the definition above) to connect to RPC Servers running on the machine on which the policy setting is applied. Exemptions are granted to interfaces that have requested them. --- "Authenticated without exceptions" allows only authenticated RPC Clients (per the definition above) to connect to RPC Servers running on the machine on which the policy setting is applied. No exceptions are allowed. +- "Authenticated without exceptions" allows only authenticated RPC Clients (per the definition above) to connect to RPC Servers running on the machine on which the policy setting is applied. No exceptions are allowed. -Note: This policy setting will not be applied until the system is rebooted. +> [!NOTE] +> This policy setting will not be applied until the system is rebooted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -188,16 +194,5 @@ ADMX Info:
      -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. - diff --git a/windows/client-management/mdm/policy-csp-remoteshell.md b/windows/client-management/mdm/policy-csp-remoteshell.md index ac6201611a..0b5ec4947a 100644 --- a/windows/client-management/mdm/policy-csp-remoteshell.md +++ b/windows/client-management/mdm/policy-csp-remoteshell.md @@ -15,7 +15,6 @@ manager: dansimp # Policy CSP - RemoteShell -
      @@ -45,6 +44,12 @@ manager: dansimp
      +> [!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
      @@ -54,28 +59,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -99,12 +110,6 @@ If you enable or do not configure this policy setting, new remote shell connecti If you set this policy to ‘disabled’, new remote shell connections are rejected by the server. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -124,28 +129,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -171,12 +182,6 @@ If you enable this policy setting, the new shell connections are rejected if the If you disable or do not configure this policy setting, the default number is five users. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -196,28 +201,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -243,12 +254,6 @@ If you enable this policy setting, the server will wait for the specified amount If you do not configure or disable this policy setting, the default value of 900000 or 15 min will be used. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -268,28 +273,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -315,12 +326,6 @@ If you enable this policy setting, the remote operation is terminated when a new If you disable or do not configure this policy setting, the value 150 is used by default. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -340,28 +345,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -385,12 +396,6 @@ If you enable this policy setting, you can specify any number from 0 to 0x7FFFFF If you disable or do not configure this policy setting, the limit is five processes per shell. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -410,28 +415,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -457,12 +468,6 @@ If you enable this policy setting, the user cannot open new remote shells if the If you disable or do not configure this policy setting, by default the limit is set to two remote shells per user. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -482,28 +487,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -523,12 +534,6 @@ ADMX Info: This policy setting is deprecated and has no effect when set to any state: Enabled, Disabled, or Not Configured. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -541,16 +546,5 @@ ADMX Info:
      -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. - diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md index 6e60b430b9..96c9e4ff03 100644 --- a/windows/client-management/mdm/policy-csp-restrictedgroups.md +++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md @@ -15,7 +15,7 @@ manager: dansimp # Policy CSP - RestrictedGroups > [!IMPORTANT] -> Starting from Windows 10, version 20H2, it is recommended to use the [LocalUsersandGroups](policy-csp-localusersandgroups.md) policy instead of the RestrictedGroups policy to configure members (users or AAD groups) to a Windows 10 local group. Applying both the policies to the same device is unsupported and may yield unpredictable results. +> Starting from Windows 10, version 20H2, it is recommended to use the [LocalUsersandGroups](policy-csp-localusersandgroups.md) policy instead of the RestrictedGroups policy to configure members (users or AAD groups) to a Windows 10 local group. Applying both the policies to the same device is unsupported and may yield unpredictable results.
      @@ -38,28 +38,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark4YesYes
      Businesscheck mark4YesYes
      Enterprisecheck mark4YesYes
      Educationcheck mark4YesYes
      @@ -132,7 +138,8 @@ Starting in Windows 10, version 1809, you can use this schema for retrieval and Here's an example: -``` + +```xml @@ -144,13 +151,18 @@ Here's an example: ``` + where: + - `` contains the local group SID or group name to configure. If a SID is specified here, the policy uses the [LookupAccountName](/windows/win32/api/winbase/nf-winbase-lookupaccountnamea) API to get the local group name. For best results, use names for ``. + - `` contains the members to add to the group in ``. A member can be specified as a name or as a SID. For best results, use a SID for ``. The member SID can be a user account or a group in AD, Azure AD, or on the local machine. If a name is specified here, the policy will try to get the corresponding SID using the [LookupAccountSID](/windows/win32/api/winbase/nf-winbase-lookupaccountsida) API. Name can be used for a user account or a group in AD or on the local machine. Membership is configured using the [NetLocalGroupSetMembers](/windows/win32/api/lmaccess/nf-lmaccess-netlocalgroupsetmembers) API. + - In this example, `Group1` and `Group2` are local groups on the device being configured, and `Group3` is a domain group. > [!NOTE] > Currently, the RestrictedGroups/ConfigureGroupMembership policy does not have a MemberOf functionality. However, you can add a domain group as a member to a local group by using the member portion, as shown in the previous example. + @@ -171,15 +183,4 @@ The following table describes how this policy setting behaves in different Windo
      -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. - - \ No newline at end of file + diff --git a/windows/client-management/mdm/policy-csp-search.md b/windows/client-management/mdm/policy-csp-search.md index b3290f82dc..8eb0dbe3ea 100644 --- a/windows/client-management/mdm/policy-csp-search.md +++ b/windows/client-management/mdm/policy-csp-search.md @@ -15,7 +15,6 @@ manager: dansimp # Policy CSP - Search -
      @@ -72,28 +71,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark3YesYes
      Businesscheck mark3YesYes
      Enterprisecheck mark3YesYes
      Educationcheck mark3YesYes
      @@ -110,7 +115,7 @@ manager: dansimp -Added in Windows 10, version 1709. Allow search and Cortana to search cloud sources like OneDrive and SharePoint. This policy allows corporate administrators to control whether employees can turn off/on the search of these cloud sources. The default policy value is to allow employees access to the setting that controls search of cloud sources. +Allow search and Cortana to search cloud sources like OneDrive and SharePoint. This policy allows corporate administrators to control whether employees can turn off/on the search of these cloud sources. The default policy value is to allow employees access to the setting that controls search of cloud sources. @@ -138,28 +143,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark4YesYes
      Businesscheck mark4YesYes
      Enterprisecheck mark4YesYes
      Educationcheck mark4YesYes
      @@ -180,28 +191,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      @@ -252,28 +269,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -324,28 +347,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -403,28 +432,34 @@ This policy has been deprecated. - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -472,28 +507,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -523,28 +564,34 @@ Allow Windows indexer. Value type is integer. - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -592,28 +639,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -658,28 +711,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -728,28 +787,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark4YesYes
      Businesscheck mark4YesYes
      Enterprisecheck mark4YesYes
      Educationcheck mark4YesYes
      @@ -766,7 +831,7 @@ The following list shows the supported values: -Added in Windows 10, version 1803. Don't search the web or display web results in Search. +Don't search the web or display web results in Search. This policy setting allows you to control whether or not Search can perform queries on the web, and if the web results are displayed in Search. If you enable this policy setting, queries won't be performed on the web and web results won't be displayed when a user performs a query in Search. @@ -799,28 +864,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -869,28 +940,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -929,16 +1006,6 @@ The following list shows the supported values:
      -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-security.md b/windows/client-management/mdm/policy-csp-security.md index 13eb6fdc71..dc8d037b70 100644 --- a/windows/client-management/mdm/policy-csp-security.md +++ b/windows/client-management/mdm/policy-csp-security.md @@ -62,28 +62,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -120,28 +126,33 @@ The following list shows the supported values: - - + + + - + + - + + - + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Business
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -178,28 +189,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -236,28 +253,33 @@ The following list shows the supported values: - - + + + - + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Home
      Procheck mark3YesYes
      Businesscheck mark3YesYes
      Enterprisecheck mark3YesYes
      Educationcheck mark3YesYes
      @@ -277,7 +299,7 @@ The following list shows the supported values: > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. -Added in Windows 10, version 1709. Admin access is required. The prompt will appear on first admin logon after a reboot when the TPM is in a non-ready state that can be remediated with a TPM Clear. The prompt will have a description of what clearing the TPM does and that it requires a reboot. The user can dismiss it, but it will appear on next admin logon after restart. +Admin access is required. The prompt will appear on first admin logon after a reboot when the TPM is in a non-ready state that can be remediated with a TPM Clear. The prompt will have a description of what clearing the TPM does and that it requires a reboot. The user can dismiss it, but it will appear on next admin logon after restart. @@ -305,28 +327,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark4YesYes
      Businesscheck mark4YesYes
      Enterprisecheck mark4YesYes
      Educationcheck mark4YesYes
      @@ -343,7 +371,7 @@ The following list shows the supported values: -Added in Windows 10, version 1803. Configures the use of passwords for Windows features. +Configures the use of passwords for Windows features. > [!Note] > This policy is only supported in Windows 10 S. @@ -367,28 +395,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark1YesYes
      Businesscheck mark1YesYes
      Enterprisecheck mark1YesYes
      Educationcheck mark1YesYes
      @@ -431,28 +465,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark5YesYes
      Businesscheck mark5YesYes
      Enterprisecheck mark5YesYes
      Educationcheck mark5YesYes
      @@ -470,7 +510,7 @@ The following list shows the supported values: -Added in Windows 10, version 1809. This policy controls the Admin Authentication requirement in RecoveryEnvironment. +This policy controls the Admin Authentication requirement in RecoveryEnvironment. Supported values: - 0 - Default: Keep using default(current) behavior @@ -520,28 +560,34 @@ If the MDM policy is set to "NoRequireAuthentication" (2) - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck markYesYes
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -584,28 +630,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -642,28 +694,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck markYesYes
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -705,15 +763,5 @@ The following list shows the supported values:
      -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-servicecontrolmanager.md b/windows/client-management/mdm/policy-csp-servicecontrolmanager.md index 8f43acb2ab..accdd88186 100644 --- a/windows/client-management/mdm/policy-csp-servicecontrolmanager.md +++ b/windows/client-management/mdm/policy-csp-servicecontrolmanager.md @@ -34,28 +34,34 @@ ms.date: 09/27/2019 - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procross markNoNo
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      @@ -113,15 +119,4 @@ Supported values:
      -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. - diff --git a/windows/client-management/mdm/policy-csp-settings.md b/windows/client-management/mdm/policy-csp-settings.md index 7152934f2d..69c7b52c83 100644 --- a/windows/client-management/mdm/policy-csp-settings.md +++ b/windows/client-management/mdm/policy-csp-settings.md @@ -14,8 +14,6 @@ manager: dansimp # Policy CSP - Settings - -
      @@ -72,28 +70,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -137,28 +141,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -198,28 +208,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -256,28 +272,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -318,28 +340,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark3YesYes
      Businesscheck markYesYes
      Enterprisecheck mark3YesYes
      Educationcheck mark3YesYes
      @@ -380,28 +408,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -442,28 +476,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -504,28 +544,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -566,28 +612,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -624,28 +676,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -686,28 +744,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -744,28 +808,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark2YesYes
      Businesscheck mark2YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      @@ -782,7 +852,7 @@ The following list shows the supported values: -Added in Windows 10, version 1703. Allows IT Admins to configure the default setting for showing additional calendars (besides the default calendar for the locale) in the taskbar clock and calendar flyout. In this version of Windows 10, supported additional calendars are: Simplified or Traditional Chinese lunar calendar. Turning on one of these calendars will display Chinese lunar dates below the default calendar for the locale. Select "Don't show additional calendars" to prevent showing other calendars besides the default calendar for the locale. +Allows IT Admins to configure the default setting for showing additional calendars (besides the default calendar for the locale) in the taskbar clock and calendar flyout. In this version of Windows 10, supported additional calendars are: Simplified or Traditional Chinese lunar calendar. Turning on one of these calendars will display Chinese lunar dates below the default calendar for the locale. Select "Don't show additional calendars" to prevent showing other calendars besides the default calendar for the locale. @@ -812,28 +882,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark2YesYes
      Businesscheck mark2YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      @@ -851,18 +927,18 @@ The following list shows the supported values: -Added in Windows 10, version 1703. Allows IT Admins to either prevent specific pages in the System Settings app from being visible or accessible, or to do so for all pages except those specified. The mode will be specified by the policy string beginning with either the string "showonly:" or "hide:".  Pages are identified by a shortened version of their already published URIs, which is the URI minus the "ms-settings:" prefix. For example, if the URI for a settings page is "ms-settings:bluetooth", the page identifier used in the policy will be just "bluetooth". Multiple page identifiers are separated by semicolons. +Allows IT Admins to either prevent specific pages in the System Settings app from being visible or accessible, or to do so for all pages except those specified. The mode will be specified by the policy string beginning with either the string "showonly:" or "hide:".  Pages are identified by a shortened version of their already published URIs, which is the URI minus the "ms-settings:" prefix. For example, if the URI for a settings page is "ms-settings:bluetooth", the page identifier used in the policy will be just "bluetooth". Multiple page identifiers are separated by semicolons. For additional information on the URI reference scheme used for the various pages of the System Settings app, see [ms-settings: URI scheme reference](/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference). The following example illustrates a policy that would allow access only to the about and bluetooth pages, which have URI "ms-settings:about" and "ms-settings:bluetooth" respectively: showonly:about;bluetooth -If the policy is not specified, the behavior will be that no pages are affected. If the policy string is formatted incorrectly, it will be ignored entirely (i.e. treated as not set) to prevent the machine from becoming unserviceable if data corruption occurs. Note that if a page is already hidden for another reason, then it will remain hidden even if it is in a "showonly:" list. +If the policy is not specified, the behavior will be that no pages are affected. If the policy string is formatted incorrectly, it will be ignored entirely (that is, treated as not set) to prevent the machine from becoming unserviceable if data corruption occurs. Note that if a page is already hidden for another reason, then it will remain hidden even if it is in a "showonly:" list. The format of the PageVisibilityList value is as follows: - The value is a unicode string up to 10,000 characters long, which will be used without case sensitivity. -- There are two variants: one that shows only the given pages and one which hides the given pages. +- There are two variants: one that shows only the given pages and one that hides the given pages. - The first variant starts with the string "showonly:" and the second with the string "hide:". - Following the variant identifier is a semicolon-delimited list of page identifiers, which must not have any extra whitespace. - Each page identifier is the ms-settings:xyz URI for the page, minus the ms-settings: prefix, so the identifier for the page with URI "ms-settings:network-wifi" would be just "network-wifi". @@ -888,7 +964,7 @@ ADMX Info: -To validate on Desktop, do the following: +To validate on Desktop, use the following steps: 1. Open System Settings and verify that the About page is visible and accessible. 2. Configure the policy with the following string: "hide:about". @@ -898,15 +974,5 @@ To validate on Desktop, do the following:
      -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-smartscreen.md b/windows/client-management/mdm/policy-csp-smartscreen.md index 3f4e279889..e7db6a71e2 100644 --- a/windows/client-management/mdm/policy-csp-smartscreen.md +++ b/windows/client-management/mdm/policy-csp-smartscreen.md @@ -15,7 +15,6 @@ manager: dansimp # Policy CSP - SmartScreen -
      @@ -42,28 +41,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark2YesYes
      Businesscheck mark2YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      @@ -80,7 +85,7 @@ manager: dansimp -Added in Windows 10, version 1703. Allows IT Admins to control whether users are allowed to install apps from places other than the Store. +Allows IT Admins to control whether users are allowed to install apps from places other than the Store. > [!Note] > This policy will block installation only while the device is online. To block offline installation too, **SmartScreen/PreventOverrideForFilesInShell** and **SmartScreen/EnableSmartScreenInShell** policies should also be enabled.

      This policy setting is intended to prevent malicious content from affecting your user's devices when downloading executable content from the internet. @@ -111,28 +116,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark2YesYes
      Businesscheck mark2YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      @@ -149,7 +160,7 @@ The following list shows the supported values: -Added in Windows 10, version 1703. Allows IT Admins to configure SmartScreen for Windows. +Allows IT Admins to configure SmartScreen for Windows. @@ -177,28 +188,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark2YesYes
      Businesscheck mark2YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      @@ -215,7 +232,7 @@ The following list shows the supported values: -Added in Windows 10, version 1703. Allows IT Admins to control whether users can ignore SmartScreen warnings and run malicious files. +Allows IT Admins to control whether users can ignore SmartScreen warnings and run malicious files. @@ -237,16 +254,4 @@ The following list shows the supported values:

      -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. - - diff --git a/windows/client-management/mdm/policy-csp-speech.md b/windows/client-management/mdm/policy-csp-speech.md index 59b7531703..40c0182de2 100644 --- a/windows/client-management/mdm/policy-csp-speech.md +++ b/windows/client-management/mdm/policy-csp-speech.md @@ -15,7 +15,6 @@ manager: dansimp # Policy CSP - Speech -
      @@ -36,28 +35,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark1YesYes
      Businesscheck mark1YesYes
      Enterprisecheck mark1YesYes
      Educationcheck mark1YesYes
      @@ -74,7 +79,7 @@ manager: dansimp -Added in Windows 10, version 1607. Specifies whether the device will receive updates to the speech recognition and speech synthesis models. A speech model contains data used by the speech engine to convert audio to text (or vice-versa). The models are periodically updated to improve accuracy and performance. Models are non-executable data files. If enabled, the device will periodically check for updated speech models and then download them from a Microsoft service using the Background Internet Transfer Service (BITS). +Specifies whether the device will receive updates to the speech recognition and speech synthesis models. A speech model contains data used by the speech engine to convert audio to text (or vice-versa). The models are periodically updated to improve accuracy and performance. Models are non-executable data files. If enabled, the device will periodically check for updated speech models and then download them from a Microsoft service using the Background Internet Transfer Service (BITS). @@ -95,16 +100,6 @@ The following list shows the supported values:
      -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-start.md b/windows/client-management/mdm/policy-csp-start.md index 6e910385fe..d4dcbc0b56 100644 --- a/windows/client-management/mdm/policy-csp-start.md +++ b/windows/client-management/mdm/policy-csp-start.md @@ -122,28 +122,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark2YesYes
      Businesscheck mark2YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      @@ -160,7 +166,7 @@ manager: dansimp -Added in Windows 10, version 1703. This policy controls the visibility of the Documents shortcut on the Start menu. +This policy controls the visibility of the Documents shortcut on the Start menu. @@ -181,28 +187,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark2YesYes
      Businesscheck mark2YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      @@ -219,7 +231,7 @@ The following list shows the supported values: -Added in Windows 10, version 1703. This policy controls the visibility of the Downloads shortcut on the Start menu. +This policy controls the visibility of the Downloads shortcut on the Start menu. @@ -240,28 +252,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark2YesYes
      Businesscheck mark2YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      @@ -278,7 +296,7 @@ The following list shows the supported values: -Added in Windows 10, version 1703. This policy controls the visibility of the File Explorer shortcut on the Start menu. +This policy controls the visibility of the File Explorer shortcut on the Start menu. @@ -299,28 +317,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark2YesYes
      Businesscheck mark2YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      @@ -337,7 +361,7 @@ The following list shows the supported values: -Added in Windows 10, version 1703. This policy controls the visibility of the HomeGroup shortcut on the Start menu. +This policy controls the visibility of the HomeGroup shortcut on the Start menu. @@ -358,28 +382,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark2YesYes
      Businesscheck mark2YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      @@ -396,7 +426,7 @@ The following list shows the supported values: -Added in Windows 10, version 1703. This policy controls the visibility of the Music shortcut on the Start menu. +This policy controls the visibility of the Music shortcut on the Start menu. @@ -417,28 +447,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark2YesYes
      Businesscheck mark2YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      @@ -455,7 +491,7 @@ The following list shows the supported values: -Added in Windows 10, version 1703. This policy controls the visibility of the Network shortcut on the Start menu. +This policy controls the visibility of the Network shortcut on the Start menu. @@ -476,28 +512,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark2YesYes
      Businesscheck mark2YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      @@ -514,7 +556,7 @@ The following list shows the supported values: -Added in Windows 10, version 1703. This policy controls the visibility of the PersonalFolder shortcut on the Start menu. +This policy controls the visibility of the PersonalFolder shortcut on the Start menu. @@ -535,28 +577,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark2YesYes
      Businesscheck mark2YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      @@ -573,7 +621,7 @@ The following list shows the supported values: -Added in Windows 10, version 1703. This policy controls the visibility of the Pictures shortcut on the Start menu. +This policy controls the visibility of the Pictures shortcut on the Start menu. @@ -594,28 +642,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark2YesYes
      Businesscheck mark2YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      @@ -632,7 +686,7 @@ The following list shows the supported values: -Added in Windows 10, version 1703. This policy controls the visibility of the Settings shortcut on the Start menu. +This policy controls the visibility of the Settings shortcut on the Start menu. @@ -653,28 +707,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark2YesYes
      Businesscheck mark2YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      @@ -691,7 +751,7 @@ The following list shows the supported values: -Added in Windows 10, version 1703. This policy controls the visibility of the Videos shortcut on the Start menu. +This policy controls the visibility of the Videos shortcut on the Start menu. @@ -712,28 +772,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark4YesYes
      Businesscheck mark4YesYes
      Enterprisecheck mark4YesYes
      Educationcheck mark4YesYes
      @@ -785,28 +851,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -852,28 +924,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark3YesYes
      Businesscheck mark3YesYes
      Enterprisecheck mark3YesYes
      Educationcheck mark3YesYes
      @@ -927,28 +1005,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark2YesYes
      Businesscheck mark2YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      @@ -965,7 +1049,7 @@ The following list shows the supported values: -Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Change account settings" from appearing in the user tile. +Allows IT Admins to configure Start by hiding "Change account settings" from appearing in the user tile. @@ -992,28 +1076,34 @@ To validate on Desktop, do the following: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark2YesYes
      Businesscheck mark2YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      @@ -1034,7 +1124,7 @@ To validate on Desktop, do the following: > [!NOTE] > This policy requires reboot to take effect. -Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding most used apps. +Allows IT Admins to configure Start by hiding most used apps. @@ -1065,28 +1155,34 @@ To validate on Desktop, do the following: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark2YesYes
      Businesscheck mark2YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      @@ -1103,7 +1199,7 @@ To validate on Desktop, do the following: -Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Hibernate" from appearing in the Power button. +Allows IT Admins to configure Start by hiding "Hibernate" from appearing in the Power button. > [!NOTE] @@ -1134,28 +1230,34 @@ To validate on Laptop, do the following: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark2YesYes
      Businesscheck mark2YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      @@ -1172,7 +1274,7 @@ To validate on Laptop, do the following: -Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Lock" from appearing in the user tile. +Allows IT Admins to configure Start by hiding "Lock" from appearing in the user tile. @@ -1199,28 +1301,34 @@ To validate on Desktop, do the following: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark3YesYes
      Businesscheck mark3YesYes
      Enterprisecheck mark3YesYes
      Educationcheck mark3YesYes
      @@ -1237,7 +1345,7 @@ To validate on Desktop, do the following: -Added in Windows 10, version 1709. Enabling this policy removes the people icon from the taskbar as well as the corresponding settings toggle. It also prevents users from pinning people to the taskbar. +Enabling this policy removes the people icon from the taskbar as well as the corresponding settings toggle. It also prevents users from pinning people to the taskbar. Value type is integer. @@ -1267,28 +1375,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark2YesYes
      Businesscheck mark2YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      @@ -1308,7 +1422,7 @@ The following list shows the supported values: > [!NOTE] > This policy requires reboot to take effect. -Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding the Power button from appearing. +Allows IT Admins to configure Start by hiding the Power button from appearing. @@ -1335,28 +1449,34 @@ To validate on Desktop, do the following: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark2YesYes
      Businesscheck mark2YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      @@ -1376,7 +1496,7 @@ To validate on Desktop, do the following: > [!NOTE] > This policy requires reboot to take effect. -Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding recently opened items in the jump lists from appearing. +Allows IT Admins to configure Start by hiding recently opened items in the jump lists from appearing. @@ -1410,28 +1530,34 @@ To validate on Desktop, do the following: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark2YesYes
      Businesscheck mark2YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      @@ -1452,7 +1578,7 @@ To validate on Desktop, do the following: > [!NOTE] > This policy requires reboot to take effect. -Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding recently added apps. +Allows IT Admins to configure Start by hiding recently added apps. @@ -1491,28 +1617,34 @@ To validate on Desktop, do the following: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark2YesYes
      Businesscheck mark2YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      @@ -1529,7 +1661,7 @@ To validate on Desktop, do the following: -Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Restart" and "Update and restart" from appearing in the Power button. +Allows IT Admins to configure Start by hiding "Restart" and "Update and restart" from appearing in the Power button. @@ -1556,28 +1688,34 @@ To validate on Desktop, do the following: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark2YesYes
      Businesscheck mark2YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      @@ -1594,7 +1732,7 @@ To validate on Desktop, do the following: -Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Shut down" and "Update and shut down" from appearing in the Power button. +Allows IT Admins to configure Start by hiding "Shut down" and "Update and shut down" from appearing in the Power button. @@ -1621,28 +1759,34 @@ To validate on Desktop, do the following: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark2YesYes
      Businesscheck mark2YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      @@ -1659,7 +1803,7 @@ To validate on Desktop, do the following: -Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Sign out" from appearing in the user tile. +Allows IT Admins to configure Start by hiding "Sign out" from appearing in the user tile. @@ -1686,28 +1830,34 @@ To validate on Desktop, do the following: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark2YesYes
      Businesscheck mark2YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      @@ -1724,7 +1874,7 @@ To validate on Desktop, do the following: -Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Sleep" from appearing in the Power button. +Allows IT Admins to configure Start by hiding "Sleep" from appearing in the Power button. @@ -1751,28 +1901,34 @@ To validate on Desktop, do the following: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark2YesYes
      Businesscheck mark2YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      @@ -1789,7 +1945,7 @@ To validate on Desktop, do the following: -Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Switch account" from appearing in the user tile. +Allows IT Admins to configure Start by hiding "Switch account" from appearing in the user tile. @@ -1816,28 +1972,34 @@ To validate on Desktop, do the following: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark2YesYes
      Businesscheck mark2YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      @@ -1857,7 +2019,7 @@ To validate on Desktop, do the following: > [!NOTE] > This policy requires reboot to take effect. -Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding the user tile. +Allows IT Admins to configure Start by hiding the user tile. @@ -1885,28 +2047,34 @@ To validate on Desktop, do the following: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark2YesYes
      Businesscheck mark2YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      @@ -1934,7 +2102,7 @@ Here is additional SKU support information: |Windows 10, version 1703 and later |Enterprise, Education, Business | |Windows 10, version 1709 and later |Enterprise, Education, Business, Pro, ProEducation, S, ProWorkstation | -Added in Windows 10, version 1703. This policy imports Edge assets (e.g. .png/.jpg files) for secondary tiles into its local app data path which allows the StartLayout policy to pin Edge secondary tiles as weblink that tie to the image asset files. +This policy imports Edge assets (e.g. .png/.jpg files) for secondary tiles into its local app data path which allows the StartLayout policy to pin Edge secondary tiles as weblink that tie to the image asset files. > [!IMPORTANT] > Please note that the import happens only when StartLayout policy is changed. So it is better to always change ImportEdgeAssets policy at the same time as StartLayout policy whenever there are Edge secondary tiles to be pinned from StartLayout policy. @@ -1961,28 +2129,34 @@ To validate on Desktop, do the following: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark2YesYes
      Businesscheck mark2YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      @@ -1999,7 +2173,7 @@ To validate on Desktop, do the following: -Added in Windows 10, version 1703. Allows IT Admins to configure the taskbar by disabling pinning and unpinning apps on the taskbar. +Allows IT Admins to configure the taskbar by disabling pinning and unpinning apps on the taskbar. @@ -2029,28 +2203,34 @@ To validate on Desktop, do the following: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -2069,7 +2249,7 @@ To validate on Desktop, do the following: > [!IMPORTANT] -> Added in Windows 10 version 1703: In addition to being able to set this node on a per user-basis, it can now also be set on a per-device basis. For more information, see [Policy scope](./policy-configuration-service-provider.md#policy-scope) +> In addition to being able to set this node on a per user-basis, it can now also be set on a per-device basis. For more information, see [Policy scope](./policy-configuration-service-provider.md#policy-scope) Here is additional SKU support information: @@ -2095,15 +2275,4 @@ ADMX Info:
      -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. - \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-storage.md b/windows/client-management/mdm/policy-csp-storage.md index ecd7532d32..d470d7977b 100644 --- a/windows/client-management/mdm/policy-csp-storage.md +++ b/windows/client-management/mdm/policy-csp-storage.md @@ -15,7 +15,6 @@ manager: dansimp # Policy CSP - Storage -
      @@ -60,28 +59,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark3YesYes
      Businesscheck mark3YesYes
      Enterprisecheck mark3YesYes
      Educationcheck mark3YesYes
      @@ -98,7 +103,7 @@ manager: dansimp -Added in Windows 10, version 1709. Allows disk health model updates. +Allows disk health model updates. Value type is integer. @@ -128,28 +133,34 @@ The following list shows the supported values: - - + + + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Home
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      @@ -201,28 +212,34 @@ ADMX Info: - - + + + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Home
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      @@ -277,28 +294,34 @@ ADMX Info: - - + + + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Home
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      @@ -353,28 +376,34 @@ ADMX Info: - - + + + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Home
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      @@ -429,28 +458,34 @@ ADMX Info: - - + + + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Home
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      @@ -511,28 +546,34 @@ ADMX Info: - - + + + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Home
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      @@ -587,28 +628,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -657,28 +704,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark5YesYes
      Businesscheck mark5YesYes
      Enterprisecheck mark5YesYes
      Educationcheck mark5YesYes
      @@ -729,15 +782,5 @@ See [Use custom settings for Windows 10 devices in Intune](/intune/custom-settin
      -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index b033f662cc..04cccacbb5 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -114,24 +114,29 @@ manager: dansimp - - + + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark11YesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -182,24 +187,29 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6 11YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      @@ -294,24 +304,29 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark5 11YesYes
      Enterprisecheck mark5YesYes
      Educationcheck mark5YesYes
      @@ -363,24 +378,29 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark11YesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -419,24 +439,29 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark11YesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -480,24 +505,29 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark2 11YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      @@ -514,7 +544,7 @@ The following list shows the supported values: -Added in Windows 10, version 1703. Boolean policy setting that determines whether Windows is allowed to download fonts and font catalog data from an online font provider. If you enable this setting, Windows periodically queries an online font provider to determine whether a new font catalog is available. Windows may also download font data if needed to format or render text. If you disable this policy setting, Windows does not connect to an online font provider and only enumerates locally installed fonts. +Boolean policy setting that determines whether Windows is allowed to download fonts and font catalog data from an online font provider. If you enable this setting, Windows periodically queries an online font provider to determine whether a new font catalog is available. Windows may also download font data if needed to format or render text. If you disable this policy setting, Windows does not connect to an online font provider and only enumerates locally installed fonts. This MDM setting corresponds to the EnableFontProviders Group Policy setting. If both the Group Policy and the MDM settings are configured, the group policy setting takes precedence. If neither is configured, the behavior depends on a DisableFontProviders registry value. In server editions, this registry value is set to 1 by default, so the default behavior is false (disabled). In all other editions, the registry value is not set by default, so the default behavior is true (enabled). @@ -555,24 +585,29 @@ To verify if System/AllowFontProviders is set to true: - - + + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark11YesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -647,24 +682,29 @@ If you disable this policy setting, devices may not appear in Microsoft Managed - - + + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark11YesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -703,24 +743,29 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark11YesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -839,24 +884,29 @@ ADMX Info: - - + + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6 11YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      @@ -913,24 +963,29 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark11YesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -1000,24 +1055,29 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark11YesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -1072,24 +1132,29 @@ ADMX Info: - - + + + - + + - 11 + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark5 YesYes
      Enterprisecheck mark5YesYes
      Educationcheck mark5YesYes
      @@ -1142,24 +1207,29 @@ ADMX Info: - - + + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark4 11YesYes
      Enterprisecheck mark4YesYes
      Educationcheck mark4YesYes
      @@ -1205,24 +1275,29 @@ The following list shows the supported values: - - + + + - + + - 11 + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark4 YesYes
      Enterprisecheck mark4YesYes
      Educationcheck mark4YesYes
      @@ -1273,24 +1348,29 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark5 11YesYes
      Enterprisecheck mark5YesYes
      Educationcheck mark5YesYes
      @@ -1340,24 +1420,29 @@ ADMX Info: - - + + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark5 11YesYes
      Enterprisecheck mark5YesYes
      Educationcheck mark5YesYes
      @@ -1407,24 +1492,29 @@ ADMX Info: - - + + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark3 11YesYes
      Enterprisecheck mark3YesYes
      Educationcheck mark3YesYes
      @@ -1463,24 +1553,29 @@ ADMX Info: - - + + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark2 11YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      @@ -1497,7 +1592,7 @@ ADMX Info: -Added in Windows 10, version 1703. Allows IT Admins to prevent apps and features from working with files on OneDrive. If you enable this policy setting: +Allows IT Admins to prevent apps and features from working with files on OneDrive. If you enable this policy setting: * Users cannot access OneDrive from the OneDrive app or file picker. * Microsoft Store apps cannot access OneDrive using the WinRT API. @@ -1541,24 +1636,29 @@ To validate on Desktop, do the following: - - + + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark 11YesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -1613,24 +1713,29 @@ ADMX Info: - - + + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark4YesYes
      Procheck mark4 11YesYes
      Enterprisecheck mark4YesYes
      Educationcheck mark4YesYes
      @@ -1647,7 +1752,7 @@ ADMX Info: -Added in Windows 10, version 1803. When filing feedback in the Feedback Hub, diagnostic logs are collected for certain types of feedback. We now offer the option for users to save it locally, in addition to sending it to Microsoft. This policy will allow enterprises to mandate that all diagnostics are saved locally for use in internal investigations. +When filing feedback in the Feedback Hub, diagnostic logs are collected for certain types of feedback. We now offer the option for users to save it locally, in addition to sending it to Microsoft. This policy will allow enterprises to mandate that all diagnostics are saved locally for use in internal investigations. @@ -1667,24 +1772,29 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark3 11YesYes
      Enterprisecheck mark3YesYes
      Educationcheck mark3YesYes
      @@ -1743,24 +1853,29 @@ ADMX Info: - - + + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark 11YesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -1801,24 +1916,29 @@ ADMX Info: - - + + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6 11YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      @@ -1865,18 +1985,4 @@ The following list shows the supported values:
      -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. -- 9 - Available in Windows 10, version 20H2. -- 10 - Available in Windows 10, version 21H1. -- 11 - Also applies to Windows 10 Business. - diff --git a/windows/client-management/mdm/policy-csp-systemservices.md b/windows/client-management/mdm/policy-csp-systemservices.md index 1e4e35d190..016911d154 100644 --- a/windows/client-management/mdm/policy-csp-systemservices.md +++ b/windows/client-management/mdm/policy-csp-systemservices.md @@ -51,28 +51,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark4YesYes
      Businesscheck mark4YesYes
      Enterprisecheck mark4YesYes
      Educationcheck mark4YesYes
      @@ -89,7 +95,7 @@ manager: dansimp -Added in Windows 10, version 1803. This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. +This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. @@ -108,28 +114,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark4YesYes
      Businesscheck mark4YesYes
      Enterprisecheck mark4YesYes
      Educationcheck mark4YesYes
      @@ -146,7 +158,7 @@ GP Info: -Added in Windows 10, version 1803. This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. +This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. @@ -165,28 +177,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark4YesYes
      Businesscheck mark4YesYes
      Enterprisecheck mark4YesYes
      Educationcheck mark4YesYes
      @@ -203,7 +221,7 @@ GP Info: -Added in Windows 10, version 1803. This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. +This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. @@ -222,28 +240,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark4YesYes
      Businesscheck mark4YesYes
      Enterprisecheck mark4YesYes
      Educationcheck mark4YesYes
      @@ -260,7 +284,7 @@ GP Info: -Added in Windows 10, version 1803. This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. +This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. @@ -279,28 +303,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark4YesYes
      Businesscheck mark4YesYes
      Enterprisecheck mark4YesYes
      Educationcheck mark4YesYes
      @@ -317,7 +347,7 @@ GP Info: -Added in Windows 10, version 1803. This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. +This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. @@ -336,28 +366,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark4YesYes
      Businesscheck mark4YesYes
      Enterprisecheck mark4YesYes
      Educationcheck mark4YesYes
      @@ -374,7 +410,7 @@ GP Info: -Added in Windows 10, version 1803. This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. +This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. @@ -386,16 +422,6 @@ GP Info:
      -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-taskmanager.md b/windows/client-management/mdm/policy-csp-taskmanager.md index ce84398393..2ad2b1c6d6 100644 --- a/windows/client-management/mdm/policy-csp-taskmanager.md +++ b/windows/client-management/mdm/policy-csp-taskmanager.md @@ -35,28 +35,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark5YesYes
      Businesscross markNoNo
      Enterprisecheck mark5YesYes
      Educationcheck mark5YesYes
      @@ -95,16 +101,6 @@ When the policy is set to 0 - users CANNOT execute 'End task' on processes in Ta
      -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-taskscheduler.md b/windows/client-management/mdm/policy-csp-taskscheduler.md index ab6ec4d46c..b76c0948ac 100644 --- a/windows/client-management/mdm/policy-csp-taskscheduler.md +++ b/windows/client-management/mdm/policy-csp-taskscheduler.md @@ -36,28 +36,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark4YesYes
      Businesscheck mark4YesYes
      Enterprisecheck mark4YesYes
      Educationcheck mark4YesYes
      @@ -74,21 +80,11 @@ manager: dansimp -Added in Windows 10, version 1803. This setting determines whether the specific task is enabled (1) or disabled (0). Default: Disabled. +This setting determines whether the specific task is enabled (1) or disabled (0). Default: Disabled.
      -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-textinput.md b/windows/client-management/mdm/policy-csp-textinput.md index 444e70c323..77bf576304 100644 --- a/windows/client-management/mdm/policy-csp-textinput.md +++ b/windows/client-management/mdm/policy-csp-textinput.md @@ -123,7 +123,7 @@ manager: dansimp -Added in Windows 10, version 1803. Placeholder only. Do not use in production environment. +Placeholder only. Do not use in production environment. @@ -136,28 +136,34 @@ Added in Windows 10, version 1803. Placeholder only. Do not use in production e - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -200,28 +206,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -262,28 +274,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -326,28 +344,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -391,28 +415,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -455,28 +485,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -519,28 +555,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -583,28 +625,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark2YesYes
      Businesscheck mark2YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      @@ -624,7 +672,7 @@ The following list shows the supported values: > [!NOTE] > The policy is only enforced in Windows 10 for desktop. -Added in Windows 10, version 1703. Specifies whether text prediction is enabled or disabled for the on-screen keyboard, touch keyboard, and handwriting recognition tool. When this policy is set to disabled, text prediction is disabled. +Specifies whether text prediction is enabled or disabled for the on-screen keyboard, touch keyboard, and handwriting recognition tool. When this policy is set to disabled, text prediction is disabled. Most restricted value is 0. @@ -667,28 +715,34 @@ This policy has been deprecated. - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -739,28 +793,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -802,28 +862,34 @@ This setting supports a range of values between 0 and 1. - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark8YesYes
      Businesscheck mark8YesYes
      Enterprisecheck mark8YesYes
      Educationcheck mark8YesYes
      @@ -844,7 +910,7 @@ This setting supports a range of values between 0 and 1. > - The policy is only enforced in Windows 10 for desktop. > - This policy requires reboot to take effect. -Added in Windows 10, version 2004. Allows IT admins to configure Microsoft Japanese IME version in the desktop. +Allows IT admins to configure Microsoft Japanese IME version in the desktop. @@ -865,28 +931,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark8YesYes
      Businesscheck mark8YesYes
      Enterprisecheck mark8YesYes
      Educationcheck mark8YesYes
      @@ -907,7 +979,7 @@ The following list shows the supported values: > - This policy is enforced only in Windows 10 for desktop. > - This policy requires reboot to take effect. -Added in Windows 10, version 2004. Allows IT admins to configure Microsoft Simplified Chinese IME version in the desktop. +Allows IT admins to configure Microsoft Simplified Chinese IME version in the desktop. @@ -928,28 +1000,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark8YesYes
      Businesscheck mark8YesYes
      Enterprisecheck mark8YesYes
      Educationcheck mark8YesYes
      @@ -969,8 +1047,7 @@ The following list shows the supported values: > [!NOTE] > - This policy is enforced only in Windows 10 for desktop. > - This policy requires reboot to take effect. - -Added in Windows 10, version 2004. Allows IT admins to configure Microsoft Traditional Chinese IME version in the desktop. +Allows IT admins to configure Microsoft Traditional Chinese IME version in the desktop. @@ -991,28 +1068,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark4YesYes
      Businesscheck mark4YesYes
      Enterprisecheck mark4YesYes
      Educationcheck mark4YesYes
      @@ -1029,7 +1112,7 @@ The following list shows the supported values: -Added in Windows 10, version 1803. This policy allows the IT admin to enable the touch keyboard to automatically show up when the device is in the desktop mode. +This policy allows the IT admin to enable the touch keyboard to automatically show up when the device is in the desktop mode. The touch keyboard is enabled in both the tablet and desktop mode. In the tablet mode, when you touch a textbox, the touch keyboard automatically shows up. But in the desktop mode, by default, the touch keyboard does not automatically show up when you touch a textbox. The user must click the system tray to enable the touch keyboard. @@ -1055,28 +1138,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -1117,28 +1206,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -1179,28 +1274,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -1241,28 +1342,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark4YesYes
      Businesscheck mark4YesYes
      Enterprisecheck mark4YesYes
      Educationcheck mark4YesYes
      @@ -1279,7 +1386,7 @@ The following list shows the supported values: -Added in Windows 10, version 1803. Specifies the touch keyboard is always docked. When this policy is set to enabled, the touch keyboard is always docked. +Specifies the touch keyboard is always docked. When this policy is set to enabled, the touch keyboard is always docked. @@ -1300,28 +1407,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark4YesYes
      Businesscheck mark4YesYes
      Enterprisecheck mark4YesYes
      Educationcheck mark4YesYes
      @@ -1338,7 +1451,7 @@ The following list shows the supported values: -Added in Windows 10, version 1803. Specifies whether the dictation input button is enabled or disabled for the touch keyboard. When this policy is set to disabled, the dictation input button on touch keyboard is disabled. +Specifies whether the dictation input button is enabled or disabled for the touch keyboard. When this policy is set to disabled, the dictation input button on touch keyboard is disabled. @@ -1359,28 +1472,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark4YesYes
      Businesscheck mark4YesYes
      Enterprisecheck mark4YesYes
      Educationcheck mark4YesYes
      @@ -1397,7 +1516,7 @@ The following list shows the supported values: -Added in Windows 10, version 1803. Specifies whether the emoji button is enabled or disabled for the touch keyboard. When this policy is set to disabled, the emoji button on touch keyboard is disabled. +Specifies whether the emoji button is enabled or disabled for the touch keyboard. When this policy is set to disabled, the emoji button on touch keyboard is disabled. @@ -1418,28 +1537,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark4YesYes
      Businesscheck mark4YesYes
      Enterprisecheck mark4YesYes
      Educationcheck mark4YesYes
      @@ -1456,7 +1581,7 @@ The following list shows the supported values: -Added in Windows 10, version 1803. Specifies whether the full keyboard mode is enabled or disabled for the touch keyboard. When this policy is set to disabled, the full keyboard mode for touch keyboard is disabled. +Specifies whether the full keyboard mode is enabled or disabled for the touch keyboard. When this policy is set to disabled, the full keyboard mode for touch keyboard is disabled. @@ -1477,28 +1602,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark4YesYes
      Businesscheck mark4YesYes
      Enterprisecheck mark4YesYes
      Educationcheck mark4YesYes
      @@ -1515,7 +1646,7 @@ The following list shows the supported values: -Added in Windows 10, version 1803. Specifies whether the handwriting input panel is enabled or disabled. When this policy is set to disabled, the handwriting input panel is disabled. +Specifies whether the handwriting input panel is enabled or disabled. When this policy is set to disabled, the handwriting input panel is disabled. @@ -1536,28 +1667,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark4YesYes
      Businesscheck mark4YesYes
      Enterprisecheck mark4YesYes
      Educationcheck mark4YesYes
      @@ -1574,7 +1711,7 @@ The following list shows the supported values: -Added in Windows 10, version 1803. Specifies whether the narrow keyboard mode is enabled or disabled for the touch keyboard. When this policy is set to disabled, the narrow keyboard mode for touch keyboard is disabled. +Specifies whether the narrow keyboard mode is enabled or disabled for the touch keyboard. When this policy is set to disabled, the narrow keyboard mode for touch keyboard is disabled. @@ -1595,28 +1732,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark4YesYes
      Businesscheck mark4YesYes
      Enterprisecheck mark4YesYes
      Educationcheck mark4YesYes
      @@ -1633,7 +1776,7 @@ The following list shows the supported values: -Added in Windows 10, version 1803. Specifies whether the split keyboard mode is enabled or disabled for the touch keyboard. When this policy is set to disabled, the split keyboard mode for touch keyboard is disabled. +Specifies whether the split keyboard mode is enabled or disabled for the touch keyboard. When this policy is set to disabled, the split keyboard mode for touch keyboard is disabled. @@ -1654,28 +1797,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark4YesYes
      Businesscheck mark4YesYes
      Enterprisecheck mark4YesYes
      Educationcheck mark4YesYes
      @@ -1692,7 +1841,7 @@ The following list shows the supported values: -Added in Windows 10, version 1803. Specifies whether the wide keyboard mode is enabled or disabled for the touch keyboard. When this policy is set to disabled, the wide keyboard mode for touch keyboard is disabled. +Specifies whether the wide keyboard mode is enabled or disabled for the touch keyboard. When this policy is set to disabled, the wide keyboard mode for touch keyboard is disabled. @@ -1706,16 +1855,5 @@ The following list shows the supported values:
      -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. - diff --git a/windows/client-management/mdm/policy-csp-timelanguagesettings.md b/windows/client-management/mdm/policy-csp-timelanguagesettings.md index 8ef9349148..9d490b2202 100644 --- a/windows/client-management/mdm/policy-csp-timelanguagesettings.md +++ b/windows/client-management/mdm/policy-csp-timelanguagesettings.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.technology: windows author: manikadhiman ms.localizationpriority: medium -ms.date: 09/27/2019 +ms.date: 09/28/2021 ms.reviewer: manager: dansimp --- @@ -36,28 +36,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      @@ -76,6 +82,9 @@ manager: dansimp Specifies the time zone to be applied to the device. This is the standard Windows name for the target time zone. +> [!TIP] +> To get the list of available time zones, run `Get-TimeZone -ListAvailable` in PowerShell. + @@ -89,16 +98,5 @@ Specifies the time zone to be applied to the device. This is the standard Window
      -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. - diff --git a/windows/client-management/mdm/policy-csp-troubleshooting.md b/windows/client-management/mdm/policy-csp-troubleshooting.md index 6c74dd7725..41deff6293 100644 --- a/windows/client-management/mdm/policy-csp-troubleshooting.md +++ b/windows/client-management/mdm/policy-csp-troubleshooting.md @@ -34,28 +34,34 @@ ms.date: 09/27/2019 - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      @@ -138,16 +144,5 @@ By default, this policy is not configured and the SKU based defaults are used fo
      -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. - diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 1fe9517d3d..b5378a0265 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -198,6 +198,9 @@ manager: dansimp
      Update/SetProxyBehaviorForUpdateDetection
      +
      + Update/TargetProductVersion +
      Update/TargetReleaseVersion
      @@ -221,28 +224,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark1YesYes
      Businesscheck mark1YesYes
      Enterprisecheck mark1YesYes
      Educationcheck mark1YesYes
      @@ -259,7 +268,7 @@ manager: dansimp -Added in Windows 10, version 1607. Allows the IT admin (when used with **Update/ActiveHoursStart**) to manage a range of active hours where update reboots are not scheduled. This value sets the end time. There is a 12 hour maximum from start time. +Allows the IT admin (when used with **Update/ActiveHoursStart**) to manage a range of active hours where update reboots are not scheduled. This value sets the end time. There is a 12 hour maximum from start time. > [!NOTE] > The default maximum difference from start time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** below for more information. @@ -288,28 +297,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark2YesYes
      Businesscheck mark2YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      @@ -326,7 +341,7 @@ ADMX Info: -Added in Windows 10, version 1703. Allows the IT admin to specify the max active hours range. This value sets max number of active hours from start time. +Allows the IT admin to specify the max active hours range. This value sets max number of active hours from start time. Supported values are 8-18. @@ -352,28 +367,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark1YesYes
      Businesscheck mark1YesYes
      Enterprisecheck mark1YesYes
      Educationcheck mark1YesYes
      @@ -390,7 +411,7 @@ ADMX Info: -Added in Windows 10, version 1607. Allows the IT admin (when used with **Update/ActiveHoursEnd**) to manage a range of hours where update reboots are not scheduled. This value sets the start time. There is a 12 hour maximum from end time. +Allows the IT admin (when used with **Update/ActiveHoursEnd**) to manage a range of hours where update reboots are not scheduled. This value sets the start time. There is a 12 hour maximum from end time. > [!NOTE] > The default maximum difference from end time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** above for more information. @@ -419,28 +440,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -499,28 +526,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark3YesYes
      Businesscheck mark3YesYes
      Enterprisecheck mark3YesYes
      Educationcheck mark3YesYes
      @@ -537,7 +570,7 @@ The following list shows the supported values: -Added in Windows 10, version 1709. Option to download updates automatically over metered connections (off by default). Value type is integer. +Option to download updates automatically over metered connections (off by default). Value type is integer. A significant number of devices primarily use cellular data and do not have Wi-Fi access, which leads to a lower number of devices getting updates. Since a large number of devices have large data plans or unlimited data, this policy can unblock devices from getting updates. @@ -569,28 +602,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark1YesYes
      Businesscheck mark1YesYes
      Enterprisecheck mark1YesYes
      Educationcheck mark1YesYes
      @@ -607,7 +646,7 @@ The following list shows the supported values: -Added in Windows 10, version 1607. Allows the IT admin to manage whether to scan for app updates from Microsoft Update. +Allows the IT admin to manage whether to scan for app updates from Microsoft Update. @@ -636,28 +675,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -698,28 +743,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -771,28 +822,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark2YesYes
      Businesscheck mark2YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      @@ -847,28 +904,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark5YesYes
      Businesscheck mark5YesYes
      Enterprisecheck mark5YesYes
      Educationcheck mark5YesYes
      @@ -923,28 +986,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark2YesYes
      Businesscheck mark2YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      @@ -961,7 +1030,7 @@ ADMX Info: -Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart reminder notifications. +Allows the IT Admin to specify the period for auto-restart reminder notifications. The default value is 15 (minutes). @@ -989,28 +1058,34 @@ Supported values are 15, 30, 60, 120, and 240 (minutes). - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark2YesYes
      Businesscheck mark2YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      @@ -1027,7 +1102,7 @@ Supported values are 15, 30, 60, 120, and 240 (minutes). -Added in Windows 10, version 1703. Allows the IT Admin to specify the method by which the auto-restart required notification is dismissed. +Allows the IT Admin to specify the method by which the auto-restart required notification is dismissed. @@ -1056,28 +1131,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      @@ -1132,28 +1213,34 @@ Supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark1YesYes
      Businesscheck mark1YesYes
      Enterprisecheck mark1YesYes
      Educationcheck mark1YesYes
      @@ -1170,7 +1257,7 @@ Supported values: -Added in Windows 10, version 1607. Allows the IT admin to set which branch a device receives their updates from. As of 1903, the branch readiness levels of Semi-Annual Channel (Targeted) and Semi-Annual Channel have been combined into one Semi-Annual Channel set with a value of 16. For devices on 1903 and later releases, the value of 32 is not a supported value. +Allows the IT admin to set which branch a device receives their updates from. As of 1903, the branch readiness levels of Semi-Annual Channel (Targeted) and Semi-Annual Channel have been combined into one Semi-Annual Channel set with a value of 16. For devices on 1903 and later releases, the value of 32 is not a supported value. @@ -1202,28 +1289,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      @@ -1241,7 +1334,7 @@ The following list shows the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809, 1803, and 1709. Allows IT admins to specify the number of days a user has before feature updates are installed on their devices automatically. Updates and restarts will occur regardless of active hours and the user will not be able to reschedule. +Allows IT admins to specify the number of days a user has before feature updates are installed on their devices automatically. Updates and restarts will occur regardless of active hours and the user will not be able to reschedule. ADMX Info: @@ -1273,28 +1366,34 @@ Default value is 7. - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      @@ -1312,7 +1411,7 @@ Default value is 7. -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809, 1803, and 1709. Allows IT admins to specify the number of days a user has before quality updates are installed on their devices automatically. Updates and restarts will occur regardless of active hours and the user will not be able to reschedule. +Allows IT admins to specify the number of days a user has before quality updates are installed on their devices automatically. Updates and restarts will occur regardless of active hours and the user will not be able to reschedule. ADMX Info: @@ -1344,28 +1443,34 @@ Default value is 7. - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      @@ -1383,7 +1488,7 @@ Default value is 7. -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809, 1803, and 1709. Allows the IT admin (when used with [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) or [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates)) to specify a minimum number of days until restarts occur automatically. Setting the grace period may extend the effective deadline set by the deadline policies. +Allows the IT admin (when used with [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) or [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates)) to specify a minimum number of days until restarts occur automatically. Setting the grace period may extend the effective deadline set by the deadline policies. @@ -1416,28 +1521,34 @@ Default value is 2. - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      @@ -1455,7 +1566,7 @@ Default value is 2. -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809, 1803, and 1709. If enabled (when used with [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) or [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates)), devices will not automatically restart outside of active hours until the deadline is reached, even if applicable updates are already installed and pending a restart. +If enabled (when used with [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) or [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates)), devices will not automatically restart outside of active hours until the deadline is reached, even if applicable updates are already installed and pending a restart. When disabled, if the device has installed the required updates and is outside of active hours, it may attempt an automatic restart before the deadline. @@ -1489,28 +1600,34 @@ Supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark4YesYes
      Businesscheck mark4YesYes
      Enterprisecheck mark4YesYes
      Educationcheck mark4YesYes
      @@ -1527,7 +1644,7 @@ Supported values: -Added in Windows 10, version 1803. Enable IT admin to configure feature update uninstall period. Values range 2 - 60 days. Default is 10 days. +Enable IT admin to configure feature update uninstall period. Values range 2 - 60 days. Default is 10 days. @@ -1540,28 +1657,34 @@ Added in Windows 10, version 1803. Enable IT admin to configure feature update u - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark1YesYes
      Businesscheck mark1YesYes
      Enterprisecheck mark1YesYes
      Educationcheck mark1YesYes
      @@ -1580,7 +1703,7 @@ Added in Windows 10, version 1803. Enable IT admin to configure feature update u Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. -Added in Windows 10, version 1607. Defers Feature Updates for the specified number of days. +Defers Feature Updates for the specified number of days. Supported values are 0-365 days. @@ -1607,28 +1730,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark1YesYes
      Businesscheck mark1YesYes
      Enterprisecheck mark1YesYes
      Educationcheck mark1YesYes
      @@ -1645,7 +1774,7 @@ ADMX Info: -Added in Windows 10, version 1607. Defers Quality Updates for the specified number of days. +Defers Quality Updates for the specified number of days. Supported values are 0-30. @@ -1669,28 +1798,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -1816,28 +1951,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -1886,28 +2027,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark2YesYes
      Businesscheck mark2YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      @@ -1924,7 +2071,7 @@ ADMX Info: -Added in Windows 10, version 1703. Specifies the scan frequency from every 1 - 22 hours with a random variant of 0 - 4 hours. Default is 22 hours. This policy should only be enabled when Update/UpdateServiceUrl is configured to point the device at a WSUS server rather than Microsoft Update. +Specifies the scan frequency from every 1 - 22 hours with a random variant of 0 - 4 hours. Default is 22 hours. This policy should only be enabled when Update/UpdateServiceUrl is configured to point the device at a WSUS server rather than Microsoft Update. @@ -1946,28 +2093,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark3YesYes
      Businesscheck mark3YesYes
      Enterprisecheck mark3YesYes
      Educationcheck mark3YesYes
      @@ -1984,7 +2137,7 @@ ADMX Info: -Added in Windows 10, version 1709, but was added to 1607 and 1703 service releases. Do not allow update deferral policies to cause scans against Windows Update. If this policy is not enabled, then configuring deferral policies will result in the client unexpectedly scanning Windows update. With the policy enabled, those scans are prevented, and users can configure deferral policies as much as they like. +Do not allow update deferral policies to cause scans against Windows Update. If this policy is not enabled, then configuring deferral policies will result in the client unexpectedly scanning Windows update. With the policy enabled, those scans are prevented, and users can configure deferral policies as much as they like. For more information about dual scan, see [Demystifying "Dual Scan"](/archive/blogs/wsus/demystifying-dual-scan) and [Improving Dual Scan on 1607](/archive/blogs/wsus/improving-dual-scan-on-1607). @@ -2018,28 +2171,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark5YesYes
      Businesscheck mark5YesYes
      Enterprisecheck mark5YesYes
      Educationcheck mark5YesYes
      @@ -2097,28 +2256,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark2YesYes
      Businesscheck mark2YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      @@ -2175,28 +2340,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark5YesYes
      Businesscheck mark5YesYes
      Enterprisecheck mark5YesYes
      Educationcheck mark5YesYes
      @@ -2248,28 +2419,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark2YesYes
      Businesscheck mark2YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      @@ -2319,28 +2496,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark5YesYes
      Businesscheck mark5YesYes
      Enterprisecheck mark5YesYes
      Educationcheck mark5YesYes
      @@ -2390,28 +2573,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark2YesYes
      Businesscheck mark2YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      @@ -2461,28 +2650,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark5YesYes
      Businesscheck mark5YesYes
      Enterprisecheck mark5YesYes
      Educationcheck mark5YesYes
      @@ -2532,28 +2727,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark1YesYes
      Businesscheck mark1YesYes
      Enterprisecheck mark1YesYes
      Educationcheck mark1YesYes
      @@ -2573,7 +2774,7 @@ ADMX Info: > [!NOTE] > Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. -Added in Windows 10, version 1607. Allows IT Admins to exclude Windows Update (WU) drivers during updates. +Allows IT Admins to exclude Windows Update (WU) drivers during updates. @@ -2601,28 +2802,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark2YesYes
      Businesscheck mark2YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      @@ -2639,7 +2846,7 @@ The following list shows the supported values: -Added in the April service release of Windows 10, version 1607. Allows Windows Update Agent to determine the download URL when it is missing from the metadata. This scenario will occur when intranet update service stores the metadata files but the download contents are stored in the ISV file cache (specified as the alternate download URL). +Allows Windows Update Agent to determine the download URL when it is missing from the metadata. This scenario will occur when intranet update service stores the metadata files but the download contents are stored in the ISV file cache (specified as the alternate download URL). > [!NOTE] > This setting should only be used in combination with an alternate download URL and configured to use ISV file cache. This setting is used when the intranet update service does not provide download URLs in the update metadata for files which are available on the alternate download server. @@ -2671,28 +2878,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark2YesYes
      Businesscheck mark2YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      @@ -2709,7 +2922,7 @@ The following list shows the supported values: -Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for apps and their updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies. +Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for apps and their updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies. > [!WARNING] > Setting this policy might cause devices to incur costs from MO operators. @@ -2742,28 +2955,34 @@ To validate this policy: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark2YesYes
      Businesscheck mark2YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      @@ -2780,7 +2999,7 @@ To validate this policy: -Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for OS updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies. +Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for OS updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies. > [!WARNING] > Setting this policy might cause devices to incur costs from MO operators. @@ -2813,28 +3032,34 @@ To validate this policy: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark3YesYes
      Businesscheck mark3YesYes
      Enterprisecheck mark3YesYes
      Educationcheck mark3YesYes
      @@ -2851,7 +3076,7 @@ To validate this policy: -Added in Windows 10, version 1709. Used to manage Windows 10 Insider Preview builds. Value type is integer. +Used to manage Windows 10 Insider Preview builds. Value type is integer. @@ -2881,28 +3106,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -2955,28 +3186,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark1YesYes
      Businesscheck mark1YesYes
      Enterprisecheck mark1YesYes
      Educationcheck mark1YesYes
      @@ -2996,7 +3233,7 @@ The following list shows the supported values: Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. -Added in Windows 10, version 1607. Allows IT Admins to pause feature updates for up to 35 days. We recomment that you use the *Update/PauseFeatureUpdatesStartTime* policy if you are running Windows 10, version 1703 or later. +Allows IT Admins to pause feature updates for up to 35 days. We recomment that you use the *Update/PauseFeatureUpdatesStartTime* policy if you are running Windows 10, version 1703 or later. @@ -3025,28 +3262,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark2YesYes
      Businesscheck mark2YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      @@ -3063,7 +3306,7 @@ The following list shows the supported values: -Added in Windows 10, version 1703. Specifies the date and time when the IT admin wants to start pausing the Feature Updates. When this policy is configured, Feature Updates will be paused for 35 days from the specified start date. +Specifies the date and time when the IT admin wants to start pausing the Feature Updates. When this policy is configured, Feature Updates will be paused for 35 days from the specified start date. Value type is string (yyyy-mm-dd, ex. 2018-10-28). Supported operations are Add, Get, Delete, and Replace. @@ -3087,28 +3330,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark1YesYes
      Businesscheck mark1YesYes
      Enterprisecheck mark1YesYes
      Educationcheck mark1YesYes
      @@ -3125,7 +3374,7 @@ ADMX Info: -Added in Windows 10, version 1607. Allows IT Admins to pause quality updates. For those running Windows 10, version 1703 or later, we recommend that you use *Update/PauseQualityUpdatesStartTime* instead. +Allows IT Admins to pause quality updates. For those running Windows 10, version 1703 or later, we recommend that you use *Update/PauseQualityUpdatesStartTime* instead. @@ -3154,28 +3403,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark2YesYes
      Businesscheck mark2YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      @@ -3192,7 +3447,7 @@ The following list shows the supported values: -Added in Windows 10, version 1703. Specifies the date and time when the IT admin wants to start pausing the Quality Updates. When this policy is configured, Quality Updates will be paused for 35 days from the specified start date. +Specifies the date and time when the IT admin wants to start pausing the Quality Updates. When this policy is configured, Quality Updates will be paused for 35 days from the specified start date. Value type is string (yyyy-mm-dd, ex. 2018-10-28). Supported operations are Add, Get, Delete, and Replace. @@ -3227,28 +3482,34 @@ This policy is deprecated. Use [Update/RequireUpdateApproval](#update-requireupd - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -3296,28 +3557,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -3360,28 +3627,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark2YesYes
      Businesscheck mark2YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      @@ -3398,7 +3671,7 @@ The following list shows the supported values: -Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart imminent warning notifications. +Allows the IT Admin to specify the period for auto-restart imminent warning notifications. The default value is 15 (minutes). @@ -3426,28 +3699,34 @@ Supported values are 15, 30, or 60 (minutes). - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark2YesYes
      Businesscheck mark2YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      @@ -3468,7 +3747,7 @@ Supported values are 15, 30, or 60 (minutes). > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education -Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart warning reminder notifications. +Allows the IT Admin to specify the period for auto-restart warning reminder notifications. The default value is 4 (hours). @@ -3496,28 +3775,34 @@ Supported values are 2, 4, 8, 12, or 24 (hours). - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -3573,28 +3858,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark3YesYes
      Businesscheck mark3YesYes
      Enterprisecheck mark3YesYes
      Educationcheck mark3YesYes
      @@ -3611,7 +3902,7 @@ The following list shows the supported values: -Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the every week. Value type is integer. Supported values: +Enables the IT admin to schedule the update installation on the every week. Value type is integer. Supported values:
      • 0 - no update in the schedule
      • 1 - update is scheduled every week
        • @@ -3637,28 +3928,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
        Windows EditionSupported?EditionWindows 10Windows 11
        Homecross markNoNo
        Procheck mark3YesYes
        Businesscheck mark3YesYes
        Enterprisecheck mark3YesYes
        Educationcheck mark3YesYes
        @@ -3675,7 +3972,7 @@ ADMX Info: -Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the first week of the month. Value type is integer. Supported values: +Enables the IT admin to schedule the update installation on the first week of the month. Value type is integer. Supported values:
        • 0 - no update in the schedule
        • 1 - update is scheduled every first week of the month
          • @@ -3701,28 +3998,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
          Windows EditionSupported?EditionWindows 10Windows 11
          Homecross markNoNo
          Procheck mark3YesYes
          Businesscheck mark3YesYes
          Enterprisecheck mark3YesYes
          Educationcheck mark3YesYes
          @@ -3739,7 +4042,7 @@ ADMX Info: -Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the fourth week of the month. Value type is integer. Supported values: +Enables the IT admin to schedule the update installation on the fourth week of the month. Value type is integer. Supported values:
          • 0 - no update in the schedule
          • 1 - update is scheduled every fourth week of the month
            • @@ -3765,28 +4068,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
            Windows EditionSupported?EditionWindows 10Windows 11
            Homecross markNoNo
            Procheck mark3YesYes
            Businesscheck mark3YesYes
            Enterprisecheck mark3YesYes
            Educationcheck mark3YesYes
            @@ -3803,7 +4112,7 @@ ADMX Info: -Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the second week of the month. Value type is integer. Supported values: +Enables the IT admin to schedule the update installation on the second week of the month. Value type is integer. Supported values:
            • 0 - no update in the schedule
            • 1 - update is scheduled every second week of the month
              • @@ -3829,28 +4138,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
              Windows EditionSupported?EditionWindows 10Windows 11
              Homecross markNoNo
              Procheck mark3YesYes
              Businesscheck mark3YesYes
              Enterprisecheck mark3YesYes
              Educationcheck mark3YesYes
              @@ -3867,7 +4182,7 @@ ADMX Info: -Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the third week of the month. Value type is integer. Supported values: +Enables the IT admin to schedule the update installation on the third week of the month. Value type is integer. Supported values:
              • 0 - no update in the schedule
              • 1 - update is scheduled every third week of the month
                • @@ -3893,28 +4208,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                Windows EditionSupported?EditionWindows 10Windows 11
                Homecross markNoNo
                Procheck markYesYes
                Businesscheck markYesYes
                Enterprisecheck markYesYes
                Educationcheck markYesYes
                @@ -3965,28 +4286,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                Windows EditionSupported?EditionWindows 10Windows 11
                Homecross markNoNo
                Procheck mark2YesYes
                Businesscheck mark2YesYes
                Enterprisecheck mark2YesYes
                Educationcheck mark2YesYes
                @@ -4003,7 +4330,7 @@ ADMX Info: -Added in Windows 10, version 1703. Allows the IT Admin to disable auto-restart notifications for update installations. +Allows the IT Admin to disable auto-restart notifications for update installations. @@ -4032,28 +4359,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                Windows EditionSupported?EditionWindows 10Windows 11
                Homecross markNoNo
                Procheck mark5YesYes
                Businesscheck mark5YesYes
                Enterprisecheck mark5YesYes
                Educationcheck mark5YesYes
                @@ -4091,28 +4424,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                Windows EditionSupported?EditionWindows 10Windows 11
                Homecross markNoNo
                Procheck mark5YesYes
                Businesscheck mark5YesYes
                Enterprisecheck mark5YesYes
                Educationcheck mark5YesYes
                @@ -4150,28 +4489,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                Windows EditionSupported?EditionWindows 10Windows 11
                Homecross markNoNo
                Procheck mark2YesYes
                Businesscheck mark2YesYes
                Enterprisecheck mark2YesYes
                Educationcheck mark2YesYes
                @@ -4188,7 +4533,7 @@ ADMX Info: -Added in Windows 10, version 1703. For devices in a cart, this policy skips all restart checks to ensure that the reboot will happen at ScheduledInstallTime. +For devices in a cart, this policy skips all restart checks to ensure that the reboot will happen at ScheduledInstallTime. When you set this policy along with Update/ActiveHoursStart, Update/ActiveHoursEnd, and ShareCartPC, it will defer all the update processes (scan, download, install, and reboot) to a time after Active Hours. After a buffer period after ActiveHoursEnd, the device will wake up several times to complete the processes. All processes are blocked before ActiveHoursStart. @@ -4219,28 +4564,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                Windows EditionSupported?EditionWindows 10Windows 11
                Homecross markNoNo
                Procheck mark1YesYes
                Businesscheck mark1YesYes
                Enterprisecheck mark1YesYes
                Educationcheck mark1YesYes
                @@ -4284,34 +4635,120 @@ The following list shows the supported values:
                + +**Update/TargetProductVersion** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                EditionWindows 10Windows 11
                HomeNoNo
                ProYesYes
                BusinessYesYes
                EnterpriseYesYes
                EducationYesYes
                + + +
                + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                + + + +Available in Windows 10, version 2004 and later. Enables IT administrators to specify which product they would like their device(s) to move to and/or stay on until they reach end of service or reconfigure the policy to target a new product. + +If no product is specified, the device will continue receiving newer versions of the Windows product it is currently on. For details about different Windows 10 versions, see [release information](/windows/release-health/release-information). + + + +ADMX Info: +- GP Friendly name: *Select the target Feature Update version* +- GP name: *TargetProductVersion* +- GP element: *TargetProductVersionId* +- GP path: *Windows Components/Windows Update/Windows Update for Business* +- GP ADMX file name: *WindowsUpdate.admx* + + + +Value type is a string containing a Windows product, for example, “Windows 11” or “11” or “Windows 10”. + + + + + + + + +By using this Windows Update for Business policy to upgrade devices to a new product (ex. Windows 11) you are agreeing that when applying this operating system to a device either +(1) The applicable Windows license was purchased though volume licensing, or +(2) That you are authorized to bind your organization and are accepting on its behalf the relevant Microsoft Software License Terms to be found here: (https://www.microsoft.com/Useterms). + +
                + **Update/TargetReleaseVersion** - - + + + - + + - + + - + + - + + - + +
                Windows EditionSupported?EditionWindows 10Windows 11
                Homecross markNoNo
                Procheck mark4YesYes
                Businesscheck mark4YesYes
                Enterprisecheck mark4YesYes
                Educationcheck mark4YesYes
                @@ -4358,28 +4795,34 @@ Value type is a string containing Windows 10 version number. For example, 1809, - - + + + - + + - + + - + + - + + - + +
                Windows EditionSupported?EditionWindows 10Windows 11
                Homecross markNoNo
                Procheck mark5YesYes
                Businesscheck mark5YesYes
                Enterprisecheck mark5YesYes
                Educationcheck mark5YesYes
                @@ -4435,28 +4878,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                Windows EditionSupported?EditionWindows 10Windows 11
                Homecross markNoNo
                Procheck markYesYes
                Businesscheck markYesYes
                Enterprisecheck markYesYes
                Educationcheck markYesYes
                @@ -4527,28 +4976,34 @@ Example - - + + + - + + - + + - + + - + + - + +
                Windows EditionSupported?EditionWindows 10Windows 11
                Homecross markNoNo
                Procheck mark1YesYes
                Businesscheck mark1YesYes
                Enterprisecheck mark1YesYes
                Educationcheck mark1YesYes
                @@ -4565,7 +5020,7 @@ Example -Added in the January service release of Windows 10, version 1607. Specifies an alternate intranet server to host updates from Microsoft Update. You can then use this update service to automatically update computers on your network. +Specifies an alternate intranet server to host updates from Microsoft Update. You can then use this update service to automatically update computers on your network. This setting lets you specify a server on your network to function as an internal update service. The Automatic Updates client will search this service for updates that apply to the computers on your network. @@ -4591,15 +5046,4 @@ ADMX Info:
                -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. - -1` \ No newline at end of file + diff --git a/windows/client-management/mdm/policy-csp-userrights.md b/windows/client-management/mdm/policy-csp-userrights.md index 7ac5e6f283..65fb6facfd 100644 --- a/windows/client-management/mdm/policy-csp-userrights.md +++ b/windows/client-management/mdm/policy-csp-userrights.md @@ -15,7 +15,6 @@ manager: dansimp # Policy CSP - UserRights -
                User rights are assigned for user accounts or groups. The name of the policy defines the user right in question, and the values are always users or groups. Values can be represented as SIDs or strings. For reference, see [Well-Known SID Structures](/openspecs/windows_protocols/ms-dtyp/81d92bba-d22b-4a8c-908a-554ab29148ab). @@ -200,28 +199,34 @@ For example, the following syntax grants user rights to a specific user or group - - + + + - + + - + + - + + - + + - + +
                Windows EditionSupported?EditionWindows 10Windows 11
                Homecross markNoNo
                Procheck mark1YesYes
                Businesscheck mark1YesYes
                Enterprisecheck mark1YesYes
                Educationcheck mark1YesYes
                @@ -257,28 +262,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
                Windows EditionSupported?EditionWindows 10Windows 11
                Homecross markNoNo
                Procheck mark1YesYes
                Businesscheck mark1YesYes
                Enterprisecheck mark1YesYes
                Educationcheck mark1YesYes
                @@ -316,28 +327,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
                Windows EditionSupported?EditionWindows 10Windows 11
                Homecross markNoNo
                Procheck mark1YesYes
                Businesscheck mark1YesYes
                Enterprisecheck mark1YesYes
                Educationcheck mark1YesYes
                @@ -375,28 +392,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
                Windows EditionSupported?EditionWindows 10Windows 11
                Homecross markNoNo
                Procheck mark1YesYes
                Businesscheck mark1YesYes
                Enterprisecheck mark1YesYes
                Educationcheck mark1YesYes
                @@ -434,28 +457,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
                Windows EditionSupported?EditionWindows 10Windows 11
                Homecross markNoNo
                Procheck mark1YesYes
                Businesscheck mark1YesYes
                Enterprisecheck mark1YesYes
                Educationcheck mark1YesYes
                @@ -493,28 +522,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
                Windows EditionSupported?EditionWindows 10Windows 11
                Homecross markNoNo
                Procheck mark1YesYes
                Businesscheck mark1YesYes
                Enterprisecheck mark1YesYes
                Educationcheck mark1YesYes
                @@ -550,28 +585,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
                Windows EditionSupported?EditionWindows 10Windows 11
                Homecross markNoNo
                Procheck mark1YesYes
                Businesscheck mark1YesYes
                Enterprisecheck mark1YesYes
                Educationcheck mark1YesYes
                @@ -609,28 +650,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
                Windows EditionSupported?EditionWindows 10Windows 11
                Homecross markNoNo
                Procheck mark1YesYes
                Businesscheck mark1YesYes
                Enterprisecheck mark1YesYes
                Educationcheck mark1YesYes
                @@ -666,28 +713,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
                Windows EditionSupported?EditionWindows 10Windows 11
                Homecross markNoNo
                Procheck mark1YesYes
                Businesscheck mark1YesYes
                Enterprisecheck mark1YesYes
                Educationcheck mark1YesYes
                @@ -723,28 +776,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
                Windows EditionSupported?EditionWindows 10Windows 11
                Homecross markNoNo
                Procheck mark1YesYes
                Businesscheck mark1YesYes
                Enterprisecheck mark1YesYes
                Educationcheck mark1YesYes
                @@ -784,28 +843,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
                Windows EditionSupported?EditionWindows 10Windows 11
                Homecross markNoNo
                Procheck mark1YesYes
                Businesscheck mark1YesYes
                Enterprisecheck mark1YesYes
                Educationcheck mark1YesYes
                @@ -843,28 +908,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
                Windows EditionSupported?EditionWindows 10Windows 11
                Homecross markNoNo
                Procheck mark1YesYes
                Businesscheck mark1YesYes
                Enterprisecheck mark1YesYes
                Educationcheck mark1YesYes
                @@ -902,28 +973,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
                Windows EditionSupported?EditionWindows 10Windows 11
                Homecross markNoNo
                Procheck mark1YesYes
                Businesscheck mark1YesYes
                Enterprisecheck mark1YesYes
                Educationcheck mark1YesYes
                @@ -959,28 +1036,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
                Windows EditionSupported?EditionWindows 10Windows 11
                Homecross markNoNo
                Procheck mark1YesYes
                Businesscheck mark1YesYes
                Enterprisecheck mark1YesYes
                Educationcheck mark1YesYes
                @@ -1018,28 +1101,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
                Windows EditionSupported?EditionWindows 10Windows 11
                Homecross markNoNo
                Procheck mark1YesYes
                Businesscheck mark1YesYes
                Enterprisecheck mark1YesYes
                Educationcheck mark1YesYes
                @@ -1075,28 +1164,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
                Windows EditionSupported?EditionWindows 10Windows 11
                Homecross markNoNo
                Procheck mark1YesYes
                Businesscheck mark1YesYes
                Enterprisecheck mark1YesYes
                Educationcheck mark1YesYes
                @@ -1134,28 +1229,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
                Windows EditionSupported?EditionWindows 10Windows 11
                Homecross markNoNo
                Procheck mark1YesYes
                Businesscheck mark1YesYes
                Enterprisecheck mark1YesYes
                Educationcheck mark1YesYes
                @@ -1191,28 +1292,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
                Windows EditionSupported?EditionWindows 10Windows 11
                Homecross markNoNo
                Procheck mark1YesYes
                Businesscheck mark1YesYes
                Enterprisecheck mark1YesYes
                Educationcheck mark1YesYes
                @@ -1258,28 +1365,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
                Windows EditionSupported?EditionWindows 10Windows 11
                Homecross markNoNo
                Procheck mark1YesYes
                Businesscheck mark1YesYes
                Enterprisecheck mark1YesYes
                Educationcheck mark1YesYes
                @@ -1320,28 +1433,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
                Windows EditionSupported?EditionWindows 10Windows 11
                Homecross markNoNo
                Procheck mark1YesYes
                Businesscheck mark1YesYes
                Enterprisecheck mark1YesYes
                Educationcheck mark1YesYes
                @@ -1379,28 +1498,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
                Windows EditionSupported?EditionWindows 10Windows 11
                Homecross markNoNo
                Procheck mark1YesYes
                Businesscheck mark1YesYes
                Enterprisecheck mark1YesYes
                Educationcheck mark1YesYes
                @@ -1436,28 +1561,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
                Windows EditionSupported?EditionWindows 10Windows 11
                Homecross markNoNo
                Procheck mark1YesYes
                Businesscheck mark1YesYes
                Enterprisecheck mark1YesYes
                Educationcheck mark1YesYes
                @@ -1493,28 +1624,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
                Windows EditionSupported?EditionWindows 10Windows 11
                Homecross markNoNo
                Procheck mark1YesYes
                Businesscheck mark1YesYes
                Enterprisecheck mark1YesYes
                Educationcheck mark1YesYes
                @@ -1550,28 +1687,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
                Windows EditionSupported?EditionWindows 10Windows 11
                Homecross markNoNo
                Procheck mark1YesYes
                Businesscheck mark1YesYes
                Enterprisecheck mark1YesYes
                Educationcheck mark1YesYes
                @@ -1609,28 +1752,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
                Windows EditionSupported?EditionWindows 10Windows 11
                Homecross markNoNo
                Procheck mark1YesYes
                Businesscheck mark1YesYes
                Enterprisecheck mark1YesYes
                Educationcheck mark1YesYes
                @@ -1666,28 +1815,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
                Windows EditionSupported?EditionWindows 10Windows 11
                Homecross markNoNo
                Procheck mark1YesYes
                Businesscheck mark1YesYes
                Enterprisecheck mark1YesYes
                Educationcheck mark1YesYes
                @@ -1723,28 +1878,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
                Windows EditionSupported?EditionWindows 10Windows 11
                Homecross markNoNo
                Procheck mark1YesYes
                Businesscheck mark1YesYes
                Enterprisecheck mark1YesYes
                Educationcheck mark1YesYes
                @@ -1780,28 +1941,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
                Windows EditionSupported?EditionWindows 10Windows 11
                Homecross markNoNo
                Procheck mark1YesYes
                Businesscheck mark1YesYes
                Enterprisecheck mark1YesYes
                Educationcheck mark1YesYes
                @@ -1839,28 +2006,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
                Windows EditionSupported?EditionWindows 10Windows 11
                Homecross markNoNo
                Procheck mark1YesYes
                Businesscheck mark1YesYes
                Enterprisecheck mark1YesYes
                Educationcheck mark1YesYes
                @@ -1891,14 +2064,4 @@ GP Info:
                -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-wifi.md b/windows/client-management/mdm/policy-csp-wifi.md index 0db9332538..77728974a0 100644 --- a/windows/client-management/mdm/policy-csp-wifi.md +++ b/windows/client-management/mdm/policy-csp-wifi.md @@ -15,7 +15,6 @@ manager: dansimp # Policy CSP - Wifi -
                @@ -67,28 +66,34 @@ This policy has been deprecated. - - + + + - + + - + + - + + - + + - + +
                Windows EditionSupported?EditionWindows 10Windows 11
                Homecross markNoNo
                Procheck markYesYes
                Businesscheck markYesYes
                Enterprisecheck markYesYes
                Educationcheck markYesYes
                @@ -135,28 +140,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                Windows EditionSupported?EditionWindows 10Windows 11
                Homecross markNoNo
                Procheck markYesYes
                Businesscheck markYesYes
                Enterprisecheck markYesYes
                Educationcheck markYesYes
                @@ -203,28 +214,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                Windows EditionSupported?EditionWindows 10Windows 11
                Homecross markNoNo
                Procheck mark1YesYes
                Businesscheck mark1YesYes
                Enterprisecheck mark1YesYes
                Educationcheck mark1YesYes
                @@ -266,28 +283,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                Windows EditionSupported?EditionWindows 10Windows 11
                Homecross markNoNo
                Procheck mark1YesYes
                Businesscheck mark1YesYes
                Enterprisecheck mark1YesYes
                Educationcheck mark1YesYes
                @@ -326,28 +349,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                Windows EditionSupported?EditionWindows 10Windows 11
                Homecross markNoNo
                Procheck mark2YesYes
                Businesscheck mark2YesYes
                Enterprisecheck mark2YesYes
                Educationcheck mark2YesYes
                @@ -364,7 +393,7 @@ The following list shows the supported values: -Added in Windows 10, version 1703. Allow WiFi Direct connection.. +Allow WiFi Direct connection.. @@ -384,28 +413,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                Windows EditionSupported?EditionWindows 10Windows 11
                Homecross markNoNo
                Procheck markYesYes
                Businesscheck markYesYes
                Enterprisecheck markYesYes
                Educationcheck markYesYes
                @@ -434,16 +469,6 @@ Supported operations are Add, Delete, Get, and Replace.
                -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md b/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md index 9af69e0c2b..a5e847a460 100644 --- a/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md +++ b/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md @@ -36,28 +36,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                Windows EditionSupported?EditionWindows 10Windows 11
                Homecross markNoNo
                Procheck markYesYes
                Businesscheck markYesYes
                Enterprisecheck markYesYes
                Educationcheck markYesYes
                @@ -107,16 +113,6 @@ ADMX Info:
                -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md index 10c2f369a9..6b2e339e43 100644 --- a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md +++ b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md @@ -98,28 +98,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                Windows EditionSupported?EditionWindows 10Windows 11
                Homecheck mark3YesYes
                Procheck mark3YesYes
                Businesscheck mark3YesYes
                Enterprisecheck mark3YesYes
                Educationcheck mark3YesYes
                @@ -136,7 +142,7 @@ manager: dansimp -Added in Windows 10, version 1709. The company name that is displayed to the users. CompanyName is required for both EnableCustomizedToasts and EnableInAppCustomization. If you disable or do not configure this setting, or do not have EnableCustomizedToasts or EnableInAppCustomization enabled, then devices will not display the contact options. +The company name that is displayed to the users. CompanyName is required for both EnableCustomizedToasts and EnableInAppCustomization. If you disable or do not configure this setting, or do not have EnableCustomizedToasts or EnableInAppCustomization enabled, then devices will not display the contact options. Value type is string. Supported operations are Add, Get, Replace and Delete. @@ -160,28 +166,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                Windows EditionSupported?EditionWindows 10Windows 11
                Homecheck mark4YesYes
                Procheck mark4YesYes
                Businesscheck mark4YesYes
                Enterprisecheck mark4YesYes
                Educationcheck mark4YesYes
                @@ -198,7 +210,7 @@ ADMX Info: -Added in Windows 10, next major release. Use this policy setting to specify if to display the Account protection area in Windows Defender Security Center. If you disable or do not configure this setting, Windows defender Security Center will display this area. +Use this policy setting to specify if to display the Account protection area in Windows Defender Security Center. If you disable or do not configure this setting, Windows defender Security Center will display this area. @@ -226,28 +238,34 @@ Valid values: - - + + + - + + - + + - + + - + + - + +
                Windows EditionSupported?EditionWindows 10Windows 11
                Homecheck mark3YesYes
                Procheck mark3YesYes
                Businesscheck mark3YesYes
                Enterprisecheck mark3YesYes
                Educationcheck mark3YesYes
                @@ -264,7 +282,7 @@ Valid values: -Added in Windows 10, version 1709. Use this policy setting if you want to disable the display of the app and browser protection area in Windows Defender Security Center. If you disable or do not configure this setting, Windows defender Security Center will display this area. +Use this policy setting if you want to disable the display of the app and browser protection area in Windows Defender Security Center. If you disable or do not configure this setting, Windows defender Security Center will display this area. Value type is integer. Supported operations are Add, Get, Replace and Delete. @@ -294,28 +312,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                Windows EditionSupported?EditionWindows 10Windows 11
                Homecheck mark5YesYes
                Procheck mark5YesYes
                Businesscheck mark5YesYes
                Enterprisecheck mark5YesYes
                Educationcheck mark5YesYes
                @@ -376,28 +400,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                Windows EditionSupported?EditionWindows 10Windows 11
                Homecheck mark4YesYes
                Procheck mark4YesYes
                Businesscheck mark4YesYes
                Enterprisecheck mark4YesYes
                Educationcheck mark4YesYes
                @@ -414,7 +444,7 @@ ADMX Info: -Added in Windows 10, next major release. Use this policy setting if you want to disable the display of the Device security area in the Windows Defender Security Center. If you disable or do not configure this setting, Windows defender Security Center will display this area. +Use this policy setting if you want to disable the display of the Device security area in the Windows Defender Security Center. If you disable or do not configure this setting, Windows defender Security Center will display this area. @@ -442,28 +472,34 @@ Valid values: - - + + + - + + - + + - + + - + + - + +
                Windows EditionSupported?EditionWindows 10Windows 11
                Homecheck mark3YesYes
                Procheck mark3YesYes
                Businesscheck mark3YesYes
                Enterprisecheck mark3YesYes
                Educationcheck mark3YesYes
                @@ -480,7 +516,7 @@ Valid values: -Added in Windows 10, version 1709. Use this policy if you want Windows Defender Security Center to only display notifications which are considered critical. If you disable or do not configure this setting, Windows Defender Security Center will display critical and non-critical notifications to users. +Use this policy if you want Windows Defender Security Center to only display notifications which are considered critical. If you disable or do not configure this setting, Windows Defender Security Center will display critical and non-critical notifications to users. > [!NOTE] > If Suppress notification is enabled then users will not see critical or non-critical messages. @@ -513,28 +549,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                Windows EditionSupported?EditionWindows 10Windows 11
                Homecheck mark3YesYes
                Procheck mark3YesYes
                Businesscheck mark3YesYes
                Enterprisecheck mark3YesYes
                Educationcheck mark3YesYes
                @@ -551,7 +593,7 @@ The following list shows the supported values: -Added in Windows 10, version 1709. Use this policy setting if you want to disable the display of the family options area in Windows Defender Security Center. If you disable or do not configure this setting, Windows defender Security Center will display this area. +Use this policy setting if you want to disable the display of the family options area in Windows Defender Security Center. If you disable or do not configure this setting, Windows defender Security Center will display this area. Value type is integer. Supported operations are Add, Get, Replace and Delete. @@ -581,28 +623,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                Windows EditionSupported?EditionWindows 10Windows 11
                Homecheck mark3YesYes
                Procheck mark3YesYes
                Businesscheck mark3YesYes
                Enterprisecheck mark3YesYes
                Educationcheck mark3YesYes
                @@ -619,7 +667,7 @@ The following list shows the supported values: -Added in Windows 10, version 1709. Use this policy setting if you want to disable the display of the device performance and health area in Windows Defender Security Center. If you disable or do not configure this setting, Windows defender Security Center will display this area. +Use this policy setting if you want to disable the display of the device performance and health area in Windows Defender Security Center. If you disable or do not configure this setting, Windows defender Security Center will display this area. Value type is integer. Supported operations are Add, Get, Replace and Delete. @@ -649,28 +697,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                Windows EditionSupported?EditionWindows 10Windows 11
                Homecheck mark3YesYes
                Procheck mark3YesYes
                Businesscheck mark3YesYes
                Enterprisecheck mark3YesYes
                Educationcheck mark3YesYes
                @@ -687,7 +741,7 @@ The following list shows the supported values: -Added in Windows 10, version 1709. Use this policy setting if you want to disable the display of the firewall and network protection area in Windows Defender Security Center. If you disable or do not configure this setting, Windows defender Security Center will display this area. +Use this policy setting if you want to disable the display of the firewall and network protection area in Windows Defender Security Center. If you disable or do not configure this setting, Windows defender Security Center will display this area. Value type is integer. Supported operations are Add, Get, Replace and Delete. @@ -717,28 +771,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                Windows EditionSupported?EditionWindows 10Windows 11
                Homecheck mark3YesYes
                Procheck mark3YesYes
                Businesscheck mark3YesYes
                Enterprisecheck mark3YesYes
                Educationcheck mark3YesYes
                @@ -755,7 +815,7 @@ The following list shows the supported values: -Added in Windows 10, version 1709. Use this policy setting if you want to disable the display of Windows Defender Security Center notifications. If you disable or do not configure this setting, Windows Defender Security Center notifications will display on devices. +Use this policy setting if you want to disable the display of Windows Defender Security Center notifications. If you disable or do not configure this setting, Windows Defender Security Center notifications will display on devices. Value type is integer. Supported operations are Add, Get, Replace and Delete. @@ -785,28 +845,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                Windows EditionSupported?EditionWindows 10Windows 11
                Homecheck mark5YesYes
                Procheck mark5YesYes
                Businesscheck mark5YesYes
                Enterprisecheck mark5YesYes
                Educationcheck mark5YesYes
                @@ -867,28 +933,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                Windows EditionSupported?EditionWindows 10Windows 11
                Homecheck mark3YesYes
                Procheck mark3YesYes
                Businesscheck mark3YesYes
                Enterprisecheck mark3YesYes
                Educationcheck mark3YesYes
                @@ -905,7 +977,7 @@ ADMX Info: -Added in Windows 10, version 1709. Use this policy setting if you want to disable the display of the virus and threat protection area in Windows Defender Security Center. If you disable or do not configure this setting, Windows defender Security Center will display this area. +Use this policy setting if you want to disable the display of the virus and threat protection area in Windows Defender Security Center. If you disable or do not configure this setting, Windows defender Security Center will display this area. Value type is integer. Supported operations are Add, Get, Replace and Delete. @@ -935,28 +1007,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                Windows EditionSupported?EditionWindows 10Windows 11
                Homecheck mark3YesYes
                Procheck mark3YesYes
                Businesscheck mark3YesYes
                Enterprisecheck mark3YesYes
                Educationcheck mark3YesYes
                @@ -973,7 +1051,7 @@ The following list shows the supported values: -Added in Windows 10, version 1709. Prevent users from making changes to the exploit protection settings area in the Windows Defender Security Center. If you disable or do not configure this setting, local users can make changes in the exploit protection settings area. +Prevent users from making changes to the exploit protection settings area in the Windows Defender Security Center. If you disable or do not configure this setting, local users can make changes in the exploit protection settings area. Value type is integer. Supported operations are Add, Get, Replace and Delete. @@ -1003,28 +1081,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                Windows EditionSupported?EditionWindows 10Windows 11
                Homecheck mark3YesYes
                Procheck mark3YesYes
                Businesscheck mark3YesYes
                Enterprisecheck mark3YesYes
                Educationcheck mark3YesYes
                @@ -1041,7 +1125,7 @@ The following list shows the supported values: -Added in Windows 10, version 1709. The email address that is displayed to users.  The default mail application is used to initiate email actions. If you disable or do not configure this setting, or do not have EnableCustomizedToasts or EnableInAppCustomization enabled, then devices will not display contact options. +The email address that is displayed to users.  The default mail application is used to initiate email actions. If you disable or do not configure this setting, or do not have EnableCustomizedToasts or EnableInAppCustomization enabled, then devices will not display contact options. Value type is string. Supported operations are Add, Get, Replace and Delete. @@ -1065,28 +1149,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                Windows EditionSupported?EditionWindows 10Windows 11
                Homecheck mark3YesYes
                Procheck mark3YesYes
                Businesscheck mark3YesYes
                Enterprisecheck mark3YesYes
                Educationcheck mark3YesYes
                @@ -1103,7 +1193,7 @@ ADMX Info: -Added in Windows 10, version 1709. Enable this policy to display your company name and contact options in the notifications. If you disable or do not configure this setting, or do not provide CompanyName and a minimum of one contact method (Phone using Skype, Email, Help portal URL) Windows Defender Security Center will display a default notification text. +Enable this policy to display your company name and contact options in the notifications. If you disable or do not configure this setting, or do not provide CompanyName and a minimum of one contact method (Phone using Skype, Email, Help portal URL) Windows Defender Security Center will display a default notification text. Value type is integer. Supported operations are Add, Get, Replace, and Delete. @@ -1133,28 +1223,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                Windows EditionSupported?EditionWindows 10Windows 11
                Homecheck mark3YesYes
                Procheck mark3YesYes
                Businesscheck mark3YesYes
                Enterprisecheck mark3YesYes
                Educationcheck mark3YesYes
                @@ -1171,7 +1267,7 @@ The following list shows the supported values: -Added in Windows 10, version 1709. Enable this policy to have your company name and contact options displayed in a contact card fly out in Windows Defender Security Center. If you disable or do not configure this setting, or do not provide CompanyName and a minimum of one contact method (Phone using Skype, Email, Help portal URL) Windows Defender Security Center will not display the contact card fly out notification. +Enable this policy to have your company name and contact options displayed in a contact card fly out in Windows Defender Security Center. If you disable or do not configure this setting, or do not provide CompanyName and a minimum of one contact method (Phone using Skype, Email, Help portal URL) Windows Defender Security Center will not display the contact card fly out notification. Value type is integer. Supported operations are Add, Get, Replace, and Delete. @@ -1201,28 +1297,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                Windows EditionSupported?EditionWindows 10Windows 11
                Homecheck mark4YesYes
                Procheck mark4YesYes
                Businesscheck mark4YesYes
                Enterprisecheck mark4YesYes
                Educationcheck mark4YesYes
                @@ -1239,7 +1341,7 @@ The following list shows the supported values: -Added in Windows 10, version 1803. Use this policy setting to hide the Ransomware data recovery area in Windows Defender Security Center. +Use this policy setting to hide the Ransomware data recovery area in Windows Defender Security Center. @@ -1267,28 +1369,34 @@ Valid values: - - + + + - + + - + + - + + - + + - + +
                Windows EditionSupported?EditionWindows 10Windows 11
                Homecheck mark4YesYes
                Procheck mark4YesYes
                Businesscheck mark4YesYes
                Enterprisecheck mark4YesYes
                Educationcheck mark4YesYes
                @@ -1305,7 +1413,7 @@ Valid values: -Added in Windows 10, version 1803. Use this policy to hide the Secure boot area in the Windows Defender Security Center. +Use this policy to hide the Secure boot area in the Windows Defender Security Center. @@ -1333,28 +1441,34 @@ Valid values: - - + + + - + + - + + - + + - + + - + +
                Windows EditionSupported?EditionWindows 10Windows 11
                Homecheck mark4YesYes
                Procheck mark4YesYes
                Businesscheck mark4YesYes
                Enterprisecheck mark4YesYes
                Educationcheck mark4YesYes
                @@ -1371,7 +1485,7 @@ Valid values: -Added in Windows 10, version 1803. Use this policy to hide the Security processor (TPM) troubleshooting area in the Windows Defender Security Center. +Use this policy to hide the Security processor (TPM) troubleshooting area in the Windows Defender Security Center. @@ -1399,28 +1513,34 @@ Valid values: - - + + + - + + - + + - + + - + + - + +
                Windows EditionSupported?EditionWindows 10Windows 11
                Homecheck mark5YesYes
                Procheck mark5YesYes
                Businesscheck mark5YesYes
                Enterprisecheck mark5YesYes
                Educationcheck mark5YesYes
                @@ -1483,28 +1603,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                Windows EditionSupported?EditionWindows 10Windows 11
                Homecheck mark3YesYes
                Procheck mark3YesYes
                Businesscheck mark3YesYes
                Enterprisecheck mark3YesYes
                Educationcheck mark3YesYes
                @@ -1521,7 +1647,7 @@ ADMX Info: -Added in Windows 10, version 1709. The phone number or Skype ID that is displayed to users.  Skype is used to initiate the call. If you disable or do not configure this setting, or do not have EnableCustomizedToasts or EnableInAppCustomization enabled, then devices will not display contact options. +The phone number or Skype ID that is displayed to users.  Skype is used to initiate the call. If you disable or do not configure this setting, or do not have EnableCustomizedToasts or EnableInAppCustomization enabled, then devices will not display contact options. Value type is string. Supported operations are Add, Get, Replace, and Delete. @@ -1545,28 +1671,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                Windows EditionSupported?EditionWindows 10Windows 11
                Homecheck mark3YesYes
                Procheck mark3YesYes
                Businesscheck mark3YesYes
                Enterprisecheck mark3YesYes
                Educationcheck mark3YesYes
                @@ -1583,7 +1715,7 @@ ADMX Info: -Added in Windows 10, version 1709. The help portal URL this is displayed to users. The default browser is used to initiate this action. If you disable or do not configure this setting, or do not have EnableCustomizedToasts or EnableInAppCustomization enabled, then the device will not display contact options. +The help portal URL this is displayed to users. The default browser is used to initiate this action. If you disable or do not configure this setting, or do not have EnableCustomizedToasts or EnableInAppCustomization enabled, then the device will not display contact options. Value type is Value type is string. Supported operations are Add, Get, Replace, and Delete. @@ -1600,16 +1732,5 @@ ADMX Info:
                -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. - diff --git a/windows/client-management/mdm/policy-csp-windowsinkworkspace.md b/windows/client-management/mdm/policy-csp-windowsinkworkspace.md index b352b0818c..f463131d83 100644 --- a/windows/client-management/mdm/policy-csp-windowsinkworkspace.md +++ b/windows/client-management/mdm/policy-csp-windowsinkworkspace.md @@ -15,7 +15,6 @@ manager: dansimp # Policy CSP - WindowsInkWorkspace -
                @@ -39,28 +38,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                Windows EditionSupported?EditionWindows 10Windows 11
                Homecross markNoNo
                Procheck mark1YesYes
                Businesscheck mark1YesYes
                Enterprisecheck mark1YesYes
                Educationcheck mark1YesYes
                @@ -77,7 +82,7 @@ manager: dansimp -Added in Windows 10, version 1607. Show recommended app suggestions in the ink workspace. +Show recommended app suggestions in the ink workspace. @@ -105,28 +110,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                Windows EditionSupported?EditionWindows 10Windows 11
                Homecross markNoNo
                Procheck mark1YesYes
                Businesscheck mark1YesYes
                Enterprisecheck mark1YesYes
                Educationcheck mark1YesYes
                @@ -143,7 +154,7 @@ The following list shows the supported values: -Added in Windows 10, version 1607. Specifies whether to allow the user to access the ink workspace. +Specifies whether to allow the user to access the ink workspace. @@ -166,16 +177,5 @@ Value type is int. The following list shows the supported values:
                -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. - diff --git a/windows/client-management/mdm/policy-csp-windowslogon.md b/windows/client-management/mdm/policy-csp-windowslogon.md index 4d822efc0c..94a49ce87c 100644 --- a/windows/client-management/mdm/policy-csp-windowslogon.md +++ b/windows/client-management/mdm/policy-csp-windowslogon.md @@ -45,6 +45,13 @@ manager: dansimp
      +> [!TIP] +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +
      @@ -54,28 +61,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark6YesYes
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      @@ -105,12 +118,6 @@ After enabling this policy, you can configure its settings through the [ConfigAu If you disable this policy setting, the device does not configure automatic sign in. The user’s lock screen apps are not restarted after the system restarts. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -139,28 +146,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecheck mark6YesYes
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      @@ -190,12 +203,6 @@ BitLocker is suspended during updates if: If you disable or do not configure this setting, automatic sign on defaults to the “Enabled if BitLocker is on and not suspended” behavior. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -224,28 +231,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -269,12 +282,6 @@ If you enable this policy setting, no app notifications are displayed on the loc If you disable or do not configure this policy setting, users can choose which apps display notifications on the lock screen. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -294,28 +301,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -364,12 +377,6 @@ Here is an example to enable this policy: ``` -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -389,28 +396,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markYesYes
      Procheck mark6YesYes
      Businesscheck mark6YesYes
      Enterprisecheck mark6YesYes
      Educationcheck mark6YesYes
      @@ -468,28 +481,34 @@ Supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -513,12 +532,6 @@ If you enable this policy setting, Logon UI will enumerate all local users on do If you disable or do not configure this policy setting, the Logon UI will not enumerate local users on domain-joined computers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -538,28 +551,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark2YesYes
      Businesscheck mark2YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      @@ -576,7 +595,7 @@ ADMX Info: -Added in Windows 10, version 1703. This policy setting allows you to hide the Switch account button on the sign-in screen, Start, and the Task Manager. If you enable this policy setting, the Switch account button is hidden from the user who is attempting to sign-in or is signed in to the computer that has this policy applied. If you disable or do not configure this policy setting, the Switch account button is accessible to the user in the three locations. +This policy setting allows you to hide the Switch account button on the sign-in screen, Start, and the Task Manager. If you enable this policy setting, the Switch account button is hidden from the user who is attempting to sign-in or is signed in to the computer that has this policy applied. If you disable or do not configure this policy setting, the Switch account button is accessible to the user in the three locations. @@ -604,16 +623,5 @@ To validate on Desktop, do the following:
      -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. - diff --git a/windows/client-management/mdm/policy-csp-windowspowershell.md b/windows/client-management/mdm/policy-csp-windowspowershell.md index 3cf0a24d74..a67752e251 100644 --- a/windows/client-management/mdm/policy-csp-windowspowershell.md +++ b/windows/client-management/mdm/policy-csp-windowspowershell.md @@ -36,28 +36,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscheck markYesYes
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -104,16 +110,6 @@ ADMX Info:
      -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-windowssandbox.md b/windows/client-management/mdm/policy-csp-windowssandbox.md index e1e54793b4..f3fd70ab14 100644 --- a/windows/client-management/mdm/policy-csp-windowssandbox.md +++ b/windows/client-management/mdm/policy-csp-windowssandbox.md @@ -12,9 +12,6 @@ ms.date: 10/14/2020 # Policy CSP - WindowsSandbox -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. -
      @@ -53,28 +50,34 @@ Available in the latest Windows 10 insider preview build. - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -141,28 +144,34 @@ Available in the latest Windows 10 insider preview build. - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -226,28 +235,34 @@ Available in the latest Windows 10 insider preview build. - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -309,28 +324,34 @@ Available in the latest Windows 10 insider preview build. - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -393,28 +414,34 @@ Available in the latest Windows 10 insider preview build. - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      @@ -480,28 +507,34 @@ Available in the latest Windows 10 insider preview build. - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck markYesYes
      Businesscross markNoNo
      Enterprisecheck markYesYes
      Educationcheck markYesYes
      diff --git a/windows/client-management/mdm/policy-csp-wirelessdisplay.md b/windows/client-management/mdm/policy-csp-wirelessdisplay.md index b1b0988561..9d941ee024 100644 --- a/windows/client-management/mdm/policy-csp-wirelessdisplay.md +++ b/windows/client-management/mdm/policy-csp-wirelessdisplay.md @@ -55,28 +55,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark3YesYes
      Businesscheck mark3YesYes
      Enterprisecheck mark3YesYes
      Educationcheck mark3YesYes
      @@ -93,7 +99,7 @@ manager: dansimp -Added in Windows 10, version 1709. This policy setting allows you to turn off the Wireless Display multicast DNS service advertisement from a Wireless Display receiver. If the network administrator is concerned about network congestion, they may set this policy to 0, disabling mDNS advertisement. +This policy setting allows you to turn off the Wireless Display multicast DNS service advertisement from a Wireless Display receiver. If the network administrator is concerned about network congestion, they may set this policy to 0, disabling mDNS advertisement. @@ -113,28 +119,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark3YesYes
      Businesscheck mark3YesYes
      Enterprisecheck mark3YesYes
      Educationcheck mark3YesYes
      @@ -151,7 +163,7 @@ The following list shows the supported values: -Added in Windows 10, version 1709. This policy setting allows you to turn off discovering the display service advertised over multicast DNS by a Wireless Display receiver. If the network administrator is concerned about network congestion, they may set this policy to 0, disabling mDNS discovery. +This policy setting allows you to turn off discovering the display service advertised over multicast DNS by a Wireless Display receiver. If the network administrator is concerned about network congestion, they may set this policy to 0, disabling mDNS discovery. @@ -171,28 +183,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark2YesYes
      Businesscheck mark2YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      @@ -209,7 +227,7 @@ The following list shows the supported values: -Added in Windows 10, version 1703. This policy allows you to turn off projection from a PC. +This policy allows you to turn off projection from a PC. @@ -229,28 +247,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark2YesYes
      Businesscheck mark2YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      @@ -267,7 +291,7 @@ The following list shows the supported values: -Added in Windows 10, version 1703. This policy allows you to turn off projection from a PC over infrastructure. +This policy allows you to turn off projection from a PC over infrastructure. @@ -287,28 +311,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark1YesYes
      Businesscheck mark1YesYes
      Enterprisecheck mark1YesYes
      Educationcheck mark1YesYes
      @@ -325,7 +355,7 @@ The following list shows the supported values: -Added in Windows 10, version 1607. Allow or disallow turning off the projection to a PC. +Allow or disallow turning off the projection to a PC. If you set it to 0 (zero), your PC is not discoverable and you cannot project to it. If you set it to 1, your PC is discoverable and you can project to it above the lock screen. The user has an option to turn it always on or always off except for manual launch. In PCs that support Miracast, after the policy is applied you can verify the setting from the user interface in **Settings** > **System** > **Projecting to this PC**. @@ -357,28 +387,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark2YesYes
      Businesscheck mark2YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      @@ -395,7 +431,7 @@ The following list shows the supported values: -Added in Windows 10, version 1703. This policy setting allows you to turn off projection to a PC over infrastructure. +This policy setting allows you to turn off projection to a PC over infrastructure. @@ -415,28 +451,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark2YesYes
      Businesscheck mark2YesYes
      Enterprisecheck mark2YesYes
      Educationcheck mark2YesYes
      @@ -453,7 +495,7 @@ The following list shows the supported values: -Added in Windows 10, version 1703. Setting this policy controls whether or not the wireless display can send input—keyboard, mouse, pen, and touch input if the display supports it—back to the source device. +Setting this policy controls whether or not the wireless display can send input—keyboard, mouse, pen, and touch input if the display supports it—back to the source device. @@ -473,28 +515,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
      Windows EditionSupported?EditionWindows 10Windows 11
      Homecross markNoNo
      Procheck mark1YesYes
      Businesscheck mark1YesYes
      Enterprisecheck mark1YesYes
      Educationcheck mark1YesYes
      @@ -511,7 +559,7 @@ The following list shows the supported values: -Added in Windows 10, version 1607. Allow or disallow requirement for a PIN for pairing. +Allow or disallow requirement for a PIN for pairing. If you turn this on, the pairing ceremony for new devices will always require a PIN. If you turn this off or do not configure it, a PIN is not required for pairing. In PCs that support Miracast, after the policy is applied you can verify the setting from the user interface in **Settings** > **System** > **Projecting to this PC**. @@ -536,16 +584,5 @@ The following list shows the supported values:
      -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. - diff --git a/windows/client-management/mdm/pxlogical-csp.md b/windows/client-management/mdm/pxlogical-csp.md index e2d40a822a..1b7b94e690 100644 --- a/windows/client-management/mdm/pxlogical-csp.md +++ b/windows/client-management/mdm/pxlogical-csp.md @@ -19,15 +19,56 @@ The PXLOGICAL configuration service provider is used to add, remove, or modify W > **Note**   This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_NETWORKING\_ADMIN capabilities to be accessed from a network configuration application. -  -The following diagram shows the PXLOGICAL configuration service provider management object in tree format as used by OMA Client Provisioning for initial bootstrapping of the device. The OMA DM protocol is not supported by this configuration service provider. +The following shows the PXLOGICAL configuration service provider management object in tree format as used by OMA Client Provisioning for initial bootstrapping of the device. The OMA DM protocol is not supported by this configuration service provider. -![pxlogical csp (cp) (initial bootstrapping).](images/provisioning-csp-pxlogical-cp.png) +```console +PXLOGICAL +----DOMAIN +----NAME +----PORT +-------PORTNBR +-------SERVICE +----PUSHENABLED +----PROXY-ID +----TRUST +----PXPHYSICAL +-------DOMAIN +-------PHYSICAL-PROXY-ID +-------PORT +---------PORTNBR +---------SERVICE +-------PUSHENABLED +-------PXADDR +-------PXADDRTYPE +-------TO-NAPID +``` -The following diagram shows the PXLOGICAL configuration service provider management object in tree format as used by OMA Client Provisioning for updating the bootstrapping of the device. The OMA DM protocol is not supported by this configuration service provider. -![pxlogical csp (cp) (update bootstrapping).](images/provisioning-csp-pxlogical-cp-2.png) +The following shows the PXLOGICAL configuration service provider management object in tree format as used by OMA Client Provisioning for updating the bootstrapping of the device. The OMA DM protocol is not supported by this configuration service provider. + +```console +PXLOGICAL +--PROXY-ID +----DOMAIN +----NAME +----PORT +-------PORTNBR +-------SERVICE +----PUSHENABLED +----TRUST +----PXPHYSICAL +-------PHYSICAL-PROXY-ID +----------DOMAIN +----------PORT +-------------PORTNBR +-------------SERVICE +----------PUSHENABLED +----------PXADDR +----------PXADDRTYPE +----------TO-NAPID +``` + **PXPHYSICAL** Defines a group of logical proxy settings. @@ -37,7 +78,7 @@ The element's mwid attribute is a Microsoft provisioning XML attribute, and is o **DOMAIN** Specifies the domain associated with the proxy (for example, "\*.com"). -A Windows device supports only one proxy that does not have a DOMAIN parameter, or has an empty DOMAIN value. That is, the device only supports one default proxy. All other proxy configurations must have a DOMAIN parameter with a non-empty value. A query of this parameter returns a semicolon delimited string of all domains associated with the proxy. +A Windows device supports only one proxy that does not have a DOMAIN parameter, or has an empty DOMAIN value. That is, the device only supports one default proxy. All other proxy configurations must have a DOMAIN parameter with a non-empty value. A query of this parameter returns a semicolon-delimited string of all domains associated with the proxy. **NAME** Specifies the name of the logical proxy. diff --git a/windows/client-management/mdm/securitypolicy-csp.md b/windows/client-management/mdm/securitypolicy-csp.md index 4ffdbad557..fbc7a1ec31 100644 --- a/windows/client-management/mdm/securitypolicy-csp.md +++ b/windows/client-management/mdm/securitypolicy-csp.md @@ -23,9 +23,13 @@ The SecurityPolicy configuration service provider is used to configure security For the SecurityPolicy CSP, you cannot use the Replace command unless the node already exists. -The following diagram shows the SecurityPolicy configuration service provider management object in tree format as used by both OMA DM and OMA Client Provisioning. +The following shows the SecurityPolicy configuration service provider management object in tree format as used by both OMA DM and OMA Client Provisioning. -![securitypolicy csp (dm,cp).](images/provisioning-csp-securitypolicy-dmandcp.png) +```console +./Vendor/MSFT +SecurityPolicy +----PolicyID +``` ***PolicyID*** Defines the security policy identifier as a decimal value. @@ -48,7 +52,7 @@ The following security policies are supported.

      4104

      -

      Hex:1008

      +

      Hex: 1008

      TPS Policy

      This setting indicates whether mobile operators can be assigned the Trusted Provisioning Server (TPS) SECROLE_OPERATOR_TPS role.

      Default value: 1

      @@ -58,7 +62,7 @@ The following security policies are supported.

      4105

      -

      Hex:1009

      +

      Hex: 1009

      Message Authentication Retry Policy

      This setting specifies the maximum number of times the user is allowed to try authenticating a Wireless Application Protocol (WAP) PIN-signed message.

      Default value: 3

      @@ -66,7 +70,7 @@ The following security policies are supported.

      4108

      -

      Hex:100c

      +

      Hex: 100c

      Service Loading Policy

      This setting indicates whether SL messages are accepted, by specifying the security roles that can accept SL messages. An SL message downloads new services or provisioning XML to the device.

      Default value: 256 (SECROLE_KNOWN_PPG)

      diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml index 22e27a3a21..f82377ff80 100644 --- a/windows/client-management/mdm/toc.yml +++ b/windows/client-management/mdm/toc.yml @@ -48,6 +48,8 @@ items: href: device-update-management.md - name: Bulk enrollment href: bulk-enrollment-using-windows-provisioning-tool.md + - name: Secured-Core PC Configuration Lock + href: config-lock.md - name: Management tool for the Microsoft Store for Business href: management-tool-for-windows-store-for-business.md items: @@ -407,6 +409,8 @@ items: href: policy-csp-admx-activexinstallservice.md - name: ADMX_AddRemovePrograms href: policy-csp-admx-addremoveprograms.md + - name: ADMX_AdmPwd + href: policy-csp-admx-admpwd.md - name: ADMX_AppCompat href: policy-csp-admx-appcompat.md - name: ADMX_AppxPackageManager @@ -455,6 +459,8 @@ items: href: policy-csp-admx-dfs.md - name: ADMX_DigitalLocker href: policy-csp-admx-digitallocker.md + - name: ADMX_DiskDiagnostic + href: policy-csp-admx-diskdiagnostic.md - name: ADMX_DistributedLinkTracking href: policy-csp-admx-distributedlinktracking.md - name: ADMX_DnsClient @@ -503,10 +509,14 @@ items: href: policy-csp-admx-help.md - name: ADMX_HelpAndSupport href: policy-csp-admx-helpandsupport.md + - name: ADMX_HotSpotAuth + href: policy-csp-admx-hotspotauth.md - name: ADMX_ICM href: policy-csp-admx-icm.md - name: ADMX_IIS - href: policy-csp-admx-iis.md + href: policy-csp-admx-iis.md + - name: ADMX_iSCSI + href: policy-csp-admx-iscsi.md - name: ADMX_kdc href: policy-csp-admx-kdc.md - name: ADMX_Kerberos @@ -529,6 +539,10 @@ items: href: policy-csp-admx-mmc.md - name: ADMX_MMCSnapins href: policy-csp-admx-mmcsnapins.md + - name: ADMX_MobilePCMobilityCenter + href: policy-csp-admx-mobilepcmobilitycenter.md + - name: ADMX_MobilePCPresentationSettings + href: policy-csp-admx-mobilepcpresentationsettings.md - name: ADMX_MSAPolicy href: policy-csp-admx-msapolicy.md - name: ADMX_msched @@ -537,6 +551,8 @@ items: href: policy-csp-admx-msdt.md - name: ADMX_MSI href: policy-csp-admx-msi.md + - name: ADMX_MsiFileRecovery + href: policy-csp-admx-msifilerecovery.md - name: ADMX_nca href: policy-csp-admx-nca.md - name: ADMX_NCSI @@ -547,14 +563,20 @@ items: href: policy-csp-admx-networkconnections.md - name: ADMX_OfflineFiles href: policy-csp-admx-offlinefiles.md + - name: ADMX_pca + href: policy-csp-admx-pca.md - name: ADMX_PeerToPeerCaching href: policy-csp-admx-peertopeercaching.md + - name: ADMX_PenTraining + href: policy-csp-admx-pentraining.md - name: ADMX_PerformanceDiagnostics href: policy-csp-admx-performancediagnostics.md - name: ADMX_Power href: policy-csp-admx-power.md - name: ADMX_PowerShellExecutionPolicy href: policy-csp-admx-powershellexecutionpolicy.md + - name: ADMX_PreviousVersions + href: policy-csp-admx-previousversions.md - name: ADMX_Printing href: policy-csp-admx-printing.md - name: ADMX_Printing2 @@ -573,10 +595,14 @@ items: href: policy-csp-admx-scripts.md - name: ADMX_sdiageng href: policy-csp-admx-sdiageng.md + - name: ADMX_sdiagschd + href: policy-csp-admx-sdiagschd.md - name: ADMX_Securitycenter href: policy-csp-admx-securitycenter.md - name: ADMX_Sensors href: policy-csp-admx-sensors.md + - name: ADMX_ServerManager + href: policy-csp-admx-servermanager.md - name: ADMX_Servicing href: policy-csp-admx-servicing.md - name: ADMX_SettingSync @@ -586,9 +612,7 @@ items: - name: ADMX_Sharing href: policy-csp-admx-sharing.md - name: ADMX_ShellCommandPromptRegEditTools - href: policy-csp-admx-shellcommandpromptregedittools.md - - name: ADMX_SkyDrive - href: policy-csp-admx-skydrive.md + href: policy-csp-admx-shellcommandpromptregedittools.md - name: ADMX_Smartcard href: policy-csp-admx-smartcard.md - name: ADMX_Snmp @@ -597,12 +621,18 @@ items: href: policy-csp-admx-startmenu.md - name: ADMX_SystemRestore href: policy-csp-admx-systemrestore.md + - name: ADMX_TabletShell + href: policy-csp-admx-tabletshell.md - name: ADMX_Taskbar href: policy-csp-admx-taskbar.md - name: ADMX_tcpip href: policy-csp-admx-tcpip.md + - name: ADMX_TerminalServer + href: policy-csp-admx-terminalserver.md - name: ADMX_Thumbnails href: policy-csp-admx-thumbnails.md + - name: ADMX_TouchInput + href: policy-csp-admx-touchinput.md - name: ADMX_TPM href: policy-csp-admx-tpm.md - name: ADMX_UserExperienceVirtualization @@ -613,16 +643,14 @@ items: href: policy-csp-admx-w32time.md - name: ADMX_WCM href: policy-csp-admx-wcm.md + - name: ADMX_WDI + href: policy-csp-admx-wdi.md - name: ADMX_WinCal href: policy-csp-admx-wincal.md - - name: ADMX_WindowsAnytimeUpgrade - href: policy-csp-admx-windowsanytimeupgrade.md - name: ADMX_WindowsConnectNow href: policy-csp-admx-windowsconnectnow.md - name: ADMX_WindowsExplorer href: policy-csp-admx-windowsexplorer.md - - name: ADMX_WindowsFileProtection - href: policy-csp-admx-windowsfileprotection.md - name: ADMX_WindowsMediaDRM href: policy-csp-admx-windowsmediadrm.md - name: ADMX_WindowsMediaPlayer @@ -639,6 +667,10 @@ items: href: policy-csp-admx-winsrv.md - name: ADMX_wlansvc href: policy-csp-admx-wlansvc.md + - name: ADMX_WordWheel + href: policy-csp-admx-wordwheel.md + - name: ADMX_WorkFoldersClient + href: policy-csp-admx-workfoldersclient.md - name: ADMX_WPN href: policy-csp-admx-wpn.md - name: ApplicationDefaults diff --git a/windows/client-management/mdm/vpn-csp.md b/windows/client-management/mdm/vpn-csp.md index 42a6882673..80121f22ea 100644 --- a/windows/client-management/mdm/vpn-csp.md +++ b/windows/client-management/mdm/vpn-csp.md @@ -23,7 +23,7 @@ The VPN configuration service provider allows the MDM server to configure the VP Important considerations: -- For a VPN that requires a client certificate, the server must first enroll the needed client certificate before deploying a VPN profile to ensure that there is a functional VPN profile at the device. This is particularly critical for forced tunnel VPN. +- For a VPN that requires a client certificate, the server must first enroll the needed client certificate before deploying a VPN profile to ensure that there is a functional VPN profile at the device. This is critical for forced tunnel VPN. - VPN configuration commands must be wrapped with an Atomic command as shown in the example below. @@ -31,9 +31,61 @@ Important considerations: - For the VPN CSP, you cannot use the Replace command unless the node already exists. -The following diagram shows the VPN configuration service provider in tree format. +The following shows the VPN configuration service provider in tree format. -![provisioning\-csp\-vpnimg.](images/provisioning-csp-vpn.png) +```console +./Vendor/MSFT +VPN +-----ProfileName +---------Server +---------TunnelType +---------ThirdParty +-------------Name +-------------AppID +-------------CustomStoreURL +-------------CustomConfiguration +---------RoleGroup +---------Authentication +-------------Method +-------------Certificate +---------------Issuer +---------------EKU +---------------CacheLifeTimeProtectedCert +-------------MultiAuth +---------------StartURL +---------------EndURL +-------------EAP +---------Proxy +-------------Automatic +-------------Manual +---------------Server +---------------Port +-------------BypassProxyforLocal +---------SecuredResources +-------------AppPublisherNameList +---------------AppPublisherName +-------------AppAllowedList +---------------AppAllowedList +-------------NetworkAllowedList +---------------NetworkAllowedList +-------------NameSapceAllowedList +---------------NameSapceAllowedList +-------------ExcudedAppList +---------------ExcudedAppList +-------------ExcludedNetworkList +---------------ExcludedNetworkList +-------------ExcludedNameSpaceList +---------------ExcludedNameSpaceList +-------------DNSSuffixSearchList +---------------DNSSuffixSearchList +---------Policies +-------------RememberCredentials +-------------SplitTunnel +-------------BypassforLocal +-------------TrustedNetworkDetection +-------------ConnectionType +---------DNSSuffix +``` ***ProfileName*** Unique alpha numeric Identifier for the profile. The profile name must not include a forward slash (/). @@ -48,12 +100,12 @@ Supported operations are Get, Add, and Replace. Value type is chr. Some examples are 208.23.45.130 or vpn.contoso.com. **TunnelType** -Optional, but required when deploying a 3rd party IKEv2 VPN profile. Only a value of IKEv2 is supported for this release. +Optional, but required when deploying a third-party IKEv2 VPN profile. Only a value of IKEv2 is supported for this release. Value type is chr. Supported operations are Get and Add. **ThirdParty** -Optional, but required if deploying 3rd party SSL-VPN plugin profile. Defines a group of setting applied to SSL-VPN profile provisioning. +Optional, but required if deploying third-party SSL-VPN plugin profile. Defines a group of setting applied to SSL-VPN profile provisioning. Supported operations are Get and Add. @@ -73,17 +125,17 @@ Valid values: - Checkpoint Mobile VPN **ThirdParty/AppID** -Optional, but required when deploying a 3rd party SSL-VPN plugin app from a private enterprise storefront. This is the ProductID associated with the store application. The client will use this ProductID to ensure that only the enterprise approved plugin is initialized. +Optional, but required when deploying a third-party SSL-VPN plugin app from a private enterprise storefront. This is the ProductID associated with the store application. The client will use this ProductID to ensure that only the enterprise approved plugin is initialized. Value type is chr. Supported operations are Get, Add, Replace, and Delete. **ThirdParty/CustomStoreURL** -Optional, but required if an enterprise is deploying a 3rd party SSL-VPN plugin app from the private enterprise storefront. This node specifies the URL of the 3rd party SSL-VPN plugin app. +Optional, but required if an enterprise is deploying a third-party SSL-VPN plugin app from the private enterprise storefront. This node specifies the URL of the third-party SSL-VPN plugin app. Value type is chr. Supported operations are Get, Add, Replace, and Delete. **ThirdParty/CustomConfiguration** -Optional. This is an HTML encoded XML blob for SSL-VPN plugin specific configuration that is deployed to the device to make it available for SSL-VPN plugins. +Optional. This is an HTML encoded XML blob for SSL-VPN plugin-specific configuration that is deployed to the device to make it available for SSL-VPN plugins. Value type is char. Supported operations are Get, Add, Replace, and Delete. @@ -98,7 +150,7 @@ Optional node for ThirdParty VPN profiles, but required for IKEv2. This is a col Supported operations are Get and Add. **Authentication/Method** -Required for IKEv2 profiles and optional for third party profiles. This specifies the authentication provider to use for VPN client authentication. Only the EAP method is supported for IKEv2 profiles. +Required for IKEv2 profiles and optional for third-party profiles. This specifies the authentication provider to use for VPN client authentication. Only the EAP method is supported for IKEv2 profiles. Supported operations are Get and Add. @@ -114,7 +166,7 @@ Optional node. A collection of nodes that enables simpler authentication experie Supported operations are Get and Add. **Authentication/Certificate/Issuer** -Optional. Filters out the installed certificates with private keys stored in registry or TPM. This can be used in conjunction with EKU for more granular filtering. +Optional. Filters out the installed certificates with private keys stored in registry or TPM. This can be used with EKU for more granular filtering. Value type is chr. Supported operations are Get, Add, Delete, and Replace. @@ -123,7 +175,7 @@ Value type is chr. Supported operations are Get, Add, Delete, and Replace.   **Authentication/Certificate/EKU** -Optional. This Extended Key Usage (EKU) element is used to filter out the installed certificates with private keys stored in the registry or TPM. You can use this in conjunction with ISSUER for a more granular filtering. +Optional. This Extended Key Usage (EKU) element is used to filter out the installed certificates with private keys stored in the registry or TPM. You can use this with ISSUER for a more granular filtering. Value type is chr. Supported operations are Get, Add, Delete, and Replace. @@ -175,16 +227,16 @@ Default is False. Optional node. A collection of configuration objects that define the inclusion resource lists for what can be secured over VPN. Allowed lists are applied only when Policies/SplitTunnel element is set to True. VPN exclusions are not supported.. **SecuredResources/AppAllowedList/AppAllowedList** -Optional. Specifies one or more ProductIDs for the enterprise line of business applications built for Windows. When this element is defined, then all traffic sourced from specified apps will be secured over VPN (assuming protected networks defined allows access). They will not be able to connect directly bypassing the VPN connection. When the profile is auto-triggered, VPN is triggered automatically by these apps. +Optional. Specifies one or more ProductIDs for the enterprise line-of-business applications built for Windows. When this element is defined, then all traffic sourced from specified apps will be secured over VPN (assuming protected networks defined allows access). They will not be able to connect directly bypassing the VPN connection. When the profile is autotriggered, VPN is triggered automatically by these apps. -Supported operations are Get, Add, Replace and Delete. +Supported operations are Get, Add, Replace, and Delete. Value type is chr. Examples are {F05DC613-E223-40AD-ABA9-CCCE04277CD9} and ContosoApp.ContosoCorp\_jlsnulm3s397u. **SecuredResources/NetworkAllowedList/NetworkAllowedList** -Optional, but required when Policies/SplitTunnel is set to true for IKEv2 profile. Specifies one or more IP ranges that you want secured over VPN. Applications connecting to protected resources that match this list will be secured over VPN. Otherwise, they’ll continue to connect directly. The IP ranges are defined in the format 10.0.0.0/8. When the profile is auto-triggered, the VPN is triggered automatically by these protected networks. +Optional, but required when Policies/SplitTunnel is set to true for IKEv2 profile. Specifies one or more IP ranges that you want secured over VPN. Applications connecting to protected resources that match this list will be secured over VPN. Otherwise, they’ll continue to connect directly. The IP ranges are defined in the format 10.0.0.0/8. When the profile is autotriggered, the VPN is triggered automatically by these protected networks. Supported operations are Get, Add, Replace, and Delete. @@ -202,7 +254,7 @@ Value type is chr. An example is \*.corp.contoso.com. **SecuredResources/ExcluddedAppList/ExcludedAppList** -Optional. Specifies one or more ProductIDs for enterprise line of business applications built for Windows. When the element is defined, these apps will never use VPN. They will connect directly and bypass the VPN connection. +Optional. Specifies one or more ProductIDs for enterprise line-of-business applications built for Windows. When the element is defined, these apps will never use VPN. They will connect directly and bypass the VPN connection. Supported operations are Get, Add, Replace, and Delete. diff --git a/windows/client-management/mdm/w4-application-csp.md b/windows/client-management/mdm/w4-application-csp.md index e7321b1888..de649eb77b 100644 --- a/windows/client-management/mdm/w4-application-csp.md +++ b/windows/client-management/mdm/w4-application-csp.md @@ -21,11 +21,17 @@ The default security roles are defined in the root characteristic, and map to ea > **Note**   This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_CSP\_W4\_APPLICATION capabilities to be accessed from a network configuration application. -  +The following shows the configuration service provider in tree format as used by OMA Client Provisioning. -The following diagram shows the configuration service provider in tree format as used by OMA Client Provisioning. - -![w4 application csp (cp).](images/provisioning-csp-w4-application-cp.png) +```console +APPLICATION +----APPID +----NAME +----TO-PROXY +----TO-NAPID +----ADDR +----MS +``` **APPID** Required. This parameter takes a string value. The only supported value for configuring MMS is "w4". diff --git a/windows/client-management/mdm/w7-application-csp.md b/windows/client-management/mdm/w7-application-csp.md index 7aaa801796..7745749716 100644 --- a/windows/client-management/mdm/w7-application-csp.md +++ b/windows/client-management/mdm/w7-application-csp.md @@ -19,11 +19,37 @@ The APPLICATION configuration service provider that has an APPID of w7 is used f > **Note**  This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_ADMIN capabilities to be accessed from a network configuration application. -  -The following image shows the configuration service provider in tree format as used by OMA Client Provisioning. +The following shows the configuration service provider in tree format as used by OMA Client Provisioning. -![w7 application csp (dm).](images/provisioning-csp-w7-application-dm.png) +```console +APPLICATION +---APPADDR +------ADDR +------ADDRTYPE +------PORT +---------PORTNBR +---APPAUTH +------AAUTHDATA +------AAUTHLEVEL +------AAUTHNAME +------AAUTHSECRET +------AAUTHTYPE +---AppID +---BACKCOMPATRETRYDISABLED +---CONNRETRYFREQ +---DEFAULTENCODING +---INIT +---INITIALBACKOFTIME +---MAXBACKOFTIME +---NAME +---PROTOVER +---PROVIDER-ID +---ROLE +---TO-NAPID +---USEHWDEVID +---SSLCLIENTCERTSEARCHCRITERIA +``` > **Note**   All parm names and characteristic types are case sensitive and must use all uppercase. Both APPSRV and CLIENT credentials must be provided in provisioning XML. diff --git a/windows/client-management/mdm/wifi-csp.md b/windows/client-management/mdm/wifi-csp.md index e867ae66ef..e6864ea72c 100644 --- a/windows/client-management/mdm/wifi-csp.md +++ b/windows/client-management/mdm/wifi-csp.md @@ -29,9 +29,22 @@ Programming considerations: - For the WiFi CSP, you cannot use the Replace command unless the node already exists. - Using Proxyis only supported in Windows 10 Mobile. Using this configuration in Windows 10 for desktop editions (Home, Pro, Enterprise, and Education) will result in failure. -The following image shows the WiFi configuration service provider in tree format. +The following shows the WiFi configuration service provider in tree format. + +```console +./Device/Vendor/MSFT +or +./User/Vendor/MSFT +WiFi +---Profile +------SSID +---------WlanXML +---------Proxy +---------ProxyPacUrl +---------ProxyWPAD +---------WiFiCost +``` -![wi-fi csp diagram.](images/provisioning-csp-wifi.png) The following list shows the characteristics and parameters. diff --git a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md index 4f22b0b48c..bba543313e 100644 --- a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md +++ b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md @@ -17,9 +17,25 @@ ms.date: 11/01/2017 The Windows Defender Advanced Threat Protection (WDATP) configuration service provider (CSP) allows IT Admins to onboard, determine configuration and health status, and offboard endpoints for WDATP. -The following diagram shows the WDATP configuration service provider in tree format as used by the Open Mobile Alliance (OMA) Device Management (DM). +The following shows the WDATP configuration service provider in tree format as used by the Open Mobile Alliance (OMA) Device Management (DM). -![windowsadvancedthreatprotection csp diagram.](images/provisioning-csp-watp.png) +```console +./Device/Vendor/MSFT +WindowsAdvancedThreatProtection +----Onboarding +----HealthState +--------LastConnected +--------SenseIsRunning +--------OnboardingState +--------OrgId +----Configuration +--------SampleSharing +--------TelemetryReportingFrequency +----Offboarding +----DeviceTagging +--------Group +--------Criticality +``` The following list describes the characteristics and parameters. diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md index 468313fb87..ccd89eb916 100644 --- a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md +++ b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md @@ -5,8 +5,8 @@ ms.author: dansimp ms.topic: article ms.prod: w10 ms.technology: windows -author: manikadhiman -ms.date: 07/07/2020 +author: dansimp +ms.date: 10/11/2021 ms.reviewer: manager: dansimp --- @@ -50,8 +50,8 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete. The following list shows the supported values: - 0 - Disable Microsoft Defender Application Guard - 1 - Enable Microsoft Defender Application Guard for Microsoft Edge ONLY -- 2 - Enable Microsoft Defender Application Guard for isolated Windows environments ONLY -- 3 - Enable Microsoft Defender Application Guard for Microsoft Edge AND isolated Windows environments +- 2 - Enable Microsoft Defender Application Guard for isolated Windows environments ONLY (added in Windows 10, version 2004) +- 3 - Enable Microsoft Defender Application Guard for Microsoft Edge AND isolated Windows environments (added in Windows 10, version 2004) **Settings/ClipboardFileType** Determines the type of content that can be copied from the host to Application Guard environment and vice versa. @@ -279,7 +279,7 @@ Value type is integer. Supported operation is Get. - Bit 6 - Set to 1 when system reboot is required. **PlatformStatus** -Returns bitmask that indicates status of Application Guard platform installation and prerequisites on the device. +Added in Windows 10, version 2004. Returns bitmask that indicates status of Application Guard platform installation and prerequisites on the device. Value type is integer. Supported operation is Get. diff --git a/windows/client-management/mdm/wmi-providers-supported-in-windows.md b/windows/client-management/mdm/wmi-providers-supported-in-windows.md index 2fe71b5e76..7dfbe89239 100644 --- a/windows/client-management/mdm/wmi-providers-supported-in-windows.md +++ b/windows/client-management/mdm/wmi-providers-supported-in-windows.md @@ -86,19 +86,19 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw MDM_BrowserSecurityZones -cross mark +Yes MDM_BrowserSettings -cross mark +Yes MDM_Certificate -cross mark +Yes MDM_CertificateEnrollment -cross mark +Yes MDM_Client @@ -106,7 +106,7 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw MDM_ConfigSetting -cross mark +Yes MDM_DeviceRegistrationInfo @@ -114,11 +114,11 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw MDM_EASPolicy -cross mark +Yes MDM_MgMtAuthority -cross mark +Yes MDM_MsiApplication @@ -138,7 +138,7 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw MDM_Restrictions -cross mark +Yes MDM_RestrictionsUser @@ -146,7 +146,7 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw MDM_SecurityStatus -cross mark +Yes MDM_SideLoader @@ -158,11 +158,11 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw MDM_Updates -cross mark +Yes MDM_VpnApplicationTrigger -cross mark +Yes MDM_VpnConnection @@ -174,27 +174,27 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw MDM_WirelessProfile -cross mark +Yes MDM_WirelesssProfileXML -cross mark +Yes MDM_WNSChannel -cross mark +Yes MDM_WNSConfiguration -cross mark +Yes MSFT_NetFirewallProfile -cross mark +Yes MSFT_VpnConnection -cross mark +Yes SoftwareLicensingProduct @@ -213,16 +213,16 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw | Class | Test completed in Windows 10 for desktop | |--------------------------------------------------------------------------|------------------------------------------| -| [**wpcappoverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark.](images/checkmark.png) | -| [**wpcgameoverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark.](images/checkmark.png) | -| [**wpcgamessettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark.](images/checkmark.png) | -| [**wpcrating**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark.](images/checkmark.png) | +| [**wpcappoverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes | +| [**wpcgameoverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes | +| [**wpcgamessettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes | +| [**wpcrating**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes | | [**wpcRatingsDescriptor**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | | -| [**wpcratingssystem**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark.](images/checkmark.png) | -| [**wpcsystemsettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark.](images/checkmark.png) | -| [**wpcurloverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark.](images/checkmark.png) | -| [**wpcusersettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark.](images/checkmark.png) | -| [**wpcwebsettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark.](images/checkmark.png) | +| [**wpcratingssystem**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes | +| [**wpcsystemsettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes | +| [**wpcurloverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes | +| [**wpcusersettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes | +| [**wpcwebsettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes | @@ -232,17 +232,17 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw |--------------------------------------------------------------------------|------------------------------------------| [**Win32\_1394Controller**](/windows/win32/cimwin32prov/win32-1394controller) | [**Win32\_BaseBoard**](/windows/win32/cimwin32prov/win32-baseboard) | -[**Win32\_Battery**](/windows/win32/cimwin32prov/win32-battery) | ![cross mark.](images/checkmark.png) -[**Win32\_BIOS**](/windows/win32/cimwin32prov/win32-bios) | ![cross mark.](images/checkmark.png) +[**Win32\_Battery**](/windows/win32/cimwin32prov/win32-battery) | Yes +[**Win32\_BIOS**](/windows/win32/cimwin32prov/win32-bios) | Yes [**Win32\_CDROMDrive**](/windows/win32/cimwin32prov/win32-cdromdrive) | -[**Win32\_ComputerSystem**](/windows/win32/cimwin32prov/win32-computersystem) | ![cross mark.](images/checkmark.png) -[**Win32\_ComputerSystemProduct**](/windows/win32/cimwin32prov/win32-computersystemproduct) | ![cross mark.](images/checkmark.png) -[**Win32\_CurrentTime**](/previous-versions/windows/desktop/wmitimepprov/win32-currenttime) | ![cross mark.](images/checkmark.png) +[**Win32\_ComputerSystem**](/windows/win32/cimwin32prov/win32-computersystem) | Yes +[**Win32\_ComputerSystemProduct**](/windows/win32/cimwin32prov/win32-computersystemproduct) | Yes +[**Win32\_CurrentTime**](/previous-versions/windows/desktop/wmitimepprov/win32-currenttime) | Yes [**Win32\_Desktop**](/windows/win32/cimwin32prov/win32-desktop) | -[**Win32\_DesktopMonitor**](/windows/win32/cimwin32prov/win32-desktopmonitor) |![cross mark.](images/checkmark.png) -[**Win32\_DiskDrive**](/windows/win32/cimwin32prov/win32-diskdrive) | ![cross mark.](images/checkmark.png) +[**Win32\_DesktopMonitor**](/windows/win32/cimwin32prov/win32-desktopmonitor) |Yes +[**Win32\_DiskDrive**](/windows/win32/cimwin32prov/win32-diskdrive) | Yes [**Win32\_DiskPartition**](/windows/win32/cimwin32prov/win32-diskpartition) | -[**Win32\_DisplayConfiguration**](/previous-versions//aa394137(v=vs.85)) | ![cross mark.](images/checkmark.png) +[**Win32\_DisplayConfiguration**](/previous-versions//aa394137(v=vs.85)) | Yes [**Win32\_DMAChannel**](/windows/win32/cimwin32prov/win32-dmachannel) | [**Win32\_DriverVXD**](/previous-versions//aa394141(v=vs.85)) | [**Win32\_EncryptableVolume**](/windows/win32/secprov/win32-encryptablevolume) | @@ -252,23 +252,23 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw [**Win32\_IRQResource**](/windows/win32/cimwin32prov/win32-irqresource) | [**Win32\_Keyboard**](/windows/win32/cimwin32prov/win32-keyboard) | [**Win32\_LoadOrderGroup**](/windows/win32/cimwin32prov/win32-loadordergroup) | -[**Win32\_LocalTime**](/previous-versions/windows/desktop/wmitimepprov/win32-localtime) | ![cross mark.](images/checkmark.png) +[**Win32\_LocalTime**](/previous-versions/windows/desktop/wmitimepprov/win32-localtime) | Yes [**Win32\_LoggedOnUser**](/windows/win32/cimwin32prov/win32-loggedonuser) | -[**Win32\_LogicalDisk**](/windows/win32/cimwin32prov/win32-logicaldisk) | ![cross mark.](images/checkmark.png) +[**Win32\_LogicalDisk**](/windows/win32/cimwin32prov/win32-logicaldisk) | Yes [**Win32\_MotherboardDevice**](/windows/win32/cimwin32prov/win32-motherboarddevice) | -[**Win32\_NetworkAdapter**](/windows/win32/cimwin32prov/win32-networkadapter) | ![cross mark.](images/checkmark.png) +[**Win32\_NetworkAdapter**](/windows/win32/cimwin32prov/win32-networkadapter) | Yes [**Win32\_NetworkAdapterConfiguration**](/windows/win32/cimwin32prov/win32-networkadapterconfiguration) | [**Win32\_NetworkClient**](/windows/win32/cimwin32prov/win32-networkclient) | [**Win32\_NetworkLoginProfile**](/windows/win32/cimwin32prov/win32-networkloginprofile) | [**Win32\_NetworkProtocol**](/windows/win32/cimwin32prov/win32-networkprotocol) | [**Win32\_NTEventlogFile**](/previous-versions/windows/desktop/legacy/aa394225(v=vs.85)) | -[**Win32\_OperatingSystem**](/windows/win32/cimwin32prov/win32-operatingsystem) | ![cross mark.](images/checkmark.png) +[**Win32\_OperatingSystem**](/windows/win32/cimwin32prov/win32-operatingsystem) | Yes [**Win32\_OSRecoveryConfiguration**](/windows/win32/cimwin32prov/win32-osrecoveryconfiguration) | [**Win32\_PageFileSetting**](/windows/win32/cimwin32prov/win32-pagefilesetting) | [**Win32\_ParallelPort**](/windows/win32/cimwin32prov/win32-parallelport) | [**Win32\_PCMCIAController**](/windows/win32/cimwin32prov/win32-pcmciacontroller) | [**Win32\_PhysicalMedia**](/previous-versions/windows/desktop/cimwin32a/win32-physicalmedia) | -[**Win32\_PhysicalMemory**](/windows/win32/cimwin32prov/win32-physicalmemory) | ![cross mark.](images/checkmark.png) +[**Win32\_PhysicalMemory**](/windows/win32/cimwin32prov/win32-physicalmemory) | Yes [**Win32\_PnPDevice**](/windows/win32/cimwin32prov/win32-pnpdevice) | [**Win32\_PnPEntity**](/windows/win32/cimwin32prov/win32-pnpentity) | [**Win32\_PointingDevice**](/windows/win32/cimwin32prov/win32-pointingdevice) | @@ -277,25 +277,25 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw [**Win32\_POTSModem**](/windows/win32/cimwin32prov/win32-potsmodem) | [**Win32\_Printer**](/windows/win32/cimwin32prov/win32-printer) | [**Win32\_PrinterConfiguration**](/windows/win32/cimwin32prov/win32-printerconfiguration) | -[**Win32\_Processor**](/windows/win32/cimwin32prov/win32-processor) | ![cross mark.](images/checkmark.png) -[**Win32\_QuickFixEngineering**](/windows/win32/cimwin32prov/win32-quickfixengineering) | ![cross mark.](images/checkmark.png) +[**Win32\_Processor**](/windows/win32/cimwin32prov/win32-processor) | Yes +[**Win32\_QuickFixEngineering**](/windows/win32/cimwin32prov/win32-quickfixengineering) | Yes [**Win32\_Registry**](/windows/win32/cimwin32prov/win32-registry) | [**Win32\_SCSIController**](/windows/win32/cimwin32prov/win32-scsicontroller) | [**Win32\_SerialPort**](/windows/win32/cimwin32prov/win32-serialport) | [**Win32\_SerialPortConfiguration**](/windows/win32/cimwin32prov/win32-serialportconfiguration) | [**Win32\_ServerFeature**](/windows/win32/wmisdk/win32-serverfeature) | -[**Win32\_Service**](/windows/win32/cimwin32prov/win32-service) | ![cross mark.](images/checkmark.png) -[**Win32\_Share**](/windows/win32/cimwin32prov/win32-share) | ![cross mark.](images/checkmark.png) +[**Win32\_Service**](/windows/win32/cimwin32prov/win32-service) | Yes +[**Win32\_Share**](/windows/win32/cimwin32prov/win32-share) | Yes [**Win32\_SoundDevice**](/windows/win32/cimwin32prov/win32-sounddevice) | [**Win32\_SystemAccount**](/windows/win32/cimwin32prov/win32-systemaccount) | -[**Win32\_SystemBIOS**](/windows/win32/cimwin32prov/win32-systembios) | ![cross mark.](images/checkmark.png) +[**Win32\_SystemBIOS**](/windows/win32/cimwin32prov/win32-systembios) | Yes [**Win32\_SystemDriver**](/windows/win32/cimwin32prov/win32-systemdriver) | -[**Win32\_SystemEnclosure**](/windows/win32/cimwin32prov/win32-systemenclosure) | ![cross mark.](images/checkmark.png) +[**Win32\_SystemEnclosure**](/windows/win32/cimwin32prov/win32-systemenclosure) | Yes [**Win32\_TapeDrive**](/windows/win32/cimwin32prov/win32-tapedrive) | -[**Win32\_TimeZone**](/windows/win32/cimwin32prov/win32-timezone) | ![cross mark.](images/checkmark.png) +[**Win32\_TimeZone**](/windows/win32/cimwin32prov/win32-timezone) | Yes [**Win32\_UninterruptiblePowerSupply**](/previous-versions//aa394503(v=vs.85)) | [**Win32\_USBController**](/windows/win32/cimwin32prov/win32-usbcontroller) | -[**Win32\_UTCTime**](/previous-versions/windows/desktop/wmitimepprov/win32-utctime) | ![cross mark.](images/checkmark.png) +[**Win32\_UTCTime**](/previous-versions/windows/desktop/wmitimepprov/win32-utctime) | Yes [**Win32\_VideoController**](/windows/win32/cimwin32prov/win32-videocontroller) | **Win32\_WindowsUpdateAgentVersion** | diff --git a/windows/client-management/troubleshoot-tcpip-port-exhaust.md b/windows/client-management/troubleshoot-tcpip-port-exhaust.md index 3e8eeea8a1..1267dad41f 100644 --- a/windows/client-management/troubleshoot-tcpip-port-exhaust.md +++ b/windows/client-management/troubleshoot-tcpip-port-exhaust.md @@ -39,7 +39,7 @@ You can view the dynamic port range on a computer by using the following netsh c The range is set separately for each transport (TCP or UDP). The port range is now a range that has a starting point and an ending point. Microsoft customers who deploy servers that are running Windows Server may have problems that affect RPC communication between servers if firewalls are used on the internal network. In these situations, we recommend that you reconfigure the firewalls to allow traffic between servers in the dynamic port range of **49152** through **65535**. This range is in addition to well-known ports that are used by services and applications. Or, the port range that is used by the servers can be modified on each server. You adjust this range by using the netsh command, as follows. The above command sets the dynamic port range for TCP. -```cmd +```console netsh int set dynamic start=number num=range ``` @@ -58,7 +58,7 @@ Since outbound connections start to fail, you will see a lot of the below behavi - Unable to sign in to the machine with domain credentials, however sign-in with local account works. Domain sign-in will require you to contact the DC for authentication which is again an outbound connection. If you have cache credentials set, then domain sign-in might still work. - ![Screenshot of error for NETLOGON in Event Viewer.](images/tcp-ts-14.png) + :::image type="content" alt-text="Screenshot of error for NETLOGON in Event Viewer." source="images/tcp-ts-14.png" lightbox="images/tcp-ts-14.png"::: - Group Policy update failures: @@ -82,32 +82,32 @@ If you suspect that the machine is in a state of port exhaustion: 2. Open event viewer and under the system logs, look for the events which clearly indicate the current state: - a. **Event ID 4227** + 1. **Event ID 4227** - ![Screenshot of event id 4227 in Event Viewer.](images/tcp-ts-18.png) + :::image type="content" alt-text="Screenshot of event ID 4227 in Event Viewer." source="images/tcp-ts-18.png" lightbox="images/tcp-ts-18.png"::: - b. **Event ID 4231** + 1. **Event ID 4231** - ![Screenshot of event id 4231 in Event Viewer.](images/tcp-ts-19.png) + :::image type="content" alt-text="Screenshot of event ID 4231 in Event Viewer." source="images/tcp-ts-19.png" lightbox="images/tcp-ts-19.png"::: 3. Collect a `netstat -anob` output from the server. The netstat output will show you a huge number of entries for TIME_WAIT state for a single PID. ![Screenshot of netstate command output.](images/tcp-ts-20.png) -After a graceful closure or an abrupt closure of a session, after a period of 4 minutes (default), the port used the process or application would be released back to the available pool. During this 4 minutes, the TCP connection state will be TIME_WAIT state. In a situation where you suspect port exhaustion, an application or process will not be able to release all the ports that it has consumed and will remain in the TIME_WAIT state. - -You may also see CLOSE_WAIT state connections in the same output, however CLOSE_WAIT state is a state when one side of the TCP peer has no more data to send (FIN sent) but is able to receive data from the other end. This state does not necessarily indicate port exhaustion. - ->[!Note] ->Having huge connections in TIME_WAIT state does not always indicate that the server is currently out of ports unless the first two points are verified. Having lot of TIME_WAIT connections does indicate that the process is creating lot of TCP connections and may eventually lead to port exhaustion. -> ->Netstat has been updated in Windows 10 with the addition of the **-Q** switch to show ports that have transitioned out of time wait as in the BOUND state. An update for Windows 8.1 and Windows Server 2012 R2 has been released that contains this functionality. The PowerShell cmdlet `Get-NetTCPConnection` in Windows 10 also shows these BOUND ports. -> ->Until 10/2016, netstat was inaccurate. Fixes for netstat, back-ported to 2012 R2, allowed Netstat.exe and Get-NetTcpConnection to correctly report TCP or UDP port usage in Windows Server 2012 R2. See [Windows Server 2012 R2: Ephemeral ports hotfixes](https://support.microsoft.com/help/3123245/update-improves-port-exhaustion-identification-in-windows-server-2012) to learn more. + After a graceful closure or an abrupt closure of a session, after a period of 4 minutes (default), the port used the process or application would be released back to the available pool. During this 4 minutes, the TCP connection state will be TIME_WAIT state. In a situation where you suspect port exhaustion, an application or process will not be able to release all the ports that it has consumed and will remain in the TIME_WAIT state. + + You may also see CLOSE_WAIT state connections in the same output, however CLOSE_WAIT state is a state when one side of the TCP peer has no more data to send (FIN sent) but is able to receive data from the other end. This state does not necessarily indicate port exhaustion. + + >[!Note] + >Having huge connections in TIME_WAIT state does not always indicate that the server is currently out of ports unless the first two points are verified. Having lot of TIME_WAIT connections does indicate that the process is creating lot of TCP connections and may eventually lead to port exhaustion. + > + >Netstat has been updated in Windows 10 with the addition of the **-Q** switch to show ports that have transitioned out of time wait as in the BOUND state. An update for Windows 8.1 and Windows Server 2012 R2 has been released that contains this functionality. The PowerShell cmdlet `Get-NetTCPConnection` in Windows 10 also shows these BOUND ports. + > + >Until 10/2016, netstat was inaccurate. Fixes for netstat, back-ported to 2012 R2, allowed Netstat.exe and Get-NetTcpConnection to correctly report TCP or UDP port usage in Windows Server 2012 R2. See [Windows Server 2012 R2: Ephemeral ports hotfixes](https://support.microsoft.com/help/3123245/update-improves-port-exhaustion-identification-in-windows-server-2012) to learn more. 4. Open a command prompt in admin mode and run the below command - ```cmd + ```console Netsh trace start scenario=netconnection capture=yes tracefile=c:\Server.etl ``` @@ -119,15 +119,15 @@ The key is to identify which process or application is using all the ports. Belo ### Method 1 -Start by looking at the netstat output. If you are using Windows 10 or Windows Server 2016, then you can run the command `netstat -anobq` and check for the process ID which has maximum entries as BOUND. Alternately, you can also run the below Powershell command to identify the process: +Start by looking at the netstat output. If you are using Windows 10 or Windows Server 2016, then you can run the command `netstat -anobq` and check for the process ID which has maximum entries as BOUND. Alternately, you can also run the below PowerShell command to identify the process: -```Powershell +```powershell Get-NetTCPConnection | Group-Object -Property State, OwningProcess | Select -Property Count, Name, @{Name="ProcessName";Expression={(Get-Process -PID ($_.Name.Split(',')[-1].Trim(' '))).Name}}, Group | Sort Count -Descending ``` Most port leaks are caused by user-mode processes not correctly closing the ports when an error was encountered. At the user-mode level ports (actually sockets) are handles. Both **TaskManager** and **ProcessExplorer** are able to display handle counts which allows you to identify which process is consuming all of the ports. -For Windows 7 and Windows Server 2008 R2, you can update your Powershell version to include the above cmdlet. +For Windows 7 and Windows Server 2008 R2, you can update your PowerShell version to include the above cmdlet. ### Method 2 @@ -157,7 +157,7 @@ Steps to use Process explorer: File \Device\AFD - ![Screenshot of Process Explorer.](images/tcp-ts-22.png) + :::image type="content" alt-text="Screenshot of Process Explorer." source="images/tcp-ts-22.png" lightbox="images/tcp-ts-22.png"::: 10. Some are normal, but large numbers of them are not (hundreds to thousands). Close the process in question. If that restores outbound connectivity, then you have further proven that the app is the cause. Contact the vendor of that app. @@ -165,7 +165,7 @@ Finally, if the above methods did not help you isolate the process, we suggest y As a workaround, rebooting the computer will get the it back in normal state and would help you resolve the issue for the time being. However, when a reboot is impractical, you can also consider increasing the number of ports on the machine using the below commands: -```cmd +```console netsh int ipv4 set dynamicport tcp start=10000 num=1000 ``` @@ -176,7 +176,7 @@ This will set the dynamic port range to start at port 10000 and to end at port 1 For Windows 7 and Windows Server 2008 R2, you can use the below script to collect the netstat output at defined frequency. From the outputs, you can see the port usage trend. -``` +```console @ECHO ON set v=%1 :loop @@ -195,5 +195,5 @@ goto loop ## Useful links - [Port Exhaustion and You!](/archive/blogs/askds/port-exhaustion-and-you-or-why-the-netstat-tool-is-your-friend) - this article gives a detail on netstat states and how you can use netstat output to determine the port status +- [Detecting ephemeral port exhaustion](/archive/blogs/yongrhee/windows-server-2012-r2-ephemeral-ports-a-k-a-dynamic-ports-hotfixes): this article has a script which will run in a loop to report the port status. (Applicable for Windows 2012 R2, Windows 8, Windows 10 and Windows 11) -- [Detecting ephemeral port exhaustion](/archive/blogs/yongrhee/windows-server-2012-r2-ephemeral-ports-a-k-a-dynamic-ports-hotfixes): this article has a script which will run in a loop to report the port status. (Applicable for Windows 2012 R2, Windows 8, Windows 10, and Windows 11) diff --git a/windows/configuration/TOC.yml b/windows/configuration/TOC.yml index 7e2051d237..6170a3e35e 100644 --- a/windows/configuration/TOC.yml +++ b/windows/configuration/TOC.yml @@ -176,8 +176,6 @@ - name: Reference items: - - name: Configure Windows 10 Mobile devices - href: mobile-devices/configure-mobile.md - name: Windows Configuration Designer reference items: - name: Windows Configuration Designer provisioning settings (reference) @@ -229,9 +227,7 @@ - name: DMClient href: wcd/wcd-dmclient.md - name: EditionUpgrade - href: wcd/wcd-editionupgrade.md - - name: EmbeddedLockdownProfiles - href: wcd/wcd-embeddedlockdownprofiles.md + href: wcd/wcd-editionupgrade.md - name: FirewallConfiguration href: wcd/wcd-firewallconfiguration.md - name: FirstExperience @@ -389,23 +385,3 @@ href: ue-v/uev-application-template-schema-reference.md - name: Security Considerations for UE-V href: ue-v/uev-security-considerations.md - - - - name: Use Windows Configuration Designer for Windows 10 Mobile devices - items: - - name: Use Windows Configuration Designer to configure Windows 10 Mobile devices - href: mobile-devices/provisioning-configure-mobile.md - - name: NFC-based device provisioning - href: mobile-devices/provisioning-nfc.md - - name: Barcode provisioning and the package splitter tool - href: mobile-devices/provisioning-package-splitter.md - - name: Use the Lockdown Designer app to create a Lockdown XML file - href: mobile-devices/mobile-lockdown-designer.md - - name: Configure Windows 10 Mobile using Lockdown XML - href: mobile-devices/lockdown-xml.md - - name: Settings and quick actions that can be locked down in Windows 10 Mobile - href: mobile-devices/settings-that-can-be-locked-down.md - - name: Product IDs in Windows 10 Mobile - href: mobile-devices/product-ids-in-windows-10-mobile.md - - name: Start layout XML for mobile editions of Windows 10 (reference) - href: mobile-devices/start-layout-xml-mobile.md \ No newline at end of file diff --git a/windows/configuration/cortana-at-work/cortana-at-work-overview.md b/windows/configuration/cortana-at-work/cortana-at-work-overview.md index ac0783dddb..0f58cd49f8 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-overview.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-overview.md @@ -17,7 +17,7 @@ ms.author: greglin Cortana is a personal productivity assistant in Microsoft 365, helping your users achieve more with less effort and focus on what matters. The Cortana app in Windows 10 and Windows 11 helps users quickly get information across Microsoft 365, using typed or spoken queries to connect with people, check calendars, set reminders, add tasks, and more. -:::image type="content" source="../screenshot1.png" alt-text="Screenshot: Cortana home page example"::: +:::image type="content" source="./images/screenshot1.png" alt-text="Screenshot: Cortana home page example"::: ## Where is Cortana available for use in my organization? @@ -34,7 +34,7 @@ Cortana requires a PC running Windows 10, version 1703 or later, as well as the | Software | Minimum version | |---------|---------| -|Client operating system | Desktop:
      - Windows 10, version 2004 (recommended)

      - Windows 10, version 1703 (legacy version of Cortana)

      Mobile: Windows 10 mobile, version 1703 (legacy version of Cortana)

      For more information on the differences between Cortana in Windows 10, version 2004 and earlier versions, see [**How is my data processed by Cortana**](#how-is-my-data-processed-by-cortana) below. | +|Client operating system | - Windows 10, version 2004 (recommended)

      - Windows 10, version 1703 (legacy version of Cortana)

      For more information on the differences between Cortana in Windows 10, version 2004 and earlier versions, see [**How is my data processed by Cortana**](#how-is-my-data-processed-by-cortana) below. | |Azure Active Directory (Azure AD) | While all employees signing into Cortana need an Azure AD account, an Azure AD premium tenant isn't required. | |Additional policies (Group Policy and Mobile Device Management (MDM)) |There is a rich set of policies that can be used to manage various aspects of Cortana. Most of these policies will limit the abilities of Cortana but won't turn Cortana off. For example, if you turn **Speech** off, your employees won't be able to use the wake word ("Cortana") for hands-free activation or voice commands to easily ask for help. | @@ -51,7 +51,7 @@ Cortana's approach to integration with Microsoft 365 has changed with Windows 10 ### Cortana in Windows 10, version 2004 and later, or Windows 11 -Cortana enterprise services that can be accessed using Azure AD through Cortana in Windows 10, version 2004 and later, or Windows 11, meet the same enterprise-level privacy, security, and compliance promises as reflected in the [Online Services Terms (OST)](https://www.microsoft.com/en-us/licensing/product-licensing/products). To learn more, see [Cortana in Microsoft 365](/microsoft-365/admin/misc/cortana-integration?view=o365-worldwide#what-data-is-processed-by-cortana-in-office-365&preserve-view=true). +Cortana enterprise services that can be accessed using Azure AD through Cortana meet the same enterprise-level privacy, security, and compliance promises as reflected in the [Online Services Terms (OST)](https://www.microsoft.com/en-us/licensing/product-licensing/products). To learn more, see [Cortana in Microsoft 365](/microsoft-365/admin/misc/cortana-integration?view=o365-worldwide#what-data-is-processed-by-cortana-in-office-365&preserve-view=true). #### How does Microsoft store, retain, process, and use Customer Data in Cortana? @@ -77,7 +77,7 @@ First, the user must enable the wake word from within Cortana settings. Once it The first decision is made by the Windows Multiple Voice Assistant platform leveraging hardware optionally included in the user's PC for power savings. If the wake word is detected, Windows will show a microphone icon in the system tray indicating an assistant app is listening. -:::image type="content" source="../screenshot2.png" alt-text="Screenshot: Microphone icon in the system tray indicating an assistant app is listening"::: +:::image type="content" source="./images/screenshot2.png" alt-text="Screenshot: Microphone icon in the system tray indicating an assistant app is listening"::: At that point, the Cortana app will receive the audio, run a second, more accurate wake word detector, and optionally send it to a Microsoft cloud service where a third wake word detector will confirm. If the service does not confirm that the activation was valid, the audio will be discarded and deleted from any further processing or server logs. On the user's PC, the Cortana app will be silently dismissed, and no query will be shown in conversation history because the query was discarded. diff --git a/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md b/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md index a43fafd84b..0a26a17390 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md @@ -7,46 +7,78 @@ ms.sitesec: library author: greg-lindsay ms.localizationpriority: medium ms.author: greglin -ms.date: 10/05/2017 ms.reviewer: manager: dansimp --- # Use Group Policy and mobile device management (MDM) settings to configure Cortana in your organization ->[!NOTE] ->For specific info about how to set, manage, and use each of these MDM policies to configure Cortana in your enterprise, see the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider) topic, located in the configuration service provider reference topics. +For specific info about how to set, manage, and use each of these MDM policies to configure Cortana in your enterprise, see the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider). +- **Allow Cortana** + - **Group policy**: `Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana` + - **MDM policy CSP**: [Experience/AllowCortana](/windows/client-management/mdm/policy-csp-experience#experience-allowcortana) + - **Description**: Specifies if users can use Cortana. -|**Group policy** |**MDM policy** |**Description** | -|---------|---------|---------| -|Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana |Experience/AllowCortana |Specifies whether employees can use Cortana.
      -> [!IMPORTANT] -> Cortana won’t work if this setting is turned off (disabled). However, on Windows 10, version 1809 and below, employees can still perform local searches even with Cortana turned off. | -|Computer Configuration\Administrative Templates\Windows Components\Search\AllowCortanaAboveLock |AboveLock/AllowCortanaAboveLock |Specifies whether an employee can interact with Cortana using voice commands when the system is locked.
      -> [!NOTE] -> Cortana in Windows 10, versions 2004 and later, or Windows 11 do not currently support Above Lock. | -|Computer Configuration\Administrative Templates\Windows Components\App Privacy\LetAppsActivateWithVoice |[Privacy/LetAppsActivateWithVoice](/windows/client-management/mdm/policy-csp-privacy#privacy-letappsactivatewithvoice) |Specifies whether apps (such as Cortana or other voice assistants) can activate using a wake word (e.g. “Hey Cortana”).
      -> [!NOTE] -> This setting only applies to Windows 10 versions 2004 and later, or Windows 11. To disable wake word activation on Windows 10 versions 1909 and earlier, you will need to disable voice commands using Privacy/AllowInputPersonalization. | -|Computer Configuration\Administrative Templates\Windows Components\App Privacy\LetAppsAccessMicrophone |[Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps](/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessmicrophone-forcedenytheseapps) | Use this to disable Cortana’s access to the microphone. To do so, specify Cortana’s Package Family Name: Microsoft.549981C3F5F10_8wekyb3d8bbwe
      -Users will still be able to type queries to Cortana. | -|Computer Configuration\Administrative Templates\Control Panel\Regional and Language Options\Allow users to enable online speech recognition services |Privacy/AllowInputPersonalization |Specifies whether an employee can use voice commands with Cortana in your organization.
      -**In Windows 10, version 1511**
      Cortana won’t work if this setting is turned off (disabled).
      **In Windows 10, version 1607 and later**
      Non-speech aspects of Cortana will still work if this setting is turned off (disabled).
      **In Windows 10, version 2004 and later**
      Cortana will work, but voice input will be disabled. | -|None |System/AllowLocation |Specifies whether to allow app access to the Location service.
      -**In Windows 10, version 1511**
      Cortana won’t work if this setting is turned off (disabled).
      -**In Windows 10, version 1607 and later**
      -Cortana still works if this setting is turned off (disabled).
      -**In Windows 10, version 2004 and later**
      -Cortana still works if this setting is turned off (disabled). Cortana in Windows 10, versions 2004 and later, or Windows 11 do not currently use the Location service. | -|None |Accounts/AllowMicrosoftAccountConnection |Specifies whether to allow employees to sign in using a Microsoft account (MSA) from Windows apps.
      -Disable this setting if you only want to allow users to sign in with their Azure AD account. | -|Computer Configuration\Administrative Templates\Windows Components\Search\Allow search and Cortana to use location |Search/AllowSearchToUseLocation |Specifies whether Cortana can use your current location during searches and for location reminders.
      -**In Windows 10, version 2004 and later**
      Cortana still works if this setting is turned off (disabled). Cortana in Windows 10, versions 2004 and later, or Windows 11, do not currently use the Location service. | -|Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results |Search/DoNotUseWebResults |Specifies whether search can perform queries on the web and if the web results are displayed in search.
      -**In Windows 10 Pro edition**
      This setting can’t be managed.
      -**In Windows 10 Enterprise edition**
      Cortana won't work if this setting is turned off (disabled).
      -**In Windows 10, version 2004 and later**
      This setting no longer affects Cortana.
      | -|Computer Configuration\Administrative Templates\Windows Components\Search\Set the SafeSearch setting for Search |Search/SafeSearchPermissions |Specifies what level of safe search (filtering adult content) is required.
      -> [!NOTE] -> This setting only applies to Windows 10 Mobile. Other versions of Windows should use Don't search the web or display web results. | \ No newline at end of file + Cortana won’t work if this setting is turned off (disabled). On Windows 10, version 1809 and below, users can still do local searches, even with Cortana turned off. + +- **AllowCortanaAboveLock** + - **Group policy**: `Computer Configuration\Administrative Templates\Windows Components\Search\AllowCortanaAboveLock` + - **MDM policy CSP**: [AboveLock/AllowCortanaAboveLock](/windows/client-management/mdm/policy-csp-abovelock#abovelock-allowcortanaabovelock) + - **Description**: Specifies whether users can interact with Cortana using voice commands when the system is locked. + + This setting: + + - Doesn't apply to Windows 10, versions 2004 and later + - Doesn't apply to Windows 11 + +- **LetAppsActivateWithVoice** + - **Group policy**: `Computer Configuration\Administrative Templates\Windows Components\App Privacy\LetAppsActivateWithVoice` + - **MDM policy CSP**: [Privacy/LetAppsActivateWithVoice](/windows/client-management/mdm/policy-csp-privacy#privacy-letappsactivatewithvoice) + - **Description**: Specifies if apps, like Cortana or other voice assistants, can activate using a wake word, like “Hey Cortana”. + + This setting applies to: + + - Windows 10 versions 2004 and later + - Windows 11 + + To disable wake word activation on Windows 10 versions 1909 and earlier, disable voice commands using the [Privacy/AllowInputPersonalization CSP](/windows/client-management/mdm/policy-csp-privacy#privacy-allowinputpersonalization). + +- **LetAppsAccessMicrophone** + - **Group policy**: `Computer Configuration\Administrative Templates\Windows Components\App Privacy\LetAppsAccessMicrophone` + - **MDM policy CSP**: [Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps](/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessmicrophone-forcedenytheseapps) + - **Description**: Disables Cortana’s access to the microphone. To use this setting, enter Cortana’s Package Family Name: `Microsoft.549981C3F5F10_8wekyb3d8bbwe`. Users can still type queries to Cortana. + +- **Allow users to enable online speech recognition services** + - **Group policy**: `Computer Configuration\Administrative Templates\Control Panel\Regional and Language Options\Allow users to enable online speech recognition services` + - **MDM policy CSP**: [Privacy/AllowInputPersonalization](/windows/client-management/mdm/policy-csp-privacy#privacy-allowinputpersonalization) + - **Description**: Specifies whether users can use voice commands with Cortana in your organization. + - **Windows 10, version 1511**: Cortana won’t work if this setting is turned off (disabled). + - **Windows 10, version 1607 and later**: Non-speech aspects of Cortana will still work if this setting is turned off (disabled). + - **Windows 10, version 2004 and later**: Cortana will work, but voice input will be disabled. + +- **AllowLocation** + - **Group policy**: None + - **MDM policy CSP**: [System/AllowLocation](/windows/client-management/mdm/policy-csp-system#system-allowlocation) + - **Description**: Specifies whether to allow app access to the Location service. + - **Windows 10, version 1511**: Cortana won’t work if this setting is turned off (disabled). + - **Windows 10, version 1607 and later**: Cortana still works if this setting is turned off (disabled). + - **Windows 10, version 2004 and later**: Cortana still works if this setting is turned off (disabled). Cortana in Windows 10, versions 2004 and later, or Windows 11 don't use the Location service. + +- **AllowMicrosoftAccountConnection** + - **Group policy**: None + - **MDM policy CSP**: [Accounts/AllowMicrosoftAccountConnection](/windows/client-management/mdm/policy-csp-accounts#accounts-allowmicrosoftaccountconnection) + - **Description**: Specifies whether to allow users to sign in using a Microsoft account (MSA) from Windows apps. If you only want to allow users to sign in with their Azure AD account, then disable this setting. + +- **Allow search and Cortana to use location** + - **Group policy**: `Computer Configuration\Administrative Templates\Windows Components\Search\Allow search and Cortana to use location` + - **MDM policy CSP**: [Search/AllowSearchToUseLocation](/windows/client-management/mdm/policy-csp-search#search-allowsearchtouselocation) + - **Description**: Specifies whether Cortana can use your current location during searches and for location reminders. In **Windows 10, version 2004 and later**, Cortana still works if this setting is turned off (disabled). Cortana in Windows 10, versions 2004 and later, or Windows 11, don't use the Location service. + +- **Don't search the web or display web results** + - **Group policy**: `Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results` + - **MDM policy CSP**: [Search/DoNotUseWebResults](/windows/client-management/mdm/policy-csp-search#search-donotusewebresults) + - **Description**: Specifies if search can do queries on the web, and if the web results are shown in search. + - **Windows 10 Pro edition**: This setting can’t be managed. + - **Windows 10 Enterprise edition**: Cortana won't work if this setting is turned off (disabled). + - **Windows 10, version 2004 and later**: This setting no longer impacts Cortana. diff --git a/windows/configuration/cortana-at-work/images/screenshot1.png b/windows/configuration/cortana-at-work/images/screenshot1.png new file mode 100644 index 0000000000..ed62740e92 Binary files /dev/null and b/windows/configuration/cortana-at-work/images/screenshot1.png differ diff --git a/windows/configuration/cortana-at-work/images/screenshot2.png b/windows/configuration/cortana-at-work/images/screenshot2.png new file mode 100644 index 0000000000..fb7995600e Binary files /dev/null and b/windows/configuration/cortana-at-work/images/screenshot2.png differ diff --git a/windows/configuration/customize-taskbar-windows-11.md b/windows/configuration/customize-taskbar-windows-11.md index 5cbfc1ef09..30af3044b2 100644 --- a/windows/configuration/customize-taskbar-windows-11.md +++ b/windows/configuration/customize-taskbar-windows-11.md @@ -62,8 +62,8 @@ This article shows you how to create the XML file, add apps to the XML, and depl - - + + @@ -102,25 +102,25 @@ This article shows you how to create the XML file, add apps to the XML, and depl - - - - + + + + - - - - + + + + - - - + + + diff --git a/windows/configuration/lockdown-features-windows-10.md b/windows/configuration/lockdown-features-windows-10.md index ac5d6ad1fd..df13bd302b 100644 --- a/windows/configuration/lockdown-features-windows-10.md +++ b/windows/configuration/lockdown-features-windows-10.md @@ -13,14 +13,13 @@ author: greg-lindsay ms.author: greglin ms.topic: article ms.localizationpriority: medium -ms.date: 07/27/2017 --- # Lockdown features from Windows Embedded 8.1 Industry **Applies to** -- Windows 10 +- Windows 10 Many of the lockdown features available in Windows Embedded 8.1 Industry have been modified in some form for Windows 10. This table maps Windows Embedded Industry 8.1 features to Windows 10 Enterprise features, along with links to documentation. @@ -90,7 +89,7 @@ Many of the lockdown features available in Windows Embedded 8.1 Industry have be MDM and Group Policy

      The USB Filter driver has been replaced by MDM and Group Policy settings for blocking the connection of USB devices.

      Group Policy: Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions

      -

      MDM policy name may vary depending on your MDM service. In Microsoft Intune, use Allow removable storage or Allow USB connection (Windows 10 Mobile only).

      +

      MDM policy name may vary depending on your MDM service. In Microsoft Intune, use Removable storage.

      Assigned Access: launch a UWP app on sign-in and lock access to system

      diff --git a/windows/configuration/manage-wifi-sense-in-enterprise.md b/windows/configuration/manage-wifi-sense-in-enterprise.md index 6dc4c73ddb..bbdaae9711 100644 --- a/windows/configuration/manage-wifi-sense-in-enterprise.md +++ b/windows/configuration/manage-wifi-sense-in-enterprise.md @@ -12,15 +12,14 @@ ms.sitesec: library ms.pagetype: mobile author: greg-lindsay ms.localizationpriority: medium -ms.date: 05/02/2018 ms.topic: article --- # Manage Wi-Fi Sense in your company -**Applies to:** -- Windows 10 -- Windows 10 Mobile +**Applies to** + +- Windows 10 version 1709 and older >[!IMPORTANT] >Beginning with Windows 10, version 1803, Wifi-Sense is no longer available. The following information only applies to Windows 10, version 1709 and prior. Please see [Connecting to open Wi-Fi hotspots in Windows 10](https://privacy.microsoft.com/windows-10-open-wi-fi-hotspots) for more details. diff --git a/windows/configuration/mobile-devices/configure-mobile.md b/windows/configuration/mobile-devices/configure-mobile.md deleted file mode 100644 index fd9c3065aa..0000000000 --- a/windows/configuration/mobile-devices/configure-mobile.md +++ /dev/null @@ -1,33 +0,0 @@ ---- -title: Configure Windows 10 Mobile devices -description: -keywords: Windows 10, MDM, WSUS, Windows update -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: greg-lindsay -ms.author: greglin -ms.topic: article -ms.date: 07/27/2017 -ms.reviewer: -manager: dansimp ---- - -# Configure Windows 10 Mobile devices - -Windows 10 Mobile enables administrators to define what users can see and do on a device, which you might think of as "configuring" or "customizing" or "device lockdown". Your device configuration can provide a standard Start screen with pre-installed apps, or restrict various settings and features, or even limit the device to run only a single app (kiosk). - -## In this section - -| Topic | Description | -| --- | --- | -| [Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](set-up-a-kiosk-for-windows-10-for-mobile-edition.md) | You can configure a device running Windows 10 Mobile or Windows 10 Mobile Enterprise as a kiosk device, so that users can only interact with a single application that you select. | -| [Use Windows Configuration Designer to configure Windows 10 Mobile devices](provisioning-configure-mobile.md) | Use Windows Configuration Designer to create provisioning packages. Using provisioning packages, you can easily specify desired configuration and settings required to enroll the devices into management and then apply that configuration to target devices in a matter of minutes. | -| [Use the Lockdown Designer app to configure Windows 10 Mobile devices](mobile-lockdown-designer.md) | The Lockdown Designer app provides a guided wizard-like process to generate a Lockdown XML file that you can apply to devices running Windows 10 Mobile. | -| [Configure Windows 10 Mobile using Lockdown XML](lockdown-xml.md) | Windows 10 Mobile allows enterprises to lock down a device, define multiple user roles, and configure custom layouts on a device. | -| [Start layout XML for mobile editions of Windows 10 (reference)](start-layout-xml-mobile.md) | On Windows 10 Mobile, you can use the XML-based layout to modify the Start screen and provide the most robust and complete Start customization experience. This reference topic describes the supported elements and attributes for the LayoutModification.xml file. | -| [Settings and quick actions that can be locked down in Windows 10 Mobile](settings-that-can-be-locked-down.md) | This topic lists the settings and quick actions that can be locked down in Windows 10 Mobile. | -| [Product IDs in Windows 10 Mobile](product-ids-in-windows-10-mobile.md) | You can use the product ID and Application User Model (AUMID) in Lockdown.xml to specify apps that will be available to the user. | - diff --git a/windows/configuration/mobile-devices/images/doneicon.png b/windows/configuration/mobile-devices/images/doneicon.png deleted file mode 100644 index d80389f35b..0000000000 Binary files a/windows/configuration/mobile-devices/images/doneicon.png and /dev/null differ diff --git a/windows/configuration/mobile-devices/lockdown-xml.md b/windows/configuration/mobile-devices/lockdown-xml.md deleted file mode 100644 index 87f2b7b7cf..0000000000 --- a/windows/configuration/mobile-devices/lockdown-xml.md +++ /dev/null @@ -1,868 +0,0 @@ ---- -title: Configure Windows 10 Mobile using Lockdown XML (Windows 10) -description: Windows 10 Mobile allows enterprises to lock down a device, define multiple user roles, and configure custom layouts on a device. -ms.assetid: 22C8F654-2EC3-4E6D-8666-1EA9FCF90F5F -ms.reviewer: -manager: dansimp -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security, mobile -author: greg-lindsay -ms.author: greglin -ms.topic: article -ms.localizationpriority: medium -ms.date: 07/27/2017 ---- - -# Configure Windows 10 Mobile using Lockdown XML - - -**Applies to** - -- Windows 10 Mobile - -Windows 10 Mobile allows enterprises to lock down a device, define multiple user roles, and configure custom layouts on a device. For example, the enterprise can lock down a device so that only applications and settings in an allow list are available. - -This is accomplished using Lockdown XML, an XML file that contains settings for Windows 10 Mobile. When you deploy the lockdown XML file to a device, it is saved on the device as **wehlockdown.xml**. When the device boots, it looks for wehlockdown.xml and applies any settings configured in the file. - -In this topic, you'll learn how to create an XML file that contains all lockdown entries available in the AssignedAccessXml area of the [EnterpriseAssignedAccess configuration service provider (CSP)](/windows/client-management/mdm/enterpriseassignedaccess-csp). This topic provides example XML that you can use in your own lockdown XML file that can be included in a provisioning package or when using a mobile device management (MDM) solution to push lockdown settings to enrolled devices. You can also use the [Lockdown Designer app](mobile-lockdown-designer.md) to configure and export your lockdown XML file. - -> [!NOTE] -> On Windows 10 desktop editions, *assigned access* is a feature that lets you configure the device to run a single app above the lockscreen ([kiosk mode](../kiosk-methods.md)). On a Windows 10 Mobile device, assigned access refers to the lockdown settings in AssignedAccessXml in the [EnterpriseAssignedAccess configuration service provider (CSP)](/windows/client-management/mdm/enterpriseassignedaccess-csp). - -If you're not familiar with CSPs, read [Introduction to configuration service providers (CSPs)](../provisioning-packages/how-it-pros-can-use-configuration-service-providers.md) first. - -## Overview of the lockdown XML file - -Let's start by looking at the basic structure of the lockdown XML file. You can start your file by pasting the following XML (or any other examples in this topic) into a text or XML editor, and saving the file as *filename*.xml. - -```xml - - - - - - - - - - - - - -``` - -**Default** and the entries beneath it establish the default device settings that are applied for every user. The device will always boot to this Default role. You can create additional roles on the device, each with its own settings, in the same XML file. [Learn how to add roles.](#configure-additional-roles) - -The settings for the Default role and other roles must be listed in your XML file in the order presented in this topic. All of the entries are optional. If you don't include a setting, that aspect of the device will operate as it would for an nonconfigured device. - ->[!TIP] ->Keep your XML file easy to work with and to understand by using proper indentation and adding comments for each setting you configure. - -## Action Center - -![XML for Action Center.](../images/ActionCenterXML.jpg) - -The Action Center setting controls whether the user can open the Action Center on the device. When the Action Center is disabled, notifications on the lockscreen and toasts are also disabled. You can use optional attributes with the Action Center element to change that behavior for either notifications, toasts, or both. - -In the following example, the Action Center is enabled and both policies are disabled. - -```xml - -``` - -In the following example, Action Center and the toast policy are enabled, and the notifications policy is disabled. - -```xml - -``` - -The following example is a complete lockdown XML file that disables Action Center, notifications, and toasts. - -```xml - - - - - - - -``` - -## Apps - -![XML for Apps.](../images/AppsXML.png) - -The Apps setting serves as an allow list and specifies the applications that will be available in the All apps list. Apps that are not included in this setting are hidden from the user and blocked from running. - -You provide the App User Model ID (AUMID) and product ID for each app in your file. The product ID identifies an app package, and an app package can contain multiple apps, so you also provide the ADUMID to differentiate the app. Optionally, you can set an app to run automatically. [Get product ID and AUMID for apps in Windows 10 Mobile.](product-ids-in-windows-10-mobile.md) - -The following example makes Outlook Calendar available on the device. - -```xml - - - - - -``` - -When you list an app, you can also set the app to be pinned to the Start screen by specifying the tile size and location. Tip: draw a grid and mark your app tiles on it to make sure you get the result you want. The width (X axis) in the following example is the limit for Windows 10 Mobile, but the length (Y axis) is unlimited. The number of columns available to you depends on the value for [StartScreenSize](#start-screen-size). - -![Grid to lay out tiles for Start.](../images/StartGrid.jpg) - -Tile sizes are: -* Small: 1x1 -* Medium: 2x2 -* Large: 2x4 - -Based on 6 columns, you can pin six small tiles or three medium tiles on a single row. A large tile can be combined with two small tiles or one medium tile on the same row. Obviously, you cannot set a medium tile for LocationX=5, or a large tile for LocationX=3, 4, or 5. - -If the tile configuration in your file exceeds the available width, such as setting a large tile to start at position 3 on the X axis, that tile is appended to the bottom of the Start screen. Also, if the tile configuration in your file would result in tiles overlapping each other, the overlapping tiles are instead appended to the bottom of the Start screen. - -In the following example, Outlook Calendar and Outlook Mail are pinned to the Start screen, and the Store app is allowed but is not pinned to Start. - -```xml - - - - - Large - - 0 - 0 - - - - - - - Medium - - 4 - 0 - - - - - - -``` - -That layout would appear on a device like this: - -![Example of the layout on a Start screen.](../images/StartGridPinnedApps.jpg) - -You can create and pin folders to Start by using the Apps setting. Each folder requires a **folderId**, which must be a consecutive positive integer starting with `1`. You can also specify a **folderName** (optional) which will be displayed on Start. - -```xml - - - - - Medium - - 4 - 0 - - - - -``` - -To add apps to the folder, include **ParentFolderId** in the application XML, as shown in the following example: - -```xml - - - - - Large - - 0 - 0 - - 1 - - - - - - Medium - - 4 - 0 - - 1 - - - -``` -When an app is contained in a folder, its **PinToStart** configuration (tile size and location) applies to its appearance when the folder is opened. - -## Buttons - -![XML for buttons.](../images/ButtonsXML.jpg) - -In the Buttons setting, you use ButtonLockdownList to disable hardware buttons and ButtonRemapList to change button events to open an app that you specify. - -### ButtonLockdownList - -When a user taps a button that is in the lockdown list, nothing will happen. The following table lists which events can be disabled for each button. - -Button | Press | PressAndHold | All ----|:---:|:---:|:--:|- -Start | ![no.](../images/crossmark.png) | ![yes](../images/checkmark.png) | ![no](../images/crossmark.png) -Back | ![yes.](../images/checkmark.png) | ![yes](../images/checkmark.png) | ![yes](../images/checkmark.png) -Search | ![yes.](../images/checkmark.png) | ![yes](../images/checkmark.png) | ![yes](../images/checkmark.png) -Camera | ![yes.](../images/checkmark.png) | ![yes](../images/checkmark.png) | ![yes](../images/checkmark.png) -Custom 1, 2, and 3 | ![yes.](../images/checkmark.png) | ![yes](../images/checkmark.png) | ![yes](../images/checkmark.png) - -> [!NOTE] -> Custom buttons are hardware buttons that can be added to devices by OEMs. - -In the following example, press-and-hold is disabled for the Back button. - -```xml - - - - - -``` - -If you don't specify a button event, all actions for the button are disabled. In the next example, all actions are disabled for the camera button. - -```xml - - - - - -``` - -### ButtonRemapList - -ButtonRemapList lets you change the app that a button will run. You can remap the Search button and any custom buttons included by the OEM. You can't remap the Back, Start, or Camera buttons. - -> [!WARNING] -> Button remapping can enable a user to open an application that is not in the allow list for that user role. Use button lock down to prevent application access for a user role. - -To remap a button, you specify the button, the event, and the product ID for the app that you want the event to open. -In the following example, when a user presses the Search button, the phone dialer will open instead of the Search app. - -```xml - - - - - -``` - -## CSPRunner - -![XML for CSP Runner.](../images/CSPRunnerXML.jpg) - -You can use CSPRunner to include settings that are not defined in AssignedAccessXML. For example, you can include settings from other sections of EnterpriseAssignedAccess CSP, such as lockscreen, theme, and time zone. You can also include settings from other CSPs, such as [Wi-Fi CSP](/windows/client-management/mdm/wifi-csp) or [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider). - -CSPRunner is helpful when you are configuring a device to support multiple roles. It lets you apply different policies according to the role that is signed on. For example, Wi-Fi could be enabled for a supervisor role and disabled for a stocking clerk role. - -In CSPRunner, you specify the CSP and settings using SyncML, a standardized markup language for device management. A SyncML section can include multiple settings, or you can use multiple SyncML sections -- it's up to you how you want to organize settings in this section. - -> [!NOTE] -> This description of SyncML is just the information that you need to use SyncML in a lockdown XML file. To learn more about SyncML, see [Structure of OMA DM provisioning files](/windows/client-management/mdm/structure-of-oma-dm-provisioning-files). - -Let's start with the structure of SyncML in the following example: - -```xml -SyncML> - - | - # - - - CSP Path - - - Data Type - - Value - - | - - - -``` - -This table explains the parts of the SyncML structure. - -SyncML entry | Description ----|--- -**Add** or **Replace** | Use **Add** to apply a setting or policy that is not already configured. Use **Replace** to change an existing setting or policy. -**CmdID** | SyncBody can contain multiple commands. Each command in a lockdown XML file must have a different **CmdID** value. -**Item** | **Item** is a wrapper for a single setting. You can include multiple items for the command if they all use the same **Add** or **Replace** operation. -**Target > LocURI** | **LocURI** is the path to the CSP. -**Meta > Format** | The data format required by the CSP. -**Data** | The value for the setting. - - -## Menu items - -![XML for menu items.](../images/MenuItemsXML.png) - -Use DisableMenuItems to prevent use of the context menu, which is displayed when a user presses and holds an application in the All Apps list. You can include this entry in the default profile and in any additional user role profiles that you create. - -```xml - - - -``` - -## Settings - -![XML for settings.](../images/SettingsXML.png) - -The **Settings** section contains an `allow` list of pages in the Settings app and quick actions. The following example allows all settings. - -```xml - - - - ``` -In earlier versions of Windows 10, you used the page name to define allowed settings. Starting in Windows 10, version 1703, you use the settings URI. - -In the following example for Windows 10, version 1703, all system setting pages that have a settings URI are enabled. - -```xml - - - - - - - - - - - -``` - -If you list a setting or quick action in **Settings**, all settings and quick actions that are not listed are blocked. To remove access to all of the settings in the system, do not include the settings application in [Apps](#apps). - -For a list of the settings and quick actions that you can allow or block, see [Settings and quick actions that can be locked down in Windows 10 Mobile](settings-that-can-be-locked-down.md). - - - ## Tiles - - ![XML for tiles.](../images/TilesXML.png) - - By default, under Assigned Access, tile manipulation is turned off (blocked) and only available if enabled in the user’s profile. If tile manipulation is enabled in the user’s profile, they can pin/unpin, move, and resize tiles based on their preferences. When multiple people use one device and you want to enable tile manipulation for multiple users, you must enable it for each user in their user profile. - - > [!IMPORTANT] - > If a device is turned off then back on, the tiles reset to their predefined layout. If a device has only one profile, the only way to reset the tiles is to turn off then turn on the device. If a device has multiple profiles, the device resets the tiles to the predefined layout based on the logged-in user’s profile. - - ```xml - - - - ``` - - ## Start screen size - - Specify the size of the Start screen. In addition to 4/6 columns, you can also use 4/6/8 depending on screen resolutions. Valid values: - -- Small sets the width to 4 columns on devices with short axis (less than 400epx) or 6 columns on devices with short axis (greater than or equal to 400epx). -- Large sets the width to 6 columns on devices with short axis (less than 400epx) or 8 columns on devices with short axis (greater than or equal to 400epx). - - If you have existing lockdown xml, you must update start screen size if your device has >=400epx on its short axis so that tiles on Start can fill all 8 columns if you want to use all 8 columns instead of 6, or use 6 columns instead of 4. - - [Learn about effective pixel width (epx) for different device size classes.](/windows/uwp/design/layout/screen-sizes-and-breakpoints-for-responsive-design) - - -## Configure additional roles - -You can add custom configurations by role. In addition to the role configuration, you must also install a login application on the device. The app displays a list of available roles on the device; the user taps a role, such as "Manager"; the configuration defined for the "Manager" role is applied. - -[Learn how to create a login application that will work with your Lockdown XML file.](https://github.com/Microsoft/Windows-universal-samples/tree/master/Samples/DeviceLockdownAzureLogin) For reference, see the [Windows.Embedded.DeviceLockdown API](/uwp/api/Windows.Embedded.DeviceLockdown). - -In the XML file, you define each role with a GUID and name, as shown in the following example: - -```xml - -``` - -You can create a GUID using a GUID generator -- free tools are available online. The GUID needs to be unique within this XML file. - -You can configure the same settings for each role as you did for the default role, except Start screen size which can only be configured for the default role. If you use CSPRunner with roles, be aware that the last CSP setting applied will be retained across roles unless explicitly changed in each role configuration. CSP settings applied by CSPRunner may conflict with settings applied by MDM. - -```xml - - - - - - - - - - - - - - - - - - - - - - - - -``` - -## Validate your XML - -You can validate your lockdown XML file against the [EnterpriseAssignedAccess XSD](/windows/client-management/mdm/enterpriseassignedaccess-xsd). - -## Add lockdown XML to a provisioning package - - -Use the Windows ICD tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package. [Install the ADK.](https://go.microsoft.com/fwlink/p/?LinkId=526740) - -1. Follow the instructions at [Build and apply a provisioning package](../provisioning-packages/provisioning-create-package.md) to create a project, selecting **Common to all Windows mobile editions** for your project. - -2. In **Available customizations**, go to **Runtime settings** > **EmbeddedLockdownProfiles** > **AssignedAccessXml**. - -3. In the center pane, click **Browse** to locate and select the lockdown XML file that you created. - - ![browse button.](../images/icdbrowse.png) - -4. On the **File** menu, select **Save.** - -5. On the **Export** menu, select **Provisioning package**. - -6. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.** - -7. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing. - - - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen. - - - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select** and choosing the certificate you want to use to sign the package. - -8. Click **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows ICD uses the project folder as the output location. - - Optionally, you can click **Browse** to change the default output location. - -9. Click **Next**. - -10. Click **Build** to start building the package. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status. - - If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. - -11. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again. - - If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. - - - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build. - - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**. - -After you build the provisioning package, follow the instructions for [applying a provisioning package at runtime to Windows 10 Mobile](../provisioning-packages/provisioning-create-package.md). - -## Push lockdown XML using MDM - - -After you deploy your devices, you can still configure lockdown settings through your MDM solution if it supports the [EnterpriseAssignedAccess CSP](/windows/client-management/mdm/enterpriseassignedaccess-csp). - -To push lockdown settings to enrolled devices, use the AssignedAccessXML setting and use the lockdown XML as the value. The lockdown XML will be in a HandheldLockdown section that becomes XML embedded in XML, so the XML that you enter must use escaped characters (such as `<` in place of <). After the MDM provider pushes your lockdown settings to the device, the CSP processes the file and updates the device. - -## Full Lockdown.xml example - -```xml - - - - - - - - - Large - - 0 - 0 - - - - - - - Small - - 0 - 2 - - - - - - - Medium - - 2 - 2 - - - - - - - - - - - - - - - - - - - - - - - - - - 1 - - - ./Vendor/MSFT/EnterpriseAssignedAccess/Theme/ThemeAccentColorID - - - int - - - 7 - - - - - - - - - 1 - - - ./Vendor/MSFT/EnterpriseAssignedAccess/Theme/ThemeBackground - - - int - - - 1 - - - - - - - - - 2 - - - ./Vendor/MSFT/EnterpriseAssignedAccess/LockScreenWallpaper/BGFileName - - - chr - text/plain - - c:\windows\system32\lockscreen\480x800\Wallpaper_05.jpg - - - - - - - - - - - - - - - - - - - - - - - - Small - - - - - - - - - Small - - 0 - 0 - - - - - - - Large - - 0 - 2 - - - - - - - - - - - - 1 - - - ./Vendor/MSFT/EnterpriseAssignedAccess/Theme/ThemeAccentColorID - - - int - - - 10 - - - - - - - - - 1 - - - ./Vendor/MSFT/EnterpriseAssignedAccess/Theme/ThemeBackground - - - int - - - 0 - - - - - - - - - 2 - - - ./Vendor/MSFT/EnterpriseAssignedAccess/LockScreenWallpaper/BGFileName - - - chr - text/plain - - c:\windows\system32\lockscreen\480x800\Wallpaper_08.jpg - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Small - - 0 - 0 - - - - - - - Small - - 1 - 0 - - - - - - - Medium - - 2 - 0 - - - - - - - - - Small - - 0 - 2 - - - - - - - Medium - - 2 - 2 - - - - - - - - - - - - 1 - - - ./Vendor/MSFT/EnterpriseAssignedAccess/Theme/ThemeAccentColorID - - - int - - - 2 - - - - - - - - - 1 - - - ./Vendor/MSFT/EnterpriseAssignedAccess/Theme/ThemeBackground - - - int - - - 1 - - - - - - - - - 2 - - - ./Vendor/MSFT/EnterpriseAssignedAccess/LockScreenWallpaper/BGFileName - - - chr - text/plain - - c:\windows\system32\lockscreen\480x800\Wallpaper_015.jpg - - - - - - - - - - - - - - - - - - -``` - -## Learn more - -[Customizing Your Device Experience with Assigned Access](https://channel9.msdn.com/Events/Build/2016/P508) - -## Related topics - - -[Settings and quick actions that can be locked down in Windows 10 Mobile](settings-that-can-be-locked-down.md) - -[Product IDs in Windows 10 Mobile](product-ids-in-windows-10-mobile.md) \ No newline at end of file diff --git a/windows/configuration/mobile-devices/mobile-lockdown-designer.md b/windows/configuration/mobile-devices/mobile-lockdown-designer.md deleted file mode 100644 index a7d82f6088..0000000000 --- a/windows/configuration/mobile-devices/mobile-lockdown-designer.md +++ /dev/null @@ -1,172 +0,0 @@ ---- -title: Use the Lockdown Designer app to create a Lockdown XML file (Windows 10) -description: -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: greg-lindsay -ms.author: greglin -ms.topic: article -ms.date: 07/27/2017 -ms.reviewer: -manager: dansimp ---- - -# Use the Lockdown Designer app to create a Lockdown XML file - -![Lockdown Designer in the Store.](../images/ldstore.png) - -Windows 10 Mobile allows enterprises to lock down a device, define multiple user roles, and configure custom layouts on a device. For example, the enterprise can lock down a device so that only applications and settings in an allow list are available. This is accomplished using Lockdown XML, an XML file that contains settings for Windows 10 Mobile. - -When you deploy the lockdown XML file to a device, it is saved on the device as **wehlockdown.xml**. When the device boots, it looks for wehlockdown.xml and applies any settings configured in the file. You can deploy the lockdown XML file by [adding it to a provisioning package](lockdown-xml.md#add-lockdown-xml-to-a-provisioning-package) or [by using mobile device management (MDM)](lockdown-xml.md#push-lockdown-xml-using-mdm). - -The Lockdown Designer app helps you configure and create a lockdown XML file that you can apply to devices running Windows 10 Mobile, version 1703, and includes a remote simulation to help you determine the layout for tiles on the Start screen. Lockdown Designer also validates the XML. Using Lockdown Designer is easier than [manually creating a lockdown XML file](lockdown-xml.md). - - - -## Overview - -Lockdown Designer can be installed on a PC running Windows 10, version 1607 or later. After you install the app, you connect a mobile device running Windows 10 Mobile, version 1703, to the PC. - ->[!NOTE] ->Lockdown Designer will not make any changes to the connected device, but we recommend that you use a test device. - -Lockdown Designer will populate the available settings and apps to configure from the connected device. Using the different pages in the app, you select the settings, apps, and layout to be included in the lockdown XML. - -When you're done, you export the configuration to a lockdown XML file. This configuration can be applied to any device running Windows 10 Mobile, version 1703. - ->[!NOTE] ->You can also import an existing WEHLockdown.xml file to Lockdown Designer and modify it in the app. - -## Prepare the test mobile device - -Perform these steps on the device running Windows 10 Mobile that you will use to supply the settings, apps, and layout to Lockdown Designer. - -1. Install all apps on the device that you want to include in the configuration, including line-of-business apps. - -2. On the mobile device, go to **Settings** > **Update & security** > **For developers**, enable **Developer mode**. - -3. Read the disclaimer, then click **Yes** to accept the change. - -4. Enable **Device discovery**, and then turn on **Device Portal**. - ->[!IMPORTANT] ->Check **Settings > Personalization > Start > Show more tiles** on the test mobile device. If **Show more tiles** is **On**, you must select **Large** on the [**Start screen** page](#start) in Lockdown Designer. If you want to apply a **Small** layout, set **Show more tiles** on the test mobile device to **Off**. -> ->![turn off show more tiles for small start screen size.](../images/show-more-tiles.png) - -## Prepare the PC - -[Install Lockdown Designer](https://www.microsoft.com/store/r/9nblggh40753) on the PC. - -If the PC and the test mobile device are on the same Wi-Fi network, you can connect the devices using Wi-Fi. - -If you want to connect the PC and the test mobile device using a USB cable, perform the following steps on the PC: - -1. [Install the Windows 10 Software Development Kit (SDK)](https://developer.microsoft.com/windows/downloads/windows-10-sdk). This enables the **Windows Phone IP over USB Transport (IpOverUsbSvc)** service. - -2. Open a command prompt as an administrator and run `checknetisolation LoopbackExempt -a -n=microsoft.lockdowndesigner_8wekyb3d8bbwe` - - >[!NOTE] - >Loopback is permitted only for development purposes. To remove the loopback exemption when you're done using Lockdown Designer, run `checknetisolation LoopbackExempt -d -n=microsoft.lockdowndesigner_8wekyb3d8bbwe` - - - - -## Connect the mobile device to Lockdown Designer - -**Using Wi-Fi** - -1. Open Lockdown Designer. - -2. Click **Create new project**. - -3. On the test mobile device, go to **Settings** > **Update & security** > **For developers** > **Connect using:** and get the IP address listed for **Wi-Fi**. - -2. On the **Project setting** > **General settings** page, in **Remote device IP address**, enter the IP address for the test mobile device, using `https://`. - -3. Click **Pair**. - - ![Pair.](../images/ld-pair.png) - - **Connect to remote device** appears. - -4. On the mobile device, under **Device discovery**, tap **Pair**. A case-sensitive code is displayed. - -5. On the PC, in **Connect to remote device**, enter the code from the mobile device. - -6. Next, click **Sync** to pull information from the device in to Lockdown Designer. - - ![Sync.](../images/ld-sync.png) - -7. Click the **Save** icon and enter a name for your project. - -**Using a USB cable** - -1. Open Lockdown Designer. - -2. Click **Create new project**. - -2. Connect a Windows 10 Mobile device to the PC by USB and unlock the device. - -3. On the **Project setting** > **General settings** page, click **Pair**. - - ![Pair.](../images/ld-pair.png) - - **Connect to remote device** appears. - -4. On the mobile device, under **Device discovery**, tap **Pair**. A case-sensitive code is displayed. - -5. On the PC, in **Connect to remote device**, enter the code from the mobile device. - -6. Next, click **Sync** to pull information from the device in to Lockdown Designer. - - ![Sync.](../images/ld-sync.png) - -7. Click the **Save** icon and enter a name for your project. - - -## Configure your lockdown XML settings - -The apps and settings available in the pages of Lockdown Designer should now be populated from the test mobile device. The following table describes what you can configure on each page. - -| Page | Description | -| --- | --- | -| ![Applications.](../images/ld-apps.png) | Each app from the test mobile device is listed. Select the apps that you want visible to users.

      You can select an app to run automatically when a user signs in to the device. The **Select Auto-Run** menu is populated by the apps that you select to allow on the device. | -| ![CSP Runner.](../images/ld-csp.png) | CSPRunner enables you to include settings and policies that are not defined in other sections of the app. To make use of CSPRunner, you must create the SyncML block that contains the settings, and then import the SyncML in Lockdown Designer. [Learn how to use CSPRunner and author SyncML.](lockdown-xml.md#csprunner) | -| ![Settings.](../images/ld-settings.png) | On this page, you select the settings that you want visible to users. See the [ms settings: URI scheme reference](/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference) to see which Settings page maps to a URI. | -| ![Quick actions.](../images/ld-quick.png) | On this page, you select the settings that you want visible to users. | -| ![Buttons.](../images/ld-buttons.png) | Each hardware button on a mobile device has different actions that can be disabled. In addition, the behavior for **Search** button can be changed to open an app other than **Search**.

      Some devices may have additional hardware buttons provided by the OEM. These are listed as Custom1, Custom2, and Custom3. If your device has custom hardware buttons, contact your equipment provider to identify how their custom buttons are defined. | -| ![Other settings.](../images/ld-other.png) | This page contains several settings that you can configure:

      - The context menu is displayed when a user presses and holds an application in the All Apps list. You can enable or disable the context menu.

      - Tile manipulation allows users to pin, unpin, move, and resize tiles on the Start screen. You can enable or disable tile manipulation.

      - The Action Center setting controls whether the user can open the Action Center on the device. When the Action Center is disabled, notifications on the lockscreen and toasts are also disabled. You can use optional attributes with the Action Center element to change that behavior for either notifications, toasts, or both. | -| ![Start screen.](../images/ld-start.png) | On this page, you can start a remote simulation session with the test mobile device. Click **Start remote simulation**. You will see a **Start screen remote simulation in progress** message on the PC. (If the **Start remote simulation** button is not active, [pair the mobile device with the PC again](#pair).)

      On the test mobile device, tiles for the apps that you allowed on the **Applications** page are displayed on the screen. You can move, resize, or unpin these tiles to achieve the desired layout.

      When you are done changing the layout on the test mobile device, click **Accept** on the PC. | - - -## Validate and export - -On the **Validate and export** page, click **Validate** to make sure your lockdown XML is valid. - ->[!WARNING] ->Lockdown Designer cannot validate SyncML that you imported to CSPRunner. - -Click **Export** to generate the XML file for your project. You can select the location to save the file. - -## Create and configure multiple roles - -You can create additional roles for the device and have unique configurations for each role. For example, you could have one configuration for a **Manager** role and a different configuration for a **Salesperson** role. - ->[!NOTE] ->Using multiple roles on a device requires a login application that displays the list of roles and allows users to sign in to Azure Active Directory. [Learn how to create a login application that will work with your Lockdown XML file.](https://github.com/Microsoft/Windows-universal-samples/tree/master/Samples/DeviceLockdownAzureLogin) - -**For each role:** - -1. On the **Project setting** page, click **Role management**. - -2. Click **Add a role**. - -3. Enter a name for the role, and then click **Save**. - -4. Configure the settings for the role as above, but make sure on each page that you select the correct role. - - ![Current role selection box.](../images/ld-role.png) \ No newline at end of file diff --git a/windows/configuration/mobile-devices/product-ids-in-windows-10-mobile.md b/windows/configuration/mobile-devices/product-ids-in-windows-10-mobile.md deleted file mode 100644 index fbea1f61d8..0000000000 --- a/windows/configuration/mobile-devices/product-ids-in-windows-10-mobile.md +++ /dev/null @@ -1,254 +0,0 @@ ---- -title: Product IDs in Windows 10 Mobile (Windows 10) -description: You can use the product ID and Application User Model (AUMID) in Lockdown.xml to specify apps that will be available to the user. -ms.assetid: 31116BED-C16A-495A-BD44-93218A087A1C -ms.reviewer: -manager: dansimp -keywords: ["lockdown"] -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: mobile -author: greg-lindsay -ms.author: greglin -ms.topic: article -ms.localizationpriority: medium -ms.date: 07/27/2017 ---- - -# Product IDs in Windows 10 Mobile - - -**Applies to** - -- Windows 10 Mobile - -You can use the product ID and Application User Model (AUMID) in Lockdown.xml to specify apps that will be available to the user. - -## Apps included in Windows 10 Mobile - - -The following table lists the product ID and AUMID for each app that is included in Windows 10 Mobile. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      AppProduct IDAUMID
      Alarms and clock44F7D2B4-553D-4BEC-A8B7-634CE897ED5FMicrosoft.WindowsAlarms_8wekyb3d8bbwe!App
      CalculatorB58171C6-C70C-4266-A2E8-8F9C994F4456Microsoft.WindowsCalculator_8wekyb3d8bbwe!App
      CameraF0D8FEFD-31CD-43A1-A45A-D0276DB069F1Microsoft.WindowsCamera_8wekyb3d8bbwe!App
      Contact Support0DB5FCFF-4544-458A-B320-E352DFD9CA2BWindows.ContactSupport_cw5n1h2txyewy!App
      CortanaFD68DCF4-166F-4C55-A4CA-348020F71B94Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI
      ExcelEAD3E7C0-FAE6-4603-8699-6A448138F4DCMicrosoft.Office.Excel_8wekyb3d8bbwe!microsoft.excel
      Facebook82A23635-5BD9-DF11-A844-00237DE2DB9EMicrosoft.MSFacebook_8wekyb3d8bbwe!x82a236355bd9df11a84400237de2db9e
      File ExplorerC5E2524A-EA46-4F67-841F-6A9465D9D515c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy!App
      FM RadioF725010E-455D-4C09-AC48-BCDEF0D4B626N/A
      Get StartedB3726308-3D74-4A14-A84C-867C8C735C3CMicrosoft.Getstarted_8wekyb3d8bbwe!App
      Groove MusicD2B6A184-DA39-4C9A-9E0A-8B589B03DEC0Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic
      MapsED27A07E-AF57-416B-BC0C-2596B622EF7DMicrosoft.WindowsMaps_8wekyb3d8bbwe!App
      Messaging27E26F40-E031-48A6-B130-D1F20388991AMicrosoft.Messaging_8wekyb3d8bbwe!x27e26f40ye031y48a6yb130yd1f20388991ax
      Microsoft Edge395589FB-5884-4709-B9DF-F7D558663FFDMicrosoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge
      Money1E0440F1-7ABF-4B9A-863D-177970EEFB5EMicrosoft.BingFinance_8wekyb3d8bbwe!AppexFinance
      Movies and TV6AFFE59E-0467-4701-851F-7AC026E21665Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo
      News9C3E8CAD-6702-4842-8F61-B8B33CC9CAF1Microsoft.BingNews_8wekyb3d8bbwe!AppexNews
      OneDriveAD543082-80EC-45BB-AA02-FFE7F4182BA8Microsoft.MicrosoftSkydrive_8wekyb3d8bbwe!App
      OneNoteCA05B3AB-F157-450C-8C49-A1F127F5E71DMicrosoft.Office.OneNote_8wekyb3d8bbwe!microsoft.onenoteim
      Outlook Calendar

      A558FEBA-85D7-4665-B5D8-A2FF9C19799B

      Microsoft.WindowsCommunicationsApps_8wekyb3d8bbwe!Microsoft.WindowsLive.Calendar

      Outlook Mail

      A558FEBA-85D7-4665-B5D8-A2FF9C19799B

      Microsoft.WindowsCommunicationsApps_8wekyb3d8bbwe!Microsoft.WindowsLive.Mail

      People60BE1FB8-3291-4B21-BD39-2221AB166481Microsoft.People_8wekyb3d8bbwe!xb94d6231y84ddy49a8yace3ybc955e769e85x
      Phone (dialer)F41B5D0E-EE94-4F47-9CFE-3D3934C5A2C7Microsoft.CommsPhone_8wekyb3d8bbwe!App
      PhotosFCA55E1B-B9A4-4289-882F-084EF4145005Microsoft.Windows.Photos_8wekyb3d8bbwe!App
      PodcastsC3215724-B279-4206-8C3E-61D1A9D63ED3Microsoft.MSPodcast_8wekyb3d8bbwe!xc3215724yb279y4206y8c3ey61d1a9d63ed3x
      PowerpointB50483C4-8046-4E1B-81BA-590B24935798Microsoft.Office.PowerPoint_8wekyb3d8bbwe!microsoft.pptim
      Settings2A4E62D8-8809-4787-89F8-69D0F01654FB2a4e62d8-8809-4787-89f8-69d0f01654fb_8wekyb3d8bbwe!App
      SkypeC3F8E570-68B3-4D6A-BDBB-C0A3F4360A51Microsoft.SkypeApp_kzf8qxf38zg5c!Skype.AppId
      Skype Video27E26F40-E031-48A6-B130-D1F20388991AMicrosoft.Messaging_8wekyb3d8bbwe!App
      Sports0F4C8C7E-7114-4E1E-A84C-50664DB13B17Microsoft.BingSports_8wekyb3d8bbwe!AppexSports
      Storage5B04B775-356B-4AA0-AAF8-6491FFEA564DN/A
      Store7D47D89A-7900-47C5-93F2-46EB6D94C159Microsoft.WindowsStore_8wekyb3d8bbwe!App
      Voice recorder7311B9C5-A4E9-4C74-BC3C-55B06BA95AD0Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe!App
      Wallet587A4577-7868-4745-A29E-F996203F1462Microsoft.MicrosoftWallet_8wekyb3d8bbwe!App
      Weather63C2A117-8604-44E7-8CEF-DF10BE3A57C8Microsoft.BingWeather_8wekyb3d8bbwe!App
      Windows Feedback7604089D-D13F-4A2D-9998-33FC02B63CE3Microsoft.WindowsFeedback_8wekyb3d8bbwe!App
      Word258F115C-48F4-4ADB-9A68-1387E634459BMicrosoft.Office.Word_8wekyb3d8bbwe!microsoft.word
      XboxB806836F-EEBE-41C9-8669-19E243B81B83Microsoft.XboxApp_8wekyb3d8bbwe!Microsoft.XboxApp
      - -  - - - -## Related topics - - -[Configure Windows 10 Mobile using Lockdown XML](lockdown-xml.md) - -[Settings and quick actions that can be locked down in Windows 10 Mobile](settings-that-can-be-locked-down.md) - -  - -  - - - - - diff --git a/windows/configuration/mobile-devices/provisioning-configure-mobile.md b/windows/configuration/mobile-devices/provisioning-configure-mobile.md deleted file mode 100644 index b2cd8a0e5c..0000000000 --- a/windows/configuration/mobile-devices/provisioning-configure-mobile.md +++ /dev/null @@ -1,91 +0,0 @@ ---- -title: Configure Windows 10 Mobile devices with Configuration Designer -description: Use Windows Configuration Designer to configure Windows 10 Mobile devices -keywords: phone, handheld, lockdown, customize -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: greg-lindsay -ms.author: greglin -ms.topic: article -ms.date: 07/27/2017 -ms.reviewer: -manager: dansimp ---- - -# Use Windows Configuration Designer to configure Windows 10 Mobile devices - -Windows provisioning makes it easy for IT administrators to configure end-user devices without imaging. Using provisioning packages, you can easily specify desired configuration, settings, and information required to enroll the devices into management, and then apply that configuration to target devices in a matter of minutes. - -A provisioning package (.ppkg) is a container for a collection of configuration settings. Using Windows Configuration Designer, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. - -Windows Configuration Designer can be installed from the [Windows Assessment and Deployment Kit (ADK) for Windows 10](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). Windows Configuration Designer is also available as an app in the Microsoft Store. [Learn more about installing Windows Configuration Designer.](../provisioning-packages/provisioning-install-icd.md) - -## Create a provisioning package using the wizard - -The **Provision Windows mobile devices** wizard lets you configure common settings for devices running Windows 10 Mobile in a simple, graphical workflow. - -### Start a new project - -1. Open Windows Configuration Designer: - - From either the Start screen or Start menu search, type 'Windows Configuration Designer' and click the Windows Configuration Designer shortcut, - - or - - - If you installed Windows Configuration Designer from the ADK, navigate to `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86` (on an x64 computer) or `C:\Program Files\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe` (on an x86 computer), and then double-click **ICD.exe**. - -2. On the **Start** page, choose **Provision Windows mobile devices**. - -3. Enter a name for your project, and then click **Next**. - - -### Configure settings in the wizard - - - - - - -
      step oneset up device

      Enter a device name.

      Optionally, you can enter a product key to upgrade the device from Windows 10 Mobile to Windows 10 Mobile Enterprise.       		device name, upgrade license
      step two set up network

      Toggle On or Off for wireless network connectivity.

      If you select On, enter the SSID, network type (Open or WPA2-Personal), and (if WPA2-Personal) the password for the wireless network.      		Enter network SSID and type
      step three bulk enrollment in Azure Active Directory

      Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, set up Azure AD join in your organization. The maximum number of devices per user setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used.

      Set an expiration date for the token (maximum is 180 days from the date you get the token). Click Get bulk token. In the Let's get you signed in window, enter an account that has permissions to join a device to Azure AD, and then the password. Click Accept to give Windows Configuration Designer the necessary permissions.

      Warning: You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards.       		Enter expiration and get bulk token
      step four finish

      You can set a password to protect your provisioning package. You must enter this password when you apply the provisioning package to a device.      		Protect your package
      - -After you're done, click **Create**. It only takes a few seconds. When the package is built, the location where the package is stored is displayed as a hyperlink at the bottom of the page. - -### Apply provisioning package - -You can apply a provisioning package to a device running Windows 10 Mobile by using: - -- removable media -- copying the provisioning package to the device -- [NFC tags](provisioning-nfc.md) -- [barcodes](provisioning-package-splitter.md) - -### Using removable media - -1. Insert an SD card containing the provisioning package into the device. -2. Navigate to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package to install. - - ![add a package option.](../images/packages-mobile.png) - -3. Click **Add**. - -4. On the device, the **Is this package from a source you trust?** message will appear. Tap **Yes, add it**. - - ![Is this package from a source you trust.](../images/package-trust.png) - -### Copying the provisioning package to the device - -1. Connect the device to your PC through USB. - -2. On the PC, select the provisioning package that you want to use to provision the device and then drag and drop the file to your device. - -3. On the device, the **Is this package from a source you trust?** message will appear. Tap **Yes, add it**. - - ![Is this package from a source you trust.](../images/package-trust.png) - - -## Related topics - -- [NFC-based device provisioning](provisioning-nfc.md) -- [Use the package splitter tool](provisioning-package-splitter.md) \ No newline at end of file diff --git a/windows/configuration/mobile-devices/provisioning-nfc.md b/windows/configuration/mobile-devices/provisioning-nfc.md deleted file mode 100644 index 42ff3ff229..0000000000 --- a/windows/configuration/mobile-devices/provisioning-nfc.md +++ /dev/null @@ -1,144 +0,0 @@ ---- -title: NFC-based device provisioning (Windows 10) -description: -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.author: greglin -ms.topic: article -ms.localizationpriority: medium -ms.date: 07/27/2017 -ms.reviewer: -manager: dansimp ---- - -# NFC-based device provisioning - - -**Applies to** - -- Windows 10 Mobile - - -Near field communication (NFC) enables Windows 10 Mobile Enterprise and Windows 10 Mobile devices to communicate with an NFC tag or another NFC-enabled transmitting device. Enterprises that do bulk provisioning can use NFC-based device provisioning to provide a provisioning package to the device that's being provisioned. NFC provisioning is simple and convenient and it can easily store an entire provisioning package. - -The NFC provisioning option enables the administrator to provide a provisioning package during initial device setup (the out-of-box experience or OOBE phase). Administrators can use the NFC provisioning option to transfer provisioning information to persistent storage by tapping an unprovisioned mobile device to an NFC tag or NFC-enabled device. To use NFC for pre-provisioning a device, you must either prepare your own NFC tags by storing your provisioning package to a tag as described in this section, or build the infrastructure needed to transmit a provisioning package between an NFC-enabled device and a mobile device during OOBE. - -## Provisioning OOBE UI - -All Windows 10 Mobile Enterprise and Windows 10 Mobile images have the NFC provisioning capability incorporated into the operating system. On devices that support NFC and are running Windows 10 Mobile Enterprise or Windows 10 Mobile, NFC-based device provisioning provides an additional mechanism to provision the device during OOBE. - -On all Windows devices, device provisioning during OOBE can be triggered by 5 fast taps on the Windows hardware key, which shows the **Provision this device** screen. In the **Provision this device** screen, select **NFC** for NFC-based provisioning. - -![Example of Provision this device screen.](../images/nfc.png) - -If there is an error during NFC provisioning, the device will show a message if any of the following errors occur: - -- **NFC initialization error** - This can be caused by any error that occurs before data transfer has started. For example, if the NFC driver isn't enabled or there's an error communicating with the proximity API. -- **Interrupted download or incomplete package transfer** - This error can happen if the peer device is out of range or the transfer is aborted. This error can be caused whenever the device being provisioned fails to receive the provisioning package in time. -- **Incorrect package format** - This error can be caused by any protocol error that the operating system encounters during the data transfer between the devices. -- **NFC is disabled by policy** - Enterprises can use policies to disallow any NFC usage on the managed device. In this case, NFC functionality is not enabled. - -## NFC tag - -You can use an NFC tag for minimal provisioning and use an NFC-enabled device tag for larger provisioning packages. - -The protocol used for NFC-based device provisioning is similar to the one used for NFC provisioning on Windows Embedded 8.1 Handheld, which supported both single-chunk and multi-chunk transfer when the total transfer didn't fit in one NDEP message size. In Windows 10, the provisioning stack contains the following changes: - -- **Protocol namespace** - The protocol namespace has changed from Windows.WEH.PreStageProv.Chunk to Windows.ProvPlugins.Chunk. -- **Tag data type** - The tag data type has changed from UTF-8 into binary raw data. - - ->[!NOTE] ->The NFC tag doesn't go in the secondary device. You can transfer the NFC tag by using a provisioning package from device-to-device using the NFC radio or by re-reading the provisioning package from an NFC tag. - -### NFC tag components - -NFC tags are suitable for very light applications where minimal provisioning is required. The size of NFC tags that contain provisioning packages is typically 4 KB to 10 KB. - -To write to an NFC tag, you will need to use an NFC Writer tool, or you can use the [ProximityDevice class API](/uwp/api/Windows.Networking.Proximity.ProximityDevice) to write your own custom tool to transfer your provisioning package file to your NFC tag. The tool must publish a binary message (write) a Chunk data type to your NFC tag. - -The following table describes the information that is required when writing to an NFC tag. - -| Required field | Description | -| --- | --- | -| **Type** | Windows.ProvPlugins.Chunk

      The receiving device uses this information to understand information in the Data field. | -| **Data** | Tag data with small header in raw binary format that contains a chunk of the provisioning package to be transferred. | - - - -### NFC provisioning helper - -The NFC provisioning helper device must split the provisioning package raw content into multiple parts and publish these in order. Each part should follow the following format: - -
      Version
      (1 byte)      		Leading
      (1 byte)      		Order
      (1 byte)      		Total
      (1 byte)      		Chunk payload
      (N bytes)
      - -For each part: -- Version should always be 0x00. -- Leading byte should always be 0xFF. -- Order represents which message chunk (out of the whole message) the part belongs to. The Order begins with zero (0). -- Total represents the total number of chunks to be transferred for the whole message. -- Chunk payload represents each of the split parts. - -The NFC provisioning helper device must publish the record in a type of Windows.ProvPlugins.Chunk. - -**Code example** - -The following example shows how to write to an NFC tag. This example assumes that the tag is already in range of the writing device. - -``` - private async void WriteProvPkgToTag(IStorageFile provPkgFile) - { - var buffer = await FileIO.ReadBufferAsync(provPkgFile); - if (null == buffer) - { - return; - } - - var proximityDevice = Windows.Networking.Proximity.ProximityDevice.GetDefault(); - if (null == proximityDevice) - { - return; - } - - var dataWriter = new DataWriter(); - var header = new NfcProvHeader(); - - header.version = NFC_PROV_MESSAGE_CURRENT_VERSION; // Currently the supported version is 0x00. - header.leading = NFC_PROV_MESSAGE_LEADING_BYTE; // The leading byte should be always 0xFF. - header.index = 0; // Assume we only have 1 chunk. - header.total = 1; // Assume we only have 1 chunk. - - // Write the header first and then the raw data of the provisioning package. - dataWriter.WriteBytes(GetBytes(header)); - dataWriter.WriteBuffer(buffer); - - var chunkPubId = proximityDevice.PublishBinaryMessage( - "Windows:WriteTag.ProvPlugins.Chunk", - dataWriter.DetachBuffer()); - } -``` - - -### NFC-enabled device tag components - -Provisioning from an NFC-enabled source device allows for larger provisioning packages than can be transferred using an NFC tag. When provisioning from an NFC-enabled device, we recommend that the total file size not exceed 120 KB. Be aware that the larger the NFC file is, the longer it will take to transfer the provisioning file. Depending on your NFC hardware, the transfer time for a 120 KB file will vary between 2.5 seconds and 10 seconds. - -To provision from an NFC-enabled source device, use [ProximityDevice class API](/uwp/api/Windows.Networking.Proximity.ProximityDevice) to write your own custom tool that transfers your provisioning package in chunks to your target mobile device. The tool must publish binary messages (transmit) a Header message, followed by one or more Chunk messages. The Header specifies the total amount of data that will be transferred to the target device; the Chunks must contain binary raw data formatted provisioning data, as shown in the NFC tag components section. - -For detailed information and code samples on how to implement an NFC-enabled device tag, see **ConvertToNfcMessageAsync** in [this GitHub NfcProvisioner Universal Windows app example](https://github.com/Microsoft/Windows-universal-samples/blob/master/Samples/NfcProvisioner/cs/Scenario1.xaml.cs). The sample app shows you how to host the provisioning package on a master device so that you can transfer it to the receiving device. - - - - - - - -## Related topics - -- [Use Windows Configuration Designer to configure Windows 10 Mobile devices](provisioning-configure-mobile.md) - -- [Barcode provisioning and the package splitter tool](provisioning-package-splitter.md) - - diff --git a/windows/configuration/mobile-devices/provisioning-package-splitter.md b/windows/configuration/mobile-devices/provisioning-package-splitter.md deleted file mode 100644 index 3bfd9c31b4..0000000000 --- a/windows/configuration/mobile-devices/provisioning-package-splitter.md +++ /dev/null @@ -1,93 +0,0 @@ ---- -title: Barcode provisioning and the package splitter tool (Windows 10) -description: -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.author: greglin -ms.topic: article -ms.localizationpriority: medium -ms.date: 07/27/2017 -ms.reviewer: -manager: dansimp ---- - -# Barcode provisioning and the package splitter tool - - -**Applies to** - -- Windows 10 Mobile - -Enterprises that do bulk provisioning can use barcode-based device provisioning to provide a provisioning package to the device that's being provisioned. - -The barcode provisioning option enables the administrator to provide a provisioning package during initial device setup (the out-of-box experience or OOBE phase). To use barcodes to provision a device, your devices must have an integrated barcode scanner. You can get the barcode format that the scanner supports from your OEM or device provider, and use your existing tools and processes to convert a provisioning package into barcodes. - -Enterprise IT professionals who want to use a barcode to provision mobile devices during OOBE can use the package splitter tool, **ppkgtobase64.exe**, which is a command-line tool to split the provisioning package into smaller files. - -The smallest provisioning package is typically 5-6 KB, which cannot fit into one single barcode. The package splitter tool allows partners to split the original provisioning package into multiple smaller sized chunks that are encoded with Base64 so that enterprises can leverage their existing tools to convert these files into barcodes. - -When you [install Windows Configuration Designer](../provisioning-packages/provisioning-install-icd.md) from the Windows Assessment and Deployment Kit (ADK), **ppkgtobase64.exe** is installed to the same folder. - -## Prerequisites - -Before you can use the tool, you must have a built provisioning package. The package file is the input to the package splitter tool. - -- To build a provisioning package using the Windows Configuration Designer UI, see [Use Windows Configuration Designer to configure Windows 10 Mobile devices](provisioning-configure-mobile.md). -- To build a provisioning package using the Windows Configuration Designer CLI, see [Windows Configuration Designer command-line interface](../provisioning-packages/provisioning-command-line.md). - -## To use the package splitter tool (ppkgtobase64.exe) - -1. Open a command-line window with administrator privileges. - - -2. From the command-line, navigate to the Windows Configuration Designer install directory. - - On an x64 computer, type: - ``` - cd C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86 - ``` - - - or - - - On an x86 computer, type: - - ``` - cd C:\Program Files\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86 - ``` - -3. Run `ppkgtobase64.exe`. The [syntax](#syntax) and [switches and arguments](#switches-and-arguments) sections provide details for the command. - - -### Syntax - -``` -ppkgtobase64.exe -i -o -s [-c] [/?] -``` - -### Switches and arguments - -| Switch | Required? | Arguments | -| --- | --- | --- | -| -i | Yes | Use to specify the path and file name of the provisioning package that you want to divide into smaller files.

      The tool allows you to specify the absolute path of the provisioning package file. However, if you don't specify the path, the tool will search the current folder for a package that matches the file name you specified. | -| -o | Yes | Use to specify the directory where the output files will be saved. | -| -s | Yes | Use to specify the size of the block that will be encoded in Base64. | -| -c | No | Use to delete any files in the output directory if the directory already exists. This parameter is optional. | -| /? | No | Lists the switches and their descriptions for the command-line tool or for certain commands. | - - - - - -## Related topics - - - - - - - - - - diff --git a/windows/configuration/mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md b/windows/configuration/mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md deleted file mode 100644 index a265a544e3..0000000000 --- a/windows/configuration/mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md +++ /dev/null @@ -1,202 +0,0 @@ ---- -title: Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise (Windows 10) -description: A device in kiosk mode runs a specified app with no access to other device functions, menus, or settings. -ms.assetid: 35EC82D8-D9E8-45C3-84E9-B0C8C167BFF7 -ms.reviewer: -manager: dansimp -keywords: kiosk, lockdown, assigned access -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: mobile -author: greg-lindsay -ms.author: greglin -ms.topic: article -ms.localizationpriority: medium -ms.date: 07/27/2017 ---- - -# Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise - - -**Applies to** - -- Windows 10 Mobile - - -A device in kiosk mode runs a specified app with no access to other device functions, menus, or settings. You use the [Enterprise Assigned Access](#enterprise-assigned-access) configuration service provider (CSP) to configure a kiosk experience. You can also configure a device running Windows 10 Mobile or Windows 10 Mobile Enterprise, version 1607 or earlier, for kiosk mode by using the [Apps Corner](#apps-corner) feature. (Apps Corner is removed in version 1703.) - - - -## Enterprise Assigned Access - - -Enterprise Assigned Access allows you to put your Windows 10 Mobile or Windows 10 Mobile Enterprise device in kiosk mode by creating a user role that has only a single app, set to run automatically, in the Allow list. - ->[!NOTE] ->The app can be a Universal Windows app, Universal Windows Phone 8 app, or a legacy Silverlight app. - - - -### Set up Enterprise Assigned Access in MDM - -In AssignedAccessXml, for Application, you enter the product ID for the app to run in kiosk mode. Find product IDs at [Product IDs in Windows 10 Mobile](product-ids-in-windows-10-mobile.md). - -[See the technical reference for the Enterprise Assigned Access configuration service provider (CSP).](/windows/client-management/mdm/enterpriseassignedaccess-csp) - -### Set up assigned access using Windows Configuration Designer - ->[!IMPORTANT] ->When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. - -#### Create the *AssignedAccess*.xml file - -1. Create an *AssignedAccess*.xml file that specifies the app the device will run. (You can name use any file name.) For instructions on AssignedAccessXml, see [EnterpriseAssignedAccess CSP](/windows/client-management/mdm/enterpriseassignedaccess-csp). - - >[!NOTE] - >Do not escape the xml in *AssignedAccess*.xml file as Windows Configuration Designer will do that when building the package. Providing escaped xml in Windows ICD will cause building the package fail. - -#### Create the provisioning package - -1. [Install Windows Configuration Designer.](../provisioning-packages/provisioning-install-icd.md) - -2. Open Windows Configuration Designer (if you installed it from the Windows ADK, `%windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe`). - -3. Choose **Advanced provisioning**. - - - -4. Name your project, and click **Next**. - -5. Choose **All Windows mobile editions** and click **Next**. - -6. On **New project**, click **Finish**. The workspace for your package opens. - -7. Expand **Runtime settings** > **EmbeddedLockdownProfiles**, and click **AssignedAccessXml**. - -8. Click **Browse** to select the *AssignedAccess*.xml file. - -9. On the **File** menu, select **Save.** - -10. On the **Export** menu, select **Provisioning package**. - -11. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.** - -12. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing. - - - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen. - - - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select** and choosing the certificate you want to use to sign the package. - -13. Click **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows ICD uses the project folder as the output location. - - Optionally, you can click **Browse** to change the default output location. - -14. Click **Next**. - -15. Click **Build** to start building the package. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status. - - If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. - -16. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again. - - If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. - - - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build. - - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**. - -17. Select the **output location** link to go to the location of the package. - -#### Distribute the provisioning package - -You can distribute that .ppkg to mobile devices using any of the following methods: - -- Removable media (USB/SD) - - **To apply a provisioning package from removable media** - - 1. Copy the provisioning package file to the root directory on a micro SD card. - - 2. On the device, insert the micro SD card containing the provisioning package. - - 3. Go to **Settings** > **Accounts** > **Provisioning.** - - 4. Tap **Add a package**. - - 5. On the **Choose a method** screen, in the **Add from** dropdown menu, select **Removable Media**. - - 6. Select a package will list all available provisioning packages on the micro SD card. Tap the desired package, and then tap **Add**. - - 7. You will see a message that tells you what the package will do the device, such as **Adding it will: Lock down the user interface**. Tap **Yes, add it**. - - 8. Restart the device and verify that the runtime settings that were configured in the provisioning package were applied to the device. - -- Email - - **To apply a provisioning package sent in email** - - 1. Send the provisioning package in email to an account on the device. - - 2. Open the email on the device, and then double-tap the attached file. - - 3. You will see a message that tells you what the package will do the device, such as **Adding it will: Lock down the user interface**. Tap **Yes, add it**. - - 4. Restart the device and verify that the runtime settings that were configured in the provisioning package were applied to the device. - -- USB tether - - **To apply a provisioning package using USB tether** - - 1. Connect the device to your PC by USB. - - 2. Select the provisioning package that you want to use to provision the device, and then drag and drop the file to your device. - - 3. The provisioning package installation dialog will appear on the phone. - - 4. You will see a message that tells you what the package will do the device, such as **Adding it will: Lock down the user interface**. Tap **Yes, add it**. - - 5. Restart the device and verify that the runtime settings that were configured in the provisioning package were applied to the device. - - - -## Apps Corner - ->[!NOTE] ->For Windows 10, versions 1507, 1511, and 1607 only. - -Apps Corner lets you set up a custom Start screen on your Windows 10 Mobile or Windows 10 Mobile Enterprise device, where you can share only the apps you choose with the people you let use your device. You configure a device for kiosk mode by selecting a single app to use in Apps Corner. - -**To set up Apps Corner** - -1. On Start ![start.](../images/starticon.png), swipe over to the App list, then tap **Settings** ![settings](../images/settingsicon.png) > **Accounts** > **Apps Corner**. - -2. Tap **Apps**, tap to select the app that you want people to use in the kiosk mode, and then tap done ![done icon.](images/doneicon.png). - -3. If your phone doesn't already have a lock screen password, you can set one now to ensure that people can't get to your Start screen from Apps Corner. Tap **Protect my phone with a password**, click **Add**, type a PIN in the **New PIN** box, type it again in the **Confirm PIN** box, and then tap **OK**. Press **Back** ![back.](../images/backicon.png) to the Apps Corner settings. - -4. Turn **Action center** on or off, depending on whether you want people to be able to use these features when using the device in kiosk mode. - -5. Tap **advanced**, and then turn features on or off, depending on whether you want people to be able to use them. - -6. Press **Back** ![back.](../images/backicon.png) when you're done. - -**To use Apps Corner** - -1. On Start ![start.](../images/starticon.png), swipe over to the App list, then tap **Settings** ![settings](../images/settingsicon.png) > **Accounts** > **Apps Corner** > launch ![launch](../images/launchicon.png). - - >[!TIP] - >Want to get to Apps Corner with one tap? In **Settings**, tap **Apps Corner** > **pin** to pin the Apps Corner tile to your Start screen. - -2. Give the device to someone else, so they can use the device and only the one app you chose. - -3. When they're done and you get the device back, press and hold Power ![power.](../images/powericon.png), and then swipe right to exit Apps Corner. - -## Related topics - - -[Set up a kiosk on Windows 10 Pro, Enterprise, or Education](../kiosk-single-app.md) - -[Configure Windows 10 Mobile using Lockdown XML](lockdown-xml.md) - -[Product IDs in Windows 10 Mobile](product-ids-in-windows-10-mobile.md) - diff --git a/windows/configuration/mobile-devices/settings-that-can-be-locked-down.md b/windows/configuration/mobile-devices/settings-that-can-be-locked-down.md deleted file mode 100644 index c616794f43..0000000000 --- a/windows/configuration/mobile-devices/settings-that-can-be-locked-down.md +++ /dev/null @@ -1,499 +0,0 @@ ---- -title: Lock down settings and quick actions in Windows 10 Mobile -description: This topic lists the settings and quick actions that can be locked down in Windows 10 Mobile. -ms.assetid: 69E2F202-D32B-4FAC-A83D-C3051DF02185 -ms.reviewer: -manager: dansimp -keywords: ["lockdown"] -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: mobile -author: greg-lindsay -ms.author: greglin -ms.topic: article -ms.localizationpriority: medium -ms.date: 07/27/2017 ---- - -# Settings and quick actions that can be locked down in Windows 10 Mobile - - -**Applies to** - -- Windows 10 Mobile - -This topic lists the settings and quick actions that can be locked down in Windows 10 Mobile. - -## Settings lockdown in Windows 10, version 1703 - -In earlier versions of Windows 10, you used the page name to define allowed settings. Starting in Windows 10, version 1703, you use the settings URI. - -For example, in place of **SettingsPageDisplay**, you would use **ms-settings:display**. - -See the [ms-settings: URI scheme reference](/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference) to find the URI for each Settings page. - -## Settings lockdown in Windows 10, version 1607 and earlier - - -You can use Lockdown.xml to configure lockdown settings. - -The following table lists the settings pages and page groups. Use the page name in the Settings section of Lockdown.xml. The Settings section contains an allow list of pages in the Settings app. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Main menuSub-menuPage name
      SystemSettingsPageGroupPCSystem
      DisplaySettingsPageDisplay
      Notifications & actionsSettingsPageAppsNotifications
      PhoneSettingsPageCalls
      MessagingSettingsPageMessaging
      BatterySettingsPageBatterySaver
      Apps for websitesSettingsPageAppsForWebsites
      StorageSettingsPageStorageSenseStorageOverview
      Driving modeSettingsPageDrivingMode
      Offline mapsSettingsPageMaps
      AboutSettingsPagePCSystemInfo
      DevicesSettingsPageGroupDevices
      Default cameraSettingsPagePhotos
      BluetoothSettingsPagePCSystemBluetooth
      NFCSettingsPagePhoneNFC
      MouseSettingsPageMouseTouchpad
      USBSettingsPageUsb
      Network and wirelessSettingsPageGroupNetwork
      Cellular & SIMSettingsPageNetworkCellular
      Wi-FiSettingsPageNetworkWiFi
      Airplane modeSettingsPageNetworkAirplaneMode
      Data usageSettingsPageDataSenseOverview
      Mobile hotspotSettingsPageNetworkMobileHotspot
      VPNSettingsPageNetworkVPN
      PersonalizationSettingsPageGroupPersonalization
      StartSettingsPageBackGround
      ColorsSettingsPageColors
      SoundsSettingsPageSounds
      Lock screenSettingsPageLockscreen
      Glance screenSettingsPageGlance
      Navigation barSettingsNagivationBar
      AccountsSettingsPageGroupAccounts
      Your infoSettingsPageAccountsPicture
      Sign-in optionsSettingsPageAccountsSignInOptions
      Email & app accountsSettingsPageAccountsEmailApp
      Access work or schoolSettingsPageWorkAccess
      Sync your settingsSettingsPageAccountsSync

      Apps corner

      -

      (disabled in Assigned Access)

      		SettingsPageAppsCorner
      Time & languageSettingsPageGroupTimeRegion
      Date & timeSettingsPageTimeRegionDateTime
      LanguageSettingsPageTimeLanguage
      RegionSettingsPageTimeRegion
      KeyboardSettingsPageKeyboard
      SpeechSettingsPageSpeech
      Ease of accessSettingsPageGroupEaseOfAccess
      NarratorSettingsPageEaseOfAccessNarrator
      MagnifierSettingsPageEaseOfAccessMagnifier
      High contrastSettingsPageEaseOfAccessHighContrast
      Closed captionsSettingsPageEaseOfAccessClosedCaptioning
      More optionsSettingsPageEaseOfAccessMoreOptions
      PrivacySettingsPageGroupPrivacy
      LocationSettingsPagePrivacyLocation
      CameraSettingsPagePrivacyWebcam
      MicrophoneSettingsPagePrivacyMicrophone
      MotionSettingsPagePrivacyMotionData
      NotificationsSettingsPagePrivacyNotifications
      Speech. inking, & typingSettingsPagePrivacyPersonalization
      Account infoSettingsPagePrivacyAccountInfo
      ContactsSettingsPagePrivacyContacts
      CalendarSettingsPagePrivacyCalendar
      Phone callsSettingsPagePrivacyPhoneCall
      Call historySettingsPagePrivacyCallHistory
      EmailSettingsPagePrivacyEmail
      MessagingSettingsPagePrivacyMessaging
      RadiosSettingsPagePrivacyRadios
      Continue App ExperiencesSettingsPagePrivacyCDP
      Background appsSettingsPagePrivacyBackgroundApps
      Accessory appsSettingsPageAccessories
      Advertising IDSettingsPagePrivacyAdvertisingId
      Other devicesSettingsPagePrivacyCustomPeripherals
      Feedback and diagnosticsSettingsPagePrivacySIUFSettings
      Update and securitySettingsPageGroupRestore
      Phone updateSettingsPageRestoreMusUpdate
      Windows Insider ProgramSettingsPageFlights
      Device encryptionSettingsPageGroupPCSystemDeviceEncryption
      BackupSettingsPageRestoreOneBackup
      Find my phoneSettingsPageFindMyDevice
      For developersSettingsPageSystemDeveloperOptions
      OEMSettingsPageGroupExtensibility
      ExtensibilitySettingsPageExtensibility
      - -  - -## Quick actions lockdown - - -Quick action buttons are locked down in exactly the same way as Settings pages/groups. By default they are always conditional. - -You can specify the quick actions as follows: - -```xml - - - - - - - - - - - - - - - - - - -``` - - - -  - -## Related topics - - -[Configure Windows 10 Mobile using Lockdown XML](lockdown-xml.md) - -[Product IDs in Windows 10 Mobile](product-ids-in-windows-10-mobile.md) - -  - -  \ No newline at end of file diff --git a/windows/configuration/mobile-devices/start-layout-xml-mobile.md b/windows/configuration/mobile-devices/start-layout-xml-mobile.md deleted file mode 100644 index 858de39174..0000000000 --- a/windows/configuration/mobile-devices/start-layout-xml-mobile.md +++ /dev/null @@ -1,393 +0,0 @@ ---- -title: Start layout XML for mobile editions of Windows 10 (Windows 10) -description: This topic describes the options for customizing Start layout in LayoutModification.xml for Windows 10 mobile editions. -keywords: ["start screen"] -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: greg-lindsay -ms.author: greglin -ms.topic: article -ms.localizationpriority: medium -ms.date: 07/27/2017 -ms.reviewer: -manager: dansimp ---- - -# Start layout XML for mobile editions of Windows 10 (reference) - - -**Applies to** - -- Windows 10 - ->**Looking for consumer information?** See [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630) - - -On Windows 10 Mobile, you can use the XML-based layout to modify the Start screen and provide the most robust and complete Start customization experience. - -On Windows 10 Mobile, the customized Start works by: - -- Windows 10 performs checks to determine the correct base default layout. The checks include the mobile edition, whether the device is dual SIM, the column width, and whether Cortana is supported for the country/region. -- Windows 10 ensures that it does not overwrite the layout that you have set and will sequence the level checks and read the file layout such that any multivariant settings that you have set is not overwritten. -- Windows 10 reads the LayoutModification.xml file and appends the group to the Start screen. - -## Default Start layouts - -The following diagrams show the default Windows 10, version 1607 Start layouts for single SIM and dual SIM devices with Cortana support, and single SIM and dual SIM devices with no Cortana support. - -![Start layout for Windows 10 Mobile.](../images/mobile-start-layout.png) - -The diagrams show: - -- Tile coordinates - These are determined by the row number and the column number. -- Fold - Tiles "above the fold" are visible when users first navigate to the Start screen. Tiles "below the fold" are visible after users scroll up. -- Partner-customizable tiles - OEM and mobile operator partners can customize these areas of the Start screen by prepinning content. The partner configurable slots are: - - Rows 6-9 - - Rows 16-19 - -## LayoutModification XML - -IT admins can provision the Start layout by creating a LayoutModification.xml file. This file supports several mechanisms to modify or replace the default Start layout and its tiles. - ->[!NOTE] ->To make sure the Start layout XML parser processes your file correctly, follow these guidelines when writing your LayoutModification.xml file: ->- Do not leave spaces or white lines in between each element. ->- Do not add comments inside the StartLayout node or any of its children elements. ->- Do not add multiple rows of comments. - -The following table lists the supported elements and attributes for the LayoutModification.xml file. - -| Element | Attributes | Description | -| --- | --- | --- | -| LayoutModificationTemplate | xmlns
      xmlns:defaultlayout
      xmlns:start
      Version | Use to describe the changes to the default Start layout. | -| DefaultLayoutOverride

      Parent:
      LayoutModificationTemplate | n/a | Use to specify the customized Start layout for mobile devices. | -| StartLayoutCollection

      Parent:
      DefaultLayoutOverride | n/a | Use to contain a collection of Start layouts. | -| StartLayout

      Parent:
      StartLayoutCollection | n/a | Use to specify the tile groups that will be appended to the Start screen. | -| start:Group

      Parent:
      StartLayout | Name | Use to specify the tiles that need to be appended to the default Start layout. | -| start:Tile

      Parent:
      start:Group | AppUserModelID
      Size
      Row
      Column | Use to specify any Universal Windows app that has a valid **AppUserModelID** attribute. | -| start:SecondaryTile

      Parent:
      start:Group | AppUserModelID
      TileID
      Arguments
      DisplayName
      Square150x150LogoUri
      ShowNameOnSquare150x150Logo
      ShowNameOnWide310x150Logo
      Wide310x150LogoUri
      BackgroundColor
      ForegroundText
      IsSuggestedApp
      Size
      Row
      Column | Use to pin a Web link through a Microsoft Edge secondary tile. | -| start:PhoneLegacyTile

      Parent:
      start:Group | ProductID
      Size
      Row
      Column | Use to add a mobile app that has a valid **ProductID** attribute. | -| start:Folder

      Parent:
      start:Group | Name
      Size
      Row
      Column | Use to add a folder to the mobile device's Start screen. | -| RequiredStartTiles

      Parent:
      LayoutModificationTemplate | n/a | Use to specify the tiles that will be pinned to the bottom of the Start screen even if a restored Start screen does not have the tiles during backup or restore. | - -### start:Group - -**start:Group** tags specify a group of tiles that will be appended to Start. You can set the **Name** attribute to specify a name for the Start group. - ->[!NOTE] ->Windows 10 Mobile only supports one Start group. - - For Windows 10 Mobile, **start:Group** tags can contain the following tags or elements: - -- **start:Tile** -- **start:SecondaryTile** -- **start:PhoneLegacyTile** -- **start:Folder** - -### Specify Start tiles - -To pin tiles to Start, you must use the right kind of tile depending on what you want to pin. - -#### Tile size and coordinates - -All tile types require a size (**Size**) and coordinates (**Row** and **Column**) attributes regardless of the tile type that you use when prepinning items to Start. - -The following table describes the attributes that you must use to specify the size and location for the tile. - -| Attribute | Description | -| --- | --- | -| Size | Determines how large the tile will be.
      - 1x1 - small tile
      - 2x2 - medium tile
      - 4x2 - wide tile
      - 4x4 - large tile | -| Row | Specifies the row where the tile will appear. | -| Column | Specifies the column where the tile will appear. | - -For example, a tile with Size="2x2", Row="2", and Column="2" results in a tile located at (2,2) where (0,0) is the top-left corner of a group. - -#### start:Tile - -You can use the **start:Tile** tag to pin a Universal Windows app to Start. - -To specify an app, you must set the **AppUserModelID** attribute to the application user model ID that's associated with the corresponding app. - -The following example shows how to pin the Microsoft Edge Universal Windows app: - -```XML - -``` - -#### start:SecondaryTile - -You can use the **start:SecondaryTile** tag to pin a Web link through a Microsoft Edge secondary tile. - -The following example shows how to create a tile of the Web site's URL using the Microsoft Edge secondary tile: - -```XML - -``` - -The following table describes the other attributes that you can use with the **start:SecondaryTile** tag in addition to **Size**, **Row**, and **Column**. - -| Attribute | Required/optional | Description | -| --- | --- | --- | -| AppUserModelID | Required | Must point to Microsoft Edge. | -| TileID | Required | Must uniquely identify your Web site tile. | -| Arguments | Required | Must contain the URL of your Web site. | -| DisplayName | Required | Must specify the text that you want users to see. | -| Square150x150LogoUri | Required | Specifies the logo to use on the 2x2 tile. | -| Wide310x150LogoUri | Optional | Specifies the logo to use on the 4x2 tile. | -| ShowNameOnSquare150x150Logo | Optional | Specifies whether the display name is shown on the 2x2 tile. You can set the value for this attribute to true or false. By default, this is set to false. | -| ShowNameOnWide310x150Logo | Optional | Specifies whether the display name is shown on the 4x2 tile. You can set the value for this attribute to true or false. By default, this is set to false. | -| BackgroundColor | Optional | Specifies the color of the tile. You can specify the value in ARGB hexadecimal (for example, #FF112233) or specify "transparent". | -| ForegroundText | Optional | Specifies the color of the foreground text. Set the value to either "light" or "dark". | - - Secondary Microsoft Edge tiles have the same size and location behavior as a Universal Windows app. - -#### start:PhoneLegacyTile - -You can use the **start:PhoneLegacyTile** tag to add a mobile app that has a valid ProductID, which you can find in the app's manifest file. The **ProductID** attribute must be set to the GUID of the app. - -The following example shows how to add a mobile app with a valid ProductID using the start:PhoneLegacyTile tag: - -```XML - -``` - -#### start:Folder - -You can use the **start:Folder** tag to add a folder to the mobile device's Start screen. - -You must set these attributes to specify the size and location of the folder: **Size**, **Row**, and **Column**. - -Optionally, you can also specify a folder name by using the **Name** attribute. If you specify a name, set the value to a string. - -The position of the tiles inside a folder is relative to the folder. You can add any of the following tile types to the folder: - -- Tile - Use to pin a Universal Windows app to Start. -- SecondaryTile - Use to pin a Web link through a Microsoft Edge secondary tile. -- PhoneLegacyTile - Use to pin a mobile app that has a valid ProductID. - -The following example shows how to add a medium folder that contains two apps inside it: - -```XML - - - - -``` - -#### RequiredStartTiles - -You can use the **RequiredStartTiles** tag to specify the tiles that will be pinned to the bottom of the Start screen even if a restored Start screen does not have the tiles during backup or restore. - ->[!NOTE] ->Enabling this Start customization may be disruptive to the user experience. - -For Windows 10 Mobile, **RequiredStartTiles** tags can contain the following tags or elements. These are similar to the tiles supported in **start:Group**. - -- Tile - Use to pin a Universal Windows app to Start. -- SecondaryTile - Use to pin a Web link through a Microsoft Edge secondary tile. -- PhoneLegacyTile - Use to pin a mobile app that has a valid ProductID. -- Folder - Use to pin a folder to the mobile device's Start screen. - -Tiles specified within the **RequiredStartTiles** tag have the following behavior: - -- The partner-pinned tiles will begin in a new row at the end of the user-restored Start screen. -- If there’s a duplicate tile between what the user has in their Start screen layout and what the OEM has pinned to the Start screen, only the app or tile shown in the user-restored Start screen layout will be shown and the duplicate tile will be omitted from the pinned partner tiles at the bottom of the Start screen. - -The lack of duplication only applies to pinned apps. Pinned Web links may be duplicated. - -- If partners have prepinned folders to the Start screen, Windows 10 treats these folders in the same way as appended apps on the Start screen. Duplicate folders will be removed. -- All partner tiles that are appended to the bottom of the user-restored Start screen will be medium-sized. There will be no gaps in the appended partner Start screen layout. Windows 10 will shift tiles accordingly to prevent gaps. - -## Sample LayoutModification.xml - -The following sample LayoutModification.xml shows how you can configure the Start layout for devices running Windows 10 Mobile: - -```XML - - - - - - - - - - - - - - - - - - - -``` - -## Use Windows Provisioning multivariant support - -The Windows Provisioning multivariant capability allows you to declare target conditions that, when met, supply specific customizations for each variant condition. For Start customization, you can create specific layouts for each variant that you have. To do this, you must create a separate LayoutModification.xml file for each variant that you want to support and then include these in your provisioning package. For more information on how to do this, see Create a provisioning package with multivariant settings. - -The provisioning engine chooses the right customization file based on the target conditions that were met, adds the file in the location that's specified for the setting, and then uses the specific file to customize Start. To differentiate between layouts, you can add modifiers to the LayoutModification.xml filename such as "LayoutCustomization1". Regardless of the modifier that you use, the provsioning engine will always output "LayoutCustomization.xml" so that the OS has a consistent file name to query against. - -For example, if you want to ensure that there's a specific layout for a certain mobile operator in a certain country/region, you can: -1. Create a specific layout customization file and then name it LayoutCustomization1.xml. -2. Include the file as part of your provisioning package. -3. Create your multivariant target and reference the XML file within the target condition in the main customization XML file. - -The following example shows what the overall customization file might look like with multivariant support for Start: - -```XML - - - - {6aaa4dfa-00d7-4aaa-8adf-73c6a7e2501e} - My Provisioning Package - 1.0 - OEM - 50 - - - - - - - - - - - - - - - - - - - - - - - 1 - 1 - 1 - - - 1 - - - - - - - - - c:\users\\appdata\local\Microsoft\Windows\Shell\LayoutCustomization1.XML - - 1 - - - - - - -``` - -When the condition is met, the provisioning engine takes the XML file and places it in the location that Windows 10 has set and then the Start subsystem reads the file and applies the specific customized layout. - -You must repeat this process for all variants that you want to support so that each variant can have a distinct layout for each of the conditions and targets that need to be supported. For example, if you add a **Language** condition, you can create a Start layout that has it's own localized group or folder titles. - -## Add the LayoutModification.xml file to the image - -Once you have created your LayoutModification.xml file to customize devices that will run Windows 10 Mobile, you can use Windows ICD to add the XML file to the device: - -1. In the **Available customizations** pane, expand **Runtime settings**, select **Start** and then click the **StartLayout** setting. -2. In the middle pane, click **Browse** to open File Explorer. -3. In the File Explorer window, navigate to the location where you saved your LayoutModification.xml file. -4. Select the file and then click **Open**. - -This should set the value of **StartLayout**. The setting appears in the **Selected customizations** pane. - - - - - - - - - - - - - - - - - - - -## Related topics - - -- [Manage Windows 10 Start layout options](../windows-10-start-layout-options-and-policies.md) -- [Configure Windows 10 taskbar](../configure-windows-10-taskbar.md) -- [Customize Windows 10 Start and taskbar with Group Policy](../customize-windows-10-start-screens-by-using-group-policy.md) -- [Customize Windows 10 Start and taskbar with ICD and provisioning packages](../customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) -- [Customize Windows 10 Start with mobile device management (MDM)](../customize-windows-10-start-screens-by-using-mobile-device-management.md) -- [Changes to Group Policy settings for Windows 10 Start](../changes-to-start-policies-in-windows-10.md) -- [Start layout XML for desktop editions of Windows 10 (reference)](../start-layout-xml-desktop.md) - -  - -  - - - - - diff --git a/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md b/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md index 65eac1c2a8..05bf795440 100644 --- a/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md +++ b/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md @@ -70,8 +70,6 @@ When a CSP is available but is not explicitly included in your MDM solution, you ### CSPs in Lockdown XML -Starting with Windows 10 version 1703, you can use the [Lockdown Designer app](../mobile-devices/mobile-lockdown-designer.md) to configure your Lockdown XML. - ## How do you use the CSP documentation? All CSPs are documented in the [Configuration service provider reference](/windows/client-management/mdm/configuration-service-provider-reference). diff --git a/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md b/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md index f4325299ce..49a51ea3c2 100644 --- a/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md +++ b/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md @@ -159,7 +159,5 @@ After you're done, click **Create**. It only takes a few seconds. When the packa - [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) - [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) - [PowerShell cmdlets for provisioning Windows client (reference)](provisioning-powershell.md) -- [NFC-based device provisioning](../mobile-devices/provisioning-nfc.md) -- [Use the package splitter tool](../mobile-devices/provisioning-package-splitter.md) - [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md) - [Create a provisioning package with multivariant settings](provisioning-multivariant.md) \ No newline at end of file diff --git a/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md b/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md index 68cfcc37af..cc911deee6 100644 --- a/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md +++ b/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md @@ -194,8 +194,6 @@ For details about the settings you can customize in provisioning packages, see [ - [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) - [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) - [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) -- [NFC-based device provisioning](../mobile-devices/provisioning-nfc.md) -- [Use the package splitter tool](../mobile-devices/provisioning-package-splitter.md) - [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md) - [Create a provisioning package with multivariant settings](provisioning-multivariant.md) diff --git a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md index 182d0e0207..976d93c4b8 100644 --- a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md +++ b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md @@ -203,7 +203,5 @@ For details about the settings you can customize in provisioning packages, see [ - [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) - [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) - [PowerShell cmdlets for provisioning Windows client (reference)](provisioning-powershell.md) -- [NFC-based device provisioning](../mobile-devices/provisioning-nfc.md) -- [Use the package splitter tool](../mobile-devices/provisioning-package-splitter.md) - [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md) - [Create a provisioning package with multivariant settings](provisioning-multivariant.md) diff --git a/windows/configuration/provisioning-packages/provisioning-packages.md b/windows/configuration/provisioning-packages/provisioning-packages.md index b7a5d07216..0a4cc16ed5 100644 --- a/windows/configuration/provisioning-packages/provisioning-packages.md +++ b/windows/configuration/provisioning-packages/provisioning-packages.md @@ -43,7 +43,6 @@ Windows Configuration Designer is available as an [app in the Microsoft Store](h - ## Benefits of provisioning packages diff --git a/windows/configuration/start-layout-xml-desktop.md b/windows/configuration/start-layout-xml-desktop.md index 49a2494418..64b68fb707 100644 --- a/windows/configuration/start-layout-xml-desktop.md +++ b/windows/configuration/start-layout-xml-desktop.md @@ -1,6 +1,6 @@ --- title: Start layout XML for desktop editions of Windows 10 (Windows 10) -description: This topic describes the options for customizing Start layout in LayoutModification.xml for Windows 10 desktop editions. +description: This article describes the options for customizing Start layout in LayoutModification.xml for Windows 10 desktop editions. keywords: ["start screen"] ms.prod: w10 ms.mktglfcycl: manage @@ -28,9 +28,9 @@ On Windows 10 for desktop editions, the customized Start works by: - Windows 10 checks the chosen base default layout, such as the desktop edition and whether Cortana is supported for the country/region. - Windows 10 reads the LayoutModification.xml file and allows groups to be appended to Start. The groups have the following constraints: - - 2 groups that are 6 columns wide, or equivalent to the width of 3 medium tiles. - - 2 medium-sized tile rows in height. Windows 10 ignores any tiles that are pinned beyond the second row. - - No limit to the number of apps that can be pinned. There is a theoretical limit of 24 tiles per group (4 small tiles per medium square x 3 columns x 2 rows). + - Two groups that are six columns wide, or equivalent to the width of three medium tiles. + - Two medium-sized tile rows in height. Windows 10 ignores any tiles that are pinned beyond the second row. + - No limit to the number of apps that can be pinned. There's a theoretical limit of 24 tiles per group (four small tiles per medium square x 3 columns x 2 rows). >[!NOTE] >To use the layout modification XML to configure Start with roaming user profiles, see [Deploying Roaming User Profiles](/windows-server/storage/folder-redirection/deploy-roaming-user-profiles#step-7-optionally-specify-a-start-layout-for-windows-10-pcs). @@ -78,18 +78,18 @@ The following table lists the supported elements and attributes for the LayoutMo | [RequiredStartGroups](#requiredstartgroups)

      Parent:
      RequiredStartGroupsCollection | Region | Use to contain the AppendGroup tags, which represent groups that can be appended to the default Start layout | | [AppendGroup](#appendgroup)

      Parent:
      RequiredStartGroups | Name | Use to specify the tiles that need to be appended to the default Start layout | | [start:Tile](#specify-start-tiles)

      Parent:
      AppendGroup | AppUserModelID
      Size
      Row
      Column | Use to specify any of the following:
      - A Universal Windows app
      - A Windows 8 or Windows 8.1 app

      Note that AppUserModelID is case-sensitive. | -start:Folder

      Parent:
      start:Group | Name (in Windows 10, version 1809 and later only)
      Size
      Row
      Column
      LocalizedNameResourcetag | Use to specify a folder of icons; can include [Tile](#start-tile), [SecondaryTile](#start-secondarytile), and [DesktopApplicationTile](#start-desktopapplicationtile). -| start:DesktopApplicationTile

      Parent:
      AppendGroup | DesktopApplicationID
      DesktopApplicationLinkPath
      Size
      Row
      Column | Use to specify any of the following:
      - A Windows desktop application with a known AppUserModelID
      - An application in a known folder with a link in a legacy Start Menu folder
      - A Windows desktop application link in a legacy Start Menu folder
      - A Web link tile with an associated .url file that is in a legacy Start Menu folder | +| start:Folder

      Parent:
      start:Group | Name (in Windows 10, version 1809 and later only)
      Size
      Row
      Column
      LocalizedNameResourcetag | Use to specify a folder of icons; can include [Tile](#start-tile), [SecondaryTile](#start-secondarytile), and [DesktopApplicationTile](#start-desktopapplicationtile). | +| start:DesktopApplicationTile

      Parent:
      AppendGroup | DesktopApplicationID
      DesktopApplicationLinkPath
      Size
      Row
      Column | Use to specify any of the following:
      - A Windows desktop application with a known AppUserModelID
      - An application in a known folder with a link in a legacy Start Menu folder
      - A Windows desktop application link in a legacy Start Menu folder
      - A Web link tile with an associated `.url` file that is in a legacy Start Menu folder | | start:SecondaryTile

      Parent:
      AppendGroup | AppUserModelID
      TileID
      Arguments
      DisplayName
      Square150x150LogoUri
      ShowNameOnSquare150x150Logo
      ShowNameOnWide310x150Logo
      Wide310x150LogoUri
      BackgroundColor
      ForegroundText
      IsSuggestedApp
      Size
      Row
      Column | Use to pin a Web link through a Microsoft Edge secondary tile. Note that AppUserModelID is case-sensitive. | -| TopMFUApps

      Parent:
      LayoutModificationTemplate | n/a | Use to add up to 3 default apps to the frequently used apps section in the system area.

      **Note**: Only applies to versions of Windows 10 earlier than version 1709. In Windows 10, version 1709, you can no longer pin apps to the Most Frequently Used apps list in Start. | +| TopMFUApps

      Parent:
      LayoutModificationTemplate | n/a | Use to add up to three default apps to the frequently used apps section in the system area.

      **Note**: Only applies to versions of Windows 10 earlier than version 1709. In Windows 10, version 1709, you can no longer pin apps to the Most Frequently Used apps list in Start. | | Tile

      Parent:
      TopMFUApps | AppUserModelID | Use with the TopMFUApps tags to specify an app with a known AppUserModelID.

      **Note**: Only applies to versions of Windows 10 earlier than version 1709. In Windows 10, version 1709, you can no longer pin apps to the Most Frequently Used apps list in Start. | | DesktopApplicationTile

      Parent:
      TopMFUApps | LinkFilePath | Use with the TopMFUApps tags to specify an app without a known AppUserModelID.

      **Note**: Only applies to versions of Windows 10 earlier than version 1709. In Windows 10, version 1709, you can no longer pin apps to the Most Frequently Used apps list in Start. | -| AppendOfficeSuite

      Parent:
      LayoutModificationTemplate | n/a | Use to add the in-box installed Office suite to Start. For more information, see [Customize the Office suite of tiles](/windows-hardware/customize/desktop/customize-start-layout#customize-the-office-suite-of-tiles).

      Do not use this tag with AppendDownloadOfficeTile | +| AppendOfficeSuite

      Parent:
      LayoutModificationTemplate | n/a | Use to add the in-box installed Office suite to Start. For more information, see [Customize the Office suite of tiles](/windows-hardware/customize/desktop/customize-start-layout#customize-the-office-suite-of-tiles).

      Don't use this tag with AppendDownloadOfficeTile. | | AppendDownloadOfficeTile

      Parent:
      LayoutModificationTemplate | n/a | Use to add a specific **Download Office** tile to a specific location in Start

      Do not use this tag with AppendOfficeSuite | ### LayoutOptions -New devices running Windows 10 for desktop editions will default to a Start menu with 2 columns of tiles unless boot to tablet mode is enabled. Devices with screens that are under 10" have boot to tablet mode enabled by default. For these devices, users see the full screen Start on the desktop. You can adjust the following features: +New devices running Windows 10 for desktop editions will default to a Start menu with two columns of tiles unless boot to tablet mode is enabled. Devices with screens that are under 10" have boot to tablet mode enabled by default. For these devices, users see the full screen Start on the desktop. You can adjust the following features: - Boot to tablet mode can be set on or off. - Set full screen Start on desktop to on or off. @@ -97,7 +97,7 @@ New devices running Windows 10 for desktop editions will default to a Start menu - Specify the number of columns in the Start menu to 1 or 2. To do this, add the LayoutOptions element in your LayoutModification.xml file and set the StartTileGroupsColumnCount attribute to 1 or 2. -The following example shows how to use the LayoutOptions element to specify full screen Start on the desktop and to use 1 column in the Start menu: +The following example shows how to use the LayoutOptions element to specify full screen Start on the desktop and to use one column in the Start menu: ```XML [!IMPORTANT] >For Windows 10 for desktop editions, you can add a maximum of two (2) **AppendGroup** tags per **RequiredStartGroups** tag. -You can also assign regions to the append groups in the **RequiredStartGroups** tag's using the optional **Region** attribute or you can use the multivariant capabilities in Windows provisioning. If you are using the **Region** attribute, you must use a two-letter country code to specify the country/region that the append group(s) apply to. To specify more than one country/region, use a pipe ("|") delimiter as shown in the following example: +You can also assign regions to the append groups in the **RequiredStartGroups** tag's using the optional **Region** attribute or you can use the multivariant capabilities in Windows provisioning. If you're using the **Region** attribute, you must use a two-letter country code to specify the country/region that the append group(s) apply to. To specify more than one country/region, use a pipe ("|") delimiter as shown in the following example: ```XML [!NOTE] >In Start layouts for Windows 10, version 1703, you should use **DesktopApplicationID** rather than **DesktopApplicationLinkPath** if you are using Group Policy or MDM to apply the start layout and the application was installed after the user's first sign-in. @@ -210,7 +210,7 @@ You can use the **start:DesktopApplicationTile** tag to pin a Windows desktop ap If you are pointing to a third-party Windows desktop application and the layout is being applied before the first boot, you must put the .lnk file in a legacy Start Menu directory before first boot; for example, "%APPDATA%\Microsoft\Windows\Start Menu\Programs\" or the all users profile "%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\". -- By using the application's application user model ID, if this is known. If the Windows desktop application doesn't have one, use the shortcut link option. +- Use the application's application user model ID, if this is known. If the Windows desktop application doesn't have one, use the shortcut link option. You can use the [Get-StartApps cmdlet](/powershell/module/startlayout/get-startapps) on a PC that has the application pinned to Start to obtain the app ID. @@ -230,7 +230,7 @@ You can use the **start:DesktopApplicationTile** tag to pin a Windows desktop ap You can also use the **start:DesktopApplicationTile** tag as one of the methods for pinning a Web link to Start. The other method is to use a Microsoft Edge secondary tile. -To pin a legacy .url shortcut to Start, you must create .url file (right-click on the desktop, select **New** > **Shortcut**, and then type a Web URL). You must add this .url file in a legacy Start Menu directory before first boot; for example, `%APPDATA%\Microsoft\Windows\Start Menu\Programs\` or the all users profile `%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\`. +To pin a legacy `.url` shortcut to Start, you must create a `.url` file (right-click on the desktop, select **New** > **Shortcut**, and then type a Web URL). You must add this `.url` file in a legacy Start Menu directory before first boot; for example, `%APPDATA%\Microsoft\Windows\Start Menu\Programs\` or the all users profile `%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\`. The following example shows how to create a tile of the Web site's URL, which you can treat similarly to a Windows desktop application tile: @@ -248,7 +248,7 @@ The following example shows how to create a tile of the Web site's URL, which yo #### start:SecondaryTile -You can use the **start:SecondaryTile** tag to pin a Web link through a Microsoft Edge secondary tile. This method doesn't require any additional action compared to the method of using legacy .url shortcuts (through the start:DesktopApplicationTile tag). +You can use the **start:SecondaryTile** tag to pin a Web link through a Microsoft Edge secondary tile. This method doesn't require any additional action compared to the method of using legacy `.url` shortcuts (through the start:DesktopApplicationTile tag). The following example shows how to create a tile of the Web site's URL using the Microsoft Edge secondary tile: @@ -444,7 +444,7 @@ The following sample LayoutModification.xml shows how you can configure the Star The Windows Provisioning multivariant capability allows you to declare target conditions that, when met, supply specific customizations for each variant condition. For Start customization, you can create specific layouts for each variant that you have. To do this, you must create a separate LayoutModification.xml file for each variant that you want to support and then include these in your provisioning package. For more information on how to do this, see [Create a provisioning package with multivariant settings](./provisioning-packages/provisioning-multivariant.md). -The provisioning engine chooses the right customization file based on the target conditions that were met, adds the file in the location that's specified for the setting, and then uses the specific file to customize Start. To differentiate between layouts, you can add modifiers to the LayoutModification.xml filename such as "LayoutCustomization1". Regardless of the modifier that you use, the provsioning engine will always output "LayoutCustomization.xml" so that the operating system has a consistent file name to query against. +The provisioning engine chooses the right customization file based on the target conditions that were met, adds the file in the location that's specified for the setting, and then uses the specific file to customize Start. To differentiate between layouts, you can add modifiers to the LayoutModification.xml filename such as "LayoutCustomization1". Regardless of the modifier that you use, the provisioning engine will always output "LayoutCustomization.xml" so that the operating system has a consistent file name to query against. For example, if you want to ensure that there's a specific layout for a certain condition, you can: 1. Create a specific layout customization file and then name it LayoutCustomization1.xml. @@ -511,7 +511,7 @@ You must repeat this process for all variants that you want to support so that e Once you have created your LayoutModification.xml file to customize devices that will run Windows 10 for desktop editions, you can use Windows ICD methods to add the XML file to the device. -1. In the **Available customizations** pane, expand **Runtime settings**, select **Start** and then click the **StartLayout** setting. +1. In the **Available customizations** pane, expand **Runtime settings**, select **Start** > Select the **StartLayout** setting. 2. In the middle pane, click **Browse** to open File Explorer. 3. In the File Explorer window, navigate to the location where you saved your LayoutModification.xml file. 4. Select the file and then click **Open**. @@ -524,16 +524,6 @@ This should set the value of **StartLayout**. The setting appears in the **Selec Once you have created the LayoutModification.xml file and it is present in the device, the system overrides the base default layout and any Unattend settings used to customize Start. - - - - - - - - - - ## Related topics - [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md) @@ -542,9 +532,5 @@ Once you have created the LayoutModification.xml file and it is present in the d - [Add image for secondary tiles](start-secondary-tiles.md) - [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) - [Customize Windows 10 Start and taskbar with provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) -- [Customize Windows 10 Start and tasbkar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) +- [Customize Windows 10 Start and taskbar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) - [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md) -- [Start layout XML for mobile editions of Windows 10 (reference)](mobile-devices/start-layout-xml-mobile.md) - - - diff --git a/windows/configuration/supported-csp-taskbar-windows.md b/windows/configuration/supported-csp-taskbar-windows.md index 2d7577e32a..1605544834 100644 --- a/windows/configuration/supported-csp-taskbar-windows.md +++ b/windows/configuration/supported-csp-taskbar-windows.md @@ -35,6 +35,10 @@ For more general information, see [Configuration service provider (CSP) referenc - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Do not allow pinning programs to the Taskbar` - Local setting: None +- [Experience/ConfigureChatIcon](/windows/client-management/mdm/policy-csp-experience#experience-configurechaticonvisibilityonthetaskbar) + - Group policy: `Computer Configuration\Administrative Templates\Windows Components\Chat` + - Local setting: Settings > Personalization > Taskbar > Chat + ## Existing CSP policies that Windows 11 doesn't support The following list includes some of the CSP policies that aren't supported on Windows 11: diff --git a/windows/configuration/wcd/wcd-accounts.md b/windows/configuration/wcd/wcd-accounts.md index 2e172a122e..f5ef92247d 100644 --- a/windows/configuration/wcd/wcd-accounts.md +++ b/windows/configuration/wcd/wcd-accounts.md @@ -19,19 +19,18 @@ Use these settings to join a device to an Active Directory domain or an Azure Ac ## Applies to -| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| [Azure](#azure) | X | X | X | X | | -| [ComputerAccount](#computeraccount) | X | | X | | X | -| [Users](#users) | X | | X | X | | +| Setting groups | Desktop editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| [Azure](#azure) | ✔️ | ✔️ | ✔️ | | +| [ComputerAccount](#computeraccount) | ✔️ | ✔️ | | ✔️ | +| [Users](#users) | ✔️ | ✔️ | ✔️ | | ## Azure -The **Azure > Authority** and **Azure > BPRT** settings for bulk Azure Active Directory (Azure AD) enrollment can only be configured using one of the provisioning wizards. After you get a bulk token for Azure AD enrollment in a wizard, you can switch to the advanced editor to configure additional provisioning settings. For information about using the wizards, see: +The **Azure > Authority** and **Azure > BPRT** settings for bulk Azure Active Directory (Azure AD) enrollment can only be configured using one of the provisioning wizards. After you get a bulk token for Azure AD enrollment in a wizard, you can switch to the advanced editor to configure more provisioning settings. For information about using the wizards, see: - [Instructions for desktop wizard](../provisioning-packages/provision-pcs-for-initial-deployment.md) -- [Instructions for the mobile wizard](../mobile-devices/provisioning-configure-mobile.md) - [Instructions for the kiosk wizard](../kiosk-single-app.md#wizard) ## ComputerAccount @@ -43,11 +42,11 @@ Specifies the settings you can configure when joining a device to a domain, incl | Setting | Value | Description | | --- | --- | --- | -| Account | string | Account to use to join computer to domain | +| Account | String | Account to use to join computer to domain | | AccountOU | Enter the full path for the organizational unit. For example: OU=testOU,DC=domain,DC=Domain,DC=com. | Name of organizational unit for the computer account | -| ComputerName | On desktop PCs, this setting specifies the DNS hostname of the computer (Computer Name) up to 63 characters. Use `%RAND:x%` to generate x number of random digits in the name, where x must be a number less than 63. For domain-joined computers, the unique name must use `%RAND:x%`. Use `%SERIAL%` to generate the name with the `computer's` serial number embedded. If the serial number exceeds the character limit, it will be truncated from the beginning of the sequence. The character restriction limit does not count the length of the macros, `%RAND:x%` and `%SERIAL%`. This setting is supported only in Windows 10, version 1803 and later. To change this setting in Windows 10, version 1709 and earlier releases, use the **ComputerName** setting under **Accounts**. | Specifies the name of the Windows device (computer name on PCs) | -| DomainName | string (cannot be empty) | Specify the name of the domain that the device will join | -| Password | string (cannot be empty) | Corresponds to the password of the user account that's authorized to join the computer account to the domain. | +| ComputerName | On desktop PCs, this setting specifies the DNS hostname of the computer (Computer Name) up to 63 characters. Use `%RAND:x%` to generate x number of random digits in the name, where x must be a number less than 63. For domain-joined computers, the unique name must use `%RAND:x%`. Use `%SERIAL%` to generate the name with the `computer's` serial number embedded. If the serial number exceeds the character limit, it will be truncated from the beginning of the sequence. The character restriction limit doesn't count the length of the macros, including `%RAND:x%` and `%SERIAL%`. This setting is supported only in Windows 10, version 1803 and later. To change this setting in Windows 10 version 1709 and earlier releases, use the **ComputerName** setting under **Accounts**. | Specifies the name of the Windows device (computer name on PCs) | +| DomainName | String (cannot be empty) | Specify the name of the domain that the device will join | +| Password | String (cannot be empty) | Corresponds to the password of the user account that's authorized to join the computer account to the domain. | ## Users @@ -55,7 +54,7 @@ Use these settings to add local user accounts to the device. | Setting | Value | Description | | --- | --- | --- | -| UserName | string (cannot be empty) | Specify a name for the local user account | -| HomeDir | string (cannot be empty) | Specify the path of the home directory for the user | -| Password | string (cannot be empty) | Specify the password for the user account | -| UserGroup | string (cannot be empty) | Specify the local user group for the user | +| UserName | String (cannot be empty) | Specify a name for the local user account | +| HomeDir | String (cannot be empty) | Specify the path of the home directory for the user | +| Password | String (cannot be empty) | Specify the password for the user account | +| UserGroup | String (cannot be empty) | Specify the local user group for the user | diff --git a/windows/configuration/wcd/wcd-embeddedlockdownprofiles.md b/windows/configuration/wcd/wcd-embeddedlockdownprofiles.md deleted file mode 100644 index fe3e097ba5..0000000000 --- a/windows/configuration/wcd/wcd-embeddedlockdownprofiles.md +++ /dev/null @@ -1,32 +0,0 @@ ---- -title: EmbeddedLockdownProfiles (Windows 10) -description: This section describes the EmbeddedLockdownProfiles setting that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.localizationpriority: medium -ms.author: greglin -ms.topic: article -ms.date: 09/06/2017 -ms.reviewer: -manager: dansimp ---- - -# EmbeddedLockdownProfiles (Windows Configuration Designer reference) - -Use to apply an XML configuration to a mobile device that locks down the device, configures custom layouts, and define multiple roles. - -## Applies to - -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| AssignedAccessXml | | X | | | | - -1. Create a lockdown XML file, either by using [the Lockdown Designer app](../mobile-devices/mobile-lockdown-designer.md) or [manually](../mobile-devices/lockdown-xml.md). -2. In the **AssignedAccessXml** setting, browse to and select the lockdown XML file that you created. - - -## Related topics - -- [EnterpriseAssignedAccess configuration service provider (CSP)](/windows/client-management/mdm/enterpriseassignedaccess-csp) \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-start.md b/windows/configuration/wcd/wcd-start.md index 743151817b..8ac49fc3d0 100644 --- a/windows/configuration/wcd/wcd-start.md +++ b/windows/configuration/wcd/wcd-start.md @@ -19,10 +19,9 @@ Use Start settings to apply a customized Start screen to devices. ## Applies to -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| StartLayout | X | X | | | | -| StartLayoutFilePath | | X | | | | +| Setting | Desktop editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| StartLayout | X | | | | >[!IMPORTANT] >The StartLayout setting is available in the advanced provisioning for Windows 10 desktop editions, but should only be used to apply a layout to Windows 10 Mobile devices. For desktop editions, use [Policies > StartLayout](wcd-policies.md#start). @@ -31,11 +30,3 @@ Use Start settings to apply a customized Start screen to devices. Use StartLayout to select the `LayoutModification.xml` file that applies a customized Start screen to a mobile device. ->[!NOTE] ->The XML file that defines the Start layout for Windows 10 Mobile must be named `LayoutModification.xml`. - -For more information, see [Start layout XML for mobile editions of Windows 10](../mobile-devices/lockdown-xml.md)). - -## StartLayoutFilePath - -Do not use. diff --git a/windows/configuration/wcd/wcd.md b/windows/configuration/wcd/wcd.md index f1e1091bc6..8d75210e45 100644 --- a/windows/configuration/wcd/wcd.md +++ b/windows/configuration/wcd/wcd.md @@ -18,74 +18,74 @@ This section describes the settings that you can configure in [provisioning pack ## Edition that each group of settings applies to -| Setting group | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -[AccountManagement](wcd-accountmanagement.md) | | | | X | | -| [Accounts](wcd-accounts.md) | X | X | X | X | X | -| [ADMXIngestion](wcd-admxingestion.md) | X | | | | | -| [AssignedAccess](wcd-assignedaccess.md) | X | | | X | | -| [AutomaticTime](wcd-automatictime.md) | | X | | | | -| [Browser](wcd-browser.md) | X | X | X | | | -| [CallAndMessagingEnhancement](wcd-callandmessagingenhancement.md) | | X | | | | -| [Calling](wcd-calling.md) | | X | | | | -| [CellCore](wcd-cellcore.md) | X | X | | | | -| [Cellular](wcd-cellular.md) | X | | | | | -| [Certificates](wcd-certificates.md) | X | X | X | X | X | -| [CleanPC](wcd-cleanpc.md) | X | | | | | -| [Connections](wcd-connections.md) | X | X | X | | | -| [ConnectivityProfiles](wcd-connectivityprofiles.md) | X | X | X | X | | -| [CountryAndRegion](wcd-countryandregion.md) | X | X | X | | | -| [DesktopBackgroundAndColors](wcd-desktopbackgroundandcolors.md) | X | | | | | -| [DeveloperSetup](wcd-developersetup.md) | | | | X | | -| [DeviceFormFactor](wcd-deviceformfactor.md) | X | X | X | | | -| [DeviceInfo](wcd-deviceinfo.md) | | X | | | | -| [DeviceManagement](wcd-devicemanagement.md) | X | X | X | X | | -| [DeviceUpdateCenter](wcd-deviceupdatecenter.md) | X | | | | | -| [DMClient](wcd-dmclient.md) | X | X | X | | X | -| [EditionUpgrade](wcd-editionupgrade.md) | X | X | | X | | -| [EmbeddedLockdownProfiles](wcd-embeddedlockdownprofiles.md) | | X | | | | -| [FirewallConfiguration](wcd-firewallconfiguration.md) | | | | | X | -| [FirstExperience](wcd-firstexperience.md) | | | | X | | -| [Folders](wcd-folders.md) |X | X | X | | | -| [InitialSetup](wcd-initialsetup.md) | | X | | | | -| [InternetExplorer](wcd-internetexplorer.md) | | X | | | | -| [KioskBrowser](wcd-kioskbrowser.md) | | | | | X | -| [Licensing](wcd-licensing.md) | X | | | | | -| [Location](wcd-location.md) | | | | | X | -| [Maps](wcd-maps.md) |X | X | X | | | -| [Messaging](wcd-messaging.md) | | X | | | | -| [ModemConfigurations](wcd-modemconfigurations.md) | | X | | | | -| [Multivariant](wcd-multivariant.md) | | X | | | | -| [NetworkProxy](wcd-networkproxy.md) | | | X | | | -| [NetworkQOSPolicy](wcd-networkqospolicy.md) | | | X | | | -| [NFC](wcd-nfc.md) | | X | | | | -| [OOBE](wcd-oobe.md) | X | X | | | | -| [OtherAssets](wcd-otherassets.md) | | X | | | | -| [Personalization](wcd-personalization.md) | X | | | | | -| [Policies](wcd-policies.md) | X | X | X | X | X | -| [Privacy](wcd-folders.md) |X | X | X | | X | -| [ProvisioningCommands](wcd-provisioningcommands.md) | X | | | | | -| [RcsPresence](wcd-rcspresence.md) | | X | | | | -| [SharedPC](wcd-sharedpc.md) | X | | | | | -| [Shell](wcd-shell.md) | | X | | | | -| [SMISettings](wcd-smisettings.md) | X | | | | | -| [Start](wcd-start.md) | X | X | | | | -| [StartupApp](wcd-startupapp.md) | | | | | X | -| [StartupBackgroundTasks](wcd-startupbackgroundtasks.md) | | | | | X | -| [StorageD3InModernStandby](wcd-storaged3inmodernstandby.md) |X | X | X | | X | -| [SurfaceHubManagement](wcd-surfacehubmanagement.md) | | | X | | | -| [TabletMode](wcd-tabletmode.md) |X | X | X | | | -| [TakeATest](wcd-takeatest.md) | X | | | | | -| [TextInput](wcd-textinput.md) | | X | | | | -| [Theme](wcd-theme.md) | | X | | | | -| [Time](wcd-time.md) | X | | | | | -| [UnifiedWriteFilter](wcd-unifiedwritefilter.md) | X | | | | X | -| [UniversalAppInstall](wcd-universalappinstall.md) | X | X | X | | X | -| [UniversalAppUninstall](wcd-universalappuninstall.md) | X | X | X | | X | -| [UsbErrorsOEMOverride](wcd-usberrorsoemoverride.md) | X | X | X | | | -| [WeakCharger](wcd-weakcharger.md) |X | X | X | | | -| [WindowsHelloForBusiness](wcd-windowshelloforbusiness.md) | X | | | | | -| [WindowsTeamSettings](wcd-windowsteamsettings.md) | | | X | | | -| [Workplace](wcd-workplace.md) |X | X | X | | X | +| Setting group | Desktop editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| [AccountManagement](wcd-accountmanagement.md) | | | ✔️ | | +| [Accounts](wcd-accounts.md) | ✔️ | ✔️ | ✔️ | ✔️ | +| [ADMXIngestion](wcd-admxingestion.md) | ✔️ | | | | +| [AssignedAccess](wcd-assignedaccess.md) | ✔️ | | ✔️ | | +| [AutomaticTime](wcd-automatictime.md) | | | | | +| [Browser](wcd-browser.md) | ✔️ | ✔️ | | | +| [CallAndMessagingEnhancement](wcd-callandmessagingenhancement.md) | | | | | +| [Calling](wcd-calling.md) | | | | | +| [CellCore](wcd-cellcore.md) | ✔️ | | | | +| [Cellular](wcd-cellular.md) | ✔️ | | | | +| [Certificates](wcd-certificates.md) | ✔️ | ✔️ | ✔️ | ✔️ | +| [CleanPC](wcd-cleanpc.md) | ✔️ | | | | +| [Connections](wcd-connections.md) | ✔️ | ✔️ | | | +| [ConnectivityProfiles](wcd-connectivityprofiles.md) | ✔️ | ✔️ | ✔️ | | +| [CountryAndRegion](wcd-countryandregion.md) | ✔️ | ✔️ | | | +| [DesktopBackgroundAndColors](wcd-desktopbackgroundandcolors.md) | ✔️ | | | | +| [DeveloperSetup](wcd-developersetup.md) | | | ✔️ | | +| [DeviceFormFactor](wcd-deviceformfactor.md) | ✔️ | ✔️ | | | +| [DeviceInfo](wcd-deviceinfo.md) | | | | | +| [DeviceManagement](wcd-devicemanagement.md) | ✔️ | ✔️ | ✔️ | | +| [DeviceUpdateCenter](wcd-deviceupdatecenter.md) | ✔️ | | | | +| [DMClient](wcd-dmclient.md) | ✔️ | ✔️ | | ✔️ | +| [EditionUpgrade](wcd-editionupgrade.md) | ✔️ | | ✔️ | | +| [EmbeddedLockdownProfiles](wcd-embeddedlockdownprofiles.md) | | | | | +| [FirewallConfiguration](wcd-firewallconfiguration.md) | | | | ✔️ | +| [FirstExperience](wcd-firstexperience.md) | | | ✔️ | | +| [Folders](wcd-folders.md) |✔️ | ✔️ | | | +| [InitialSetup](wcd-initialsetup.md) | | | | | +| [InternetExplorer](wcd-internetexplorer.md) | | | | | +| [KioskBrowser](wcd-kioskbrowser.md) | | | | ✔️ | +| [Licensing](wcd-licensing.md) | ✔️ | | | | +| [Location](wcd-location.md) | | | | ✔️ | +| [Maps](wcd-maps.md) |✔️ | ✔️ | | | +| [Messaging](wcd-messaging.md) | | | | | +| [ModemConfigurations](wcd-modemconfigurations.md) | | | | | +| [Multivariant](wcd-multivariant.md) | | | | | +| [NetworkProxy](wcd-networkproxy.md) | | ✔️ | | | +| [NetworkQOSPolicy](wcd-networkqospolicy.md) | | ✔️ | | | +| [NFC](wcd-nfc.md) | | | | | +| [OOBE](wcd-oobe.md) | ✔️ | | | | +| [OtherAssets](wcd-otherassets.md) | | | | | +| [Personalization](wcd-personalization.md) | ✔️ | | | | +| [Policies](wcd-policies.md) | ✔️ | ✔️ | ✔️ | ✔️ | +| [Privacy](wcd-folders.md) |✔️ | ✔️ | | ✔️ | +| [ProvisioningCommands](wcd-provisioningcommands.md) | ✔️ | | | | +| [RcsPresence](wcd-rcspresence.md) | | | | | +| [SharedPC](wcd-sharedpc.md) | ✔️ | | | | +| [Shell](wcd-shell.md) | | | | | +| [SMISettings](wcd-smisettings.md) | ✔️ | | | | +| [Start](wcd-start.md) | ✔️ | | | | +| [StartupApp](wcd-startupapp.md) | | | | ✔️ | +| [StartupBackgroundTasks](wcd-startupbackgroundtasks.md) | | | | ✔️ | +| [StorageD3InModernStandby](wcd-storaged3inmodernstandby.md) |✔️ | ✔️ | | ✔️ | +| [SurfaceHubManagement](wcd-surfacehubmanagement.md) | | ✔️ | | | +| [TabletMode](wcd-tabletmode.md) |✔️ | ✔️ | | | +| [TakeATest](wcd-takeatest.md) | ✔️ | | | | +| [TextInput](wcd-textinput.md) | | | | | +| [Theme](wcd-theme.md) | | | | | +| [Time](wcd-time.md) | ✔️ | | | | +| [UnifiedWriteFilter](wcd-unifiedwritefilter.md) | ✔️ | | | ✔️ | +| [UniversalAppInstall](wcd-universalappinstall.md) | ✔️ | ✔️ | | ✔️ | +| [UniversalAppUninstall](wcd-universalappuninstall.md) | ✔️ | ✔️ | | ✔️ | +| [UsbErrorsOEMOverride](wcd-usberrorsoemoverride.md) | ✔️ | ✔️ | | | +| [WeakCharger](wcd-weakcharger.md) |✔️ | ✔️ | | | +| [WindowsHelloForBusiness](wcd-windowshelloforbusiness.md) | ✔️ | | | | +| [WindowsTeamSettings](wcd-windowsteamsettings.md) | | ✔️ | | | +| [Workplace](wcd-workplace.md) |✔️ | ✔️ | | ✔️ | diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml index 18817d1d38..1d1df993e0 100644 --- a/windows/deployment/TOC.yml +++ b/windows/deployment/TOC.yml @@ -15,9 +15,8 @@ href: update/quality-updates.md - name: Basics of Windows updates, channels, and tools href: update/get-started-updates-channels-tools.md - - name: Servicing the Windows 10 operating system + - name: Prepare servicing strategy for Windows client updates href: update/waas-servicing-strategy-windows-10-updates.md - - name: Deployment proof of concept items: - name: Demonstrate Autopilot deployment on a VM @@ -47,15 +46,13 @@ href: update/plan-determine-app-readiness.md - name: Define your servicing strategy href: update/plan-define-strategy.md - - name: Delivery Optimization for Windows 10 updates + - name: Delivery Optimization for Windows client updates href: update/waas-delivery-optimization.md items: - name: Using a proxy with Delivery Optimization href: update/delivery-optimization-proxy.md - name: Delivery Optimization client-service communication href: update/delivery-optimization-workflow.md - - name: Best practices for feature updates on mission-critical devices - href: update/feature-update-mission-critical.md - name: Windows 10 deployment considerations href: planning/windows-10-deployment-considerations.md - name: Windows 10 infrastructure requirements @@ -79,15 +76,15 @@ items: - name: Prepare for Windows 11 href: /windows/whats-new/windows-11-prepare - - name: Prepare to deploy Windows 10 updates + - name: Prepare to deploy Windows client updates href: update/prepare-deploy-windows.md - name: Evaluate and update infrastructure href: update/update-policies.md - name: Update Baseline href: update/update-baseline.md - - name: Set up Delivery Optimization for Windows 10 updates + - name: Set up Delivery Optimization for Windows client updates href: update/waas-delivery-optimization-setup.md - - name: Configure BranchCache for Windows 10 updates + - name: Configure BranchCache for Windows client updates href: update/waas-branchcache.md - name: Prepare your deployment tools items: @@ -97,8 +94,6 @@ href: deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md - name: Build a successful servicing strategy items: - - name: Build deployment rings for Windows 10 updates - href: update/waas-deployment-rings-windows-10-updates.md - name: Check release health href: update/check-release-health.md - name: Prepare updates using Windows Update for Business @@ -121,7 +116,7 @@ - name: Replace a device href: deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md - name: In-place upgrade - href: deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager.md + href: deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md - name: Deploy Windows client with MDT items: - name: Deploy to a new device @@ -134,15 +129,15 @@ href: deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md - name: Subscription Activation items: - - name: Windows 10 Subscription Activation + - name: Windows 10/11 Subscription Activation href: windows-10-subscription-activation.md - - name: Windows 10 Enterprise E3 in CSP + - name: Windows 10/11 Enterprise E3 in CSP href: windows-10-enterprise-e3-overview.md - name: Configure VDA for Subscription Activation href: vda-subscription-activation.md - - name: Deploy Windows 10 Enterprise licenses + - name: Deploy Windows 10/11 Enterprise licenses href: deploy-enterprise-licenses.md - - name: Deploy Windows 10 updates + - name: Deploy Windows client updates items: - name: Assign devices to servicing channels href: update/waas-servicing-channels-windows-10-updates.md @@ -154,22 +149,18 @@ href: update/waas-manage-updates-wsus.md - name: Deploy updates with Group Policy href: update/waas-wufb-group-policy.md - - name: Update Windows 10 media with Dynamic Update + - name: Update Windows client media with Dynamic Update href: update/media-dynamic-update.md - name: Migrating and acquiring optional Windows content href: update/optional-content.md - name: Safeguard holds href: update/safeguard-holds.md - - name: Manage the Windows 10 update experience + - name: Manage the Windows client update experience items: - name: Manage device restarts after updates href: update/waas-restart.md - name: Manage additional Windows Update settings - href: update/waas-wu-settings.md - - name: Deploy feature updates during maintenance windows - href: update/feature-update-maintenance-window.md - - name: Deploy feature updates for user-initiated installations - href: update/feature-update-user-install.md + href: update/waas-wu-settings.md - name: Use Windows Update for Business items: - name: What is Windows Update for Business? @@ -189,7 +180,7 @@ href: update/waas-wufb-group-policy.md - name: 'Walkthrough: use Intune to configure Windows Update for Business' href: update/deploy-updates-intune.md - - name: Monitor Windows 10 updates + - name: Monitor Windows client updates items: - name: Monitor Delivery Optimization href: update/waas-delivery-optimization-setup.md#monitor-delivery-optimization @@ -238,7 +229,7 @@ items: - name: Resolve upgrade errors items: - - name: Resolve Windows 10 upgrade errors + - name: Resolve Windows client upgrade errors href: upgrade/resolve-windows-10-upgrade-errors.md - name: Quick fixes href: upgrade/quick-fixes.md @@ -254,7 +245,7 @@ href: upgrade/log-files.md - name: Resolution procedures href: upgrade/resolution-procedures.md - - name: Submit Windows 10 upgrade errors + - name: Submit Windows client upgrade errors href: upgrade/submit-errors.md - name: Troubleshoot Windows Update items: @@ -275,9 +266,9 @@ items: - name: How does Windows Update work? href: update/how-windows-update-works.md - - name: Windows 10 upgrade paths + - name: Windows client upgrade paths href: upgrade/windows-10-upgrade-paths.md - - name: Windows 10 edition upgrade + - name: Windows client edition upgrade href: upgrade/windows-10-edition-upgrades.md - name: Deploy Windows 10 with Microsoft 365 href: deploy-m365.md @@ -289,11 +280,11 @@ href: update/waas-wu-settings.md - name: Delivery Optimization reference href: update/waas-delivery-optimization-reference.md - - name: Windows 10 in S mode + - name: Windows client in S mode href: s-mode.md - - name: Switch to Windows 10 Pro or Enterprise from S mode + - name: Switch to Windows client Pro or Enterprise from S mode href: windows-10-pro-in-s-mode.md - - name: Windows 10 deployment tools + - name: Windows client deployment tools items: - name: Windows client deployment scenarios and tools items: @@ -580,5 +571,5 @@ - name: "Appendix: Information sent to Microsoft during activation " href: volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md - - name: Install fonts in Windows 10 + - name: Install fonts in Windows client href: windows-10-missing-fonts.md diff --git a/windows/deployment/deploy-enterprise-licenses.md b/windows/deployment/deploy-enterprise-licenses.md index 1101efd400..9b4d7283c3 100644 --- a/windows/deployment/deploy-enterprise-licenses.md +++ b/windows/deployment/deploy-enterprise-licenses.md @@ -1,10 +1,10 @@ --- -title: Deploy Windows 10 Enterprise licenses +title: Deploy Windows 10/11 Enterprise licenses ms.reviewer: manager: laurawi ms.audience: itpro ms.author: greglin -description: Steps to deploy Windows 10 Enterprise licenses for Windows 10 Enterprise E3 or E5 Subscription Activation, or for Windows 10 Enterprise E3 in CSP +description: Steps to deploy Windows 10 Enterprise or Windows 11 Enterprise licenses for Windows 10/11 Enterprise E3 or E5 Subscription Activation, or for Windows 10/11 Enterprise E3 in CSP keywords: upgrade, update, task sequence, deploy ms.prod: w10 ms.mktglfcycl: deploy @@ -16,18 +16,18 @@ author: greg-lindsay ms.topic: article --- -# Deploy Windows 10 Enterprise licenses +# Deploy Windows 10/11 Enterprise licenses -This topic describes how to deploy Windows 10 Enterprise E3 or E5 licenses with [Windows 10 Enterprise Subscription Activation](windows-10-subscription-activation.md) or [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md) and Azure Active Directory (Azure AD). +This topic describes how to deploy Windows 10 or Windows 11 Enterprise E3 or E5 licenses with [Windows 10/11 Enterprise Subscription Activation](windows-10-subscription-activation.md) or [Windows 10/11 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md) and Azure Active Directory (Azure AD). ->[!NOTE] ->* Windows 10 Enterprise Subscription Activation (EA or MPSA) requires Windows 10 Pro, version 1703 or later. ->* Windows 10 Enterprise E3 in CSP requires Windows 10 Pro, version 1607 or later. ->* Automatic, non-KMS activation requires Windows 10, version 1803 or later, on a device with a firmware-embedded activation key. ->* Windows 10 Enterprise Subscription Activation requires Windows 10 Enterprise per user licensing; it does not work on per device based licensing. +> [!NOTE] +> * Windows 10/11 Enterprise Subscription Activation (EA or MPSA) requires Windows 10 Pro, version 1703 or later. Windows 11 is considered "later" in this context. +> * Windows 10/11 Enterprise E3 in CSP requires Windows 10 Pro, version 1607 or later. +> * Automatic, non-KMS activation requires Windows 10, version 1803 or later, on a device with a firmware-embedded activation key. +> * Windows 10/11 Enterprise Subscription Activation requires Windows 10/11 Enterprise per user licensing; it does not work on per device based licensing. ->[!IMPORTANT] ->An issue has been identified where devices can lose activation status or be blocked from upgrading to Windows Enterprise if the device is not able to connect to Windows Update. A workaround is to ensure that devices do not have the REG_DWORD present HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotConnectToWindowsUpdateInternetLocations and set to 1. If this REG_DWORD is present, it must be set to 0. +> [!IMPORTANT] +> An issue has been identified where devices can lose activation status or be blocked from upgrading to Windows Enterprise if the device is not able to connect to Windows Update. A workaround is to ensure that devices do not have the REG_DWORD present HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotConnectToWindowsUpdateInternetLocations and set to 1. If this REG_DWORD is present, it must be set to 0. > >Also ensure that the Group Policy setting: Computer Configuration > Administrative Templates > Windows Components > Windows Update > "Do not connect to any Windows Update Internet locations" is set to "Disabled". @@ -50,24 +50,17 @@ If you are an EA customer with an existing Office 365 tenant, use the following - **AAA-51069** - Win10UsrOLSActv Alng MonthlySub Addon E3 - **AAA-51068** - Win10UsrOLSActv Alng MonthlySub Addon E5 -1. After placing an order, the OLS admin on the agreement will receive a service activation email, indicating their subscription licenses have been provisioned on the tenant. - -1. The admin can now assign subscription licenses to users. +2. After placing an order, the OLS admin on the agreement will receive a service activation email, indicating their subscription licenses have been provisioned on the tenant. +3. The admin can now assign subscription licenses to users. Use the following process if you need to update contact information and retrigger activation in order to resend the activation email: 1. Sign in to the [Microsoft Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). - 2. Click **Subscriptions**. - 3. Click **Online Services Agreement List**. - 4. Enter your agreement number, and then click **Search**. - 5. Click the **Service Name**. - 6. In the **Subscription Contact** section, click the name listed under **Last Name**. - 7. Update the contact information, then click **Update Contact Details**. This will trigger a new email. Also in this article: @@ -76,9 +69,9 @@ Also in this article: ## Active Directory synchronization with Azure AD -You probably have on-premises Active Directory Domain Services (AD DS) domains. Users will use their domain-based credentials to sign in to the AD DS domain. Before you start deploying Windows 10 Enterprise E3 or E5 licenses to users, you need to synchronize the identities in the on-premises ADDS domain with Azure AD. +You probably have on-premises Active Directory Domain Services (AD DS) domains. Users will use their domain-based credentials to sign in to the AD DS domain. Before you start deploying Windows 10/11 Enterprise E3 or E5 licenses to users, you need to synchronize the identities in the on-premises ADDS domain with Azure AD. -You might ask why you need to synchronize these identities. The answer is so that users will have a *single identity* that they can use to access their on-premises apps and cloud services that use Azure AD (such as Windows 10 Enterprise E3 or E5). This means that users can use their existing credentials to sign in to Azure AD and access the cloud services that you provide and manage for them. +You might ask why you need to synchronize these identities. The answer is so that users will have a *single identity* that they can use to access their on-premises apps and cloud services that use Azure AD (such as Windows 10/11 Enterprise E3 or E5). This means that users can use their existing credentials to sign in to Azure AD and access the cloud services that you provide and manage for them. **Figure 1** illustrates the integration between the on-premises AD DS domain with Azure AD. [Microsoft Azure Active Directory Connect](https://www.microsoft.com/download/details.aspx?id=47594) (Azure AD Connect) is responsible for synchronization of identities between the on-premises AD DS domain and Azure AD. Azure AD Connect is a service that you can install on-premises or in a virtual machine in Azure. @@ -91,16 +84,16 @@ For more information about integrating on-premises AD DS domains with Azure AD, - [Integrating your on-premises identities with Azure Active Directory](/azure/active-directory/hybrid/whatis-hybrid-identity) - [Azure AD + Domain Join + Windows 10](https://blogs.technet.microsoft.com/enterprisemobility/2016/02/17/azure-ad-domain-join-windows-10/) ->[!NOTE] ->If you are implementing Azure AD, and you already have an on-premises domain, you don't need to integrate with Azure AD, since your main authentication method is your internal AD. If you want to manage all your infrastructure in the cloud, you can safely configure your domain controller remotely to integrate your computers with Azure AD, but you won't be able to apply fine controls using GPO. Azure AD is best suited for the global administration of devices when you don't have any on-premises servers. +> [!NOTE] +> If you are implementing Azure AD, and you already have an on-premises domain, you don't need to integrate with Azure AD, since your main authentication method is your internal AD. If you want to manage all your infrastructure in the cloud, you can safely configure your domain controller remotely to integrate your computers with Azure AD, but you won't be able to apply fine controls using GPO. Azure AD is best suited for the global administration of devices when you don't have any on-premises servers. ## Preparing for deployment: reviewing requirements -Devices must be running Windows 10 Pro, version 1703, and be Azure Active Directory joined, or hybrid domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. For more information, see [Review requirements on devices](#review-requirements-on-devices), later in this topic. +Devices must be running Windows 10 Pro, version 1703, or later and be Azure Active Directory joined, or hybrid domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. For more information, see [Review requirements on devices](#review-requirements-on-devices), later in this topic. ## Assigning licenses to users -Upon acquisition of Windows 10 subscription has been completed (Windows 10 Business, E3 or E5), customers will receive an email that will provide guidance on how to use Windows as an online service: +Upon acquisition of Windows 10/11 subscription has been completed (Windows 10 Business, E3 or E5), customers will receive an email that will provide guidance on how to use Windows as an online service: > [!div class="mx-imgBorder"] > ![profile.](images/al01.png) @@ -121,11 +114,11 @@ The following methods are available to assign licenses: ## Explore the upgrade experience -Now that your subscription has been established and Windows 10 Enterprise E3 or E5 licenses have been assigned to users, the users are ready to upgrade their devices running Windows 10 Pro, (version 1703 or later) to Windows 10 Enterprise. What will the users experience? How will they upgrade their devices? +Now that your subscription has been established and Windows 10/11 Enterprise E3 or E5 licenses have been assigned to users, the users are ready to upgrade their devices running Windows 10 Pro, (version 1703 or later) to Windows 10/11 Enterprise. What will the users experience? How will they upgrade their devices? -### Step 1: Join Windows 10 Pro devices to Azure AD +### Step 1: Join Windows 10/11 Pro devices to Azure AD -Users can join a Windows 10 Pro device to Azure AD the first time they start the device (during setup), or they can join a device that they already use running Windows 10 Pro, version 1703. +Users can join a Windows 10/11 Pro device to Azure AD the first time they start the device (during setup), or they can join a device that they already use running Windows 10 Pro, version 1703 or later. **To join a device to Azure AD the first time the device is started** @@ -176,16 +169,15 @@ Now the device is Azure AD–joined to the company's subscription. ### Step 2: Pro edition activation ->[!IMPORTANT] ->If your device is running Windows 10, version 1803 or later, this step is not needed. From Windows 10, version 1803, the device will automatically activate Windows 10 Enterprise using the firmware-embedded activation key. ->If the device is running Windows 10, version 1703 or 1709, then Windows 10 Pro must be successfully activated in **Settings > Update & Security > Activation**, as illustrated in **Figure 7a**. +> [!IMPORTANT] +> If your device is running Windows 10, version 1803 or later, this step is not needed. From Windows 10, version 1803, the device will automatically activate Windows 10 Enterprise using the firmware-embedded activation key. +> If the device is running Windows 10, version 1703 or 1709, then Windows 10 Pro must be successfully activated in **Settings > Update & Security > Activation**, as illustrated in **Figure 7a**.
      Windows 10 Pro activated
      Figure 7a - Windows 10 Pro activation in Settings -Windows 10 Pro activation is required before Enterprise E3 or E5 can be enabled (Windows 10, versions 1703 and 1709 only). - +Windows 10/11 Pro activation is required before Enterprise E3 or E5 can be enabled (Windows 10, versions 1703 and 1709 only). ### Step 3: Sign in using Azure AD account @@ -197,35 +189,33 @@ Once the device is joined to your Azure AD subscription, the user will sign in b ### Step 4: Verify that Enterprise edition is enabled -You can verify the Windows 10 Enterprise E3 or E5 subscription in **Settings > Update & Security > Activation**, as illustrated in **Figure 9**. +You can verify the Windows 10/11 Enterprise E3 or E5 subscription in **Settings > Update & Security > Activation**, as illustrated in **Figure 9**.
      Windows 10 activated and subscription active **Figure 9 - Windows 10 Enterprise subscription in Settings** +If there are any problems with the Windows 10/11 Enterprise E3 or E5 license or the activation of the license, the **Activation** panel will display the appropriate error message or status. You can use this information to help you diagnose the licensing and activation process. -If there are any problems with the Windows 10 Enterprise E3 or E5 license or the activation of the license, the **Activation** panel will display the appropriate error message or status. You can use this information to help you diagnose the licensing and activation process. - ->[!NOTE] ->If you use slmgr /dli or /dlv commands to retrieve the activation information for the Windows 10 E3 or E5 license, the license information displayed will be the following: ->Name: Windows(R), Professional edition ->Description: Windows(R) Operating System, RETAIL channel ->Partial Product Key: 3V66T +> [!NOTE] +> If you use slmgr /dli or /dlv commands to retrieve the activation information for the Windows 10 E3 or E5 license, the license information displayed will be the following: +> Name: Windows(R), Professional edition +> Description: Windows(R) Operating System, RETAIL channel +> Partial Product Key: 3V66T ## Virtual Desktop Access (VDA) -Subscriptions to Windows 10 Enterprise are also available for virtualized clients. Windows 10 Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Windows Azure or in another [qualified multitenant hoster](https://aka.ms/qmth). +Subscriptions to Windows 10/11 Enterprise are also available for virtualized clients. Windows 10/11 Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Windows Azure or in another [Qualified Multitenant Hoster](https://download.microsoft.com/download/3/D/4/3D445779-2870-4E3D-AFCB-D35D2E1BC095/QMTH%20Authorized%20Partner%20List.pdf) (PDF download). Virtual machines (VMs) must be configured to enable Windows 10 Enterprise subscriptions for VDA. Active Directory-joined and Azure Active Directory-joined clients are supported. See [Enable VDA for Enterprise Subscription Activation](vda-subscription-activation.md). ## Troubleshoot the user experience -In some instances, users may experience problems with the Windows 10 Enterprise E3 or E5 subscription. The most common problems that users may experience are as follows: +In some instances, users may experience problems with the Windows 10/11 Enterprise E3 or E5 subscription. The most common problems that users may experience are as follows: - The existing Windows 10 Pro, version 1703 or 1709 operating system is not activated. This problem does not apply to Windows 10, version 1803 or later. - -- The Windows 10 Enterprise E3 or E5 subscription has lapsed or has been removed. +- The Windows 10/11 Enterprise E3 or E5 subscription has lapsed or has been removed. Use the following figures to help you troubleshoot when users experience these common problems: diff --git a/windows/deployment/deploy-windows-cm/TOC.yml b/windows/deployment/deploy-windows-cm/TOC.yml index 06bf59500f..f47a156a14 100644 --- a/windows/deployment/deploy-windows-cm/TOC.yml +++ b/windows/deployment/deploy-windows-cm/TOC.yml @@ -25,4 +25,4 @@ - name: Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager href: replace-a-windows-7-client-with-windows-10-using-configuration-manager.md - name: Perform an in-place upgrade to Windows 10 using Configuration Manager - href: upgrade-to-windows-10-with-configuraton-manager.md + href: upgrade-to-windows-10-with-configuration-manager.md diff --git a/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md index 43b188d08e..34244e4af1 100644 --- a/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md @@ -201,7 +201,7 @@ When the process is complete, you will have a new Windows 10 computer in your do ![User data and setting restored example 8.](../images/pc0006h.png)
      ![User data and setting restored example 9.](../images/pc0006i.png) -Next, see [Perform an in-place upgrade to Windows 10 using Configuration Manager](upgrade-to-windows-10-with-configuraton-manager.md). +Next, see [Perform an in-place upgrade to Windows 10 using Configuration Manager](upgrade-to-windows-10-with-configuration-manager.md). ## Related topics diff --git a/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager.md b/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md similarity index 99% rename from windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager.md rename to windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md index da8eb45f78..dc7ae9b53f 100644 --- a/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager.md +++ b/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md @@ -135,8 +135,6 @@ On **PC0004**: ![Upgrade task sequence example 6.](../images/pc0004-f.png)
      ![Upgrade task sequence example 7.](../images/pc0004-g.png) -In-place upgrade with Configuration Manager - ## Related topics [Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md)
      diff --git a/windows/deployment/deploy-windows-mdt/TOC.yml b/windows/deployment/deploy-windows-mdt/TOC.yml index 51493a1083..3f4a5f1d0d 100644 --- a/windows/deployment/deploy-windows-mdt/TOC.yml +++ b/windows/deployment/deploy-windows-mdt/TOC.yml @@ -1,23 +1,23 @@ -- name: Deploy Windows 10 with the Microsoft Deployment Toolkit (MDT) +- name: Deploy Windows 11 with the Microsoft Deployment Toolkit (MDT) items: - name: Get started with MDT href: get-started-with-the-microsoft-deployment-toolkit.md - - name: Deploy Windows 10 with MDT + - name: Deploy Windows 11 with MDT items: - name: Prepare for deployment with MDT href: prepare-for-windows-deployment-with-mdt.md - - name: Create a Windows 10 reference image - href: create-a-windows-10-reference-image.md - - name: Deploy a Windows 10 image using MDT - href: deploy-a-windows-10-image-using-mdt.md - - name: Build a distributed environment for Windows 10 deployment - href: build-a-distributed-environment-for-windows-10-deployment.md - - name: Refresh a Windows 7 computer with Windows 10 - href: refresh-a-windows-7-computer-with-windows-10.md - - name: Replace a Windows 7 computer with a Windows 10 computer - href: replace-a-windows-7-computer-with-a-windows-10-computer.md - - name: Perform an in-place upgrade to Windows 10 with MDT - href: upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md + - name: Create a Windows 11 reference image + href: create-a-windows-11-reference-image.md + - name: Deploy a Windows 11 image using MDT + href: deploy-a-windows-11-image-using-mdt.md + - name: Build a distributed environment for Windows 11 deployment + href: build-a-distributed-environment-for-windows-deployment.md + - name: Refresh a Windows 10 computer with Windows 11 + href: refresh-a-windows-10-computer-with-windows-11.md + - name: Replace a Windows 10 computer with a Windows 11 computer + href: replace-a-windows-10-computer-with-a-windows-11-computer.md + - name: Perform an in-place upgrade to Windows 11 with MDT + href: upgrade-to-windows-11-with-the-microsoft-deployment-toolkit.md - name: Customize MDT items: - name: Configure MDT settings @@ -28,10 +28,10 @@ href: configure-mdt-deployment-share-rules.md - name: Configure MDT for UserExit scripts href: configure-mdt-for-userexit-scripts.md - - name: Simulate a Windows 10 deployment in a test environment - href: simulate-a-windows-10-deployment-in-a-test-environment.md - - name: Use the MDT database to stage Windows 10 deployment information - href: use-the-mdt-database-to-stage-windows-10-deployment-information.md + - name: Simulate a Windows 11 deployment in a test environment + href: simulate-a-windows-11-deployment-in-a-test-environment.md + - name: Use the MDT database to stage Windows deployment information + href: use-the-mdt-database-to-stage-windows-deployment-information.md - name: Assign applications using roles in MDT href: assign-applications-using-roles-in-mdt.md - name: Use web services in MDT diff --git a/windows/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt.md b/windows/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt.md index 427daf44e9..21bf379b8e 100644 --- a/windows/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt.md +++ b/windows/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt.md @@ -3,7 +3,7 @@ title: Assign applications using roles in MDT (Windows 10) description: This topic will show you how to add applications to a role in the MDT database and then assign that role to a computer. ms.assetid: d82902e4-de9c-4bc4-afe0-41d649b83ce7 ms.reviewer: -manager: laurawi +manager: dougeby ms.author: greglin keywords: settings, database, deploy ms.prod: w10 @@ -18,6 +18,10 @@ ms.topic: article # Assign applications using roles in MDT +**Applies to** +- Windows 10 +- Windows 11 + This topic will show you how to add applications to a role in the MDT database and then assign that role to a computer. For the purposes of this topic, the application we are adding is Adobe Reader XI. In addition to using computer-specific entries in the database, you can use roles in MDT to group settings together. ## Create and assign a role entry in the database diff --git a/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md b/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-deployment.md similarity index 86% rename from windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md rename to windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-deployment.md index 06399d410a..b47530ab45 100644 --- a/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md +++ b/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-deployment.md @@ -1,12 +1,12 @@ --- -title: Build a distributed environment for Windows 10 deployment (Windows 10) -description: In this topic, you will learn how to replicate your Windows 10 deployment shares to facilitate the deployment of Windows 10 in remote or branch locations. +title: Build a distributed environment for Windows 11 deployment (Windows 11) +description: In this topic, you will learn how to replicate your Windows 11 deployment shares to facilitate the deployment of Windows 11 in remote or branch locations. ms.assetid: a6cd5657-6a16-4fff-bfb4-44760902d00c ms.reviewer: -manager: laurawi +manager: dougeby ms.author: greglin keywords: replication, replicate, deploy, configure, remote -ms.prod: w10 +ms.prod: w11 ms.mktglfcycl: deploy ms.localizationpriority: medium ms.sitesec: library @@ -16,12 +16,13 @@ author: greg-lindsay ms.topic: article --- -# Build a distributed environment for Windows 10 deployment +# Build a distributed environment for Windows 11 deployment **Applies to** -- Windows 10 +- Windows 10 +- Windows 11 -Perform the steps in this article to build a distributed environment for Windows 10 deployment. A distributed environment for deployment is useful when you have a segmented network, for example one that is segmented geographically into two branch locations. If you work in a distributed environment, replicating the deployment shares is an important part of a deployment solution because images of 5 GB or more in size can present bandwidth issues when deployed over the wire. Replicating this content enables clients to do local deployments. +Perform the steps in this article to build a distributed environment for Windows 11 deployment. A distributed environment for deployment is useful when you have a segmented network, for example one that is segmented geographically into two branch locations. If you work in a distributed environment, replicating the deployment shares is an important part of a deployment solution because images of 5 GB or more in size can present bandwidth issues when deployed over the wire. Replicating this content enables clients to do local deployments. Four computers are used in this topic: DC01, MDT01, MDT02, and PC0006. DC01 is a domain controller, MDT01 and MDT02 are domain member computers running Windows Server 2019, and PC0006 is a blank device where we will deploy Windows 10. The second deployment server (MDT02) will be configured for a remote site (Stockholm) by replicating the deployment share on MDT01 at the original site (New York). All devices are members of the domain contoso.com for the fictitious Contoso Corporation. @@ -31,7 +32,7 @@ For the purposes of this article, we assume that MDT02 is prepared with the same Computers used in this topic. ->HV01 is also used in this topic to host the PC0006 virtual machine. +> HV01 is also used in this topic to host the PC0006 virtual machine. ## Replicate deployment shares @@ -119,7 +120,7 @@ When you have multiple deployment servers sharing the same content, you need to On **MDT01**: -1. Using Notepad, navigate to the **D:\\MDTProduction\\Control** folder and modify the Boostrap.ini file as follows. Under [DefaultGateway] enter the IP addresses for the client's default gateway in New York and Stockholm, respectively (replace 10.10.10.1 and 10.10.20.1 with your default gateways). The default gateway setting is what tells the client which deployment share (i.e. server) to use. +1. Using Notepad, navigate to the **D:\\MDTProduction\\Control** folder and modify the Boostrap.ini file as follows. Under [DefaultGateway] enter the IP addresses for the default gateway of client devices in your locations (replace 10.10.10.1 and 10.10.20.1 with your default gateways). The default gateway setting is what tells the client which deployment share (i.e. server) to use. ```ini [Settings] @@ -141,8 +142,8 @@ On **MDT01**: UserPassword=pass@word1 SkipBDDWelcome=YES ``` - >[!NOTE] - >The DeployRoot value needs to go into the Bootstrap.ini file, but you can use the same logic in the CustomSettings.ini file. For example, you can redirect the logs to the local deployment server (SLSHARE), or have the User State Migration Tool (USMT) migration store (UDDIR) local. To learn more about USMT, see [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md) and [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md). + > [!NOTE] + > The DeployRoot value needs to go into the Bootstrap.ini file, but you can use the same logic in the CustomSettings.ini file. For example, you can redirect the logs to the local deployment server (SLSHARE), or have the User State Migration Tool (USMT) migration store (UDDIR) local. To learn more about USMT, see [Refresh a Windows 10 computer with Windows 11](refresh-a-windows-10-computer-with-windows-11.md) and [Replace a Windows 10 computer with a Windows 11 computer](replace-a-windows-10-computer-with-a-windows-11-computer.md). 2. Save the Bootstrap.ini file. 3. Using the Deployment Workbench, right-click the **MDT Production** deployment share and select **Update Deployment Share**. Use the default settings for the Update Deployment Share Wizard. This process will take a few minutes. @@ -153,8 +154,8 @@ On **MDT01**: Replacing the updated boot image in WDS. - >[!TIP] - >If you modify bootstrap.ini again later, be sure to repeat the process of updating the deployment share in the Deployment Workbench and replacing the boot image in the WDS console. + > [!TIP] + > If you modify bootstrap.ini again later, be sure to repeat the process of updating the deployment share in the Deployment Workbench and replacing the boot image in the WDS console. ## Replicate the content @@ -227,7 +228,7 @@ On **MDT02**: The DFS Replication Health Report. ->If there are replication errors you can review the DFS event log in Event Viewer under **Applications and Services Logs**. +> If there are replication errors you can review the DFS event log in Event Viewer under **Applications and Services Logs**. ## Configure Windows Deployment Services (WDS) in a remote site @@ -250,21 +251,19 @@ Now you should have a solution ready for deploying the Windows 10 client to the 6. Install an operating system from a network-based installation server 2. Start the PC0006 virtual machine, and press **Enter** to start the Pre-Boot Execution Environment (PXE) boot. The VM will now load the Windows PE boot image from the WDS server. 3. After Windows Preinstallation Environment (Windows PE) has booted, complete the Windows Deployment Wizard using the following settings: - 1. Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM Custom Image + 1. Select a task sequence to execute on this computer: Windows 11 Enterprise x64 Custom Image 2. Computer Name: PC0006 3. Applications: Select the Install - Adobe Reader 4. Setup will now start and perform the following: - 1. Install the Windows 10 Enterprise operating system. + 1. Install the Windows 11 Enterprise operating system. 2. Install applications. 3. Update the operating system using your local Windows Server Update Services (WSUS) server. -![pc0001.](../images/pc0006.png) - ## Related topics [Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
      -[Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
      -[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
      -[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
      -[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
      +[Create a Windows 11 reference image](create-a-windows-11-reference-image.md)
      +[Deploy a Windows 11 image using MDT](deploy-a-windows-11-image-using-mdt.md)
      +[Refresh a Windows 10 computer with Windows 11](refresh-a-windows-10-computer-with-windows-11.md)
      +[Replace a Windows 10 computer with a Windows 11 computer](replace-a-windows-10-computer-with-a-windows-11-computer.md)
      [Configure MDT settings](configure-mdt-settings.md) \ No newline at end of file diff --git a/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md b/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md index 8741709766..187f8fb4cc 100644 --- a/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md +++ b/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md @@ -3,7 +3,7 @@ title: Configure MDT deployment share rules (Windows 10) description: Learn how to configure the MDT rules engine to reach out to other resources for additional information instead of storing settings directly in the rules engine. ms.assetid: b5ce2360-33cc-4b14-b291-16f75797391b ms.reviewer: -manager: laurawi +manager: dougeby ms.author: greglin keywords: rules, configuration, automate, deploy ms.prod: w10 @@ -18,6 +18,10 @@ ms.topic: article # Configure MDT deployment share rules +**Applies to** +- Windows 10 +- Windows 11 + In this topic, you will learn how to configure the MDT rules engine to reach out to other resources, including external scripts, databases, and web services, for additional information instead of storing settings directly in the rules engine. The rules engine in MDT is powerful: most of the settings used for operating system deployments are retrieved and assigned via the rules engine. In its simplest form, the rules engine is the CustomSettings.ini text file. ## Assign settings diff --git a/windows/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts.md b/windows/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts.md index 115f42408d..22a7921c84 100644 --- a/windows/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts.md +++ b/windows/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts.md @@ -3,7 +3,7 @@ title: Configure MDT for UserExit scripts (Windows 10) description: In this topic, you will learn how to configure the MDT rules engine to use a UserExit script to generate computer names based on a prefix and the computer MAC Address. ms.assetid: 29a421d1-12d2-414e-86dc-25b62f5238a7 ms.reviewer: -manager: laurawi +manager: dougeby ms.author: greglin keywords: rules, script ms.prod: w10 @@ -18,6 +18,10 @@ ms.topic: article # Configure MDT for UserExit scripts +**Applies to** +- Windows 10 +- Windows 11 + In this topic, you will learn how to configure the MDT rules engine to use a UserExit script to generate computer names based on a prefix and the computer MAC Address. MDT supports calling external VBScripts as part of the Gather process; these scripts are referred to as UserExit scripts. The script also removes the colons in the MAC Address. ## Configure the rules to call a UserExit script diff --git a/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md b/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md index 5259d8bafe..05f03ea220 100644 --- a/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md +++ b/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md @@ -3,7 +3,7 @@ title: Configure MDT settings (Windows 10) description: One of the most powerful features in Microsoft Deployment Toolkit (MDT) is its extension capabilities; there is virtually no limitation to what you can do in terms of customization. ms.assetid: d3e1280c-3d1b-4fad-8ac4-b65dc711f122 ms.reviewer: -manager: laurawi +manager: dougeby ms.author: greglin keywords: customize, customization, deploy, features, tools ms.prod: w10 @@ -18,6 +18,10 @@ ms.topic: article # Configure MDT settings +**Applies to** +- Windows 10 +- Windows 11 + One of the most powerful features in Microsoft Deployment Toolkit (MDT) is its extension capabilities; there is virtually no limitation to what you can do in terms of customization. In this topic, you learn about configuring customizations for your environment. For the purposes of this topic, we will use four machines: DC01, MDT01, HV01, and PC0001. DC01 is a domain controller, MDT01 is a Windows Server 2012 R2 Standard server, and PC0001 is a Windows 10 Enterprise x64 client used for the MDT simulation environment. OR01 has Microsoft System Center 2012 R2 Orchestrator installed. MDT01, OR01, and PC0001 are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](./prepare-for-windows-deployment-with-mdt.md). diff --git a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md b/windows/deployment/deploy-windows-mdt/create-a-windows-11-reference-image.md similarity index 81% rename from windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md rename to windows/deployment/deploy-windows-mdt/create-a-windows-11-reference-image.md index 33d92b8cc9..a548b5c748 100644 --- a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md +++ b/windows/deployment/deploy-windows-mdt/create-a-windows-11-reference-image.md @@ -1,12 +1,12 @@ --- -title: Create a Windows 10 reference image (Windows 10) +title: Create a Windows 11 reference image (Windows 11) description: Creating a reference image is important because that image serves as the foundation for the devices in your organization. ms.assetid: 9da2fb57-f2ff-4fce-a858-4ae4c237b5aa ms.reviewer: -manager: laurawi +manager: dougeby ms.author: greglin keywords: deploy, deployment, configure, customize, install, installation -ms.prod: w10 +ms.prod: w11 ms.mktglfcycl: deploy ms.localizationpriority: medium ms.sitesec: library @@ -16,22 +16,25 @@ author: greg-lindsay ms.topic: article --- -# Create a Windows 10 reference image +# Create a Windows 11 reference image **Applies to** - Windows 10 +- Windows 11 -Creating a reference image is important because that image serves as the foundation for the devices in your organization. In this topic, you will learn how to create a Windows 10 reference image using the Microsoft Deployment Toolkit (MDT). You will create a deployment share, configure rules and settings, and import all the applications and operating system files required to build a Windows 10 reference image. After completing the steps outlined in this topic, you will have a Windows 10 reference image that can be used in your deployment solution. +In this topic, you will learn how to create a Windows 11 reference image using the Microsoft Deployment Toolkit (MDT). You will create a deployment share, configure rules and settings, and import all the applications and operating system files required to build a Windows 11 reference image. After completing the steps outlined in this topic, you will have a Windows 11 reference image that can be used in your deployment solution. ->[!NOTE] ->See [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md) for more information about the server, client, and network infrastructure used in this guide. +All procedures in this article can also be used to create a Windows 10 reference image by using Windows 10 media instead of Windows 11 media in the [Add setup files](#add-setup-files) section below. + +> [!NOTE] +> This guide assumes that you have already installed and configured deployment tools. See [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md) for more information. For the purposes of this topic, we will use three computers: DC01, MDT01, and HV01. - DC01 is a domain controller for the contoso.com domain. - MDT01 is a contoso.com domain member server. - HV01 is a Hyper-V server that will be used to build the reference image. - ![devices.](../images/mdt-08-fig01.png) +  ![devices.](../images/mdt-08-fig01.png) Computers used in this topic. @@ -45,19 +48,20 @@ The reference image described in this guide is designed primarily for deployment ## Set up the MDT build lab deployment share -With Windows 10, there is no hard requirement to create reference images. However, to reduce the time needed for deployment, you might want to create a reference image that contains a few base applications as well as all of the latest updates. This section will show you how to create and configure the MDT Build Lab deployment share to create a Windows 10 reference image. Because reference images will be deployed only to virtual machines during the creation process and have specific settings (rules), you should always create a separate deployment share specifically for this process. +With Windows 10 and Windows 11, there is no hard requirement to create reference images. However, to reduce the time needed for deployment, you might want to create a reference image that contains a few base applications as well as all of the latest updates. This section will show you how to create and configure the MDT Build Lab deployment share to create a Windows 11 reference image. Because reference images will be deployed only to virtual machines during the creation process and have specific settings (rules), you should always create a separate deployment share specifically for this process. ### Create the MDT build lab deployment share On **MDT01**: - Sign in as contoso\\administrator using a password of pass@word1 (credentials from the [prepare for deployment](prepare-for-windows-deployment-with-mdt.md) topic). -- Start the MDT deployment workbench, and pin this to the taskbar for easy access. +- Start the MDT deployment workbench, and pin the console to the taskbar for easy access. + - If it is your first time starting the console, search for **Deployment Workbench**. - Using the Deployment Workbench, right-click **Deployment Shares** and select **New Deployment Share**. - Use the following settings for the New Deployment Share Wizard: - Deployment share path: **D:\\MDTBuildLab** - Share name: **MDTBuildLab$** - - Deployment share description: **MDT Build Lab** + - Descriptive name: **MDT Build Lab** - Accept the default selections on the Options page and click **Next**. - Review the Summary page, click **Next**, wait for the deployment share to be created, then click **Finish**. - Verify that you can access the \\\\MDT01\\MDTBuildLab$ share. @@ -68,7 +72,7 @@ On **MDT01**: ### Enable monitoring -To monitor the task sequence as it happens, right-click the **MDT Build Lab** deployment share, click **Properties**, click the **Monitoring** tab, and select **Enable monitoring for this deployment share**. This step is optional. +To monitor the task sequence as it happens, right-click the **MDT Build Lab** deployment share in the Deployment Workbench, click **Properties**, click the **Monitoring** tab, and select **Enable monitoring for this deployment share**. This step is optional. ### Configure permissions for the deployment share @@ -86,34 +90,41 @@ On **MDT01**: ## Add setup files -This section will show you how to populate the MDT deployment share with the Windows 10 operating system source files, commonly referred to as setup files, which will be used to create a reference image. Setup files are used during the reference image creation process and are the foundation for the reference image. +This section will show you how to populate the MDT deployment share with the Windows 11 operating system source files, commonly referred to as setup files, which will be used to create a reference image. Setup files are used during the reference image creation process and are the foundation for the reference image. -### Add the Windows 10 installation files +### Add the Windows 11 installation files -MDT supports adding both full source Windows 10 DVDs (ISOs) and custom images that you have created. In this case, you create a reference image, so you add the full source setup files from Microsoft. +MDT supports adding both full source Windows 11 DVDs (ISOs) and custom images that you have created. In this case, you create a reference image, so you add the full source setup files from Microsoft. ->[!NOTE] ->Due to the Windows limits on path length, we are purposely keeping the operating system destination directory short, using the folder name W10EX64RTM rather than a more descriptive name like Windows 10 Enterprise x64 RTM. +> [!NOTE] +> Windows 11 media is pre-release as of the date this article was last updated. To obtain Windows 11 pre-release media, join the Windows Insider program and visit [Windows Insider Preview Downloads](https://www.microsoft.com/software-download/windowsinsiderpreviewiso).
      +> The build selected in this example is **Windows 11 Insider Preview Enterprise (Dev Channel) - Build 22454**. -### Add Windows 10 Enterprise x64 (full source) +### Add Windows 11 Enterprise x64 (full source) On **MDT01**: -1. Sign in as **contoso\\administrator** and copy the content of a Windows 10 Enterprise x64 DVD/ISO to the **D:\\Downloads\\Windows 10 Enterprise x64** folder on MDT01, or just insert the DVD or mount an ISO on MDT01. The following example shows the files copied to the D:\\Downloads folder, but you can also choose to import the OS directly from an ISO or DVD. +1. Sign in as **contoso\\administrator** and copy the content of a Windows 11 Enterprise x64 DVD/ISO to the **D:\\Downloads\\Windows 11 Enterprise x64** folder on MDT01, or just insert the DVD or mount an ISO on MDT01. The following example shows the files copied to the D:\\Downloads folder, but you can also choose to import the OS directly from an ISO or DVD. ![ISO.](../images/iso-data.png) 2. Using the Deployment Workbench, expand the **Deployment Shares** node, and then expand **MDT Build Lab**. -3. Right-click the **Operating Systems** node, and create a new folder named **Windows 10**. -4. Expand the **Operating Systems** node, right-click the **Windows 10** folder, and select **Import Operating System**. Use the following settings for the Import Operating System Wizard: +3. Right-click the **Operating Systems** node, and create a new folder named **Windows 11**. +4. Expand the **Operating Systems** node, right-click the **Windows 11** folder, and select **Import Operating System**. Use the following settings for the Import Operating System Wizard: - Full set of source files - Source directory: (location of your source files) - - Destination directory name: W10EX64RTM -5. After adding the operating system, in the **Operating Systems / Windows 10** folder, double-click it and change the name to: **Windows 10 Enterprise x64 RTM Default Image**. See the following example. + - Destination directory name: W11EX64 + + > [!NOTE] + > Due to the Windows limits on path length, we are purposely keeping the operating system destination directory short, using the folder name W11EX64 rather than a more descriptive name like Windows 11 Enterprise x64.

      + > Depending on the DVD or ISO you used, there might be multiple editions added by the import process. For the purposes of this guide, we are using the Windows 11 Enterprise image, but other images will also work. In the example shown, editions that will not be used are deleted from the list. + +5. After adding the operating system, in the **Operating Systems / Windows 11** folder, double-click it and change the name to: **Windows 11 Enterprise x64 Default Image**. See the following example. ![Default image.](../images/deployment-workbench01.png) ->Depending on the DVD you used, there might be multiple editions available. For the purposes of this guide, we are using the Windows 10 Enterprise image, but other images will also work. + > [!NOTE] + > The pre-release version of Windows 11 used here has "Windows 10" in the description. You can ignore this. ## Add applications @@ -297,7 +308,7 @@ On **MDT01**: ## Create the reference image task sequence -In order to build and capture your Windows 10 reference image for deployment using MDT, you will create a task sequence. The task sequence will reference the operating system and applications that you previously imported into the MDT Build Lab deployment share to build a Windows 10 reference image. +In order to build and capture your Windows 11 reference image for deployment using MDT, you will create a task sequence. The task sequence will reference the operating system and applications that you previously imported into the MDT Build Lab deployment share to build a Windows 11 reference image. After creating the task sequence, you configure it to enable patching against the Windows Server Update Services (WSUS) server. The Task Sequence Windows Update action supports getting updates directly from Microsoft Update, but you get more stable patching if you use a local WSUS server. WSUS also allows for an easy process of approving the patches that you are deploying. ### Drivers and the reference image @@ -306,31 +317,31 @@ Because we use modern virtual platforms for creating our reference images, we do ### Create a task sequence for Windows 10 Enterprise -To create a Windows 10 reference image task sequence, the process is as follows: +To create a Windows 11 reference image task sequence, the process is as follows: On **MDT01**: -1. Using the Deployment Workbench, under **Deployment Shares > MDT Build Lab** right-click **Task Sequences**, and create a **New Folder** named **Windows 10**. -2. Right-click the new **Windows 10** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: - 1. Task sequence ID: REFW10X64-001 - 2. Task sequence name: Windows 10 Enterprise x64 RTM Default Image +1. Using the Deployment Workbench, under **Deployment Shares > MDT Build Lab** right-click **Task Sequences**, and create a **New Folder** named **Windows 11**. +2. Right-click the new **Windows 11** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: + 1. Task sequence ID: REFW11X64-001 + 2. Task sequence name: Windows 11 Enterprise x64 Default Image 3. Task sequence comments: Reference Build 4. Template: Standard Client Task Sequence - 5. Select OS: Windows 10 Enterprise x64 RTM Default Image + 5. Select OS: Windows 11 Enterprise x64 Default Image 6. Specify Product Key: Do not specify a product key at this time 7. Full Name: Contoso 8. Organization: Contoso - 9. Internet Explorer home page: http://www.contoso.com + 9. Internet Explorer home page: https://www.contoso.com 10. Admin Password: Do not specify an Administrator Password at this time -### Edit the Windows 10 task sequence +### Edit the Windows 11 task sequence The steps below walk you through the process of editing the Windows 10 reference image task sequence to include the actions required to update the reference image with the latest updates from WSUS, install roles and features, and utilities, and install Microsoft Office365 ProPlus x64. On **MDT01**: -1. In the **Task Sequences / Windows 10** folder, right-click the **Windows 10 Enterprise x64 RTM Default Image** task sequence, and select **Properties**. -2. On the **Task Sequence** tab, configure the Windows 10 Enterprise x64 RTM Default Image task sequence with the following settings: +1. In the **Task Sequences / Windows 11** folder, right-click the **Windows 11 Enterprise x64 Default Image** task sequence, and select **Properties**. +2. On the **Task Sequence** tab, configure the Windows 11 Enterprise x64 Default Image task sequence with the following settings: 1. **State Restore > Windows Update (Pre-Application Installation)** action: Enable this action by clicking the **Options** tab and clearing the **Disable this step** check box. 2. **State Restore > Windows Update (Post-Application Installation)** action: Also enable this action. @@ -340,7 +351,7 @@ On **MDT01**: - **Note**: The reason for adding the applications after the Tattoo action but before running Windows Update is simply to save time during the deployment. This way we can add all applications that will upgrade some of the built-in components and avoid unnecessary updating. 5. **State Restore > Custom Tasks (Pre-Windows Update)**: Add a new **Install Roles and Features** action with the following settings: 1. Name: Install - Microsoft NET Framework 3.5.1 - 2. Select the operating system for which roles are to be installed: Windows 10 + 2. Select the operating system for which roles are to be installed: Windows 10 (this also works for Windows 11) 3. Select the roles and features that should be installed: .NET Framework 3.5 (includes .NET 2.0 and 3.0) >[!IMPORTANT] @@ -353,7 +364,7 @@ On **MDT01**: 6. **State Restore > Custom Tasks (Pre-Windows Update)**: After the **Install - Microsoft NET Framework 3.5.1** action, add a new **Install Application** action (selected from the **General** group) with the following settings: 1. Name: Microsoft Visual C++ Redistributable 2019 - x86 2. Install a Single Application: browse to **Install - MSVC 2019 - x86** - 7. Repeat these steps (add a new **Install Application**) to add Microsoft Visual C++ Redistributable 2019 - x64 and Microsoft 365 Apps for enterprise as well. + 7. Repeat these steps (add a new **Install Application**) to add Microsoft Visual C++ Redistributable 2019 - x64 and Office 365 ProPlus - x64 as well. 3. Click **OK**. ![apps.](../images/mdt-apps.png) @@ -385,26 +396,18 @@ Follow these steps to configure Internet Explorer settings in Unattend.xml for t On **MDT01**: -1. Using the Deployment Workbench, under **Deployment Shares > MDT Build Lab > Task Sequences** right-click the **Windows 10 Enterprise x64 RTM Default Image** task sequence and select **Properties**. +1. Using the Deployment Workbench, under **Deployment Shares > MDT Build Lab > Task Sequences** right-click the **Windows 11 Enterprise x64 Default Image** task sequence and select **Properties**. 2. In the **OS Info** tab, click **Edit Unattend.xml**. MDT now generates a catalog file. This will take a few minutes, and then Windows System Image Manager (Windows SIM) will start. - - > [!IMPORTANT] - > The ADK version 1903 has a [known issue](/windows-hardware/get-started/what-s-new-in-kits-and-tools#whats-new-in-the-windows-adk-for-windows-10-version-1903) generating a catalog file for Windows 10, version 1903 or 1909 X64 install.wim. You might see the error "Could not load file or assembly" in in the console output. To avoid this issue, [install the ADK, version 2004 or a later version](/windows-hardware/get-started/adk-install). A workaround is also available for the ADK version 1903: - > - Close the Deployment Workbench and install the [WSIM 1903 update](https://go.microsoft.com/fwlink/?linkid=2095334). This will update imagecat.exe and imgmgr.exe to version 10.0.18362.144. - > - Manually run imgmgr.exe (C:\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Deployment Tools\\WSIM\\imgmgr.exe). - > - Generate a catalog (Tools/Create Catalog) for the selected install.wim (ex: D:\\MDTBuildLab\\Operating Systems\\W10EX64RTM\\sources\\install.wim). - > - After manually creating the catalog file (ex: D:\\MDTBuildLab\\Operating Systems\\W10EX64RTM\\sources\\install_Windows 10 Enterprise.clg), open the Deployment Workbench and proceed to edit unattend.xml. - 3. In Windows SIM, expand the **4 specialize** node in the **Answer File** pane and select the amd64\_Microsoft-Windows-IE-InternetExplorer\_neutral entry. 4. In the **amd64\_Microsoft-Windows-IE-InternetExplorer\_neutral properties** window (right-hand window), set the following values: - DisableDevTools: true -5. Save the Unattend.xml file, and close Windows SIM. - - Note: If errors are reported that certain display values are incorrect, you can ignore this or browse to **7oobeSystem\\amd64_Microsoft-Windows-Shell-Setup__neutral\\Display** and enter the following: ColorDepth 32, HorizontalResolution 1, RefreshRate 60, VerticalResolution 1. -6. On the Windows 10 Enterprise x64 RTM Default Image Properties, click **OK**. +5. Save the Answer File, and close Windows SIM. + - Note: If validation errors are reported that certain display values are incorrect, you can ignore this or browse to **7oobeSystem\\amd64_Microsoft-Windows-Shell-Setup__neutral\\Display** and enter the following: ColorDepth 32, HorizontalResolution 1, RefreshRate 60, VerticalResolution 1. +6. On the Windows 11 Enterprise x64 Default Image Properties, click **OK**. ![figure 10.](../images/fig10-unattend.png) - Windows System Image Manager with the Windows 10 Unattend.xml. + Windows System Image Manager with the Windows 11 Unattend.xml. ## Configure the MDT deployment share rules @@ -475,7 +478,7 @@ On **MDT01**: ``` >[!NOTE] - >For security reasons, you normally don't add the password to the Bootstrap.ini file; however, because this deployment share is for creating reference image builds only, and should not be published to the production network, it is acceptable to do so in this situation. Obviously if you are not using the same password (pass@word3) that is provided in this lab, you must enter your own custom password on the Rules tab and in Bootstrap.ini. + >For security reasons, you normally don't add the password to the Bootstrap.ini file; however, because this deployment share is for creating reference image builds only, and should not be published to the production network, it is acceptable to do so in this situation. Obviously if you are not using the same password (pass@word1) that is provided in this lab, you must enter your own custom password on the Rules tab and in Bootstrap.ini. 4. On the **Windows PE** tab, in the **Platform** drop-down list, select **x86**. 5. In the **Lite Touch Boot Image Settings** area, configure the following settings: @@ -606,11 +609,11 @@ SkipFinalSummary=YES - **SkipCapture.** Skips the Capture pane. - **SkipFinalSummary.** Skips the final Windows Deployment Wizard summary. Because you use FinishAction=Shutdown, you don't want the wizard to stop in the end so that you need to click OK before the machine shuts down. -## Build the Windows 10 reference image +## Build the Windows 11 reference image As previously described, this section requires a Hyper-V host. See [Hyper-V requirements](prepare-for-windows-deployment-with-mdt.md#hyper-v-requirements) for more information. -Once you have created your task sequence, you are ready to create the Windows 10 reference image. This will be performed by launching the task sequence from a virtual machine which will then automatically perform the reference image creation and capture process. +Once you have created your task sequence, you are ready to create the Windows 11 reference image. This will be performed by launching the task sequence from a virtual machine which will then automatically perform the reference image creation and capture process. The steps below outline the process used to boot a virtual machine using an ISO boot image created by MDT, and then run the reference image task sequence image to create and capture the Windows 10 reference image. @@ -621,56 +624,67 @@ The steps below outline the process used to boot a virtual machine using an ISO On **HV01**: 2. Create a new virtual machine with the following settings: - 1. Name: REFW10X64-001 + 1. Name: REFW11X64-001 2. Store the virtual machine in a different location: C:\VM 3. Generation 1 4. Memory: 1024 MB 5. Network: Must be able to connect to \\MDT01\MDTBuildLab$ 7. Hard disk: 60 GB (dynamic disk) 8. Install OS with image file: C:\\ISO\\MDT Build Lab x86.iso -1. Before you start the VM, add a checkpoint for REFW10X64-001, and name it **Clean with MDT Build Lab x86 ISO**. +1. Before you start the VM, add a checkpoint for REFW11X64-001, and name it **Clean with MDT Build Lab x86 ISO**. **Note**: Checkpoints are useful if you need to restart the process and want to make sure you can start clean. -4. Start the REFW10X64-001 virtual machine and connect to it. +4. Start the REFW11X64-001 virtual machine and connect to it. - **Note**: Up to this point we have not discussed IP addressing or DHCP. In the initial setup for this guide, DC01 was provisioned as a DHCP server to provide IP address leases to client computers. You might have a different DHCP server on your network that you wish to use. The REFW10X64-001 virtual machine requires an IP address lease that provides it with connectivity to MDT01 so that it can connect to the \\MDT01\MDTBuildLab$ share. In the current scenario this is accomplished with a DHCP scope that provides IP addresses in the 10.10.10.100 - 10.10.10.200 range, as part of a /24 subnet so that the client can connect to MDT01 at 10.10.10.11. + > [!IMPORTANT] + > Up to this point we have not discussed IP addressing or DHCP. In the initial setup for this guide, DC01 was provisioned as a DHCP server to provide IP address leases to client computers. You might have a different DHCP server on your network that you wish to use. The REFW11X64-001 virtual machine requires an IP address lease that provides it with connectivity to MDT01 so that it can connect to the \\MDT01\MDTBuildLab$ share, and optionally the WSUS server on your network. A connection to the Internet is also used to download and updates during the image creation process. In the current scenario, this is accomplished with a DHCP scope that provides IP addresses in the 10.10.10.100 - 10.10.10.200 range, with a 10.10.10.1 gateway, as part of a /24 subnet so that the client can connect to MDT01 at 10.10.10.11, and also connect to external networks.

      + > If you receive a message that "A connection to the deployment share could not be made, check that the DHCP service is available to the REFW11X64-001 VM, and it has been issued a valid IP address lease (check your DHCP server). - After booting into Windows PE, complete the Windows Deployment Wizard with the following settings: - 1. Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM Default Image - 2. Specify whether to capture an image: Capture an image of this reference computer - - Location: \\\\MDT01\\MDTBuildLab$\\Captures - 3. File name: REFW10X64-001.wim +5. After booting into Windows PE, complete the Windows Deployment Wizard with the following settings: + - Select a task sequence to execute on this computer: Windows 11 Enterprise x64 Default Image + - Specify whether to capture an image: Capture an image of this reference computer + - Location: \\\\MDT01\\MDTBuildLab$\\Captures + - File name: REFW11X64-001.wim - ![capture image.](../images/captureimage.png) + ![capture image.](../images/captureimage.png) - The Windows Deployment Wizard for the Windows 10 reference image. + The Windows Deployment Wizard for the Windows 11 reference image. -5. The setup now starts and does the following: - 1. Installs the Windows 10 Enterprise operating system. - 2. Installs the added applications, roles, and features. - 3. Updates the operating system via your local Windows Server Update Services (WSUS) server. - 4. Stages Windows PE on the local disk. - 5. Runs System Preparation (Sysprep) and reboots into Windows PE. - 6. Captures the installation to a Windows Imaging (WIM) file. - 7. Turns off the virtual machine. +The image creation process starts and does the following: + 1. Installs the Windows 11 Enterprise operating system. + 2. Installs the added applications, roles, and features. + 3. Updates the operating system via your local Windows Server Update Services (WSUS) server (if provisioned). + 4. Stages Windows PE on the local disk. + 5. Runs System Preparation (Sysprep) and reboots into Windows PE. + 6. Captures the installation to a Windows Imaging (WIM) file. + 7. Turns off the virtual machine. -After some time, you will have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep, located in the D:\\MDTBuildLab\\Captures folder on your deployment server. The file name is REFW10X64-001.wim. +After some time (30-90 minutes depending on resources available), you will have a Windows 11 Enterprise x64 image that is fully patched and has run through Sysprep, located in the D:\\MDTBuildLab\\Captures folder on your deployment server. The file name is **REFW11X64-001.wim**. ![image.](../images/image-captured.png) ## Troubleshooting -> [!IMPORTANT] -> If you encounter errors applying the image when using a BIOS firmware type, see [Windows 10 deployments fail with Microsoft Deployment Toolkit on computers with BIOS type firmware](https://support.microsoft.com/topic/windows-10-deployments-fail-with-microsoft-deployment-toolkit-on-computers-with-bios-type-firmware-70557b0b-6be3-81d2-556f-b313e29e2cb7). This - If you [enabled monitoring](#enable-monitoring), you can check the progress of the task sequence. ![monitoring.](../images/mdt-monitoring.png) -If there are problems with your task sequence, you can troubleshoot in Windows PE by pressing F8 to open a command prompt. There are several [MDT log files](/configmgr/mdt/troubleshooting-reference#mdt-logs) created that can be helpful determining the origin of an error, such as BDD.log. From the command line in Windows PE you can copy these logs from the client to your MDT server for viewing with CMTrace. For example: copy BDD.log \\\\mdt01\\logs$. +If monitoring is not working, check that http://localhost:9801/MDTMonitorData/ loads on MDT01, and try turning monitoring off and on again. -After some time, you will have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep, located in the D:\\MDTBuildLab\\Captures folder on your deployment server. The file name is REFW10X64-001.wim. +If there are problems with your task sequence, you can troubleshoot in Windows PE by pressing F8 to open a command prompt. There are several [MDT log files](/configmgr/mdt/troubleshooting-reference#mdt-logs) created that can be helpful determining the origin of an error, such as BDD.log. From the command line in Windows PE you can copy these logs from the client to your MDT server for viewing with CMTrace. For example: copy BDD.log \\\\mdt01\\logs$. An example is shown below. + +```cmd +X:\>net use G: \\mdt01\c$\tmp /user:contoso\administrator pass@word1 +The command completed successfully. + +X:\>copy X:\MININT\SMSOSD\OSDLOGS\*.log G: + 6 files copied. +X:\>copp X:\Windows\Temp\SMSTSLog\smsts.log G: + 1 file copied. +``` + +If you have trouble connecting to the deployment share, verify that your DHCP server (DC01 in this lab) has issued a lease to the VM. The DHCP client name will be something like minint-p1st75s.contoso.com. ## Related topics diff --git a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md b/windows/deployment/deploy-windows-mdt/deploy-a-windows-11-image-using-mdt.md similarity index 88% rename from windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md rename to windows/deployment/deploy-windows-mdt/deploy-a-windows-11-image-using-mdt.md index b6a311471f..435f937e56 100644 --- a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md +++ b/windows/deployment/deploy-windows-mdt/deploy-a-windows-11-image-using-mdt.md @@ -1,12 +1,12 @@ --- -title: Deploy a Windows 10 image using MDT (Windows 10) -description: This topic will show you how to take your reference image for Windows 10, and deploy that image to your environment using the Microsoft Deployment Toolkit (MDT). +title: Deploy a Windows 11 image using MDT (Windows 11) +description: This topic will show you how to take your reference image for Windows 11, and deploy that image to your environment using the Microsoft Deployment Toolkit (MDT). ms.assetid: 1d70a3d8-1b1d-4051-b656-c0393a93f83c ms.reviewer: -manager: laurawi +manager: dougeby ms.author: greglin keywords: deployment, automate, tools, configure -ms.prod: w10 +ms.prod: w11 ms.mktglfcycl: deploy ms.localizationpriority: medium ms.sitesec: library @@ -16,12 +16,13 @@ author: greg-lindsay ms.topic: article --- -# Deploy a Windows 10 image using MDT +# Deploy a Windows 11 image using MDT **Applies to** -- Windows 10 +- Windows 10 +- Windows 11 -This topic will show you how to take your reference image for Windows 10 (that was just [created](create-a-windows-10-reference-image.md)), and deploy that image to your environment using the Microsoft Deployment Toolkit (MDT). +This topic will show you how to take your reference image for Windows 11 [that was just created](create-a-windows-11-reference-image.md), and deploy that image to your environment using the Microsoft Deployment Toolkit (MDT). We will prepare for this by creating an MDT deployment share that is used solely for image deployment. Separating the processes of creating reference images from the processes used to deploy them in production allows greater control of on both processes. We will configure Active Directory permissions, configure the deployment share, create a new task sequence, and add applications, drivers, and rules. @@ -30,7 +31,7 @@ For the purposes of this topic, we will use four computers: DC01, MDT01, HV01 an - DC01 is a domain controller - MDT01 is a domain member server - HV01 is a Hyper-V server -- PC0005 is a blank device to which we will deploy Windows 10 +- PC0005 is a blank device to which we will deploy Windows 11 MDT01 and PC0005 are members of the domain contoso.com for the fictitious Contoso Corporation. HV01 used to test deployment of PC0005 in a virtual environment. @@ -89,11 +90,8 @@ The steps for creating the deployment share for production are the same as when 1. Ensure you are signed on as: contoso\administrator. 2. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**. 3. On the **Path** page, in the **Deployment share path** text box, type **D:\\MDTProduction** and click **Next**. - 4. On the **Share** page, in the **Share name** text box, type **MDTProduction$** and click **Next**. - 5. On the **Descriptive Name** page, in the **Deployment share description** text box, type **MDT Production** and click **Next**. - 6. On the **Options** page, accept the default settings and click **Next** twice, and then click **Finish**. 7. Using File Explorer, verify that you can access the **\\\\MDT01\\MDTProduction$** share. @@ -113,26 +111,22 @@ On **MDT01**: ## Step 3: Add a custom image -The next step is to add a reference image into the deployment share with the setup files required to successfully deploy Windows 10. When adding a custom image, you still need to copy setup files (an option in the wizard) because Windows 10 stores additional components in the Sources\\SxS folder which is outside the image and may be required when installing components. +The next step is to add a reference image into the deployment share with the setup files required to successfully deploy Windows 11. When adding a custom image, you still need to copy setup files (an option in the wizard) because Windows 10/11 stores additional components in the Sources\\SxS folder which is outside the image and may be required when installing components. -### Add the Windows 10 Enterprise x64 RTM custom image +### Add the Windows 11 Enterprise x64 custom image -In these steps, we assume that you have completed the steps in the [Create a Windows 10 reference image](create-a-windows-10-reference-image.md) topic, so you have a Windows 10 reference image at **D:\\MDTBuildLab\\Captures\REFW10X64-001.wim** on MDT01. +In these steps, we assume that you have completed the steps in the [Create a Windows 11 reference image](create-a-windows-11-reference-image.md) topic, so you have a Windows 11 reference image at **D:\\MDTBuildLab\\Captures\REFW11X64-001.wim** on MDT01. -1. Using the Deployment Workbench, expand the **Deployment Shares** node, and then expand **MDT Production**; select the **Operating Systems** node, and create a folder named **Windows 10**. +1. Using the Deployment Workbench, expand the **Deployment Shares** node, and then expand **MDT Production**; select the **Operating Systems** node, and create a folder named **Windows 11**. 2. Right-click the **Windows 10** folder and select **Import Operating System**. - 3. On the **OS Type** page, select **Custom image file** and click **Next**. +4. On the **Image** page, in the **Source file** text box, browse to **D:\\MDTBuildLab\\Captures\\REFW11X64-001.wim** and click **Next**. +5. On the **Setup** page, select the **Copy Windows 7, Windows Server 2008 R2, or later setup files from the specified path** option; in the **Setup source directory** text box, browse to **D:\\MDTBuildLab\\Operating Systems\\W11EX64** and click **Next**. +6. On the **Destination** page, in the **Destination directory name** text box, type **W11EX64**, click **Next** twice, and then click **Finish**. +7. After adding the operating system, double-click the added operating system name in the **Operating Systems / Windows 11** node and change the name to **Windows 11 Enterprise x64 Custom Image**. -4. On the **Image** page, in the **Source file** text box, browse to **D:\\MDTBuildLab\\Captures\\REFW10X64-001.wim** and click **Next**. - -5. On the **Setup** page, select the **Copy Windows 7, Windows Server 2008 R2, or later setup files from the specified path** option; in the **Setup source directory** text box, browse to **D:\\MDTBuildLab\\Operating Systems\\W10EX64RTM** and click **Next**. - -6. On the **Destination** page, in the **Destination directory name** text box, type **W10EX64RTM**, click **Next** twice, and then click **Finish**. -7. After adding the operating system, double-click the added operating system name in the **Operating Systems / Windows 10** node and change the name to **Windows 10 Enterprise x64 RTM Custom Image**. - ->[!NOTE] ->The reason for adding the setup files has changed since earlier versions of MDT. MDT 2010 used the setup files to install Windows. MDT uses DISM to apply the image; however, you still need the setup files because some components in roles and features are stored outside the main image. +> [!NOTE] +> The reason for adding the setup files has changed since earlier versions of MDT. MDT 2010 used the setup files to install Windows. MDT now uses DISM to apply the image; however, you still need the setup files because some components in roles and features are stored outside the main image. ![imported OS.](../images/fig2-importedos.png) @@ -145,21 +139,15 @@ When you configure your MDT Build Lab deployment share, you can also add applica On **MDT01**: -1. Download the Enterprise distribution version of [Adobe Acrobat Reader DC](https://get.adobe.com/reader/enterprise/) (AcroRdrDC2100520060_en_US.exe) to **D:\\setup\\adobe** on MDT01. -2. Extract the .exe file that you downloaded to an .msi (ex: .\AcroRdrDC2100520060_en_US.exe -sfx_o"d:\setup\adobe\install\" -sfx_ne). +1. Download the Enterprise distribution version of [Adobe Acrobat Reader DC](https://get.adobe.com/reader/enterprise/) (AcroRdrDC2100720091_en_US.exe) to **D:\\setup\\adobe** on MDT01. +2. Extract the .exe file that you downloaded to an .msi (ex: .\AcroRdrDC2100720091_en_US.exe -sfx_o"d:\setup\adobe\install\" -sfx_ne). 3. In the Deployment Workbench, expand the **MDT Production** node and navigate to the **Applications** node. 4. Right-click the **Applications** node, and create a new folder named **Adobe**. - 5. In the **Applications** node, right-click the **Adobe** folder and select **New Application**. - 6. On the **Application Type** page, select the **Application with source files** option and click **Next**. - 7. On the **Details** page, in the **Application Name** text box, type **Install - Adobe Reader** and click *Next**. - 8. On the **Source** page, in the **Source Directory** text box, browse to **D:\\setup\\adobe\\install** and click **Next**. - 9. On the **Destination** page, in the **Specify the name of the directory that should be created** text box, type **Install - Adobe Reader** and click **Next**. - 10. On the **Command Details** page, in the **Command Line** text box, type **msiexec /i AcroRead.msi /q**, click **Next** twice, and then click **Finish**. ![acroread image.](../images/acroread.png) @@ -168,7 +156,10 @@ On **MDT01**: ## Step 5: Prepare the drivers repository -In order to deploy Windows 10 with MDT successfully, you need drivers for the boot images and for the actual operating system. This section will show you how to add drivers for the boot image and operating system, using the following hardware models as examples: +> [!IMPORTANT] +> The section below on preparing the drivers repository uses Windows 10-compatible devices and drivers as examples. These examples do not infer Windows 11 compatibility. Check with your device manufacturer before deploying drivers, and verify that the device meets Windows 11 hardware requirements. For more information, see [Windows 11 requirements](/windows/whats-new/windows-11-requirements). + +In order to deploy Windows 10 or Windows 11 with MDT successfully, you need drivers for the boot images and for the actual operating system. This section will show you how to add drivers for the boot image and operating system, using the following hardware models as examples: - Lenovo ThinkPad T420 - Dell Latitude 7390 - HP EliteBook 8560w @@ -176,8 +167,8 @@ In order to deploy Windows 10 with MDT successfully, you need drivers for the b For boot images, you need to have storage and network drivers; for the operating system, you need to have the full suite of drivers. ->[!NOTE] ->You should only add drivers to the Windows PE images if the default drivers don't work. Adding drivers that are not necessary will only make the boot image larger and potentially delay the download time. +> [!NOTE] +> You should only add drivers to the Windows PE images if the default drivers don't work. Adding drivers that are not necessary will only make the boot image larger and potentially delay the download time. ### Create the driver source structure in the file system @@ -192,8 +183,8 @@ On **MDT01**: 2. In the **D:\\drivers** folder, create the following folder structure: 1. WinPE x86 2. WinPE x64 - 3. Windows 10 x64 -3. In the new Windows 10 x64 folder, create the following folder structure: + 3. Windows 11 x64 +3. In the new Windows 11 x64 folder, create the following folder structure: - Dell Inc. - Latitude E7450 - Hewlett-Packard @@ -213,8 +204,8 @@ When you import drivers to the MDT driver repository, MDT creates a single insta 2. In the **Out-Of-Box Drivers** node, create the following folder structure: 1. WinPE x86 2. WinPE x64 - 3. Windows 10 x64 -3. In the **Windows 10 x64** folder, create the following folder structure: + 3. Windows 11 x64 +3. In the **Windows 11 x64** folder, create the following folder structure: - Dell Inc. - Latitude E7450 - Hewlett-Packard @@ -245,32 +236,28 @@ The Out-of-Box Drivers structure in the Deployment Workbench. ### Create the selection profiles for boot image drivers By default, MDT adds any storage and network drivers that you import to the boot images. However, you should add only the drivers that are necessary to the boot image. You can control which drivers are added by using selection profiles. -The drivers that are used for the boot images (Windows PE) are Windows 10 drivers. If you can’t locate Windows 10 drivers for your device, a Windows 7 or Windows 8.1 driver will most likely work, but Windows 10 drivers should be your first choice. +The drivers that are used for the boot images (Windows PE) are Windows 11 drivers. If you can’t locate Windows 11 drivers for your device, a Windows 10, Windows 8.1 or Windows 7 driver will most likely work, but Windows 11 drivers should be your first choice. On **MDT01**: 1. In the Deployment Workbench, under the **MDT Production** node, expand the **Advanced Configuration** node, right-click the **Selection Profiles** node, and select **New Selection Profile**. 2. In the New Selection Profile Wizard, create a selection profile with the following settings: - 1. Selection Profile name: WinPE x86 + 1. Selection Profile name: **WinPE x86** 2. Folders: Select the WinPE x86 folder in Out-of-Box Drivers. 3. Click **Next**, **Next** and **Finish**. 3. Right-click the **Selection Profiles** node again, and select **New Selection Profile**. 4. In the New Selection Profile Wizard, create a selection profile with the following settings: - 1. Selection Profile name: WinPE x64 + 1. Selection Profile name: **WinPE x64** 2. Folders: Select the WinPE x64 folder in Out-of-Box Drivers. 3. Click **Next**, **Next** and **Finish**. - ![figure 5.](../images/fig5-selectprofile.png) - - Creating the WinPE x64 selection profile. - ### Extract and import drivers for the x64 boot image Windows PE supports all the hardware models that we have, but here you learn to add boot image drivers to accommodate any new hardware that might require additional drivers. In this example, you add the latest Intel network drivers to the x64 boot image. On **MDT01**: -1. Download **PROWinx64.exe** from Intel.com (ex: [PROWinx64.exe](https://downloadcenter.intel.com/downloads/eula/25016/Intel-Network-Adapter-Driver-for-Windows-10?httpDown=https%3A%2F%2Fdownloadmirror.intel.com%2F25016%2Feng%2FPROWinx64.exe)). +1. Download **PROWinx64.exe** from Intel.com (ex: [Intel® Network Adapter Driver](https://www.intel.com/content/www/us/en/download/16765/intel-network-adapter-driver-for-windows-8-final-release.html)). 2. Extract PROWinx64.exe to a temporary folder - in this example to the **C:\\Tmp\\ProWinx64** folder. a. **Note**: Extracting the .exe file manually requires an extraction utility. You can also run the .exe and it will self-extract files to the **%userprofile%\AppData\Local\Temp\RarSFX0** directory. This directory is temporary and will be deleted when the .exe terminates. 3. Using File Explorer, create the **D:\\Drivers\\WinPE x64\\Intel PRO1000** folder. @@ -292,11 +279,11 @@ In this example, we assume you have downloaded and extracted the drivers using T On **MDT01**: -1. In the Deployment Workbench, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 10 x64** node, expand the **Lenovo** node. +1. In the Deployment Workbench, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 11 x64** node, expand the **Lenovo** node. 2. Right-click the **30A6003TUS** folder and select **Import Drivers** and use the following Driver source directory to import drivers: - **D:\\Drivers\\Windows 10 x64\\Lenovo\\ThinkStation P500 (30A6003TUS)** + **D:\\Drivers\\Windows 11 x64\\Lenovo\\ThinkStation P500 (30A6003TUS)** The folder you select and all sub-folders will be checked for drivers, expanding any .cab files that are present and searching for drivers. @@ -308,29 +295,29 @@ In these steps, we assume you have downloaded and extracted the CAB file for the On **MDT01**: -1. In the **Deployment Workbench**, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 10 x64** node, expand the **Dell Inc.** node. +1. In the **Deployment Workbench**, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 11 x64** node, expand the **Dell Inc.** node. 2. Right-click the **Latitude E7450** folder and select **Import Drivers** and use the following Driver source directory to import drivers: - **D:\\Drivers\\Windows 10 x64\\Dell Inc.\\Latitude E7450** + **D:\\Drivers\\Windows 11 x64\\Dell Inc.\\Latitude E7450** ### For the HP EliteBook 8560w For the HP EliteBook 8560w, you use HP Image Assistant to get the drivers. The HP Image Assistant can be accessed on the [HP Support site](https://ftp.ext.hp.com/pub/caps-softpaq/cmit/HPIA.html). -In these steps, we assume you have downloaded and extracted the drivers for the HP EliteBook 8650w model to the **D:\\Drivers\\Windows 10 x64\\Hewlett-Packard\\HP EliteBook 8560w** folder. +In these steps, we assume you have downloaded and extracted the drivers for the HP EliteBook 8650w model to the **D:\\Drivers\\Windows 11 x64\\Hewlett-Packard\\HP EliteBook 8560w** folder. On **MDT01**: -1. In the **Deployment Workbench**, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 10 x64** node, expand the **Hewlett-Packard** node. +1. In the **Deployment Workbench**, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 11 x64** node, expand the **Hewlett-Packard** node. 2. Right-click the **HP EliteBook 8560w** folder and select **Import Drivers** and use the following Driver source directory to import drivers: - **D:\\Drivers\\Windows 10 x64\\Hewlett-Packard\\HP EliteBook 8560w** + **D:\\Drivers\\Windows 11 x64\\Hewlett-Packard\\HP EliteBook 8560w** ### For the Microsoft Surface Laptop -For the Microsoft Surface Laptop model, you find the drivers on the Microsoft website. In these steps we assume you have downloaded and extracted the Surface Laptop drivers to the **D:\\Drivers\\Windows 10 x64\\Microsoft\\Surface Laptop** folder. +For the Microsoft Surface Laptop model, you find the drivers on the Microsoft website. In these steps we assume you have downloaded and extracted the Surface Laptop drivers to the **D:\\Drivers\\Windows 11 x64\\Microsoft\\Surface Laptop** folder. On **MDT01**: @@ -338,40 +325,40 @@ On **MDT01**: 2. Right-click the **Surface Laptop** folder and select **Import Drivers**; and use the following Driver source directory to import drivers: - **D:\\Drivers\\Windows 10 x64\\Microsoft\\Surface Laptop** + **D:\\Drivers\\Windows 11 x64\\Microsoft\\Surface Laptop** ## Step 6: Create the deployment task sequence -This section will show you how to create the task sequence used to deploy your production Windows 10 reference image. You will then configure the task sequence to enable patching via a Windows Server Update Services (WSUS) server. +This section will show you how to create the task sequence used to deploy your production Windows 11 reference image. You will then configure the task sequence to enable patching via a Windows Server Update Services (WSUS) server. -### Create a task sequence for Windows 10 Enterprise +### Create a task sequence for Windows 11 Enterprise On **MDT01**: -1. In the Deployment Workbench, under the **MDT Production** node, right-click **Task Sequences**, and create a folder named **Windows 10**. +1. In the Deployment Workbench, under the **MDT Production** node, right-click **Task Sequences**, and create a folder named **Windows 11**. -2. Right-click the new **Windows 10** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: - - Task sequence ID: W10-X64-001 - - Task sequence name: Windows 10 Enterprise x64 RTM Custom Image +2. Right-click the new **Windows 11** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: + - Task sequence ID: W11-X64-001 + - Task sequence name: Windows 11 Enterprise x64 Custom Image - Task sequence comments: Production Image - Template: Standard Client Task Sequence - - Select OS: Windows 10 Enterprise x64 RTM Custom Image + - Select OS: Windows 11 Enterprise x64 Custom Image - Specify Product Key: Do not specify a product key at this time - Full Name: Contoso - Organization: Contoso - Internet Explorer home page: https://www.contoso.com - Admin Password: Do not specify an Administrator Password at this time -### Edit the Windows 10 task sequence +### Edit the Windows 11 task sequence -1. Continuing from the previous procedure, right-click the **Windows 10 Enterprise x64 RTM Custom Image** task sequence, and select **Properties**. +1. Continuing from the previous procedure, right-click the **Windows 11 Enterprise x64 Custom Image** task sequence, and select **Properties**. -2. On the **Task Sequence** tab, configure the **Windows 10 Enterprise x64 RTM Custom Image** task sequence with the following settings: +2. On the **Task Sequence** tab, configure the **Windows 11 Enterprise x64 Custom Image** task sequence with the following settings: 1. Preinstall: After the **Enable BitLocker (Offline)** action, add a **Set Task Sequence Variable** action with the following settings: 1. Name: Set DriverGroup001 2. Task Sequence Variable: DriverGroup001 - 3. Value: Windows 10 x64\\%Manufacturer%\\%Model% + 3. Value: Windows 11 x64\\%Manufacturer%\\%Model% 2. Configure the **Inject Drivers** action with the following settings: - Choose a selection profile: Nothing @@ -486,7 +473,7 @@ On **MDT01**: 11. Click **OK**. >[!NOTE] - >It will take a while for the Deployment Workbench to create the monitoring database and web service. + >It might take a while for the Deployment Workbench to create the monitoring database and web service. ![figure 8.](../images/mdt-07-fig08.png) @@ -617,13 +604,13 @@ Like the MDT Build Lab deployment share, the MDT Production deployment share nee >[!NOTE] >The update process will take 5 to 10 minutes. -## Step 8: Deploy the Windows 10 client image +## Step 8: Deploy the Windows 11 client image These steps will walk you through the process of using task sequences to deploy Windows 10 images through a fully automated process. First, you need to add the boot image to Windows Deployment Services (WDS) and then start the deployment. In contrast with deploying images from the MDT Build Lab deployment share, we recommend using the Pre-Installation Execution Environment (PXE) to start the full deployments in the datacenter, even though you technically can use an ISO/CD or USB to start the process. ### Configure Windows Deployment Services -You need to add the MDT Production Lite Touch x64 Boot image to WDS in preparation for the deployment. In this procedure, we assume that WDS is already installed and initialized on MDT01 as described in the [Prepare for Windows deployment](prepare-for-windows-deployment-with-mdt.md#install-and-initialize-windows-deployment-services-wds) article. +You need to add the MDT Production Lite Touch x64 Boot image to WDS in preparation for the deployment. In this procedure, we assume that WDS is already installed and initialized on MDT01 as described in the [Prepare for Windows deployment](prepare-for-windows-deployment-with-mdt.md#install-and-initialize-wds) article. On **MDT01**: @@ -637,7 +624,7 @@ On **MDT01**: The boot image added to the WDS console. -### Deploy the Windows 10 client +### Deploy the Windows 11 client At this point, you should have a solution ready for deploying the Windows 10 client. We recommend starting by trying a few deployments at a time until you are confident that your configuration works as expected. We find it useful to try some initial tests on virtual machines before testing on physical hardware. This helps rule out hardware issues when testing or troubleshooting. Here are the steps to deploy your Windows 10 image to a virtual machine: @@ -667,9 +654,9 @@ On **HV01**: 4. Setup now begins and does the following: - - Installs the Windows 10 Enterprise operating system. + - Installs the Windows 11 Enterprise operating system. - Installs the added application. - - Updates the operating system via your local Windows Server Update Services (WSUS) server. + - Updates the operating system via your local Windows Server Update Services (WSUS) server (if configured). ![pc0005 image1.](../images/pc0005-vm.png) @@ -727,9 +714,9 @@ On **MDT01**: The newly created multicast namespace. -## Use offline media to deploy Windows 10 +## Use offline media to deploy Windows 11 -In addition to network-based deployments, MDT supports the use of offline media-based deployments of Windows 10. You can very easily generate an offline version of your deployment share - either the full deployment share or a subset of it - through the use of selection profiles. The generated offline media can be burned to a DVD or copied to a USB stick for deployment. +In addition to network-based deployments, MDT supports the use of offline media-based deployments of Windows 11. You can very easily generate an offline version of your deployment share - either the full deployment share or a subset of it - through the use of selection profiles. The generated offline media can be burned to a DVD or copied to a USB stick for deployment. Offline media are useful not only when you do not have network connectivity to the deployment share, but also when you have limited connection to the deployment share and do not want to copy 5 GB of data over the wire. Offline media can still join the domain, but you save the transfer of operating system images, drivers, and applications over the wire. @@ -748,10 +735,10 @@ On **MDT01**: - Folders - Applications / Adobe - - Operating Systems / Windows 10 + - Operating Systems / Windows 11 - Out-Of-Box Drivers / WinPE x64 - - Out-Of-Box Drivers / Windows 10 x64 - - Task Sequences / Windows 10 + - Out-Of-Box Drivers / Windows 11 x64 + - Task Sequences / Windows 11 ![offline media.](../images/mdt-offline-media.png) @@ -769,7 +756,7 @@ In these steps, you generate offline media from the MDT Production deployment sh 3. Use the following settings for the New Media Wizard: - General Settings - Media path: **D:\\MDTOfflineMedia** - - Selection profile: **Windows 10 Offline Media** + - Selection profile: **Windows 11 Offline Media** ### Configure the offline media @@ -783,7 +770,7 @@ On **MDT01**: 3. In the **General** tab, configure the following: - Clear the Generate x86 boot image check box. - - ISO file name: Windows 10 Offline Media.iso + - ISO file name: Windows 11 Offline Media.iso 4. On the **Windows PE** tab, in the **Platform** drop-down list, select **x64**. @@ -816,15 +803,10 @@ The ISO that you got when updating the offline media item can be burned to a DVD Follow these steps to create a bootable USB stick from the offline media content: 1. On a physical machine running Windows 7 or later, insert the USB stick you want to use. - 2. Copy the content of the **MDTOfflineMedia\\Content** folder to the root of the USB stick. - 3. Start an elevated command prompt (run as Administrator), and start the Diskpart utility by typing **Diskpart** and pressing **Enter**. - 4. In the Diskpart utility, you can type **list volume** (or the shorter **list vol**) to list the volumes, but you really only need to remember the drive letter of the USB stick to which you copied the content. In our example, the USB stick had the drive letter F. - 5. In the Diskpart utility, type **select volume F** (replace F with your USB stick drive letter). - 6. In the Diskpart utility, type **active**, and then type **exit**. ## Unified Extensible Firmware Interface (UEFI)-based deployments diff --git a/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md b/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md index dc5907ae88..0d0b8199c5 100644 --- a/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md +++ b/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md @@ -1,9 +1,9 @@ --- -title: Get started with the Microsoft Deployment Toolkit (MDT) (Windows 10) +title: Get started with the Microsoft Deployment Toolkit (MDT) (Windows 10/11) description: This topic will help you gain a better understanding of how to use the Microsoft Deployment Toolkit (MDT), as part of a Windows operating system deployment. ms.assetid: a256442c-be47-4bb9-a105-c831f58ce3ee ms.reviewer: -manager: laurawi +manager: dougeby ms.author: greglin keywords: deploy, image, feature, install, tools ms.prod: w10 @@ -20,6 +20,7 @@ ms.topic: article **Applies to** - Windows 10 +- Windows 11 This article provides an overview of the features, components, and capabilities of the [Microsoft Deployment Toolkit (MDT)](/mem/configmgr/mdt/). When you have finished reviewing this information, see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md). @@ -29,14 +30,14 @@ MDT is a unified collection of tools, processes, and guidance for automating des In addition to reducing deployment time and standardizing desktop and server images, MDT enables you to more easily manage security and ongoing configurations. MDT builds on top of the core deployment tools in the [Windows Assessment and Deployment Kit](/windows-hardware/get-started/adk-install) (Windows ADK) with additional guidance and features designed to reduce the complexity and time required for deployment in an enterprise environment. -MDT supports the deployment of Windows 10, as well as Windows 7, Windows 8.1, and Windows Server. It also includes support for zero-touch installation (ZTI) with [Microsoft Endpoint Configuration Manager](/configmgr/). +MDT supports the deployment of Windows 11, as well as Windows 7, Windows 8.1, Windows 10, and Windows Server. It also includes support for zero-touch installation (ZTI) with [Microsoft Endpoint Configuration Manager](/configmgr/). ## Key features in MDT MDT has been in existence since 2003, when it was first introduced as Business Desktop Deployment (BDD) 1.0. The toolkit has evolved, both in functionality and popularity, and today it is considered fundamental to Windows operating system and enterprise application deployment. MDT has many useful features, such as: -- **Windows Client support.** Supports Windows 7, Windows 8.1, and Windows 10. +- **Windows Client support.** Supports Windows 7, Windows 8.1, Windows 10, and Windows 11. - **Windows Server support.** Supports Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019. - **Additional operating systems support.** Supports Windows Thin PC and [Windows Embedded POSReady 7](https://www.microsoft.com/en-us/download/details.aspx?id=26558), as well as Windows 8.1 Embedded Industry. - **UEFI support.** Supports deployment to machines using Unified Extensible Firmware Interface (UEFI) version 2.3.1. @@ -68,11 +69,11 @@ MDT has many useful features, such as: - **Support for Microsoft Office.** Provides added support for deploying Microsoft Office. - **Support for Modern UI app package provisioning.** Provisions applications based on the new Windows app package standard, which is used in Windows 8 and later. - **Extensibility.** Provides the capability to extend MDT far beyond the built-in features by adding custom scripts, web services, System Center Orchestrator runbooks, PowerShell scripts, and VBScripts. -- **Upgrade task sequence.** Provides a new upgrade task sequence template that you can use to upgrade existing Windows 7, Windows 8, and Windows 8.1 systems directly to Windows 10, automatically preserving all data, settings, applications, and drivers. For more information about using this new upgrade task sequence, refer to the [Microsoft Deployment Toolkit resource page](/mem/configmgr/mdt/). +- **Upgrade task sequence.** Provides a new upgrade task sequence template that you can use to upgrade existing Windows 7, Windows 8, Windows 8.1, and Windows 10 systems directly to Windows 11, automatically preserving all data, settings, applications, and drivers. For more information about using this new upgrade task sequence, refer to the [Microsoft Deployment Toolkit resource page](/mem/configmgr/mdt/). ## MDT Lite Touch components -Many features in MDT support Lite Touch Installation (LTI) for Windows 10. An LTI deployment strategy requires very little infrastructure or user interaction, and can be used to deploy an operating system from a network share or from a physical media, such as a USB flash drive or disc. +Many features in MDT support Lite Touch Installation (LTI) for Windows 11. An LTI deployment strategy requires very little infrastructure or user interaction, and can be used to deploy an operating system from a network share or from a physical media, such as a USB flash drive or disc. When deploying the Windows operating system using MDT, most of the administration and configuration is done through the Deployment Workbench, but you also can perform many of the tasks using Windows PowerShell. The easiest way to find out how to use PowerShell in MDT is to use the Deployment Workbench to perform an operation and at the end of that task, click View Script. That will give you the PowerShell command. diff --git a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md index 97d1ca6701..bd9599c6e4 100644 --- a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md +++ b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md @@ -1,12 +1,12 @@ --- -title: Prepare for deployment with MDT (Windows 10) -description: This topic will walk you through the steps necessary to create the server structure required to deploy the Windows 10 operating system using the Microsoft Deployment Toolkit (MDT). +title: Prepare for deployment with MDT (Windows 11) +description: This topic will walk you through the steps necessary to create the server structure required to deploy the Windows 11 operating system using the Microsoft Deployment Toolkit (MDT). ms.assetid: 5103c418-0c61-414b-b93c-a8e8207d1226 ms.reviewer: -manager: laurawi +manager: dougeby ms.author: greglin keywords: deploy, system requirements -ms.prod: w10 +ms.prod: w11 ms.mktglfcycl: deploy ms.localizationpriority: medium ms.sitesec: library @@ -19,51 +19,68 @@ ms.topic: article # Prepare for deployment with MDT **Applies to** -- Windows 10 +- Windows 10 +- Windows 11 -This article will walk you through the steps necessary to prepare your network and server infrastructure to deploy Windows 10 with the Microsoft Deployment Toolkit (MDT). It covers the installation of the necessary system prerequisites, the creation of shared folders and service accounts, and the configuration of security permissions in the file system and in Active Directory. -## Infrastructure +This article will walk you through the steps necessary to prepare your network and server infrastructure to deploy Windows 11 with the Microsoft Deployment Toolkit (MDT). All procedures in this guide can also be used to deploy Windows 10. For an overview of the features, components, and capabilities of MDT, see [Get started with MDT](get-started-with-the-microsoft-deployment-toolkit.md). + +This article covers installation of necessary system prerequisites, creation of shared folders and service accounts, and configuration of security permissions in the file system and in Active Directory. Steps to complete the following procedures are provided: + +1. Install the Windows Assessment and Deployment Kit (ADK) +2. Install and initialize Windows Deployment Services (WDS) +3. Install MDT +4. Create an Active Directory Organizational Unit structure to support deployment +5. Create the MDT service account +6. Create and share the logs folder + +After completing these steps, you can create a [Windows 11 reference image](create-a-windows-11-reference-image.md) that will be used to deploy Windows 11. If you are installing Windows 10 instead of Windows 11, use [source media](create-a-windows-11-reference-image.md#add-setup-files) for Windows 10 instead of Windows 11 to create your reference image. + +> [!IMPORTANT] +> Before deploying Windows 11, verify that the device meets [requirements](/windows/whats-new/windows-11-requirements). + +## Infrastructure and requirements The procedures in this guide use the following names and infrastructure. -### Network and servers +#### Network and servers For the purposes of this topic, we will use three server computers: **DC01**, **MDT01**, and **HV01**. - All servers are running Windows Server 2019. - You can use an earlier version of Windows Server with minor modifications to some procedures. - Note: Although MDT supports Windows Server 2008 R2, at least Windows Server 2012 R2 or later is required to perform the procedures in this guide. - **DC01** is a domain controller, DHCP server, and DNS server for contoso.com, representing the fictitious Contoso Corporation. + - The DHCP scope used in this lab is 10.10.10.0/24 with a gateway of 10.10.10.1. but you can adjust the scope settings to your environment. - **MDT01** is a domain member server in contoso.com with a data (D:) drive that can store at least 200GB. MDT01 will host deployment shares and run the Windows Deployment Service. Optionally, MDT01 is also a WSUS server. - - A second MDT server (**MDT02**) configured identically to MDT01 is optionally used to [build a distributed environment](build-a-distributed-environment-for-windows-10-deployment.md) for Windows 10 deployment. This server is located on a different subnet than MDT01 and has a different default gateway. -- **HV01** is a Hyper-V host computer that is used to build a Windows 10 reference image. + - A second MDT server (**MDT02**) configured identically to MDT01 is optionally used to [build a distributed environment](build-a-distributed-environment-for-windows-deployment.md) for Windows 11 deployment. This server is located on a different subnet than MDT01 and has a different default gateway. +- **HV01** is a Hyper-V host computer that is used to build a Windows 11 reference image. - See [Hyper-V requirements](#hyper-v-requirements) below for more information about HV01. -### Client computers +#### Client computers Several client computers are referenced in this guide with hostnames of PC0001 to PC0007. -- **PC0001**: A computer running Windows 10 Enterprise x64, fully patched with the latest security updates, and configured as a member in the contoso.com domain. +- **PC0001**: A computer running Windows 11 Enterprise x64, fully patched with the latest security updates, and configured as a member in the contoso.com domain. - Client name: PC0001 - IP Address: DHCP -- **PC0002**: A computer running Windows 7 SP1 Enterprise x64, fully patched with the latest security updates, and configured as a member in the contoso.com domain. This computer is referenced during the migration scenarios. +- **PC0002**: A computer running Windows 10 Enterprise x64, fully patched with the latest security updates, and configured as a member in the contoso.com domain. This computer is referenced during the migration scenarios. - Client name: PC0002 - IP Address: DHCP -- **PC0003 - PC0007**: These are other client computers similar to PC0001 and PC0002 that are used in this guide and another guide for various scenarios. The device names are incremented for clarity within each scenario. For example, PC0003 and PC0004 are running Windows 7 just like PC0002, but are used for Configuration Manager refresh and replace scenarios, respectively. +- **PC0003 - PC0007**: These are other client computers similar to PC0001 and PC0002 that are used in this guide and another guide for various scenarios. The device names are incremented for clarity within each scenario. For example, PC0003 and PC0004 are running Windows 10 just like PC0002, but are used for Configuration Manager refresh and replace scenarios, respectively. -### Storage requirements +#### Storage requirements MDT01 and HV01 should have the ability to store up to 200 GB of files on a data drive (D:). If you use a computer with a single system partition (C:), you will need to adjust some procedures in this guide to specify the C: drive instead of the D: drive. -### Hyper-V requirements +#### Hyper-V requirements -If you do not have access to a Hyper-V server, you can install Hyper-V on a Windows 10 or Windows 8.1 computer temporarily to use for building reference images. For instructions on how to enable Hyper-V on Windows 10, see the [Verify support and install Hyper-V](../windows-10-poc.md#verify-support-and-install-hyper-v) section in the Windows 10 deployment test lab guide. This guide is a proof-of-concept guide that has detailed instructions for installing Hyper-V. +If you do not have access to a Hyper-V server, you can install Hyper-V on a Windows 8.1, Windows 10, or Windows 11 computer temporarily to use for building reference images. For instructions on how to enable Hyper-V on Windows 10, see the [Verify support and install Hyper-V](../windows-10-poc.md#verify-support-and-install-hyper-v) section in the Windows 10 deployment test lab guide. This guide is a proof-of-concept guide that has detailed instructions for installing Hyper-V. -### Network requirements +#### Network requirements All server and client computers referenced in this guide are on the same subnet. This is not required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates. -### Domain credentials +#### Domain credentials The following generic credentials are used in this guide. You should replace these credentials as they appear in each procedure with your credentials. @@ -71,7 +88,7 @@ The following generic credentials are used in this guide. You should replace the **Domain administrator username**: administrator
      **Domain administrator password**: pass@word1 -### Organizational unit structure +#### Organizational unit structure The following OU structure is used in this guide. Instructions are provided [below](#create-the-ou-structure) to help you create the required OUs. @@ -84,11 +101,8 @@ These steps assume that you have the MDT01 member server running and configured On **MDT01**: Visit the [Download and install the Windows ADK](/windows-hardware/get-started/adk-install) page and download the following items to the **D:\\Downloads\\ADK** folder on MDT01 (you will need to create this folder): -- [The Windows ADK for Windows 10](https://go.microsoft.com/fwlink/?linkid=2086042) -- [The Windows PE add-on for the ADK](https://go.microsoft.com/fwlink/?linkid=2087112) -- [The Windows System Image Manager (WSIM) 1903 update](https://go.microsoft.com/fwlink/?linkid=2095334) -- (Optional) [The MDT_KB4564442 patch for BIOS firmware](https://download.microsoft.com/download/3/0/6/306AC1B2-59BE-43B8-8C65-E141EF287A5E/KB4564442/MDT_KB4564442.exe) - - This patch is needed to resolve a bug that causes detection of BIOS-based machines as UEFI-based machines. If you have a UEFI deployment, you do not need this patch. +- [The Windows ADK](https://go.microsoft.com/fwlink/?linkid=2165884) +- [The Windows PE add-on for the ADK](https://go.microsoft.com/fwlink/?linkid=2166133) >[!TIP] >You might need to temporarily disable IE Enhanced Security Configuration for administrators in order to download files from the Internet to the server. This setting can be disabled by using Server Manager (Local Server/Properties). @@ -96,12 +110,9 @@ Visit the [Download and install the Windows ADK](/windows-hardware/get-started/a 1. On **MDT01**, ensure that you are signed in as an administrator in the CONTOSO domain. - For the purposes of this guide, we are using a Domain Admin account of **administrator** with a password of pass@word1. You can use your own administrator username and password as long as you properly adjust all steps in this guide that use these login credentials. 2. Start the **ADK Setup** (D:\\Downloads\\ADK\\adksetup.exe), click **Next** twice to accept the default installation parameters, click **Accept** to accept the license agreement, and then on the **Select the features you want to install** page accept the default list of features by clicking **Install**. This will install deployment tools and the USMT. Verify that the installation completes successfully before moving to the next step. -3. Start the **WinPE Setup** (D:\\Downloads\\ADK\\adkwinpesetup.exe), click **Next** twice to accept the default installation parameters, click **Accept** to accept the license agreement, and then on the **Select the features you want to install** page click **Install**. This will install Windows PE for x86, AMD64, ARM, and ARM64. Verify that the installation completes successfully before moving to the next step. -4. Extract the **WSIM 1903 update** (D:\\Downloads\ADK\\WSIM1903.zip) and then run the **UpdateWSIM.bat** file. - - You can confirm that the update is applied by viewing properties of the ImageCat.exe and ImgMgr.exe files at **C:\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Deployment Tools\\WSIM** and verifying that the **Details** tab displays a **File version** of **10.0.18362.144** or later. -5. If you downloaded the optional MDT_KB4564442 patch for BIOS based deployment, see [this support article](https://support.microsoft.com/en-us/topic/windows-10-deployments-fail-with-microsoft-deployment-toolkit-on-computers-with-bios-type-firmware-70557b0b-6be3-81d2-556f-b313e29e2cb7) for instructions on how to install the patch. +3. Start the **WinPE Setup** (D:\\Downloads\\ADK\\adkwinpesetup.exe), click **Next** twice to accept the default installation parameters, click **Accept** to accept the license agreement, and then on the **Select the features you want to install** page click **Install**. This will install Windows PE for x86, AMD64, ARM, and ARM64. Verify that the installation completes successfully. -## Install and initialize Windows Deployment Services (WDS) +## Install and initialize WDS On **MDT01**: @@ -130,7 +141,7 @@ To install WSUS on MDT01, enter the following at an elevated Windows PowerShell >[!NOTE] >MDT installation requires the following: ->- The Windows ADK for Windows 10 (installed in the previous procedure) +>- The Windows ADK (installed in the previous procedure) >- Windows PowerShell ([version 5.1](https://www.microsoft.com/download/details.aspx?id=54616) is recommended; type **$host** to check) >- Microsoft .NET Framework @@ -138,8 +149,10 @@ On **MDT01**: 1. Visit the [MDT resource page](/mem/configmgr/mdt/) and click **Download MDT**. 2. Save the **MicrosoftDeploymentToolkit_x64.msi** file to the D:\\Downloads\\MDT folder on MDT01. +3. Save the [MDT update](https://support.microsoft.com/topic/windows-10-deployments-fail-with-microsoft-deployment-toolkit-on-computers-with-bios-type-firmware-70557b0b-6be3-81d2-556f-b313e29e2cb7) to D:\\Downloads\\MDT folder on MDT01. - **Note**: As of the publishing date for this guide, the current version of MDT is 8456 (6.3.8456.1000), but a later version will also work. -3. Install **MDT** (D:\\Downloads\\MDT\\MicrosoftDeploymentToolkit_x64.exe) with the default settings. +4. Install **MDT** (D:\\Downloads\\MDT\\MicrosoftDeploymentToolkit_x64.exe) with the default settings. +5. If you are using MDT version 8456, download, extract, and update MDT per the instructions on [Windows 10 deployments fail with Microsoft Deployment Toolkit on computers with BIOS type firmware](https://support.microsoft.com/topic/windows-10-deployments-fail-with-microsoft-deployment-toolkit-on-computers-with-bios-type-firmware-70557b0b-6be3-81d2-556f-b313e29e2cb7). This will update **Microsoft.BDD.Utility.dll** from version 6.3.8456.1000 to 6.3.8456.1001. ## Create the OU structure @@ -218,6 +231,8 @@ If you have the Active Directory Users and Computers console open you can refres ## Create and share the logs folder +Switch back to the MDT01 computer. + By default MDT stores the log files locally on the client. In order to capture a reference image, you will need to enable server-side logging and, to do that, you will need to have a folder in which to store the logs. For more information, see [Create a Windows 10 reference image](create-a-windows-10-reference-image.md). On **MDT01**: @@ -250,13 +265,5 @@ After installing the ConfigMgrTools.msi file, you can search for **cmtrace** and ## Next steps -When you have completed all the steps in this section to prepare for deployment, see [Create a Windows 10 reference image](create-a-windows-10-reference-image.md). +When you have completed all the steps in this section to prepare for deployment, see [Create a Windows 11 reference image](create-a-windows-11-reference-image.md). -## Appendix - -**Sample files** - -The following sample files are also available to help automate some MDT deployment tasks. This guide does not use these files, but they are made available here so you can see how some tasks can be automated with Windows PowerShell. -- [Gather.ps1](/samples/browse/?redirectedfrom=TechNet-Gallery). This sample Windows PowerShell script performs the MDT Gather process in a simulated MDT environment. This allows you to test the MDT gather process and check to see if it is working correctly without performing a full Windows deployment. -- [Set-OUPermissions.ps1](https://go.microsoft.com/fwlink/p/?LinkId=619362). This sample Windows PowerShell script creates a domain account and then configures OU permissions to allow the account to join machines to the domain in the specified OU. -- [MDTSample.zip](https://go.microsoft.com/fwlink/p/?LinkId=619363). This sample web service shows you how to configure a computer name dynamically using MDT. diff --git a/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md b/windows/deployment/deploy-windows-mdt/refresh-a-windows-10-computer-with-windows-11.md similarity index 53% rename from windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md rename to windows/deployment/deploy-windows-mdt/refresh-a-windows-10-computer-with-windows-11.md index f1aa143648..1ec5026bb1 100644 --- a/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md +++ b/windows/deployment/deploy-windows-mdt/refresh-a-windows-10-computer-with-windows-11.md @@ -1,9 +1,9 @@ --- -title: Refresh a Windows 7 computer with Windows 10 (Windows 10) -description: This topic will show you how to use MDT Lite Touch Installation (LTI) to upgrade a Windows 7 computer to a Windows 10 computer using the computer refresh process. +title: Refresh a Windows 10 computer with Windows 11 (Windows 11) +description: This topic will show you how to use MDT Lite Touch Installation (LTI) to upgrade a Windows 10 computer to a Windows 11 computer using the computer refresh process. ms.assetid: 2866fb3c-4909-4c25-b083-6fc1f7869f6f ms.reviewer: -manager: laurawi +manager: dougeby ms.author: greglin keywords: reinstallation, customize, template, script, restore ms.prod: w10 @@ -16,17 +16,18 @@ author: greg-lindsay ms.topic: article --- -# Refresh a Windows 7 computer with Windows 10 +# Refresh a Windows 10 computer with Windows 11 **Applies to** -- Windows 10 +- Windows 10 +- Windows 11 -This topic will show you how to use MDT Lite Touch Installation (LTI) to upgrade a Windows 7 computer to a Windows 10 computer using the online computer refresh process. The computer refresh scenario is a reinstallation of an updated operating system on the same computer. You can also use this procedure to reinstall the same OS version. In this article, the computer refresh will be done while the computer is online. MDT also supports an offline computer refresh. For more info on that scenario, see the USMTOfflineMigration property on the [MDT resource page](/mem/configmgr/mdt/). +This topic will show you how to use MDT Lite Touch Installation (LTI) to upgrade a Windows 10 computer to a Windows 11 computer using the online computer refresh process. The computer refresh scenario is a reinstallation of an updated operating system on the same computer. You can also use this procedure to reinstall the same OS version. In this article, the computer refresh will be done while the computer is online. MDT also supports an offline computer refresh. For more info on that scenario, see the USMTOfflineMigration property on the [MDT resource page](/mem/configmgr/mdt/). For the purposes of this topic, we will use three computers: DC01, MDT01, and PC0001. - DC01 is a domain controller for the contoso.com domain. - MDT01 is domain member server that hosts your deployment share. -- PC0001 is a domain member computer running a previous version of Windows that is going to be refreshed to a new version of Windows 10, with data and settings restored. The example used here is a computer running Windows 7 SP1. +- PC0001 is a domain member computer running a previous version of Windows that is going to be refreshed to Windows 11, with data and settings restored. The example used here is a computer running Windows 10, version 1909. Both DC01 and MDT01 are running Windows Server 2019; however any supported version of Windows Server can be used. For more details on the setup for this topic, please see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md). @@ -38,7 +39,7 @@ The computers used in this topic. A computer refresh is not the same as an in-place upgrade because a computer refresh involves exporting user data and settings then wiping the device before installing a fresh OS and restoring the user's data and settings. -For a computer refresh with MDT, you use the User State Migration Tool (USMT), which is part of the Windows Assessment and Deployment Kit (ADK) for Windows 10, to migrate user data and settings. To complete a computer refresh you will: +For a computer refresh with MDT, you use the User State Migration Tool (USMT), which is part of the Windows Assessment and Deployment Kit (ADK), to migrate user data and settings. To complete a computer refresh you will: 1. Back up data and settings locally, in a backup folder. 2. Wipe the partition, except for the backup folder. @@ -48,8 +49,8 @@ For a computer refresh with MDT, you use the User State Migration Tool (USMT), w During the computer refresh, USMT uses a feature called Hard-Link Migration Store. When you use this feature, the files are simply linked in the file system, which allows for fast migration, even when there is a lot of data. ->[!NOTE] ->In addition to the USMT backup, you can enable an optional full Windows Imaging (WIM) backup of the machine by configuring the MDT rules. If you do this, a .wim file is created in addition to the USMT backup. The .wim file contains the entire volume from the computer and helpdesk personnel can extract content from it if needed. Please note that this is a data WIM backup only. Using this backup to restore the entire computer is not a supported scenario. +> [!NOTE] +> In addition to the USMT backup, you can enable an optional full Windows Imaging (WIM) backup of the machine by configuring the MDT rules. If you do this, a .wim file is created in addition to the USMT backup. The .wim file contains the entire volume from the computer and helpdesk personnel can extract content from it if needed. Please note that this is a data WIM backup only. Using this backup to restore the entire computer is not a supported scenario. ### Multi-user migration @@ -57,8 +58,8 @@ By default, ScanState in USMT backs up all profiles on the machine, including lo For example, the following line configures USMT to migrate only domain user profiles and not profiles from the local SAM account database: ScanStateArgs=/ue:\*\\\* /ui:CONTOSO\\\* ->[!NOTE] ->You also can combine the preceding switches with the /uel switch, which excludes profiles that have not been accessed within a specific number of days. For example, adding /uel:60 will configure ScanState (or LoadState) not to include profiles that haven't been accessed for more than 60 days. +> [!NOTE] +> You also can combine the preceding switches with the /uel switch, which excludes profiles that have not been accessed within a specific number of days. For example, adding /uel:60 will configure ScanState (or LoadState) not to include profiles that haven't been accessed for more than 60 days. ### Support for additional settings @@ -68,29 +69,32 @@ In addition to the command-line switches that control which profiles to migrate, Multicast is a technology designed to optimize simultaneous deployment to multiple devices. If you have a limited number of simultaneous deployments, you should disable multicast which was [configured in a previous procedure](deploy-a-windows-10-image-using-mdt.md#set-up-mdt-for-multicast) in this guide. Disabling multicast will speed up deployment for a small number of computers. You will need to update the deployment share after changing this setting. -## Refresh a Windows 7 SP1 client +## Refresh a Windows 10 client In these section, we assume that you have already performed the prerequisite procedures in the following topics, so that you have a deployment share named **MDTProduction$** on MDT01: - [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md) -- [Create a Windows 10 reference image](create-a-windows-10-reference-image.md) -- [Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md) +- [Create a Windows 11 reference image](create-a-windows-11-reference-image.md) +- [Deploy a Windows 11 image using MDT](deploy-a-windows-11-image-using-mdt.md) -It is also assumed that you have a domain member client computer named PC0001 in your environment running Windows 7, 8.1 or 10 that is ready for a refresh to the latest version of Windows 10. For demonstration purposes, we will refreshing a Windows 7 SP1 PC to Windows 10, version 1909. +It is also assumed that you have a domain member client computer named PC0001 in your environment running Windows 7, 8.1 or 10 that is ready for a refresh to Windows 11. For demonstration purposes, we will refreshing a Windows 10 PC to Windows 11. + +> [!IMPORTANT] +> The computer refresh process can be used to install Windows 11 on a device that doesn't meet Windows 11 hardware requirements, resulting in an unsupported configuration. Before upgrading to Windows 11, verify that the device meets [Windows 11 hardware requirements](/windows/whats-new/windows-11-requirements). -### Upgrade (refresh) a Windows 7 SP1 client +### Upgrade (refresh) a Windows 10 client ->[!IMPORTANT] ->Domain join details [specified in the deployment share rules](deploy-a-windows-10-image-using-mdt.md#configure-the-rules) will be used to rejoin the computer to the domain during the refresh process. If the Windows 7 client is domain-jonied in a different OU than the one specified by MachineObjectOU, the domain join process will initially fail and then retry without specifying an OU. If the domain account that is specified (ex: **MDT_JD**) has [permissions limited to a specific OU](deploy-a-windows-10-image-using-mdt.md#step-1-configure-active-directory-permissions) then the domain join will ultimately fail, the refresh process will proceed, and the client computer object will be orphaned in Active Directory. In the current guide, computer objects should be located in Contoso > Computers > Workstations. Use the Active Directory Users and Computers console to review the location of computer objects and move them if needed. To diagnose MDT domain join errors, see **ZTIDomainJoin.log** in the C:\Windows\Temp\DeploymentLogs directory on the client computer. +> [!IMPORTANT] +> Domain join details [specified in the deployment share rules](deploy-a-windows-11-image-using-mdt.md#configure-the-rules) will be used to rejoin the computer to the domain during the refresh process. If the Windows 10 client is domain-jonied in a different OU than the one specified by MachineObjectOU, the domain join process will initially fail and then retry without specifying an OU. If the domain account that is specified (ex: **MDT_JD**) has [permissions limited to a specific OU](deploy-a-windows-11-image-using-mdt.md#step-1-configure-active-directory-permissions) then the domain join will ultimately fail, the refresh process will proceed, and the client computer object will be orphaned in Active Directory. In the current guide, computer objects should be located in Contoso > Computers > Workstations. Use the Active Directory Users and Computers console to review the location of computer objects and move them if needed. To diagnose MDT domain join errors, see **ZTIDomainJoin.log** in the C:\Windows\Temp\DeploymentLogs directory on the client computer. 1. On PC0001, sign in as **contoso\\Administrator** and start the Lite Touch Deploy Wizard by opening **\\\\MDT01\\MDTProduction$\\Scripts\\Litetouch.vbs**. 2. Complete the deployment guide using the following settings: - * Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM Custom Image + * Select a task sequence to execute on this computer: Windows 11 Enterprise x64 Custom Image * Computer name: <default> * Specify where to save a complete computer backup: Do not back up the existing computer - >[!NOTE] - >Skip this optional full WIM backup that we are choosing not to perform. The USMT backup will still run. + > [!NOTE] + > Skip this optional full WIM backup that we are choosing not to perform. The USMT backup will still run. * Select one or more applications to install: Install - Adobe Reader ![Computer refresh.](../images/fig2-taskseq.png "Start the computer refresh") @@ -98,23 +102,23 @@ It is also assumed that you have a domain member client computer named PC0001 in 4. Setup starts and does the following: * Backs up user settings and data using USMT. - * Installs the Windows 10 Enterprise x64 operating system. + * Installs the Windows 11 Enterprise x64 operating system. * Installs any added applications. - * Updates the operating system using your local Windows Server Update Services (WSUS) server. + * Updates the operating system using your local Windows Server Update Services (WSUS) server (if applicable). * Restores user settings and data using USMT. 5. You can monitor progress of the deployment using the deployment workbench on MDT01. See the following example: ![monitor deployment.](../images/monitor-pc0001.png) -6. After the refresh process completes, sign in to the Windows 10 computer and verify that user accounts, data and settings were migrated. +6. After the refresh process completes, sign in to the Windows 11 computer and verify that user accounts, data and settings were migrated. ## Related topics [Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
      [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md)
      -[Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
      -[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
      -[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
      -[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
      +[Create a Windows 11 reference image](create-a-windows-11-reference-image.md)
      +[Deploy a Windows 11 image using MDT](deploy-a-windows-11-image-using-mdt.md)
      +[Build a distributed environment for Windows 11 deployment](build-a-distributed-environment-for-windows-deployment.md)
      +[Replace a Windows 10 computer with a Windows 11 computer](replace-a-windows-10-computer-with-a-windows-11-computer.md)
      [Configure MDT settings](configure-mdt-settings.md) \ No newline at end of file diff --git a/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md b/windows/deployment/deploy-windows-mdt/replace-a-windows-10-computer-with-a-windows-11-computer.md similarity index 87% rename from windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md rename to windows/deployment/deploy-windows-mdt/replace-a-windows-10-computer-with-a-windows-11-computer.md index fb7cfe97e1..951872540b 100644 --- a/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md +++ b/windows/deployment/deploy-windows-mdt/replace-a-windows-10-computer-with-a-windows-11-computer.md @@ -1,13 +1,13 @@ --- -title: Replace a Windows 7 computer with a Windows 10 computer (Windows 10) -description: In this article, you will learn how to replace a Windows 7 device with a Windows 10 device. +title: Replace a Windows 10 computer with a Windows 11 computer (Windows 11) +description: In this article, you will learn how to replace a Windows 10 device with a Windows 11 device. ms.custom: seo-marvel-apr2020 ms.assetid: acf091c9-f8f4-4131-9845-625691c09a2a ms.reviewer: -manager: laurawi +manager: dougeby ms.author: greglin keywords: deploy, deployment, replace -ms.prod: w10 +ms.prod: w11 ms.mktglfcycl: deploy ms.localizationpriority: medium ms.sitesec: library @@ -17,18 +17,19 @@ author: greg-lindsay ms.topic: article --- -# Replace a Windows 7 computer with a Windows 10 computer +# Replace a Windows 10 computer with a Windows 11 computer **Applies to** -- Windows 10 +- Windows 10 +- Windows 11 -A computer replace scenario for Windows 10 is quite similar to a computer refresh for Windows 10. However, because you are replacing a device, you cannot store the backup on the old computer. Instead you need to store the backup to a location where the new computer can read it. The User State Migration Tool (USMT) will be used to back up and restore data and settings. +A computer replace scenario for Windows 11 is quite similar to a computer refresh for Windows 11. However, because you are replacing a device, you cannot store the backup on the old computer. Instead you need to store the backup to a location where the new computer can read it. The User State Migration Tool (USMT) will be used to back up and restore data and settings. For the purposes of this topic, we will use four computers: DC01, MDT01, PC0002, and PC0007. - DC01 is a domain controller for the contoso.com domain. - MDT01 is domain member server that hosts your deployment share. -- PC0002 is an old computer running Windows 7 SP1 that will be replaced by PC0007. -- PC0007 is a new computer will have the Windows 10 OS installed prior to data from PC0002 being migrated. Both PC0002 and PC0007 are members of the contoso.com domain. +- PC0002 is an old computer running Windows 10 that will be replaced by PC0007. +- PC0007 is a new computer will have the Windows 11 OS installed prior to data from PC0002 being migrated. Both PC0002 and PC0007 are members of the contoso.com domain. For more details on the setup for this topic, please see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md). @@ -96,8 +97,8 @@ On **PC0002**: * Specify where to save your data and settings: Specify a location * Location: \\\\MDT01\\MigData$\\PC0002 - >[!NOTE] - >If you are replacing the computer at a remote site you should create the MigData folder on MDT02 and use that share instead. + > [!NOTE] + > If you are replacing the computer at a remote site you should create the MigData folder on MDT02 and use that share instead. 2. Specify where to save a complete computer backup: Do not back up the existing computer @@ -155,11 +156,12 @@ You can view progress of the process by clicking the Monitoring node in the Depl ![Monitor progress.](../images/mdt-replace.png) + ## Related topics [Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
      -[Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
      -[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
      -[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
      -[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
      +[Create a Windows 11 reference image](create-a-windows-11-reference-image.md)
      +[Deploy a Windows 11 image using MDT](deploy-a-windows-11-image-using-mdt.md)
      +[Build a distributed environment for Windows 11 deployment](build-a-distributed-environment-for-windows-deployment.md)
      +[Refresh a Windows 10 computer with Windows 11](refresh-a-windows-10-computer-with-windows-11.md)
      [Configure MDT settings](configure-mdt-settings.md) diff --git a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md index 8d2743cfa3..481df59b4a 100644 --- a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md +++ b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md @@ -2,7 +2,7 @@ title: Set up MDT for BitLocker (Windows 10) ms.assetid: 386e6713-5c20-4d2a-a220-a38d94671a38 ms.reviewer: -manager: laurawi +manager: dougeby ms.author: greglin description: Learn how to configure your environment for BitLocker, the disk volume encryption built into Windows 10 Enterprise and Windows 10 Pro, using MDT. keywords: disk, encryption, TPM, configure, secure, script @@ -19,6 +19,10 @@ ms.custom: seo-marvel-mar2020 # Set up MDT for BitLocker +**Applies to** +- Windows 10 +- Windows 11 + This topic will show you how to configure your environment for BitLocker, the disk volume encryption built into Windows 10 Enterprise and Windows 10 Pro, using MDT. BitLocker in Windows 10 has two requirements in regard to an operating system deployment: - A protector, which can either be stored in the Trusted Platform Module (TPM) chip, or stored as a password. Technically, you can also use a USB stick to store the protector, but it's not a practical approach as the USB stick can be lost or stolen. We, therefore, recommend that you instead use a TPM chip and/or a password. diff --git a/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md b/windows/deployment/deploy-windows-mdt/simulate-a-windows-11-deployment-in-a-test-environment.md similarity index 74% rename from windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md rename to windows/deployment/deploy-windows-mdt/simulate-a-windows-11-deployment-in-a-test-environment.md index 4ec7b22c9d..877add3082 100644 --- a/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md +++ b/windows/deployment/deploy-windows-mdt/simulate-a-windows-11-deployment-in-a-test-environment.md @@ -1,12 +1,12 @@ --- -title: Simulate a Windows 10 deployment in a test environment (Windows 10) -description: This topic will walk you through the process of creating a simulated environment on which to test your Windows 10 deployment using MDT. +title: Simulate a Windows 11 deployment in a test environment (Windows 11) +description: This topic will walk you through the process of creating a simulated environment on which to test your Windows 11 deployment using MDT. ms.assetid: 2de86c55-ced9-4078-b280-35e0329aea9c ms.reviewer: -manager: laurawi +manager: dougeby ms.author: greglin keywords: deploy, script -ms.prod: w10 +ms.prod: w11 ms.mktglfcycl: deploy ms.localizationpriority: medium ms.sitesec: library @@ -16,7 +16,11 @@ author: greg-lindsay ms.topic: article --- -# Simulate a Windows 10 deployment in a test environment +# Simulate a Windows 11 deployment in a test environment + +**Applies to** +- Windows 10 +- Windows 11 This topic will walk you through the process of creating a simulated environment on which to test your Windows 10 deployment using MDT. When working with advanced settings and rules, especially those like database calls, it is most efficient to be able to test the settings without having to run through a complete deployment. Luckily, MDT enables you to perform a simulated deployment by running the Gather process by itself. The simulation works best when you are using a domain-joined client. @@ -25,15 +29,34 @@ This topic will walk you through the process of creating a simulated environment - A Windows 10 client named **PC0001** will be used to simulate deployment. The client is joined to the contoso.com domain and has access to the Internet to required download tools and scripts. - It is assumed that you have performed (at least) the following procedures so that you have an MDT service account and an MDT production deployment share: - [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md) - - [Create a Windows 10 reference image](create-a-windows-10-reference-image.md) - - [Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md) + - [Create a Windows 11 reference image](create-a-windows-11-reference-image.md) + - [Deploy a Windows 11 image using MDT](deploy-a-windows-11-image-using-mdt.md) ## Simulate deployment On **PC0001**: 1. Sign as **contoso\\Administrator**. -2. Download the [sample Gather.ps1 script](/samples/browse/?redirectedfrom=TechNet-Gallery) from the TechNet gallery and copy it to a directory named **C:\MDT** on PC0001. +2. Copy the following to a PowerShell script named gather.ps1 and copy it to a directory named **C:\MDT** on PC0001. + +``` +# Check for elevation +If (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole(` + [Security.Principal.WindowsBuiltInRole] "Administrator")) +{ + Write-Warning "Oupps, you need to run this script from an elevated PowerShell prompt!`nPlease start the PowerShell prompt as an Administrator and re-run the script." + Write-Warning "Aborting script..." + Break +} + +cls +if (Test-Path -Path "C:\MININT") {Write-Host "C:\MININT exists, deleting...";Remove-Item C:\MININT -Recurse} +cscript.exe ZTIGather.wsf /debug:true + +# Optional, comment out if you want the script to open the log in CMTrace +& "C:\MDT\CMTrace" C:\MININT\SMSOSD\OSDLOGS\ZTIGather.log +``` + 3. Download and install the free [Microsoft System Center 2012 R2 Configuration Manager Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=734717) on PC0001 so that you have access to the Configuration Manager Trace (cmtrace.exe) tool. 4. Using Local Users and Groups (lusrmgr.msc), add the **contoso\\MDT\_BA** user account to the local **Administrators** group. 5. Sign off, and then sign on to PC0001 as **contoso\\MDT\_BA**. diff --git a/windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md b/windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md deleted file mode 100644 index 41cd6d8006..0000000000 --- a/windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md +++ /dev/null @@ -1,114 +0,0 @@ ---- -title: Perform an in-place upgrade to Windows 10 with MDT (Windows 10) -description: The simplest path to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. -ms.assetid: B8993151-3C1E-4F22-93F4-2C5F2771A460 -ms.reviewer: -manager: laurawi -ms.author: greglin -keywords: upgrade, update, task sequence, deploy -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: mdt -audience: itpro -author: greg-lindsay -ms.topic: article ---- - -# Perform an in-place upgrade to Windows 10 with MDT - -**Applies to** -- Windows 10 - -The simplest path to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. - ->[!TIP] ->In-place upgrade is the preferred method to use when migrating from Windows 10 to a later release of Windows 10, and is also a preferred method for upgrading from Windows 7 or 8.1 if you do not plan to significantly change the device's configuration or applications. MDT includes an in-place upgrade task sequence template that makes the process really simple. - -In-place upgrade differs from [computer refresh](refresh-a-windows-7-computer-with-windows-10.md) in that you cannot use a custom image to perform the in-place upgrade. In this article we will add a default Windows 10 image to the production deployment share specifically to perform an in-place upgrade. - -Three computers are used in this topic: DC01, MDT01, and PC0002. - -- DC01 is a domain controller for the contoso.com domain -- MDT01 is a domain member server -- PC0002 is a domain member computer running Windows 7 SP1, targeted for the Windows 10 upgrade - - ![computers.](../images/mdt-upgrade.png) - - The computers used in this topic. - ->[!NOTE] ->For details about the setup for the procedures in this article, please see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md). - ->If you have already completed all the steps in [Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md), then you already have a production deployment share and you can skip to [Add Windows 10 Enterprise x64 (full source)](#add-windows-10-enterprise-x64-full-source). - -## Create the MDT production deployment share - -On **MDT01**: - -1. Ensure you are signed on as: contoso\administrator. -2. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**. -3. On the **Path** page, in the **Deployment share path** text box, type **D:\\MDTProduction** and click **Next**. -4. On the **Share** page, in the **Share name** text box, type **MDTProduction$** and click **Next**. -5. On the **Descriptive Name** page, in the **Deployment share description** text box, type **MDT Production** and click **Next**. -6. On the **Options** page, accept the default settings and click **Next** twice, and then click **Finish**. -7. Using File Explorer, verify that you can access the **\\\\MDT01\\MDTProduction$** share. - -## Add Windows 10 Enterprise x64 (full source) - ->If you have already have a Windows 10 [reference image](create-a-windows-10-reference-image.md) in the **MDT Build Lab** deployment share, you can use the deployment workbench to copy and paste this image from the MDT Build Lab share to the MDT Production share and skip the steps in this section. - -On **MDT01**: - -1. Sign in as contoso\\administrator and copy the content of a Windows 10 Enterprise x64 DVD/ISO to the **D:\\Downloads\\Windows 10 Enterprise x64** folder on MDT01, or just insert the DVD or mount an ISO on MDT01. -2. Using the Deployment Workbench, expand the **Deployment Shares** node, and then expand **MDT Production**. -3. Right-click the **Operating Systems** node, and create a new folder named **Windows 10**. -4. Expand the **Operating Systems** node, right-click the **Windows 10** folder, and select **Import Operating System**. Use the following settings for the Import Operating System Wizard: - - Full set of source files - - Source directory: (location of your source files) - - Destination directory name: W10EX64RTM -5. After adding the operating system, in the **Operating Systems / Windows 10** folder, double-click it and change the name to: **Windows 10 Enterprise x64 RTM Default Image**. - -## Create a task sequence to upgrade to Windows 10 Enterprise - -On **MDT01**: - -1. Using the Deployment Workbench, select **Task Sequences** in the **MDT Production** node, and create a folder named **Windows 10**. -2. Right-click the new **Windows 10** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: - - Task sequence ID: W10-X64-UPG - - Task sequence name: Windows 10 Enterprise x64 RTM Upgrade - - Template: Standard Client Upgrade Task Sequence - - Select OS: Windows 10 Enterprise x64 RTM Default Image - - Specify Product Key: Do not specify a product key at this time - - Organization: Contoso - - Admin Password: Do not specify an Administrator password at this time - -## Perform the Windows 10 upgrade - -To initiate the in-place upgrade, perform the following steps on PC0002 (the device to be upgraded). - -On **PC0002**: - -1. Start the MDT deployment wizard by running the following command: **\\\\MDT01\\MDTProduction$\\Scripts\\LiteTouch.vbs** -2. Select the **Windows 10 Enterprise x64 RTM Upgrade** task sequence, and then click **Next**. -3. Select one or more applications to install (will appear if you use custom image): Install - Adobe Reader -4. On the **Ready** tab, click **Begin** to start the task sequence. - When the task sequence begins, it automatically initiates the in-place upgrade process by invoking the Windows setup program (Setup.exe) with the necessary command-line parameters to perform an automated upgrade, which preserves all data, settings, apps, and drivers. - -![upgrade1.](../images/upgrademdt-fig5-winupgrade.png) - -
      - -![upgrade2.](../images/mdt-upgrade-proc.png) - -
      - -![upgrade3.](../images/mdt-post-upg.png) - -After the task sequence completes, the computer will be fully upgraded to Windows 10. - -## Related topics - -[Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md)
      -[Microsoft Deployment Toolkit downloads and resources](/mem/configmgr/mdt/) \ No newline at end of file diff --git a/windows/deployment/deploy-windows-mdt/upgrade-to-windows-11-with-the-microsoft-deployment-toolkit.md b/windows/deployment/deploy-windows-mdt/upgrade-to-windows-11-with-the-microsoft-deployment-toolkit.md new file mode 100644 index 0000000000..ccbb15d9c5 --- /dev/null +++ b/windows/deployment/deploy-windows-mdt/upgrade-to-windows-11-with-the-microsoft-deployment-toolkit.md @@ -0,0 +1,134 @@ +--- +title: Perform an in-place upgrade to Windows 11 with MDT (Windows 11) +description: The simplest path to upgrade PCs that are currently running an earlier version of Windows client to Windows 11 is through an in-place upgrade. +ms.assetid: B8993151-3C1E-4F22-93F4-2C5F2771A460 +ms.reviewer: +manager: dougeby +ms.author: greglin +keywords: upgrade, update, task sequence, deploy +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +ms.pagetype: mdt +audience: itpro +author: greg-lindsay +ms.topic: article +--- + +# Perform an in-place upgrade to Windows 11 with MDT + +**Applies to** +- Windows 10 +- Windows 11 + +The simplest path to upgrade PCs that are currently running an earlier version of Windows client to Windows 11 is through an in-place upgrade. + +> [!TIP] +> In-place upgrade is the preferred method to use when migrating to a newer version of the same OS, or upgrading to a new OS. This is especially true when you do not plan to significantly change the device's configuration or applications. MDT includes an in-place upgrade task sequence template that makes the process really simple. + +In-place upgrade differs from [computer refresh](refresh-a-windows-10-computer-with-windows-11.md) in that you cannot use a custom image to perform the in-place upgrade. In this article we will add a default Windows 11 image to the production deployment share specifically to perform an in-place upgrade. + +> [!IMPORTANT] +> Windows 11 setup will block the upgrade process on devices that do not meet [Windows 11 hardware requirements](/windows/whats-new/windows-11-requirements). Be sure to verify that your device meets these requirements before attempting to upgrade to Windows 11. + +Three computers are used in this topic: DC01, MDT01, and PC0002. + +- DC01 is a domain controller for the contoso.com domain +- MDT01 is a domain member server +- PC0002 is a domain member computer running Windows 10, targeted for the Windows 11 upgrade + + ![computers.](../images/mdt-upgrade.png) + + The computers used in this topic. + +> [!NOTE] +> For details about the setup for the procedures in this article, please see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md). + +> If you have already completed all the steps in [Deploy a Windows 11 image using MDT](deploy-a-windows-11-image-using-mdt.md), then you already have a production deployment share and you can skip to [Add Windows 11 Enterprise x64 (full source)](#add-windows-11-enterprise-x64-full-source). + +## Create the MDT production deployment share + +On **MDT01**: + +1. Ensure you are signed on as: contoso\administrator. +2. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**. +3. On the **Path** page, in the **Deployment share path** text box, type **D:\\MDTProduction** and click **Next**. +4. On the **Share** page, in the **Share name** text box, type **MDTProduction$** and click **Next**. +5. On the **Descriptive Name** page, in the **Deployment share description** text box, type **MDT Production** and click **Next**. +6. On the **Options** page, accept the default settings and click **Next** twice, and then click **Finish**. +7. Using File Explorer, verify that you can access the **\\\\MDT01\\MDTProduction$** share. + +## Add Windows 11 Enterprise x64 (full source) + +> If you have already have a Windows 11 [reference image](create-a-windows-11-reference-image.md) in the **MDT Build Lab** deployment share, you can use the deployment workbench to copy and paste this image from the MDT Build Lab share to the MDT Production share and skip the steps in this section. + + ![copy reference image.](../images/mdt-copy-image.png) + + Copying the reference image to the production deployment share + + If you copy the reference image using the above process, you should verify that all the files on MDT01 in **D:\\MDTBuildLab\\Operating Systems\\W11EX64** were successfully copied to **D:\\MDTProduction\\Operating Systems\\W11EX64** and then skip to [Create a task sequence to upgrade to Windows 11 Enterprise](#create-a-task-sequence-to-upgrade-to-windows11-enterprise). + +On **MDT01**: + +1. Sign in as contoso\\administrator and copy the content of a Windows 11 Enterprise x64 DVD/ISO to the **D:\\Downloads\\Windows 11 Enterprise x64** folder on MDT01, or just insert the DVD or mount an ISO on MDT01. +2. Using the Deployment Workbench, expand the **Deployment Shares** node, and then expand **MDT Production**. +3. Right-click the **Operating Systems** node, and create a new folder named **Windows 11**. +4. Expand the **Operating Systems** node, right-click the **Windows 11** folder, and select **Import Operating System**. Use the following settings for the Import Operating System Wizard: + - Full set of source files + - Source directory: (location of your source files) + - Destination directory name: W11EX64 +5. After adding the operating system, in the **Operating Systems / Windows 11** folder, double-click it and change the name to: **Windows 11 Enterprise x64 Default Image**. + +## Create a task sequence to upgrade to Windows 11 Enterprise + +On **MDT01**: + +1. Using the Deployment Workbench, select **Task Sequences** in the **MDT Production** node, and create a folder named **Windows 11**. +2. Right-click the new **Windows 11** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: + - Task sequence ID: W11-X64-UPG + - Task sequence name: Windows 11 Enterprise x64 Upgrade + - Template: Standard Client Upgrade Task Sequence + - Select OS: Windows 11 Enterprise x64 Default Image + - Specify Product Key: Do not specify a product key at this time + - Organization: Contoso + - Admin Password: Do not specify an Administrator password at this time + +### Specify additional command line options + +Before running the upgrade task sequence, an additional step is required if you are upgrading to Windows 11. This step is not necessary if you are upgrading to Windows 10. + +The **/EULA accept** command line option is required starting with Windows 11. For more information, see [Windows Setup command-line options](/windows-hardware/manufacture/desktop/windows-setup-command-line-options#eula). To add this command line option: + +1. In the Windows 11 Enterprise x64 Upgrade task sequence that you just created, in the Preparation section, click **Add** > **General** > **Set Task Sequence Variable** and provide the following values: + - Name: WindowsUpgradeAdditionalOptions + - Task Sequence Variable: WindowsUpgradeAdditionalOptions + - Value: /EULA accept +2. Make the Set Task Sequence Variable step the first step in the Preparation phase by moving it up above the other steps. See the following example: + +![Specify EULA](../images/windowsupgradeadditionaloptions.png) + +Using the WindowsUpgradeAdditionalOptions variable to set command line options. + +## Perform the Windows 11 upgrade + +To initiate the in-place upgrade, perform the following steps on PC0002 (the device to be upgraded). + +On **PC0002**: + +1. Start the MDT deployment wizard by running the following command: **\\\\MDT01\\MDTProduction$\\Scripts\\LiteTouch.vbs** +2. Select the **Windows 11 Enterprise x64 Upgrade** task sequence, and then click **Next**. +3. Select one or more applications to install (will appear if you use custom image): Install - Adobe Reader +4. On the **Ready** tab, click **Begin** to start the task sequence. + When the task sequence begins, it automatically initiates the in-place upgrade process by invoking the Windows setup program (Setup.exe) with the necessary command-line parameters to perform an automated upgrade, which preserves all data, settings, apps, and drivers. + +![upgrade1.](../images/upgrademdt-fig5-winupgrade.png) + +
      + +After the task sequence completes, the computer will be fully upgraded to Windows 11. + +## Related topics + +[Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md)
      +[Microsoft Deployment Toolkit downloads and resources](/mem/configmgr/mdt/) \ No newline at end of file diff --git a/windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md b/windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md index 48516703b7..1a2a665f6a 100644 --- a/windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md +++ b/windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md @@ -1,9 +1,9 @@ --- -title: Use Orchestrator runbooks with MDT (Windows 10) +title: Use Orchestrator runbooks with MDT (Windows 11) description: Learn how to integrate Microsoft System Center 2012 R2 Orchestrator with MDT to replace the existing web services that are used in deployment solutions. ms.assetid: 68302780-1f6f-4a9c-9407-b14371fdce3f ms.reviewer: -manager: laurawi +manager: dougeby ms.author: greglin keywords: web services, database ms.prod: w10 @@ -18,6 +18,10 @@ ms.topic: article # Use Orchestrator runbooks with MDT +**Applies to** +- Windows 10 +- Windows 11 + This topic will show you how to integrate Microsoft System Center 2012 R2 Orchestrator with MDT to replace the existing web services that are used in deployment solutions. MDT can integrate with System Center 2012 R2 Orchestrator, which is a component that ties the Microsoft System Center products together, as well as other products from both Microsoft and third-party vendors. The difference between using Orchestrator and "normal" web services, is that with Orchestrator you have a rich drag-and-drop style interface when building the solution, and little or no coding is required. diff --git a/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md b/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-deployment-information.md similarity index 96% rename from windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md rename to windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-deployment-information.md index 3c191c4712..85da7682da 100644 --- a/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md +++ b/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-deployment-information.md @@ -1,9 +1,9 @@ --- -title: Use MDT database to stage Windows 10 deployment info (Windows 10) -description: Learn how to use the MDT database to pre-stage information on your Windows 10 deployment in a Microsoft SQL Server 2012 SP1 Express database. +title: Use MDT database to stage Windows 11 deployment info (Windows 11) +description: Learn how to use the MDT database to pre-stage information on your Windows 11 deployment in a Microsoft SQL Server 2012 SP1 Express database. ms.assetid: 8956ab54-90ba-45d3-a384-4fdec72c4d46 ms.reviewer: -manager: laurawi +manager: dougeby ms.author: greglin ms.pagetype: mdt keywords: database, permissions, settings, configure, deploy @@ -18,6 +18,10 @@ ms.topic: article # Use the MDT database to stage Windows 10 deployment information +**Applies to** +- Windows 10 +- Windows 11 + This topic is designed to teach you how to use the MDT database to pre-stage information on your Windows 10 deployment in a Microsoft SQL Server 2012 SP1 Express database, rather than include the information in a text file (CustomSettings.ini). You can use this process, for example, to add the client machines you want to deploy, specify their computer names and IP addresses, indicate applications to be deployed, and determine many additional settings for the machines. ## Database prerequisites diff --git a/windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md b/windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md index 68336c929b..f9c72cfd2c 100644 --- a/windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md +++ b/windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md @@ -1,12 +1,12 @@ --- -title: Use web services in MDT (Windows 10) -description: Learn how to create a simple web service that generates computer names and then configure MDT to use that service during your Windows 10 deployment. +title: Use web services in MDT (Windows 11) +description: Learn how to create a simple web service that generates computer names and then configure MDT to use that service during your Windows 11 deployment. ms.assetid: 8f47535e-0551-4ccb-8f02-bb97539c6522 ms.reviewer: -manager: laurawi +manager: dougeby ms.author: greglin keywords: deploy, web apps -ms.prod: w10 +ms.prod: w11 ms.mktglfcycl: deploy ms.localizationpriority: medium ms.pagetype: mdt @@ -18,6 +18,10 @@ ms.topic: article # Use web services in MDT +**Applies to** +- Windows 10 +- Windows 11 + In this topic, you will learn how to create a simple web service that generates computer names and then configure MDT to use that service during your Windows 10 deployment. Web services provide a powerful way to assign settings during a deployment. Simply put, web services are web applications that run code on the server side, and MDT has built-in functions to call these web services. Using a web service in MDT is straightforward, but it does require that you have enabled the Web Server (IIS) role on the server. Developing web services involves a little bit of coding, but for most web services used with MDT, you can use the free Microsoft Visual Studio Express 2013 for Web. diff --git a/windows/deployment/images/acroread.png b/windows/deployment/images/acroread.png index 142e7b6d74..13bc5c84e1 100644 Binary files a/windows/deployment/images/acroread.png and b/windows/deployment/images/acroread.png differ diff --git a/windows/deployment/images/captureimage.png b/windows/deployment/images/captureimage.png index e9ebbf3aad..9cccb88a1f 100644 Binary files a/windows/deployment/images/captureimage.png and b/windows/deployment/images/captureimage.png differ diff --git a/windows/deployment/images/deployment-workbench01.png b/windows/deployment/images/deployment-workbench01.png index c68ee25db1..34a03a5e1d 100644 Binary files a/windows/deployment/images/deployment-workbench01.png and b/windows/deployment/images/deployment-workbench01.png differ diff --git a/windows/deployment/images/fig2-importedos.png b/windows/deployment/images/fig2-importedos.png index 90cf910c24..8aa48d1b25 100644 Binary files a/windows/deployment/images/fig2-importedos.png and b/windows/deployment/images/fig2-importedos.png differ diff --git a/windows/deployment/images/fig2-taskseq.png b/windows/deployment/images/fig2-taskseq.png index bdd81ddbde..d3deca7024 100644 Binary files a/windows/deployment/images/fig2-taskseq.png and b/windows/deployment/images/fig2-taskseq.png differ diff --git a/windows/deployment/images/fig4-oob-drivers.png b/windows/deployment/images/fig4-oob-drivers.png index 14d93fb278..11eb769926 100644 Binary files a/windows/deployment/images/fig4-oob-drivers.png and b/windows/deployment/images/fig4-oob-drivers.png differ diff --git a/windows/deployment/images/fig5-selectprofile.png b/windows/deployment/images/fig5-selectprofile.png index 452ab4f581..61c795dcee 100644 Binary files a/windows/deployment/images/fig5-selectprofile.png and b/windows/deployment/images/fig5-selectprofile.png differ diff --git a/windows/deployment/images/fig6-taskseq.png b/windows/deployment/images/fig6-taskseq.png index 8696cc04c4..d77e99d70d 100644 Binary files a/windows/deployment/images/fig6-taskseq.png and b/windows/deployment/images/fig6-taskseq.png differ diff --git a/windows/deployment/images/fig8-cust-tasks.png b/windows/deployment/images/fig8-cust-tasks.png index 3ab40d730a..5a0c7c2ac7 100644 Binary files a/windows/deployment/images/fig8-cust-tasks.png and b/windows/deployment/images/fig8-cust-tasks.png differ diff --git a/windows/deployment/images/image-captured.png b/windows/deployment/images/image-captured.png index 69c5d5ef15..281e8ea0ff 100644 Binary files a/windows/deployment/images/image-captured.png and b/windows/deployment/images/image-captured.png differ diff --git a/windows/deployment/images/iso-data.png b/windows/deployment/images/iso-data.png index f188046b7f..27075a9502 100644 Binary files a/windows/deployment/images/iso-data.png and b/windows/deployment/images/iso-data.png differ diff --git a/windows/deployment/images/mdt-03-fig03.png b/windows/deployment/images/mdt-03-fig03.png index a387923d80..7e128451d6 100644 Binary files a/windows/deployment/images/mdt-03-fig03.png and b/windows/deployment/images/mdt-03-fig03.png differ diff --git a/windows/deployment/images/mdt-03-fig04.png b/windows/deployment/images/mdt-03-fig04.png index 437531d2f6..9ac1267b22 100644 Binary files a/windows/deployment/images/mdt-03-fig04.png and b/windows/deployment/images/mdt-03-fig04.png differ diff --git a/windows/deployment/images/mdt-07-fig10.png b/windows/deployment/images/mdt-07-fig10.png index 2c61e0eb3d..23037de07d 100644 Binary files a/windows/deployment/images/mdt-07-fig10.png and b/windows/deployment/images/mdt-07-fig10.png differ diff --git a/windows/deployment/images/mdt-10-fig05.png b/windows/deployment/images/mdt-10-fig05.png index 8625f2972b..94ce5cd310 100644 Binary files a/windows/deployment/images/mdt-10-fig05.png and b/windows/deployment/images/mdt-10-fig05.png differ diff --git a/windows/deployment/images/mdt-10-fig09.png b/windows/deployment/images/mdt-10-fig09.png index bb5010a93d..77b8960921 100644 Binary files a/windows/deployment/images/mdt-10-fig09.png and b/windows/deployment/images/mdt-10-fig09.png differ diff --git a/windows/deployment/images/mdt-apps.png b/windows/deployment/images/mdt-apps.png index 72ee2268f2..73587506af 100644 Binary files a/windows/deployment/images/mdt-apps.png and b/windows/deployment/images/mdt-apps.png differ diff --git a/windows/deployment/images/mdt-copy-image.png b/windows/deployment/images/mdt-copy-image.png new file mode 100644 index 0000000000..a5d172def8 Binary files /dev/null and b/windows/deployment/images/mdt-copy-image.png differ diff --git a/windows/deployment/images/mdt-offline-media.png b/windows/deployment/images/mdt-offline-media.png index d81ea4e0d8..d31ad0f27d 100644 Binary files a/windows/deployment/images/mdt-offline-media.png and b/windows/deployment/images/mdt-offline-media.png differ diff --git a/windows/deployment/images/mdt-replace.png b/windows/deployment/images/mdt-replace.png index d731037d38..950ec3d6f7 100644 Binary files a/windows/deployment/images/mdt-replace.png and b/windows/deployment/images/mdt-replace.png differ diff --git a/windows/deployment/images/monitor-pc0001.PNG b/windows/deployment/images/monitor-pc0001.PNG index 072b9cb58c..10708e3f71 100644 Binary files a/windows/deployment/images/monitor-pc0001.PNG and b/windows/deployment/images/monitor-pc0001.PNG differ diff --git a/windows/deployment/images/pc0005-vm-office.png b/windows/deployment/images/pc0005-vm-office.png index bb8e96f5af..d572ae77e9 100644 Binary files a/windows/deployment/images/pc0005-vm-office.png and b/windows/deployment/images/pc0005-vm-office.png differ diff --git a/windows/deployment/images/pc0005-vm.png b/windows/deployment/images/pc0005-vm.png index 4b2af635c4..9d4c46dfac 100644 Binary files a/windows/deployment/images/pc0005-vm.png and b/windows/deployment/images/pc0005-vm.png differ diff --git a/windows/deployment/images/upgrademdt-fig5-winupgrade.png b/windows/deployment/images/upgrademdt-fig5-winupgrade.png index f3bc05508a..f346380b98 100644 Binary files a/windows/deployment/images/upgrademdt-fig5-winupgrade.png and b/windows/deployment/images/upgrademdt-fig5-winupgrade.png differ diff --git a/windows/deployment/images/windowsupgradeadditionaloptions.png b/windows/deployment/images/windowsupgradeadditionaloptions.png new file mode 100644 index 0000000000..4fcdb1dd70 Binary files /dev/null and b/windows/deployment/images/windowsupgradeadditionaloptions.png differ diff --git a/windows/deployment/planning/features-lifecycle.md b/windows/deployment/planning/features-lifecycle.md index 6aa1667383..ee30d55e62 100644 --- a/windows/deployment/planning/features-lifecycle.md +++ b/windows/deployment/planning/features-lifecycle.md @@ -12,7 +12,7 @@ ms.author: greglin ms.topic: article ms.custom: seo-marvel-apr2020 --- -# Windows 10 features lifecycle +# Windows client features lifecycle Applies to: - Windows 10 @@ -20,6 +20,10 @@ Applies to: Each release of Windows 10 and Windows 11 contains many new and improved features. Occasionally we also remove features and functionality, usually because there is a better option. +## Windows 11 features + +For information about features that are impacted when you upgrade from Windows 10 to Windows 11, see [Feature deprecations and removals](https://www.microsoft.com/windows/windows-11-specifications#table3). + ## Features no longer being developed The following topic lists features that are no longer being developed. These features might be removed in a future release. diff --git a/windows/deployment/planning/index.md b/windows/deployment/planning/index.md index 9581461533..3452a3fd88 100644 --- a/windows/deployment/planning/index.md +++ b/windows/deployment/planning/index.md @@ -30,6 +30,6 @@ Windows 10 provides new deployment capabilities, scenarios, and tools by buildi - [Deploy Windows 10 with MDT](../deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md) - [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](../deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) - [Upgrade to Windows 10 with MDT](../deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) -- [Upgrade to Windows 10 with Configuration Manager](../deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager.md) +- [Upgrade to Windows 10 with Configuration Manager](../deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md) - [Windows Imaging and Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd)   \ No newline at end of file diff --git a/windows/deployment/planning/windows-10-deprecated-features.md b/windows/deployment/planning/windows-10-deprecated-features.md index c23e505800..749e56b321 100644 --- a/windows/deployment/planning/windows-10-deprecated-features.md +++ b/windows/deployment/planning/windows-10-deprecated-features.md @@ -17,6 +17,8 @@ ms.topic: article Each version of Windows 10 adds new features and functionality; occasionally we also remove features and functionality, often because we've added a better option. Below are the details about the features and functionalities that are no longer being developed in Windows 10. For information about features that have been removed, see [Features we removed](windows-10-removed-features.md). +For information about features in Windows 11, see [Feature deprecations and removals](https://www.microsoft.com/windows/windows-11-specifications#table3). + The features described below are no longer being actively developed, and might be removed in a future update. Some features have been replaced with other features or functionality and some are now available from other sources. **The following list is subject to change and might not include every affected feature or functionality.** diff --git a/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml b/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml index b832a4fcdd..8ca699331f 100644 --- a/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml +++ b/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml @@ -79,7 +79,7 @@ sections: - question: | Can I upgrade computers from Windows 7 or Windows 8.1 without deploying a new image? answer: | - Computers running Windows 7 or Windows 8.1 can be upgraded directly to Windows 10 through the in-place upgrade process without a need to reimage the device using MDT and/or Configuration Manager. For more information, see [Upgrade to Windows 10 with Microsoft Endpoint Configuration Manager](../deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager.md) or [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md). + Computers running Windows 7 or Windows 8.1 can be upgraded directly to Windows 10 through the in-place upgrade process without a need to reimage the device using MDT and/or Configuration Manager. For more information, see [Upgrade to Windows 10 with Microsoft Endpoint Configuration Manager](../deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md) or [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md). - question: | Can I upgrade from Windows 7 Enterprise or Windows 8.1 Enterprise to Windows 10 Enterprise for free? diff --git a/windows/deployment/planning/windows-10-removed-features.md b/windows/deployment/planning/windows-10-removed-features.md index 2725d29de0..b842f08ba3 100644 --- a/windows/deployment/planning/windows-10-removed-features.md +++ b/windows/deployment/planning/windows-10-removed-features.md @@ -24,6 +24,8 @@ For information about features that might be removed in a future release, see [W > [!NOTE] > Join the [Windows Insider program](https://insider.windows.com) to get early access to new Windows 10 builds and test these changes yourself. +For information about features in Windows 11, see [Feature deprecations and removals](https://www.microsoft.com/windows/windows-11-specifications#table3). + The following features and functionalities have been removed from the installed product image for Windows 10. Applications or code that depend on these features won't function in the release when it was removed, or in later releases. |Feature | Details and mitigation | Removed in version | diff --git a/windows/deployment/update/change-history-for-update-windows-10.md b/windows/deployment/update/change-history-for-update-windows-10.md deleted file mode 100644 index 1f326784c8..0000000000 --- a/windows/deployment/update/change-history-for-update-windows-10.md +++ /dev/null @@ -1,51 +0,0 @@ ---- -title: Change history for Update Windows 10 (Windows 10) -description: This topic lists new and updated topics in the Update Windows 10 documentation for Windows 10. -ms.prod: w10 -ms.mktglfcycl: manage -audience: itpro -author: jaimeo -ms.author: jaimeo -ms.reviewer: -manager: laurawi -ms.topic: article ---- - -# Change history for Update Windows 10 - -This topic lists new and updated topics in the [Update Windows 10](index.md) documentation for [Deploy and Update Windows 10](/windows/deployment). - ->If you're looking for **update history** for Windows 10, see [Windows 10 and Windows Server 2016 update history](https://support.microsoft.com/help/12387/windows-10-update-history). - -## September 2018 - -| New or changed topic | Description | -| --- | --- | -| [Get started with Windows Update](windows-update-overview.md) | New | - - -## RELEASE: Windows 10, version 1709 - -The topics in this library have been updated for Windows 10, version 1709 (also known as the Fall Creators Update). - -## September 2017 - -| New or changed topic | Description | -| --- | --- | -| [Olympia Corp](olympia/olympia-enrollment-guidelines.md) | New | - -## July 2017 - -All topics were updated to reflect the new [naming changes](waas-overview.md#naming-changes). - -## May 2017 - -| New or changed topic | Description | -| --- | --- | -| [Manage additional Windows Update settings](waas-wu-settings.md) | New | - -## RELEASE: Windows 10, version 1703 - -The topics in this library have been updated for Windows 10, version 1703 (also known as the Creators Update). The following new topics have been added: -* [Windows Insider Program for Business](/windows-insider/at-work-pro/wip-4-biz-get-started) -* [Windows Insider Program for Business](/windows-insider/at-work-pro/wip-4-biz-register) \ No newline at end of file diff --git a/windows/deployment/update/delivery-optimization-proxy.md b/windows/deployment/update/delivery-optimization-proxy.md index 5e3fa30528..a03d3f5fb1 100644 --- a/windows/deployment/update/delivery-optimization-proxy.md +++ b/windows/deployment/update/delivery-optimization-proxy.md @@ -15,7 +15,10 @@ ms.topic: article # Using a proxy with Delivery Optimization -**Applies to**: Windows 10 +**Applies to** + +- Windows 10 +- Windows 11 When Delivery Optimization downloads content from HTTP sources, it uses the automatic proxy discovery capability of WinHttp to streamline and maximize the support for complex proxy configurations as it makes range requests from the content server. It does this by setting the **WINHTTP_ACCESS_TYPE_AUTOMATIC_PROXY** flag in all HTTP calls. diff --git a/windows/deployment/update/delivery-optimization-workflow.md b/windows/deployment/update/delivery-optimization-workflow.md index 4336f3ab23..c12811fc60 100644 --- a/windows/deployment/update/delivery-optimization-workflow.md +++ b/windows/deployment/update/delivery-optimization-workflow.md @@ -17,8 +17,8 @@ ms.topic: article **Applies to** -- Windows 10 -- Windows 11 +- Windows 10 +- Windows 11 ## Download request workflow @@ -40,5 +40,5 @@ This workflow allows Delivery Optimization to securely and efficiently deliver r | kv\*.prod.do.dsp.mp.microsoft.com | 443| KeyValue | Bootstrap service provides endpoints for all other services as well as device configs. | **countryCode**: The country the client is connected from
      **doClientVersion**: The version of the DoSvc client
      **Profile**: The device type (for example, PC or Xbox)
      **eId**: Client grouping Id
      **CacheHost**: Cache host id | | cp\*.prod.do.dsp.mp.microsoft.com
      | 443 | Content Policy | Provides content specific policies as well as content metadata URLs. | **Profile**: The device type (for example, PC or Xbox)
      **ContentId**: The content identifier
      **doClientVersion**: The version of the DoSvc client
      **countryCode**: The country the client is connected from
      **altCatalogId**: If ContentId isn't available, use the download URL instead
      **eId**: Client grouping Id
      **CacheHost**: Cache host id | | disc\*.prod.do.dsp.mp.microsoft.com | 443 | Discovery | Directs clients to a particular instance of the peer matching service (Array), ensuing that clients are collocated by factors, such as content, groupId and external IP. | **Profile**: The device type (for example, PC or Xbox)
      **ContentId**: The content identifier
      **doClientVersion**: The version of the DoSvc client
      **partitionId**: Client partitioning hint
      **altCatalogId**: If ContentId isn't available, use the download URL instead
      **eId**: Client grouping Id | -| array\*.prod.do.dsp.mp.microsoft.com | 443 | Arrays | Provides the client with list of peers that have the same content and belong to the same peer group. | **Profile**: The device type (for example, PC or Xbox)
      **ContentId**: The content identifier
      **doClientVersion**: The version of the DoSvc client
      **altCatalogId**: If ContentId isn't available, use the download URL instead
      **PeerId**: Identified of the device running DO client
      **ReportedIp**: The internal / private IP Address
      **IsBackground**: Is the download interactive or background
      **Uploaded**: Total bytes uploaded to peers
      **Downloaded**: Total bytes downloaded from peers
      **DownloadedCdn**: Total bytes downloaded from CDN
      **Left**: Bytes left to download
      **Peers Wanted**: Total number of peers wanted
      **Group Id**: Group the device belongs to (set via DownloadMode 2 + Group ID GP / MDM policies)
      **Scope**: The Download mode
      **UploadedBPS**: The upload speed in bytes per second
      **DownloadBPS**: The download speed in Bytes per second
      **eId**: Client grouping Id | +| array\*.prod.do.dsp.mp.microsoft.com | 443 | Arrays | Provides the client with list of peers that have the same content and belong to the same peer group. | **Profile**: The device type (for example, PC or Xbox)
      **ContentId**: The content identifier
      **doClientVersion**: The version of the DoSvc client
      **altCatalogId**: If ContentId isn't available, use the download URL instead
      **PeerId**: Identity of the device running DO client
      **ReportedIp**: The internal / private IP Address
      **IsBackground**: Is the download interactive or background
      **Uploaded**: Total bytes uploaded to peers
      **Downloaded**: Total bytes downloaded from peers
      **DownloadedCdn**: Total bytes downloaded from CDN
      **Left**: Bytes left to download
      **Peers Wanted**: Total number of peers wanted
      **Group Id**: Group the device belongs to (set via DownloadMode 2 + Group ID GP / MDM policies)
      **Scope**: The Download mode
      **UploadedBPS**: The upload speed in bytes per second
      **DownloadBPS**: The download speed in Bytes per second
      **eId**: Client grouping Id | | dl.delivery.mp.microsoft.com
      emdl.ws.microsoft.com | 80 | Delivery Optimization metadata file hosting | CDN hostnames for Delivery Optimization content metadata files | Metadata download can come from different hostnames, but it's required for peer to peer. | diff --git a/windows/deployment/update/deployment-service-overview.md b/windows/deployment/update/deployment-service-overview.md index 63c9c6aa24..546749d1dd 100644 --- a/windows/deployment/update/deployment-service-overview.md +++ b/windows/deployment/update/deployment-service-overview.md @@ -81,7 +81,7 @@ To use the deployment service, you use a management tool built on the platform, ### Using Microsoft Endpoint Manager -Microsoft Endpoint Manager integrates with the deployment service to provide Windows client update management capabilities. For more information, see [Windows 10 feature updates policy in Intune](/mem/intune/protect/windows-10-feature-updates). +Microsoft Endpoint Manager integrates with the deployment service to provide Windows client update management capabilities. For more information, see [Feature updates for Windows 10 and later policy in Intune](/mem/intune/protect/windows-10-feature-updates). ### Scripting common actions using PowerShell @@ -115,7 +115,7 @@ You should continue to use deployment rings as part of the servicing strategy fo ### Monitoring deployments to detect rollback issues -During a feature update deployment, driver combinations can sometimes result in an unexpected update failure that makes the device revert to the previously installed operating system version. The deployment service can monitor devices for such issues and automatically pause deployments when this happens, giving you time to detect and mitigate issues. +During deployments of Windows 11 or Windows 10 feature updates, driver combinations can sometimes result in an unexpected update failure that makes the device revert to the previously installed operating system version. The deployment service can monitor devices for such issues and automatically pause deployments when this happens, giving you time to detect and mitigate issues. ### How to enable deployment protections @@ -124,21 +124,16 @@ Deployment scheduling controls are always available, but to take advantage of th #### Device prerequisites -> [!NOTE] -> Deployment protections are currently in preview and available if you're using Update Compliance. If you set these policies on a a device that isn't enrolled in Update Compliance, there is no effect. - - Diagnostic data is set to *Required* or *Optional*. - The **AllowWUfBCloudProcessing** policy is set to **8**. #### Set the **AllowWUfBCloudProcessing** policy -To enroll devices in Windows Update for Business cloud processing, set the **AllowWUfBCloudProcessing** policy using mobile device management (MDM) policy. - -> [!NOTE] -> Setting this policy by using Group Policy isn't currently supported. +To enroll devices in Windows Update for Business cloud processing, set the **AllowWUfBCloudProcessing** policy using mobile device management (MDM) policy or Group Policy. | Policy | Sets registry key under **HKLM\\Software** | |--------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------| +| GPO for Windows 10, version 1809 or later: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > **Allow WUfB Cloud Processing** | \\Policies\\Microsoft\\Windows\\DataCollection\\AllowWUfBCloudProcessing | | MDM for Windows 10, version 1809 or later: ../Vendor/MSFT/ Policy/Config/System/**AllowWUfBCloudProcessing** | \\Microsoft\\PolicyManager\\default\\System\\AllowWUfBCloudProcessing | Following is an example of setting the policy using Microsoft Endpoint Manager: @@ -184,5 +179,5 @@ Avoid using different channels to manage the same resources. If you use Microsof To learn more about the deployment service, try the following: -- [Windows 10 feature updates policy in Intune](/mem/intune/protect/windows-10-feature-updates) +- [Feature updates for Windows 10 and later policy in Intune](/mem/intune/protect/windows-10-feature-updates) - [Windows updates API overview in Microsoft Graph](/graph/windowsupdates-concept-overview) diff --git a/windows/deployment/update/feature-update-conclusion.md b/windows/deployment/update/feature-update-conclusion.md deleted file mode 100644 index d8206d5491..0000000000 --- a/windows/deployment/update/feature-update-conclusion.md +++ /dev/null @@ -1,25 +0,0 @@ ---- -title: Best practices for feature updates - conclusion -description: This article includes final thoughts about how to deploy and stay up-to-date with Windows 10 feature updates. -ms.prod: w10 -ms.mktglfcycl: manage -audience: itpro -itproauthor: jaimeo -author: jaimeo -ms.localizationpriority: medium -ms.author: jaimeo -ms.reviewer: -manager: laurawi -ms.collection: M365-modern-desktop -ms.topic: article -ms.custom: seo-marvel-apr2020 ---- - -# Conclusion - -**Applies to**: Windows 10 - -Mission critical devices that need to be online 24x7 pose unique challenges for the IT Pro looking to stay current with the latest Windows 10 feature update. Because these devices are online continually, providing mission critical services, with only a small window of time available to apply feature updates, specific procedures are required to effectively keep these devices current, with as little downtime as possible. - -Whether you have defined servicing windows at your disposal where feature updates can be installed automatically, or you require user initiated installs by a technician, this whitepaper provides guidelines for either approach. Improvements are continually being made to Windows 10 setup to reduce device offline time for feature updates. This whitepaper will be updated as enhancements become available to improve the overall servicing approach and experience. - diff --git a/windows/deployment/update/feature-update-maintenance-window.md b/windows/deployment/update/feature-update-maintenance-window.md deleted file mode 100644 index 771a7648f8..0000000000 --- a/windows/deployment/update/feature-update-maintenance-window.md +++ /dev/null @@ -1,264 +0,0 @@ ---- -title: Best practices - deploy feature updates during maintenance windows -description: Learn how to configure maintenance windows and how to deploy feature updates during a maintenance window. -ms.prod: w10 -ms.mktglfcycl: manage -audience: itpro -author: jaimeo -ms.localizationpriority: medium -ms.author: jaimeo -ms.reviewer: -manager: laurawi -ms.collection: M365-modern-desktop -ms.topic: article -ms.custom: seo-marvel-apr2020 ---- - -# Deploy feature updates during maintenance windows - -**Applies to**: Windows 10 - -Use the following information to deploy feature updates during a maintenance window. - -## Get ready to deploy feature updates - -### Step 1: Configure maintenance windows - -1. In the Configuration Manager console, choose **Assets and Compliance> Device Collections**. -2. In the **Device Collections** list, select the collection for which you intended to deploy the feature update(s). -3. On the **Home** tab, in the **Properties** group, choose **Properties**. -4. In the **Maintenance Windows** tab of the `` Properties dialog box, choose the New icon. -5. Complete the `` Schedule dialog. -6. Select from the Apply this schedule to drop-down list. -7. Choose **OK** and then close the **\ Properties** dialog box. - -### Step 2: Review computer restart device settings - -If you're not suppressing computer restarts and the feature update will be installed when no users are present, consider deploying a custom client settings policy to your feature update target collection to shorten the settings below or consider the total duration of these settings when defining your maintenance window duration. - -For example, by default, 90 minutes will be honored before the system is rebooted after the feature update install. If users will not be impacted by the user logoff or restart, there is no need to wait a full 90 minutes before rebooting the computer. If a delay and notification is needed, ensure that the maintenance window takes this into account along with the total time needed to install the feature update. - ->[!NOTE] -> The following settings must be shorter in duration than the shortest maintenance window applied to the computer. ->- **Display a temporary notification to the user that indicates the interval before the user is logged off or the computer restarts (minutes).** ->- **Display a dialog box that the user cannot close, which displays the countdown interval before the user is logged off or the computer restarts (minutes).** - -### Step 3: Enable Peer Cache - -Use **Peer Cache** to help manage deployment of content to clients in remote locations. Peer Cache is a built-in Configuration Manager solution that enables clients to share content with other clients directly from their local cache. - -[Enable Configuration Manager client in full OS to share content](/sccm/core/clients/deploy/about-client-settings#enable-configuration-manager-client-in-full-os-to-share-content) if you have clients in remote locations that would benefit from downloading feature update content from a peer instead of downloading it from a distribution point (or Microsoft Update). - -### Step 4: Override the default Windows setup priority (Windows 10, version 1709 and later) - -If you're deploying **Feature update to Windows 10, version 1709** or later, by default, portions of setup are configured to run at a lower priority. This can result in a longer total install time for the feature update. When deploying within a maintenance window, we recommend that you override this default behavior to benefit from faster total install times. To override the default priority, create a file called SetupConfig.ini on each machine to be upgraded in the below location containing the single section noted. - -**%systemdrive%\Users\Default\AppData\Local\Microsoft\Windows\WSUS\SetupConfig.ini** - -``` -[SetupConfig] -Priority=Normal -``` - -You can use the new [Run Scripts](/sccm/apps/deploy-use/create-deploy-scripts) feature to run a PowerShell script like the sample below to create the SetupConfig.ini on target devices. - -```powershell -#Parameters -Param( - [string] $PriorityValue = "Normal" - ) - -#Variable for ini file path -$iniFilePath = "$env:SystemDrive\Users\Default\AppData\Local\Microsoft\Windows\WSUS\SetupConfig.ini" - -#Variables for SetupConfig -$iniSetupConfigSlogan = "[SetupConfig]" -$iniSetupConfigKeyValuePair =@{"Priority"=$PriorityValue;} - -#Init SetupConfig content -$iniSetupConfigContent = @" -$iniSetupConfigSlogan -"@ - -#Build SetupConfig content with settings -foreach ($k in $iniSetupConfigKeyValuePair.Keys) -{ - $val = $iniSetupConfigKeyValuePair[$k] - - $iniSetupConfigContent = $iniSetupConfigContent.Insert($iniSetupConfigContent.Length, "`r`n$k=$val") -} - -#Write content to file -New-Item $iniFilePath -ItemType File -Value $iniSetupConfigContent -Force - -<# -Disclaimer -Sample scripts are not supported under any Microsoft standard support program or service. The sample scripts is -provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without -limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk -arising out of the use or performance of the sample script and documentation remains with you. In no event shall -Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable -for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, -loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample script -or documentation, even if Microsoft has been advised of the possibility of such damages. -#> -``` - -> [!NOTE] -> If you elect not to override the default setup priority, you will need to increase the [maximum run time](/sccm/sum/get-started/manage-settings-for-software-updates#BKMK_SetMaxRunTime) value for Feature Update to Windows 10, version 1709 or higher from the default of 60 minutes. A value of 240 minutes may be required. Remember to ensure that your maintenance window duration is larger than your defined maximum run time value. - -## Manually deploy feature updates - -The following sections provide the steps to manually deploy a feature update. - -### Step 1: Specify search criteria for feature updates -There are potentially a thousand or more feature updates displayed in the Configuration Manager console. The first step in the workflow for manually deploying feature updates is to identify the feature updates that you want to deploy. - -1. In the Configuration Manager console, click **Software Library**. -2. In the Software Library workspace, expand **Windows 10 Servicing**, and click **All Windows 10 Updates**. The synchronized feature updates are displayed. -3. In the search pane, filter to identify the feature updates that you need by using one or both of the following steps: - - In the search text box, type a search string that will filter the feature updates. For example, type the version number for a specific feature update, or enter a string that would appear in the title of the feature update. - - Click **Add Criteria**, select the criteria that you want to use to filter software updates, click **Add**, and then provide the values for the criteria. For example, Title contains 1803, Required is greater than or equal to 1, and Language equals English. - -4. Save the search for future use. - -### Step 2: Download the content for the feature updates -Before you deploy the feature updates, you can download the content as a separate step. Do this so you can verify that the content is available on the distribution points before you deploy the feature updates. This will help you to avoid any unexpected issues with the content delivery. Use the following procedure to download the content for feature updates before creating the deployment. - -1. In the Configuration Manager console, navigate to **Software Library > Windows 10 Servicing**. -2. Choose the **feature update(s)** to download by using your saved search criteria. Select one or more of the feature updates returned, right click, and select **Download**. - - The **Download Software Updates Wizard** opens. -3. On the **Deployment Package** page, configure the following settings: - **Create a new deployment package**: Select this setting to create a new deployment package for the software updates that are in the deployment. Configure the following settings: - - **Name**: Specifies the name of the deployment package. The package must have a unique name that briefly describes the package content. It is limited to 50 characters. - - **Description**: Specifies the description of the deployment package. The package description provides information about the package contents and is limited to 127 characters. - - **Package source**: Specifies the location of the feature update source files. Type a network path for the source location, for example, \\\server\sharename\path, or click **Browse** to find the network location. You must create the shared folder for the deployment package source files before you proceed to the next page. - - > [!NOTE] - > The deployment package source location that you specify cannot be used by another software deployment package. - - > [!IMPORTANT] - > The SMS Provider computer account and the user that is running the wizard to download the feature updates must both have Write NTFS permissions on the download location. You should carefully restrict access to the download location to reduce the risk of attackers tampering with the feature update source files. - - > [!IMPORTANT] - > You can change the package source location in the deployment package properties after Configuration Manager creates the deployment package. But if you do so, you must first copy the content from the original package source to the new package source location. - - Click **Next**. -4. On the **Distribution Points** page, specify the distribution points or distribution point groups that will host the feature update files, and then click **Next**. For more information about distribution points, see [Distribution point configurations](/sccm/core/servers/deploy/configure/install-and-configure-distribution-points#bkmk_configs). - - > [!NOTE] - > The Distribution Points page is available only when you create a new software update deployment package. -5. On the **Distribution Settings** page, specify the following settings: - - - **Distribution priority**: Use this setting to specify the distribution priority for the deployment package. The distribution priority applies when the deployment package is sent to distribution points at child sites. Deployment packages are sent in priority order: High, Medium, or Low. Packages with identical priorities are sent in the order in which they were created. If there is no backlog, the package will process immediately regardless of its priority. By default, packages are sent using Medium priority. - - **Enable for on-demand distribution**: Use this setting to enable on-demand content distribution to preferred distribution points. When this setting is enabled, the management point creates a trigger for the distribution manager to distribute the content to all preferred distribution points when a client requests the content for the package and the content is not available on any preferred distribution points. For more information about preferred distribution points and on-demand content, see [Content source location scenarios](/sccm/core/plan-design/hierarchy/content-source-location-scenarios). - - **Prestaged distribution point settings**: Use this setting to specify how you want to distribute content to prestaged distribution points. Choose one of the following options: - - **Automatically download content when packages are assigned to distribution points**: Use this setting to ignore the prestage settings and distribute content to the distribution point. - - **Download only content changes to the distribution point**: Use this setting to prestage the initial content to the distribution point, and then distribute content changes to the distribution point. - - **Manually copy the content in this package to the distribution point**: Use this setting to always prestage content on the distribution point. This is the default setting. - - For more information about prestaging content to distribution points, see [Use Prestaged content](/sccm/core/servers/deploy/configure/deploy-and-manage-content#bkmk_prestage). - Click **Next**. -6. On the **Download Location** page, specify location that Configuration Manager will use to download the software update source files. As needed, use the following options: - - - **Download software updates from the Internet**: Select this setting to download the software updates from the location on the Internet. This is the default setting. - - **Download software updates from a location on the local network**: Select this setting to download software updates from a local folder or shared network folder. Use this setting when the computer running the wizard does not have Internet access. - - > [!NOTE] - > When you use this setting, download the software updates from any computer with Internet access, and then copy the software updates to a location on the local network that is accessible from the computer running the wizard. - - Click **Next**. -7. On the **Language Selection** page, specify the languages for which the selected feature updates are to be downloaded, and then click **Next**. Ensure that your language selection matches the language(s) of the feature updates selected for download. For example, if you selected English and German based feature updates for download, select those same languages on the language selection page. -8. On the **Summary** page, verify the settings that you selected in the wizard, and then click Next to download the software updates. -9. On the **Completion** page, verify that the software updates were successfully downloaded, and then click Close. - -#### To monitor content status -1. To monitor the content status for the feature updates, click **Monitoring** in the Configuration Manager console. -2. In the Monitoring workspace, expand **Distribution Status**, and then click **Content Status**. -3. Select the feature update package that you previously identified to download the feature updates. -4. On the **Home** tab, in the Content group, click **View Status**. - -### Step 3: Deploy the feature update(s) -After you determine which feature updates you intend to deploy, you can manually deploy the feature update(s). Use the following procedure to manually deploy the feature update(s). - -1. In the Configuration Manager console, click **Software Library**. -2. In the Software Library workspace, expand **Windows 10 Servicing**, and click **All Windows 10 Updates**. -3. Choose the feature update(s) to deploy by using your saved search criteria. Select one or more of the feature updates returned, right click, and select **Deploy**. - - The **Deploy Software Updates Wizard** opens. -4. On the General page, configure the following settings: - - **Name**: Specify the name for the deployment. The deployment must have a unique name that describes the purpose of the deployment and differentiates it from other deployments in the Configuration Manager site. By default, Configuration Manager automatically provides a name for the deployment in the following format: **Microsoft Software Updates - \\** - - **Description**: Specify a description for the deployment. The description provides an overview of the deployment and any other relevant information that helps to identify and differentiate the deployment among others in Configuration Manager site. The description field is optional, has a limit of 256 characters, and has a blank value by default. - - **Software Update/Software Update Group**: Verify that the displayed software update group, or software update, is correct. - - **Select Deployment Template**: Specify whether to apply a previously saved deployment template. You can configure a deployment template to contain multiple common software update deployment properties and then apply the template when you deploy subsequent software updates to ensure consistency across similar deployments and to save time. - - **Collection**: Specify the collection for the deployment, as applicable. Members of the collection receive the feature updates that are defined in the deployment. -5. On the Deployment Settings page, configure the following settings: - - - **Type of deployment**: Specify the deployment type for the software update deployment. Select **Required** to create a mandatory software update deployment in which the feature updates are automatically installed on clients before a configured installation deadline. - - > [!IMPORTANT] - > After you create the software update deployment, you cannot later change the type of deployment. - - > [!NOTE] - > A software update group deployed as Required will be downloaded in background and honor BITS settings, if configured. - - - **Use Wake-on-LAN to wake up clients for required deployments**: Specify whether to enable Wake On LAN at the deadline to send wake-up packets to computers that require one or more software updates in the deployment. Any computers that are in sleep mode at the installation deadline time will be awakened so the software update installation can initiate. Clients that are in sleep mode that do not require any software updates in the deployment are not started. By default, this setting is not enabled and is available only when Type of deployment is set to Required. - - > [!WARNING] - > Before you can use this option, computers and networks must be configured for Wake On LAN. - - - **Detail level**: Specify the level of detail for the state messages that are reported by client computers. -6. On the Scheduling page, configure the following settings: - - - **Schedule evaluation**: Specify whether the available time and installation deadline times are evaluated according to UTC or the local time of the computer running the Configuration Manager console. - - > [!NOTE] - > When you select local time, and then select **As soon as possible** for the **Software available time** or **Installation deadline**, the current time on the computer running the Configuration Manager console is used to evaluate when updates are available or when they are installed on a client. If the client is in a different time zone, these actions will occur when the client's time reaches the evaluation time. - - - **Software available time**: Select **As soon as possible** to specify when the software updates will be available to clients: - - **As soon as possible**: Select this setting to make the software updates in the deployment available to clients as soon as possible. When the deployment is created, the client policy is updated, the clients are made aware of the deployment at their next client policy polling cycle, and then the software updates are available for installation. - - **Installation deadline**: Select **Specific time** to specify the installation deadline for the software updates in the deployment. - - > [!NOTE] - > You can configure the installation deadline setting only when **Type of deployment** is set to **Required** on the Deployment Settings page. - - - **Specific time**: Select this setting to automatically install the software updates in the deployment at a specific date and time. Set the date and time value to correspond with your defined maintenance window for the target collection. Allow sufficient time for clients to download the content in advance of the deadline. Adjust accordingly if clients in your environment will need additional download time. E.g., slow or unreliable network links. - - > [!NOTE] - > The actual installation deadline time is the specific time that you configure plus a random amount of time up to 2 hours. This reduces the potential impact of all client computers in the destination collection installing the software updates in the deployment at the same time. Configure the Computer Agent client setting, Disable deadline randomization to disable the installation randomization delay for the required software updates to allow a greater chance for the installation to start and complete within your defined maintenance window. For more information, see [Computer Agent](/sccm/core/clients/deploy/about-client-settings#computer-agent). -7. On the User Experience page, configure the following settings: - - **User notifications**: Specify whether to display notification of the software updates in Software Center on the client computer at the configured **Software available time** and whether to display user notifications on the client computers. When **Type of deployment** is set to **Available** on the Deployment Settings page, you cannot select **Hide in Software Center and all notifications**. - - **Deadline behavior**: Available only when **Type of deployment** is set to **Required** on the Deployment Settings page. Specify the behavior that is to occur when the deadline is reached for the software update deployment. Specify whether to install the software updates in the deployment. Also specify whether to perform a system restart after software update installation regardless of a configured maintenance window. For more information about maintenance windows, see [How to use maintenance windows](/sccm/core/clients/manage/collections/use-maintenance-windows). - - **Device restart behavior**: Available only when **Type of deployment** is set to **Required** on the Deployment Settings page. Specify whether to suppress a system restart on servers and workstations after software updates are installed and a system restart is required to complete the installation. - - > [!IMPORTANT] - > Suppressing system restarts can be useful in server environments or for cases in which you do not want the computers that are installing the software updates to restart by default. However, doing so can leave computers in an insecure state, whereas allowing a forced restart helps to ensure immediate completion of the software update installation. - - **Write filter handling for Windows Embedded devices**: When you deploy software updates to Windows Embedded devices that are write filter enabled, you can specify to install the software update on the temporary overlay and either commit changes later or commit the changes at the installation deadline or during a maintenance window. When you commit changes at the installation deadline or during a maintenance window, a restart is required and the changes persist on the device. - - > [!NOTE] - > When you deploy a software update to a Windows Embedded device, make sure that the device is a member of a collection that has a configured maintenance window. - - **Software updates deployment re-evaluation behavior upon restart**: Starting in Configuration Manager version 1606, select this setting to configure software updates deployments to have clients run a software updates compliance scan immediately after a client installs software updates and restarts. This enables the client to check for additional software updates that become applicable after the client restarts, and to then install them (and become compliant) during the same maintenance window. -8. On the Alerts page, configure how Configuration Manager and System Center Operations Manager will generate alerts for this deployment. You can configure alerts only when **Type of deployment** is set to **Required** on the Deployment Settings page. - - > [!NOTE] - > You can review recent software updates alerts from the Software Updates node in the Software Library workspace. -9. On the Download Settings page, configure the following settings: - - Specify whether the client will download and install the software updates when a client is connected to a slow network or is using a fallback content location. - - Specify whether to have the client download and install the software updates from a fallback distribution point when the content for the software updates is not available on a preferred distribution point. - - **Allow clients to share content with other clients on the same subnet**: Specify whether to enable the use of BranchCache for content downloads. For more information about BranchCache, see [Fundamental concepts for content management](/sccm/core/plan-design/hierarchy/fundamental-concepts-for-content-management#branchcache). - - **If software updates are not available on distribution point in current, neighbor or site groups, download content from Microsoft Updates**: Select this setting to have clients that are connected to the intranet download software updates from Microsoft Update if software updates are not available on distribution points. Internet-based clients can always go to Microsoft Update for software updates content. - - Specify whether to allow clients to download after an installation deadline when they use metered Internet connections. Internet providers sometimes charge by the amount of data that you send and receive when you are on a metered Internet connection. - - > [!NOTE] - > Clients request the content location from a management point for the software updates in a deployment. The download behavior depends upon how you have configured the distribution point, the deployment package, and the settings on this page. For more information, see [Content source priority](/mem/configmgr/core/plan-design/hierarchy/fundamental-concepts-for-content-management#content-source-priority). -10. On the Summary page, review the settings. To save the settings to a deployment template, click **Save As Template**, enter a name and select the settings that you want to include in the template, and then click **Save**. To change a configured setting, click the associated wizard page and change the setting. -11. Click **Next** to deploy the feature update(s). - -### Step 4: Monitor the deployment status - -After you deploy the feature update(s), you can monitor the deployment status. Use the following procedure to monitor the deployment status: - -1. In the Configuration Manager console, navigate to **Monitoring > Overview > Deployments**. -2. Click the software update group or software update for which you want to monitor the deployment status. -3. On the **Home** tab, in the **Deployment** group, click **View Status**. diff --git a/windows/deployment/update/feature-update-mission-critical.md b/windows/deployment/update/feature-update-mission-critical.md deleted file mode 100644 index 052bebb7c1..0000000000 --- a/windows/deployment/update/feature-update-mission-critical.md +++ /dev/null @@ -1,44 +0,0 @@ ---- -title: Best practices and recommendations for deploying Windows 10 Feature updates to mission-critical devices -description: Learn how to use the Microsoft Endpoint Manager (current branch) software updates feature to deploy Windows 10 semi-annual feature updates. -ms.prod: w10 -ms.mktglfcycl: manage -audience: itpro -itproauthor: jaimeo -author: jaimeo -ms.localizationpriority: medium -ms.author: jaimeo -ms.reviewer: -manager: laurawi -ms.collection: M365-modern-desktop -ms.topic: article -ms.custom: seo-marvel-apr2020 ---- - -# Best practices and recommendations for deploying Windows 10 Feature updates to mission critical devices - -**Applies to**: Windows 10 - -Managing an environment with devices that provide mission critical services 24 hours a day, 7 days a week, can present challenges in keeping these devices current with Windows 10 feature updates. The processes that you use to keep regular devices current with Windows 10 feature updates, often aren't the most effective to service mission critical devices. This whitepaper will focus on the recommended approach of using the Microsoft Endpoint Manager (current branch) software updates feature to deploy Windows 10 semi-annual feature updates. - -For simplicity, we will outline the steps to deploy a feature update manually. If you prefer an automated approach, see [Manage Windows as a service using Configuration Manager](/configmgr/osd/deploy-use/manage-windows-as-a-service). - -Devices and shared workstations that are online and available 24 hours a day, 7 days a week, can be serviced via one of two primary methods: - -- **Service during maintenance windows** – Devices that have established maintenance windows will need to have feature updates scheduled to fit within these windows. -- **Service only when manually initiated** – Devices that need physical verification of the availability to update will need to have updates manually initiated by a technician. - -You can use Configuration Manager to deploy feature updates to Windows 10 devices in two ways. The first option is to use the software updates feature. The second option is to use a task sequence to deploy feature updates. There are times when deploying a Windows 10 feature update requires the use of a task sequence—for example: - -- **Upgrade to the next LTSC release.** With the LTSC servicing branch, feature updates are never provided to the Windows clients themselves. Instead, feature updates must be installed like a traditional in-place upgrade. -- **Additional required tasks.** When deploying a feature update requires additional steps (for example, suspending disk encryption, updating applications), you can use task sequences to orchestrate the additional steps. Software updates do not have the ability to add steps to their deployments. -- **Language pack installations.** When deploying a feature update requires the installation of additional language packs, you can use task sequences to orchestrate the installation. Software updates do not have the ability to natively install language packs. - -If you need to use a task sequence to deploy feature updates, see [Manage Windows as a service using Configuration Manager](/configmgr/osd/deploy-use/manage-windows-as-a-service) for more information. If you find that your requirement for a task sequence is based solely on the need to run additional tasks performed pre-install or pre-commit, see the new [run custom actions](/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions) functionality first introduced with Windows 10, version 1803. You might find this option useful in deploying software updates. - -Use the following information: - - -- [Deploy feature updates during maintenance windows](feature-update-maintenance-window.md) -- [Deploy feature updates for user-initiated installations](feature-update-user-install.md) -- [Conclusion](feature-update-conclusion.md) \ No newline at end of file diff --git a/windows/deployment/update/get-started-updates-channels-tools.md b/windows/deployment/update/get-started-updates-channels-tools.md index b034e4e658..f1d6c2488e 100644 --- a/windows/deployment/update/get-started-updates-channels-tools.md +++ b/windows/deployment/update/get-started-updates-channels-tools.md @@ -1,5 +1,5 @@ --- -title: Windows 10 updates, channels, and tools +title: Windows client updates, channels, and tools description: Brief summary of the kinds of Windows updates, the channels they are served through, and the tools for managing them keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools ms.prod: w10 @@ -12,7 +12,12 @@ manager: laurawi ms.topic: article --- -# Windows 10 updates, channels, and tools +# Windows client updates, channels, and tools + +**Applies to** + +- Windows 10 +- Windows 11 ## How Windows updates work @@ -30,34 +35,31 @@ version of the software. We include information here about many different update types you'll hear about, but the two overarching types that you have the most direct control over are *feature updates* and *quality updates*. -- **Feature updates:** Released twice per year, during the first half and second half of each calendar year. Feature updates add new features and functionality to Windows 10. Because they are delivered frequently (rather than every 3-5 years), they are easier to manage. -- **Quality updates:** Quality updates deliver both security and non-security fixes to Windows 10. Quality updates include security updates, critical updates, servicing stack updates, and driver updates. They are typically released on the second Tuesday of each month, though they can be released at any time. The second-Tuesday releases are the ones that focus on security updates. Quality updates are *cumulative*, so installing the latest quality update is sufficient to get all the available fixes for a specific Windows 10 feature update, including any out-of-band security fixes and any *servicing stack updates* that might have been released previously. +- **Feature updates:** Released as soon as they become available. Feature updates add new features and functionality to Windows 10. Because they are delivered frequently (rather than every 3-5 years), they are easier to manage. +- **Quality updates:** Quality updates deliver both security and non-security fixes. Quality updates include security updates, critical updates, servicing stack updates, and driver updates. They are typically released on the second Tuesday of each month, though they can be released at any time. The second-Tuesday releases are the ones that focus on security updates. Quality updates are *cumulative*, so installing the latest quality update is sufficient to get all the available fixes for a specific feature update, including any out-of-band security fixes and any *servicing stack updates* that might have been released previously. - **Servicing stack updates:** The "servicing stack" is the code component that actually installs Windows updates. From time to time, the servicing stack itself needs to be updated in order to function smoothly. If you don't install the latest servicing stack update, there's a risk that your device can't be updated with the latest Microsoft security fixes. Servicing stack updates are not necessarily included in *every* monthly quality update, and occasionally are released out of band to address a late-breaking issue. Always install the latest available quality update to catch any servicing stack updates that might have been released. The servicing stack also contains the "component-based servicing stack" (CBS), which is a key underlying component for several elements of Windows deployment, such as DISM, SFC, changing Windows features or roles, and repairing components. The CBS is a small component that typically does not have updates released every month. You can find a list of servicing stack updates at [Latest servicing stack updates](https://portal.msrc.microsoft.com/security-guidance/advisory/ADV990001). For more detail about servicing stack updates, see [Servicing stack updates](servicing-stack-updates.md). - **Driver updates**: These update drivers applicable to your devices. Driver updates are turned off by default in Windows Server Update Services (WSUS), but for cloud-based update methods, you can control whether they are installed or not. - **Microsoft product updates:** These update other Microsoft products, such as Office. You can enable or disable Microsoft updates by using policies controlled by various servicing tools. - ## Servicing channels -Windows 10 offers three servicing channels, each of which offers you a different level of flexibility with how and when updates are delivered to devices. Using the different servicing channels allows you to deploy Windows 10 "as a service," which conceives of deployment as a continual process of updates that roll out across the organization in waves. In this approach, an update is plugged into this process and while it runs, you monitor for anomalies, errors, or user impact and respond as issues arise--without interrupting the entire process. +There are three servicing channels, each of which offers you a different level of flexibility with how and when updates are delivered to devices. Using the different servicing channels allows you to deploy Windows "as a service," which conceives of deployment as a continual process of updates that roll out across the organization in waves. In this approach, an update is plugged into this process and while it runs, you monitor for anomalies, errors, or user impact and respond as issues arise--without interrupting the entire process. The first step of controlling when and how devices install updates is assigning them to the appropriate servicing channel. You can assign devices to a particular channel with any of several tools, including Microsoft Endpoint Configuration Manager, Windows Server Update Services (WSUS), and Group Policy settings applied by any of several means. By dividing devices into different populations ("deployment groups" or "rings") you can use servicing channel assignment, followed by other management features such as update deferral policies, to create a phased deployment of any update that allows you to start with a limited pilot deployment for testing before moving to a broad deployment throughout your organization. -### Semi-annual Channel +### General Availability Channel -In the Semi-annual Channel, feature updates are available as soon as Microsoft releases them, twice per year. As long as a device isn't set to defer feature updates, any device using the Semi-annual Channel will install a feature update as soon as it's released. If you use Windows Update for Business, the Semi-annual Channel provides three months of additional total deployment time before being required to update to the next release. +In the General Availability Channel, feature updates are available as soon as Microsoft releases them. As long as a device isn't set to defer feature updates, any device in this channel will install a feature update as soon as it's released. If you use Windows Update for Business, the channel provides three months of additional total deployment time before being required to update to the next release. -> [!NOTE] -> All releases of Windows 10 have **18 months of servicing for all editions**--these updates provide security and feature updates for the release. However, fall releases of the **Enterprise and Education editions** will have an **additional 12 months of servicing for specific Windows 10 releases, for a total of 30 months from initial release**. This extended servicing window applies to Enterprise and Education editions starting with Windows 10, version 1607. ### Windows Insider Program for Business Insider preview releases are made available during the development of the features that will be shipped in the next feature update, enabling organizations to validate new features and compatibility with existing apps and infrastructure, providing feedback to Microsoft on any issues encountered. There are actually three options within the Windows Insider Program for Business channel: -- Windows Insider Fast -- Windows Insider Slow +- Windows Insider Dev +- Windows Insider Beta - Windows Insider Release Preview We recommend that you use the Windows Insider Release Preview channel for validation activities. @@ -65,17 +67,17 @@ We recommend that you use the Windows Insider Release Preview channel for valida ### Long-term Servicing Channel -The **Long-Term Servicing Channel** is designed to be used only for specialized devices (which typically don't run Office) such as ones that control medical equipment or ATMs. Devices on this channel receive new feature releases every two to three years. LTSB releases service a special LTSB edition of Windows 10 and are only available through the [Microsoft Volume Licensing Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). +The **Long-Term Servicing Channel** is designed to be used only for specialized devices (which typically don't run Office) such as ones that control medical equipment or ATMs. Devices on this channel receive new feature releases every two to three years. LTSC releases service a special LTSC edition of Windows 10 and are only available through the [Microsoft Volume Licensing Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). -The Semi-Annual Channel is the default servicing channel for all Windows 10 devices except those with the LTSB edition installed. The following table shows the servicing channels available to each Windows 10 edition. +The General Availability Channel is the default servicing channel for all Windows devices except those with the LTSC edition installed. The following table shows the servicing channels available to each edition. -| Windows 10 edition | Semi-Annual Channel | Insider Program | Long-Term Servicing Channel | +| Edition | General Availability Channel | Insider Program | Long-Term Servicing Channel | | --- | --- | --- | --- | | Home | ![yes.](images/checkmark.png)|![no](images/crossmark.png) | ![no](images/crossmark.png)| | Pro | ![yes.](images/checkmark.png) | ![yes](images/checkmark.png) | ![no](images/crossmark.png)| | Enterprise | ![yes.](images/checkmark.png) |![yes](images/checkmark.png) | ![no](images/crossmark.png)| -| Enterprise LTSB | ![no.](images/crossmark.png) |![no](images/crossmark.png) | ![yes](images/checkmark.png)| +| Enterprise LTSC | ![no.](images/crossmark.png) |![no](images/crossmark.png) | ![yes](images/checkmark.png)| | Pro Education | ![yes.](images/checkmark.png) | ![yes](images/checkmark.png) | ![no](images/crossmark.png)| | Education | ![yes.](images/checkmark.png) | ![yes](images/checkmark.png) | ![no](images/crossmark.png)| diff --git a/windows/deployment/update/how-windows-update-works.md b/windows/deployment/update/how-windows-update-works.md index 1cb0a47bf7..821586a7d8 100644 --- a/windows/deployment/update/how-windows-update-works.md +++ b/windows/deployment/update/how-windows-update-works.md @@ -1,6 +1,6 @@ --- title: How Windows Update works -description: In this article, learn about the process Windows Update uses to download and install updates on a Windows 10 devices. +description: In this article, learn about the process Windows Update uses to download and install updates on a Windows client devices. ms.prod: w10 ms.mktglfcycl: audience: itpro diff --git a/windows/deployment/update/index.md b/windows/deployment/update/index.md index 3f72fde718..3eef8dae64 100644 --- a/windows/deployment/update/index.md +++ b/windows/deployment/update/index.md @@ -1,6 +1,6 @@ --- -title: Update Windows 10 in enterprise deployments (Windows 10) -description: Windows as a service provides an all-new way to think about building, deploying, and servicing Windows 10. +title: Update Windows client in enterprise deployments +description: Windows as a service provides an all-new way to think about building, deploying, and servicing Windows client. ms.prod: w10 ms.mktglfcycl: manage author: jaimeo @@ -10,19 +10,18 @@ ms.author: jaimeo ms.topic: article --- -# Update Windows 10 in enterprise deployments +# Update Windows client in enterprise deployments **Applies to** - Windows 10 +- Windows 11 > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) -Windows as a service provides a new way to think about building, deploying, and servicing the Windows operating system. The Windows as a service model is focused on continually providing new capabilities and updates while maintaining a high level of hardware and software compatibility. Deploying new versions of Windows is simpler than ever before: Microsoft releases new features two to three times per year rather than the traditional upgrade cycle where new features are only made available every few years. Ultimately, this model replaces the need for traditional Windows deployment projects, which can be disruptive and costly, and spreads the required effort out into a continuous updating process, reducing the overall effort required to maintain Windows 10 devices in your environment. In addition, with the Windows 10 operating system, organizations have the chance to try out “flighted” builds of Windows as Microsoft develops them, gaining insight into new features and the ability to provide continual feedback about them. +Windows as a service provides a new way to think about building, deploying, and servicing the Windows operating system. The Windows as a service model is focused on continually providing new capabilities and updates while maintaining a high level of hardware and software compatibility. Deploying new versions of Windows is simpler than ever before: Microsoft releases new features two to three times per year rather than the traditional upgrade cycle where new features are only made available every few years. Ultimately, this model replaces the need for traditional Windows deployment projects, which can be disruptive and costly, and spreads the required effort out into a continuous updating process, reducing the overall effort required to maintain Windows client devices in your environment. In addition, with the Windows client operating system, organizations have the chance to try out “flighted” builds of Windows as Microsoft develops them, gaining insight into new features and the ability to provide continual feedback about them. ->[!TIP] ->See [Windows 10 update history](https://support.microsoft.com/help/12387/windows-10-update-history) for details about each Windows 10 update released to date. @@ -30,20 +29,18 @@ Windows as a service provides a new way to think about building, deploying, and | Topic | Description| | --- | --- | -| [Quick guide to Windows as a service](waas-quick-start.md) | Provides a brief summary of the key points for the new servicing model for Windows 10. | -| [Overview of Windows as a service](waas-overview.md) | Explains the differences in building, deploying, and servicing Windows 10; introduces feature updates, quality updates, and the different servicing branches; compares servicing tools. | -| [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) | Explains the decisions you need to make in your servicing strategy. | -| [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) | Explains how to make use of servicing branches and update deferrals to manage Windows 10 updates. | -| [Assign devices to servicing branches for Windows 10 updates](./waas-servicing-channels-windows-10-updates.md) | Explains how to assign devices to the Semi-Annual Channel for feature and quality updates, and how to enroll devices in Windows Insider. | +| [Quick guide to Windows as a service](waas-quick-start.md) | Provides a brief summary of the key points for the servicing model for Windows client. | +| [Overview of Windows as a service](waas-overview.md) | Explains the differences in building, deploying, and servicing Windows client; introduces feature updates, quality updates, and the different servicing branches; compares servicing tools. | +| [Prepare servicing strategy for Windows client updates](waas-servicing-strategy-windows-10-updates.md) | Explains the decisions you need to make in your servicing strategy. | +| [Assign devices to servicing branches for Windows client updates](/waas-servicing-channels-windows-10-updates.md) | Explains how to assign devices to the General Availability Channel for feature and quality updates, and how to enroll devices in Windows Insider. | | [Monitor Windows Updates with Update Compliance](update-compliance-monitor.md) | Explains how to use Update Compliance to monitor and manage Windows Updates on devices in your organization. | -| [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) | Explains the benefits of using Delivery Optimization or BranchCache for update distribution. | +| [Optimize update delivery](waas-optimize-windows-10-updates.md) | Explains the benefits of using Delivery Optimization or BranchCache for update distribution. | | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md) | Explains how to use Windows Update for Business to manage when devices receive updates directly from Windows Update. Includes walkthroughs for configuring Windows Update for Business using Group Policy and Microsoft Intune. | -| [Deploy Windows 10 updates using Windows Server Update Services (WSUS)](waas-manage-updates-wsus.md) | Explains how to use WSUS to manage Windows 10 updates. | -| [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) | Explains how to use Configuration Manager to manage Windows 10 updates. | +| [Deploy Windows client updates using Windows Server Update Services (WSUS)](waas-manage-updates-wsus.md) | Explains how to use WSUS to manage Windows client updates. | +| [Deploy Windows client updates using Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) | Explains how to use Configuration Manager to manage Windows client updates. | | [Manage device restarts after updates](waas-restart.md) | Explains how to manage update related device restarts. | | [Manage additional Windows Update settings](waas-wu-settings.md) | Provides details about settings available to control and configure Windows Update | | [Windows Insider Program for Business](/windows-insider/at-work-pro/wip-4-biz-get-started) | Explains how the Windows Insider Program for Business works and how to become an insider. | >[!TIP] ->Windows servicing is changing, but for disaster recovery scenarios and bare-metal deployments of Windows 10, you still can use traditional imaging software such as Microsoft Endpoint Manager or the Microsoft Deployment Toolkit. Using these tools to deploy Windows 10 images is similar to deploying previous versions of Windows. ->With each release of a new feature update for CB, Microsoft makes available new .iso files for use in updating your custom images. Each Windows 10 build has a finite servicing lifetime, so it’s important that images stay up to date with the latest build. For detailed information about how to deploy Windows 10 to bare-metal machines or to upgrade to Windows 10 from previous builds of Windows, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](../deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). Additionally, Windows 10 clients can move from any supported version of Windows 10 (i.e. Version 1511) to the latest version directly (i.e 1709). \ No newline at end of file +>For disaster recovery scenarios and bare-metal deployments of Windows client, you still can use traditional imaging software such as Microsoft Endpoint Manager or the Microsoft Deployment Toolkit. Using these tools to deploy Windows client images is similar to deploying previous versions of Windows. diff --git a/windows/deployment/update/plan-define-strategy.md b/windows/deployment/update/plan-define-strategy.md index c18d2b0576..289cffc216 100644 --- a/windows/deployment/update/plan-define-strategy.md +++ b/windows/deployment/update/plan-define-strategy.md @@ -14,6 +14,11 @@ ms.collection: m365initiative-coredeploy # Define update strategy with a calendar +**Applies to** + +- Windows 10 +- Windows 11 + Traditionally, organizations treated the deployment of operating system updates (especially feature updates) as a discrete project that had a beginning, a middle, and an end. A release was "built" (usually in the form of an image) and then distributed to users and their devices. Today, more organizations are treating deployment as a continual process of updates that roll out across the organization in waves. In this approach, an update is plugged into this process and while it runs, you monitor for anomalies, errors, or user impact and respond as issues arise--without interrupting the entire process. Microsoft has been evolving its Windows 10 release cycles, update mechanisms, and relevant tools to support this model. Feature updates are released twice per year, around March and September. All releases of Windows 10 have 18 months of servicing for all editions. Fall releases of the Enterprise and Education editions have an additional 12 months of servicing for specific Windows 10 releases, for a total of 30 months from initial release. @@ -21,7 +26,7 @@ Today, more organizations are treating deployment as a continual process of upda Though we encourage you to deploy every available release and maintain a fast cadence for some portion of your environment, we also recognize that you might have a large number of devices, and a need for little or no disruption, and so you might choose to update annually. The 18/30 month lifecycle cadence lets you allow some portion of your environment to move faster while a majority can move less quickly. ## Calendar approaches -You can use a calendar approach for either a faster twice-per-year cadence or an annual cadence. Depending on company size, installing Windows 10 feature updates less often than once annually risks devices going out of service and becoming vulnerable to security threats, because they will stop receiving the monthly security updates. +You can use a calendar approach for either a faster twice-per-year cadence or an annual cadence. Depending on company size, installing feature updates less often than once annually risks devices going out of service and becoming vulnerable to security threats, because they will stop receiving the monthly security updates. ### Annual Here's a calendar showing an example schedule that applies one Windows 10 feature update per calendar year, aligned with Microsoft Endpoint Manager and Microsoft 365 Apps release cycles: @@ -38,14 +43,4 @@ This cadence might be most suitable for you if any of these conditions apply: - You want to go quickly with feature updates, and want the ability to skip a feature update while keeping Windows 10 serviced in case business priorities change. Aligning to the Windows 10 feature update released in the second half of each calendar year, you get additional servicing for Windows 10 (30 months of servicing compared to 18 months). -### Rapid -This calendar shows an example schedule that installs each feature update as it is released, twice per year: -[ ![Update calendar showing a faster update cadence.](images/rapid-calendar.png) ](images/rapid-calendar.png#lightbox) - -This cadence might be best for you if these conditions apply: - -- You have a strong appetite for change. -- You want to continuously update supporting infrastructure and unlock new scenarios. -- Your organization has a large population of information workers that can use the latest features and functionality in Windows 10 and Office. -- You have experience with feature updates for Windows 10. diff --git a/windows/deployment/update/update-compliance-configuration-manual.md b/windows/deployment/update/update-compliance-configuration-manual.md index 339e8ed571..57c0e11d5b 100644 --- a/windows/deployment/update/update-compliance-configuration-manual.md +++ b/windows/deployment/update/update-compliance-configuration-manual.md @@ -17,10 +17,15 @@ ms.topic: article # Manually Configuring Devices for Update Compliance +**Applies to** + +- Windows 10 +- Windows 11 + > [!NOTE] > As of May 10, 2021, a new policy is required to use Update Compliance: "Allow Update Compliance Processing." For more details, see the Mobile Device Management policies and Group policies tables. -There are a number of requirements to consider when manually configuring devices for Update Compliance. These can potentially change with newer versions of Windows 10. The [Update Compliance Configuration Script](update-compliance-configuration-script.md) will be updated when any configuration requirements change so only a redeployment of the script will be required. +There are a number of requirements to consider when manually configuring devices for Update Compliance. These can potentially change with newer versions of Windows client. The [Update Compliance Configuration Script](update-compliance-configuration-script.md) will be updated when any configuration requirements change so only a redeployment of the script will be required. The requirements are separated into different categories: diff --git a/windows/deployment/update/update-compliance-configuration-mem.md b/windows/deployment/update/update-compliance-configuration-mem.md index 55c83a3ecc..8b67a949ea 100644 --- a/windows/deployment/update/update-compliance-configuration-mem.md +++ b/windows/deployment/update/update-compliance-configuration-mem.md @@ -16,10 +16,11 @@ ms.topic: article --- # Configuring Microsoft Endpoint Manager devices for Update Compliance + **Applies to** -- Windows 10 -- Windows 11 +- Windows 10 +- Windows 11 > [!NOTE] > As of May 10, 2021, a new policy is required to use Update Compliance: "Allow Update Compliance Processing." For more details, see the Mobile Device Management policies and Group policies tables. diff --git a/windows/deployment/update/update-compliance-configuration-script.md b/windows/deployment/update/update-compliance-configuration-script.md index 085bf545d6..3bd9ab7dd2 100644 --- a/windows/deployment/update/update-compliance-configuration-script.md +++ b/windows/deployment/update/update-compliance-configuration-script.md @@ -17,6 +17,11 @@ ms.topic: article # Configuring devices through the Update Compliance Configuration Script +**Applies to** + +- Windows 10 +- Windows 11 + > [!NOTE] > A new policy is required to use Update Compliance: "AllowUpdateComplianceProcessing." If you're already using Update Compliance and have configured your devices prior to May 10, 2021, you must rerun the script so the new policy can be configured. diff --git a/windows/deployment/update/update-compliance-delivery-optimization.md b/windows/deployment/update/update-compliance-delivery-optimization.md index 1c544e9fbb..1aa38de12a 100644 --- a/windows/deployment/update/update-compliance-delivery-optimization.md +++ b/windows/deployment/update/update-compliance-delivery-optimization.md @@ -1,5 +1,5 @@ --- -title: Delivery Optimization in Update Compliance (Windows 10) +title: Delivery Optimization in Update Compliance ms.reviewer: manager: laurawi description: Learn how the Update Compliance solution provides you with information about your Delivery Optimization configuration. @@ -17,6 +17,12 @@ ms.custom: seo-marvel-apr2020 --- # Delivery Optimization in Update Compliance + +**Applies to** + +- Windows 10 +- Windows 11 + ![DO status.](images/UC_workspace_DO_status.png) The Update Compliance solution provides you with information about your Delivery Optimization configuration, including the observed bandwidth savings across all devices that used peer-to-peer distribution over the past 28 days. @@ -30,7 +36,7 @@ The Delivery Optimization Status section includes three blades: ## Device Configuration blade -Devices can be set to use different download modes; these download modes determine in what situations Delivery Optimization will use peer-to-peer distribution to accomplish the downloads. The top section shows the number of devices configured to use peer-to-peer distribution in *Peering On* compared to *Peering Off* modes. The table shows a breakdown of the various download mode configurations seen in your environment. For more information about the different configuration options, see [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization-setup.md). +Devices can be set to use different download modes; these download modes determine in what situations Delivery Optimization will use peer-to-peer distribution to accomplish the downloads. The top section shows the number of devices configured to use peer-to-peer distribution in *Peering On* compared to *Peering Off* modes. The table shows a breakdown of the various download mode configurations seen in your environment. For more information about the different configuration options, see [Configure Delivery Optimization for Windows client updates](waas-delivery-optimization-setup.md). ## Content Distribution (%) blade The first of two blades showing information on content breakdown, this blade shows a ring chart summarizing **Bandwidth Savings %**, which is the percentage of data received from peer sources out of the total data downloaded (for any device that used peer-to-peer distribution). diff --git a/windows/deployment/update/update-compliance-feature-update-status.md b/windows/deployment/update/update-compliance-feature-update-status.md index 4476c5c96d..8fa81c9860 100644 --- a/windows/deployment/update/update-compliance-feature-update-status.md +++ b/windows/deployment/update/update-compliance-feature-update-status.md @@ -17,6 +17,11 @@ ms.custom: seo-marvel-apr2020 # Feature Update Status +**Applies to** + +- Windows 10 +- Windows 11 + [ ![The Feature Update Status report.](images/UC_workspace_FU_status.png) ](images/UC_workspace_FU_status.png#lightbox) The Feature Update Status section provides information about the status of [feature updates](waas-quick-start.md#definitions) across all devices. This section tile in the [Overview Blade](update-compliance-using.md#overview-blade) gives a percentage of devices that are on the latest applicable feature update; [Servicing Channel](waas-overview.md#servicing-channels) is considered in determining applicability. Within this section are two blades; one providing a holistic view of feature updates, the other containing three **Deployment Status** tiles, each charged with tracking the deployment for a different [Servicing Channel](waas-overview.md#servicing-channels). @@ -38,11 +43,13 @@ Refer to the following list for what each state means: ## Safeguard holds -Microsoft uses diagnostic data to determine whether devices that use Windows Update are ready for a feature update in order to ensure a smooth experience. When Microsoft determines a device is not ready to update due to a known issue, a *safeguard hold* is generated to delay the device's upgrade and protect the end-user experience. Holds are released over time as diagnostic data is analyzed and fixes are addressed. Details are provided on some, but not all safeguard holds on the Windows 10 release information page for any given release. +Microsoft uses diagnostic data to determine whether devices that use Windows Update are ready for a feature update in order to ensure a smooth experience. When Microsoft determines a device is not ready to update due to a known issue, a *safeguard hold* is generated to delay the device's upgrade and protect the end-user experience. Holds are released over time as diagnostic data is analyzed and fixes are addressed. Details are provided on some, but not all safeguard holds on the Windows client release information pages for any given release. -## Queries for safeguard holds +### Queries for safeguard holds -Update Compliance reporting offers two queries to help you retrieve data related to safeguard holds. The first query shows the device data for all devices that are affected by safeguard holds. The second query shows data specific to devices running the target build. +Update Compliance reporting offers two queries to help you retrieve data related to safeguard holds. These queries show data for devices that are configured to send diagnostic data at the *Optional* level (previously *Full*). For Windows 10 devices, devices configured to send diagnostic data at *Enhanced* level are also included. + +The first query shows the device data for all devices that are affected by safeguard holds. The second query shows data specific to devices running the target build. ![Left pane showing Need Attention, Security update status, feature update status, and Windows Defender AV status, with Need Attention selected. Right pane shows the list of queries relevant to the Need Attention status, with "Devices with a safeguard hold" and "Target build distribution of devices with a safeguard hold" queries highlighted](images/UC_workspace_safeguard_queries.png) diff --git a/windows/deployment/update/update-compliance-get-started.md b/windows/deployment/update/update-compliance-get-started.md index f1c18585dd..db61a26720 100644 --- a/windows/deployment/update/update-compliance-get-started.md +++ b/windows/deployment/update/update-compliance-get-started.md @@ -17,8 +17,15 @@ ms.topic: article # Get started with Update Compliance +**Applies to** + +- Windows 10 +- Windows 11 + > [!IMPORTANT] -> **A new policy is required to use Update Compliance: "AllowUpdateComplianceProcessing"**. If you're already using Update Compliance and have configured your devices prior to May 10, 2021, you must configure devices with this additional policy. You can do this by rerunning the [Update Compliance Configuration Script](update-compliance-configuration-script.md) if you configure your devices through Group Policy, or refer to [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md) for details on manually configuring the new policy for both Group Policy and MDM. +> **A new policy is required to use Update Compliance: "AllowUpdateComplianceProcessing"**. If you're already using Update Compliance and have configured your devices prior to May 10, 2021, you must configure devices with this additional policy. You can do this by rerunning the [Update Compliance Configuration Script](update-compliance-configuration-script.md) if you configure your devices through Group Policy, or refer to [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md) for details on manually configuring the new policy for both Group Policy and MDM. +> +> Devices must have this policy configured by January 31, 2022, to remain enrolled in Update Compliance. Devices without this policy configured, including Windows 10 releases prior to version 1809 which do not support this policy, will stop appearing in Update Compliance reports after this date. This topic introduces the high-level steps required to enroll to the Update Compliance solution and configure devices to send data to it. The following steps cover the enrollment and device configuration workflow. @@ -35,11 +42,11 @@ After adding the solution to Azure and configuring devices, it can take some tim Before you begin the process to add Update Compliance to your Azure subscription, first ensure you can meet the prerequisites: -- **Compatible Operating Systems and Editions**: Update Compliance works only with Windows 10 Professional, Education, and Enterprise editions. Update Compliance supports both the typical Windows 10 Enterprise edition, as well as [Windows 10 Enterprise multi-session](/azure/virtual-desktop/windows-10-multisession-faq). Update Compliance only provides data for the standard Desktop Windows 10 version and is not currently compatible with Windows Server, Surface Hub, IoT, etc. -- **Compatible Windows 10 Servicing Channels**: Update Compliance supports Windows 10 devices on the Semi-Annual Channel and the Long-term Servicing Channel (LTSC). Update Compliance *counts* Windows Insider Preview (WIP) devices, but does not currently provide detailed deployment insights for them. -- **Diagnostic data requirements**: Update Compliance requires devices be configured to send diagnostic data at *Required* level (previously *Basic*). To learn more about what's included in different diagnostic levels, see [Diagnostics, feedback, and privacy in Windows 10](https://support.microsoft.com/help/4468236/diagnostics-feedback-and-privacy-in-windows-10-microsoft-privacy). +- **Compatible operating systems and editions**: Update Compliance works only with Windows 10 or Windows 11 Professional, Education, and Enterprise editions. Update Compliance supports both the typical Windows 10 or Windows 11 Enterprise edition, as well as [Windows 10 Enterprise multi-session](/azure/virtual-desktop/windows-10-multisession-faq). Update Compliance only provides data for the standard Desktop Windows client version and is not currently compatible with Windows Server, Surface Hub, IoT, or other versions. +- **Compatible Windows client servicing channels**: Update Compliance supports Windows client devices on the General Availability Channel and the Long-term Servicing Channel (LTSC). Update Compliance *counts* Windows Insider Preview devices, but does not currently provide detailed deployment insights for them. +- **Diagnostic data requirements**: Update Compliance requires devices to send diagnostic data at *Required* level (previously *Basic*). Some queries in Update Compliance require devices to send diagnostic data at *Optional* level (previously *Full*) for Windows 11 devices or *Enhanced* level for Windows 10 devices. To learn more about what's included in different diagnostic levels, see [Diagnostics, feedback, and privacy in Windows](https://support.microsoft.com/windows/diagnostics-feedback-and-privacy-in-windows-28808a2b-a31b-dd73-dcd3-4559a5199319). - **Data transmission requirements**: Devices must be able to contact specific endpoints required to authenticate and send diagnostic data. These are enumerated in detail at [Configuring Devices for Update Compliance manually](update-compliance-configuration-manual.md). -- **Showing Device Names in Update Compliance**: For Windows 10, version 1803 or later, device names will not appear in Update Compliance unless you individually opt-in devices by using policy. The steps to accomplish this is outlined in [Configuring Devices for Update Compliance](update-compliance-configuration-manual.md). +- **Showing device names in Update Compliance**: For Windows 10, version 1803 or later, device names will not appear in Update Compliance unless you individually opt-in devices by using policy. The steps to accomplish this is outlined in [Configuring Devices for Update Compliance](update-compliance-configuration-manual.md). ## Add Update Compliance to your Azure subscription diff --git a/windows/deployment/update/update-compliance-monitor.md b/windows/deployment/update/update-compliance-monitor.md index 7d3ea12222..de2b593b39 100644 --- a/windows/deployment/update/update-compliance-monitor.md +++ b/windows/deployment/update/update-compliance-monitor.md @@ -1,8 +1,8 @@ --- -title: Monitor Windows Updates and Microsoft Defender AV with Update Compliance (Windows 10) +title: Monitor Windows Updates and Microsoft Defender AV with Update Compliance ms.reviewer: manager: laurawi -description: You can use Update Compliance in Azure Portal to monitor the progress of updates and key antimalware protection features on devices in your network. +description: You can use Update Compliance in Azure portal to monitor the progress of updates and key anti-malware protection features on devices in your network. keywords: oms, operations management suite, wdav, updates, upgrades, antivirus, antimalware, signature, log analytics ms.prod: w10 ms.mktglfcycl: deploy @@ -18,24 +18,29 @@ ms.custom: seo-marvel-apr2020 # Monitor Windows Updates with Update Compliance +**Applies to** + +- Windows 10 +- Windows 11 + ## Introduction Update Compliance enables organizations to: -* Monitor security, quality, and feature updates for Windows 10 Professional, Education, and Enterprise editions. +* Monitor security, quality, and feature updates for Windows 10 or Windows 11 Professional, Education, and Enterprise editions. * View a report of device and update issues related to compliance that need attention. * Check bandwidth savings incurred across multiple content types by using [Delivery Optimization](waas-delivery-optimization.md). -Update Compliance is offered through the Azure portal, and is included as part of Windows 10 licenses listed in the [prerequisites](update-compliance-get-started.md#update-compliance-prerequisites). Azure Log Analytics ingestion and retention charges are not incurred on your Azure subscription for Update Compliance data. +Update Compliance is offered through the Azure portal, and is included as part of Windows 10 or Windows 11 licenses listed in the [prerequisites](update-compliance-get-started.md#update-compliance-prerequisites). Azure Log Analytics ingestion and retention charges are not incurred on your Azure subscription for Update Compliance data. -Update Compliance uses Windows 10 diagnostic data for all of its reporting. It collects system data including update deployment progress, [Windows Update for Business](waas-manage-updates-wufb.md) configuration data, and Delivery Optimization usage data, and then sends this data to a customer-owned [Azure Log Analytics](/azure/log-analytics/query-language/get-started-analytics-portal) workspace to power the experience. +Update Compliance uses Windows client diagnostic data for all of its reporting. It collects system data including update deployment progress, [Windows Update for Business](waas-manage-updates-wufb.md) configuration data, and Delivery Optimization usage data, and then sends this data to a customer-owned [Azure Log Analytics](/azure/log-analytics/query-language/get-started-analytics-portal) workspace to power the experience. -See the following topics in this guide for detailed information about configuring and using the Update Compliance solution: +See the following articles in this guide for detailed information about configuring and using the Update Compliance solution: - [Get started with Update Compliance](update-compliance-get-started.md) provides directions on adding Update Compliance to your Azure subscription and configuring devices to send data to Update Compliance. - [Using Update Compliance](update-compliance-using.md) breaks down every aspect of the Update Compliance experience. -## Related topics +## Related articles * [Get started with Update Compliance](update-compliance-get-started.md) * [Use Update Compliance to monitor Windows Updates](update-compliance-using.md) diff --git a/windows/deployment/update/update-compliance-need-attention.md b/windows/deployment/update/update-compliance-need-attention.md index 527be5a54e..f8d8daa42b 100644 --- a/windows/deployment/update/update-compliance-need-attention.md +++ b/windows/deployment/update/update-compliance-need-attention.md @@ -14,9 +14,15 @@ ms.prod: w10 --- # Needs attention! + +**Applies to** + +- Windows 10 +- Windows 11 + ![Needs attention section.](images/UC_workspace_needs_attention.png) -The **Needs attention!** section provides a breakdown of all Windows 10 device and update issues detected by Update Compliance. The summary tile for this section counts the number of devices that have issues, while the blades within break down the issues encountered. Finally, a [list of queries](#list-of-queries) blade in this section contains queries that provide values but do not fit within any other main section. +The **Needs attention!** section provides a breakdown of all Windows client device and update issues detected by Update Compliance. The summary tile for this section counts the number of devices that have issues, while the blades within break down the issues encountered. Finally, a [list of queries](#list-of-queries) blade in this section contains queries that provide values but do not fit within any other main section. > [!NOTE] > The summary tile counts the number of devices that have issues, while the blades within the section break down the issues encountered. A single device can have more than one issue, so these numbers might not add up. @@ -26,7 +32,7 @@ The different issues are broken down by Device Issues and Update Issues: ## Device Issues * **Missing multiple security updates:** This issue occurs when a device is behind by two or more security updates. These devices might be more vulnerable and should be investigated and updated. -* **Out of support OS Version:** This issue occurs when a device has fallen out of support due to the version of Windows 10 it is running. When a device has fallen out of support, it will no longer receive important security updates, and might be vulnerable. These devices should be updated to a supported version of Windows 10. +* **Out of support OS Version:** This issue occurs when a device has fallen out of support due to the version of Windows client it is running. When a device has fallen out of support, it will no longer receive important security updates, and might be vulnerable. These devices should be updated to a supported version of Windows client. ## Update Issues @@ -39,7 +45,7 @@ The different issues are broken down by Device Issues and Update Issues: Selecting any of the issues will take you to a [Log Analytics](/azure/log-analytics/query-language/get-started-analytics-portal) view with all devices that have the given issue. > [!NOTE] -> This blade also has a link to the [Setup Diagnostic Tool](../upgrade/setupdiag.md), a standalone tool you can use to obtain details about why a Windows 10 feature update was unsuccessful. +> This blade also has a link to the [Setup Diagnostic Tool](../upgrade/setupdiag.md), a standalone tool you can use to obtain details about why a Windows client feature update was unsuccessful. ## List of Queries diff --git a/windows/deployment/update/update-compliance-privacy.md b/windows/deployment/update/update-compliance-privacy.md index b7c5407a53..b8f5508589 100644 --- a/windows/deployment/update/update-compliance-privacy.md +++ b/windows/deployment/update/update-compliance-privacy.md @@ -16,9 +16,14 @@ ms.topic: article # Privacy in Update Compliance +**Applies to** + +- Windows 10 +- Windows 11 + Update Compliance is fully committed to privacy, centering on these tenets: -- **Transparency:** Windows 10 diagnostic data events that are required for Update Compliance's operation are fully documented (see the links for additional information) so you can review them with your company's security and compliance teams. The Diagnostic Data Viewer lets you see diagnostic data sent from a given device (see [Diagnostic Data Viewer Overview](/windows/configuration/diagnostic-data-viewer-overview) for details). +- **Transparency:** Windows client diagnostic data events that are required for Update Compliance's operation are fully documented (see the links for additional information) so you can review them with your company's security and compliance teams. The Diagnostic Data Viewer lets you see diagnostic data sent from a given device (see [Diagnostic Data Viewer Overview](/windows/configuration/diagnostic-data-viewer-overview) for details). - **Control:** You ultimately control the level of diagnostic data you wish to share. In Windows 10, version 1709 we added a new policy to Limit enhanced diagnostic data to the minimum required by Windows Analytics. - **Security:** Your data is protected with strong security and encryption. - **Trust:** Update Compliance supports the Online Services Terms. diff --git a/windows/deployment/update/update-compliance-security-update-status.md b/windows/deployment/update/update-compliance-security-update-status.md index 27a37f5e71..28735cdb61 100644 --- a/windows/deployment/update/update-compliance-security-update-status.md +++ b/windows/deployment/update/update-compliance-security-update-status.md @@ -15,12 +15,17 @@ ms.custom: seo-marvel-apr2020 # Security Update Status +**Applies to** + +- Windows 10 +- Windows 11 + ![The Security Update Status report.](images/UC_workspace_SU_status.png) -The Security Update Status section provides information about [security updates](waas-quick-start.md#definitions) across all devices. The section tile within the [Overview Blade](update-compliance-using.md#overview-blade) lists the percentage of devices on the latest security update available. Meanwhile, the blades within show the percentage of devices on the latest security update for each Windows 10 version and the deployment progress toward the latest two security updates. +The Security Update Status section provides information about [security updates](waas-quick-start.md#definitions) across all devices. The section tile within the [Overview Blade](update-compliance-using.md#overview-blade) lists the percentage of devices on the latest security update available. Meanwhile, the blades within show the percentage of devices on the latest security update for each Windows client version and the deployment progress toward the latest two security updates. The **Overall Security Update Status** blade provides a visualization of devices that are and do not have the latest security updates. Below the visualization are all devices further broken down by operating system version and a count of devices that are up to date and not up to date. The **Not up to date** column also provides a count of update failures. -The **Latest Security Update Status** and **Previous Security Update Status** tiles are stacked to form one blade. The **Latest Security Update Status** provides a visualization of the different deployment states devices are in regarding the latest update for each build (or version) of Windows 10, along with the revision of that update. The **Previous Security Update Status** blade provides the same information without the accompanying visualization. +The **Latest Security Update Status** and **Previous Security Update Status** tiles are stacked to form one blade. The **Latest Security Update Status** provides a visualization of the different deployment states devices are in regarding the latest update for each build (or version) of Windows client, along with the revision of that update. The **Previous Security Update Status** blade provides the same information without the accompanying visualization. The rows of each tile in this section are interactive; selecting them will navigate you to the query that is representative of that row and section. diff --git a/windows/deployment/update/update-compliance-using.md b/windows/deployment/update/update-compliance-using.md index 26c96388b7..d27fd0af96 100644 --- a/windows/deployment/update/update-compliance-using.md +++ b/windows/deployment/update/update-compliance-using.md @@ -1,5 +1,5 @@ --- -title: Using Update Compliance (Windows 10) +title: Using Update Compliance ms.reviewer: manager: laurawi description: Learn how to use Update Compliance to monitor your device's Windows updates. @@ -18,11 +18,16 @@ ms.custom: seo-marvel-apr2020 # Use Update Compliance +**Applies to** + +- Windows 10 +- Windows 11 + In this section you'll learn how to use Update Compliance to monitor your device's Windows updates and Microsoft Defender Antivirus status. To configure your environment for use with Update Compliance, refer to [Get started with Update Compliance](update-compliance-get-started.md). Update Compliance: -- Provides detailed deployment monitoring for Windows 10 Feature and Quality updates. +- Provides detailed deployment monitoring for Windows client feature and quality updates. - Reports when devices need attention due to issues related to update deployment. - Shows bandwidth usage and savings for devices that are configured to use [Delivery Optimization](waas-delivery-optimization.md). - Provides all of the above data in [Log Analytics](#using-log-analytics), which affords additional querying and export capabilities. @@ -49,21 +54,21 @@ When you select this tile, you will be redirected to the Update Compliance works ![The Overview blade.](images/UC_workspace_overview_blade.png) Update Compliance's overview blade summarizes all the data Update Compliance provides. It functions as a hub from which you can navigate to different sections. The total number of devices detected by Update Compliance is reported in the title of this blade. What follows is a distribution for all devices as to whether they are up to date on the following items: -* Security updates: A device is up to date on quality updates whenever it has the latest applicable quality update installed. Quality updates are monthly cumulative updates that are specific to a version of Windows 10. +* Security updates: A device is up to date on quality updates whenever it has the latest applicable quality update installed. Quality updates are monthly cumulative updates that are specific to a version of Windows client. * Feature updates: A device is up to date on feature updates whenever it has the latest applicable feature update installed. Update Compliance considers [Servicing Channel](waas-overview.md#servicing-channels) when determining update applicability. * AV Signature: A device is up to date on Antivirus Signature when the latest Windows Defender Signatures have been downloaded. This distribution only considers devices that are running Microsoft Defender Antivirus. The blade also provides the time at which your Update Compliance workspace was [refreshed](#update-compliance-data-latency). The following is a breakdown of the different sections available in Update Compliance: -* [Need Attention!](update-compliance-need-attention.md) - This section is the default section when arriving to your Update Compliance workspace. It provides a summary of the different issues devices are facing relative to Windows 10 updates. -* [Security Update Status](update-compliance-security-update-status.md) - This section lists the percentage of devices that are on the latest security update released for the version of Windows 10 it is running. Selecting this section provides blades that summarize the overall status of security updates across all devices and a summary of their deployment progress towards the latest two security updates. -* [Feature Update Status](update-compliance-feature-update-status.md) - This section lists the percentage of devices that are on the latest feature update that is applicable to a given device. Selecting this section provides blades that summarize the overall feature update status across all devices and a summary of deployment status for different versions of Windows 10 in your environment. +* [Need Attention!](update-compliance-need-attention.md) - This section is the default section when arriving to your Update Compliance workspace. It provides a summary of the different issues devices are facing relative to Windows client updates. +* [Security Update Status](update-compliance-security-update-status.md) - This section lists the percentage of devices that are on the latest security update released for the version of Windows client it is running. Selecting this section provides blades that summarize the overall status of security updates across all devices and a summary of their deployment progress towards the latest two security updates. +* [Feature Update Status](update-compliance-feature-update-status.md) - This section lists the percentage of devices that are on the latest feature update that is applicable to a given device. Selecting this section provides blades that summarize the overall feature update status across all devices and a summary of deployment status for different versions of Windows client in your environment. * [Delivery Optimization Status](update-compliance-delivery-optimization.md) - This section summarizes bandwidth savings incurred by utilizing Delivery Optimization in your environment. It provides a breakdown of Delivery Optimization configuration across devices, and summarizes bandwidth savings and utilization across multiple content types. ## Update Compliance data latency -Update Compliance uses Windows 10 diagnostic data as its data source. After you add Update Compliance and appropriately configure your devices, it could take 48-72 hours before they first appear. +Update Compliance uses Windows client diagnostic data as its data source. After you add Update Compliance and appropriately configure your devices, it could take 48-72 hours before they first appear. The data powering Update Compliance is refreshed every 24 hours, and refreshes with the latest data from all devices part of your organization that have been seen in the past 28 days. The entire set of data is refreshed in each daily snapshot, which means that the same data can be re-ingested even if no new data actually arrived from the device since the last snapshot. Snapshot time can be determined by the TimeGenerated field for each record, while LastScan can be used to roughly determine the freshness of each record's data. diff --git a/windows/deployment/update/update-policies.md b/windows/deployment/update/update-policies.md index f6bb3195f2..4bbcdcad7e 100644 --- a/windows/deployment/update/update-policies.md +++ b/windows/deployment/update/update-policies.md @@ -18,8 +18,8 @@ ms.collection: M365-modern-desktop **Applies to** -- Windows 10 -- Windows 11 +- Windows 10 +- Windows 11 Keeping devices up to date is the best way to keep them working smoothly and securely. @@ -39,10 +39,6 @@ update is published plus any deferral. In addition, this policy includes a confi to opt out of automatic restarts until the deadline is reached (although we recommend always allowing automatic restarts for maximum update velocity). -> [!IMPORTANT] -> If you use the new **Specify deadlines for automatic updates and restarts** setting in Windows 10, -> version 1903, you must disable the [older deadline policies](wufb-compliancedeadlines.md#prior-to-windows-10-version-1709) because they could conflict. - We recommend you set deadlines as follows: - Quality update deadline, in days: 3 - Feature update deadline, in days: 7 diff --git a/windows/deployment/update/waas-branchcache.md b/windows/deployment/update/waas-branchcache.md index 7963fab1a7..9cfa2f188d 100644 --- a/windows/deployment/update/waas-branchcache.md +++ b/windows/deployment/update/waas-branchcache.md @@ -1,5 +1,5 @@ --- -title: Configure BranchCache for Windows 10 updates (Windows 10) +title: Configure BranchCache for Windows client updates description: In this article, learn how to use BranchCache to optimize network bandwidth during update deployment. ms.prod: w10 ms.mktglfcycl: manage @@ -12,21 +12,22 @@ ms.topic: article ms.custom: seo-marvel-apr2020 --- -# Configure BranchCache for Windows 10 updates +# Configure BranchCache for Windows client updates **Applies to** - Windows 10 +- Windows 11 > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) BranchCache is a bandwidth-optimization feature that has been available since the Windows Server 2008 R2 and Windows 7 operating systems. Each client has a cache and acts as an alternate source for content that devices on its own network request. Windows Server Update Services (WSUS) and Microsoft Endpoint Manager can use BranchCache to optimize network bandwidth during update deployment, and it's easy to configure for either of them. BranchCache has two operating modes: Distributed Cache mode and Hosted Cache mode. -- Distributed Cache mode operates like the [Delivery Optimization](waas-delivery-optimization.md) feature in Windows 10: each client contains a cached version of the BranchCache-enabled files it requests and acts as a distributed cache for other clients requesting that same file. +- Distributed Cache mode operates like the [Delivery Optimization](waas-delivery-optimization.md) feature in Windows client: each client contains a cached version of the BranchCache-enabled files it requests and acts as a distributed cache for other clients requesting that same file. >[!TIP] - >Distributed Cache mode is preferred to Hosted Cache mode for Windows 10 updates to get the most benefit from peer-to-peer distribution. + >Distributed Cache mode is preferred to Hosted Cache mode for Windows clients updates to get the most benefit from peer-to-peer distribution. - In Hosted Cache mode, designated servers at specific locations act as a cache for files requested by clients in its area. Then, rather than clients retrieving files from a latent source, the hosted cache server provides the content on its behalf. @@ -36,7 +37,7 @@ For detailed information about how Distributed Cache mode and Hosted Cache mode Whether you use BranchCache with Configuration Manager or WSUS, each client that uses BranchCache must be configured to do so. You typically make your configurations through Group Policy. For step-by-step instructions on how to use Group Policy to configure BranchCache for Windows clients, see [Client Configuration](/previous-versions/windows/it-pro/windows-7/dd637820(v=ws.10)) in the [BranchCache Early Adopter's Guide](/previous-versions/windows/it-pro/windows-7/dd637762(v=ws.10)). -In Windows 10, version 1607, the Windows Update Agent uses Delivery Optimization by default, even when the updates are retrieved from WSUS. When using BranchCache with Windows 10, simply set the Delivery Optimization mode to Bypass to allow clients to use the Background Intelligent Transfer Service (BITS) protocol with BranchCache instead. For instructions on how to use BranchCache in Distributed Cache mode with WSUS, see the section WSUS and Configuration Manager with BranchCache in Distributed Cache mode. +In Windows 10, version 1607, the Windows Update Agent uses Delivery Optimization by default, even when the updates are retrieved from WSUS. When using BranchCache with Windows client, simply set the Delivery Optimization mode to Bypass to allow clients to use the Background Intelligent Transfer Service (BITS) protocol with BranchCache instead. For instructions on how to use BranchCache in Distributed Cache mode with WSUS, see the section WSUS and Configuration Manager with BranchCache in Distributed Cache mode. ## Configure servers for BranchCache @@ -49,21 +50,3 @@ In addition to these steps, there is one requirement for WSUS to be able to use >[!NOTE] >Configuration Manager only supports Distributed Cache mode. - -## Related topics - -- [Update Windows 10 in the enterprise](index.md) -- [Overview of Windows as a service](waas-overview.md) -- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) -- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) -- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) -- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) -- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) -- [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md) -- [Configure Windows Update for Business](waas-configure-wufb.md) -- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) -- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) -- [Walkthrough: use Intune to configure Windows Update for Business](/intune/windows-update-for-business-configure) -- [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md) -- [Deploy Windows 10 updates using Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) -- [Manage device restarts after updates](waas-restart.md) \ No newline at end of file diff --git a/windows/deployment/update/waas-configure-wufb.md b/windows/deployment/update/waas-configure-wufb.md index d0c4ab43af..0c557a1ac6 100644 --- a/windows/deployment/update/waas-configure-wufb.md +++ b/windows/deployment/update/waas-configure-wufb.md @@ -1,5 +1,5 @@ --- -title: Configure Windows Update for Business (Windows 10) +title: Configure Windows Update for Business ms.reviewer: manager: laurawi description: You can use Group Policy or your mobile device management (MDM) service to configure Windows Update for Business settings for your devices. @@ -19,13 +19,14 @@ ms.topic: article **Applies to** - Windows 10 +- Windows 11 - Windows Server 2016 - Windows Server 2019 +- Windows Server 2022 > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) - -You can use Group Policy or your mobile device management (MDM) service to configure Windows Update for Business settings for your devices. The sections in this topic provide the Group Policy and MDM policies for Windows 10, version 1511 and above. The MDM policies use the OMA-URI setting from the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider). +You can use Group Policy or your mobile device management (MDM) service to configure Windows Update for Business settings for your devices. The sections in this topic provide the Group Policy and MDM policies for Windows 10, version 1511 and later, including Windows 11. The MDM policies use the OMA-URI setting from the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider). > [!IMPORTANT] > Beginning with Windows 10, version 1903, organizations can use Windows Update for Business policies, regardless of the diagnostic data level chosen. If the diagnostic data level is set to **0 (Security)**, Windows Update for Business policies will still be honored. For instructions, see [Configure the operating system diagnostic data level](/windows/configuration/configure-windows-diagnostic-data-in-your-organization#diagnostic-data-levels). @@ -33,7 +34,7 @@ You can use Group Policy or your mobile device management (MDM) service to confi ## Start by grouping devices -By grouping devices with similar deferral periods, administrators are able to cluster devices into deployment or validation groups which can be as a quality control measure as updates are deployed in Windows 10. With deferral windows and the ability to pause updates, administrators can effectively control and measure update deployments, updating a small pool of devices first to verify quality, prior to a broader roll-out to their organization. For more information, see [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md). +By grouping devices with similar deferral periods, administrators are able to cluster devices into deployment or validation groups which can be as a quality control measure as updates are deployed. With deferral windows and the ability to pause updates, administrators can effectively control and measure update deployments, updating a small pool of devices first to verify quality, prior to a broader roll-out to their organization. >[!TIP] >In addition to setting up multiple rings for your update deployments, also incorporate devices enrolled in the Windows Insider Program as part of your deployment strategy. This will provide you the chance to not only evaluate new features before they are broadly available to the public, but it also increases the lead time to provide feedback and influence Microsoft’s design on functional aspects of the product. For more information on Windows Insider program, see [https://insider.windows.com/](https://insider.windows.com/). @@ -43,13 +44,13 @@ By grouping devices with similar deferral periods, administrators are able to cl ## Configure devices for the appropriate service channel -With Windows Update for Business, you can set a device to be on either Windows Insider Preview or the Semi-Annual Channel servicing branch. For more information on this servicing model, see [Windows 10 servicing options](waas-overview.md#servicing-channels). +With Windows Update for Business, you can set a device to be on either Windows Insider Preview or the General Availability Channel servicing branch. For more information on this servicing model, see [Servicing channels](waas-overview.md#servicing-channels). **Release branch policies** | Policy | Sets registry key under HKLM\Software | | --- | --- | -| GPO for Windows 10, version 1607 or later:
      Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > **Select when Feature Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\BranchReadinessLevel | +| GPO for Windows 10, version 1607 or later:
      Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > **Select when feature updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\BranchReadinessLevel | | GPO for Windows 10, version 1511:
      Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\DeferUpgrade | | MDM for Windows 10, version 1607 or later:
      ../Vendor/MSFT/Policy/Config/Update/
      **BranchReadinessLevel** | \Microsoft\PolicyManager\default\Update\BranchReadinessLevel | | MDM for Windows 10, version 1511:
      ../Vendor/MSFT/Policy/Config/Update/
      **RequireDeferUpgrade** | \Microsoft\PolicyManager\default\Update\RequireDeferUpgrade | @@ -64,9 +65,9 @@ Starting with Windows 10, version 1703, users can configure the branch readiness ## Configure when devices receive feature updates -After you configure the servicing branch (Windows Insider Preview or Semi-Annual Channel), you can then define if, and for how long, you would like to defer receiving Feature Updates following their availability from Microsoft on Windows Update. You can defer receiving these Feature Updates for a period of up to 365 days from their release by setting the `DeferFeatureUpdatesPeriodinDays` value. +After you configure the servicing branch (Windows Insider Preview or General Availability Channel), you can then define if, and for how long, you would like to defer receiving feature updates following their availability from Microsoft on Windows Update. You can defer receiving these feature updates for a period of up to 365 days from their release by setting the `DeferFeatureUpdatesPeriodinDays` value. -For example, a device on the Semi-Annual Channel with `DeferFeatureUpdatesPeriodinDays=30` will not install a feature update that is first publicly available on Windows Update in September until 30 days later, in October. +For example, a device on the General Availability Channel with `DeferFeatureUpdatesPeriodinDays=30` will not install a feature update that is first publicly available on Windows Update in September until 30 days later, in October.

      @@ -74,7 +75,7 @@ For example, a device on the Semi-Annual Channel with `DeferFeatureUpdatesPeriod | Policy | Sets registry key under HKLM\Software | | --- | --- | -| GPO for Windows 10, version 1607 or later:
      Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > **Select when Feature Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\DeferFeatureUpdates
      \Policies\Microsoft\Windows\WindowsUpdate\DeferFeatureUpdatesPeriodInDays | +| GPO for Windows 10, version 1607 or later:
      Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > **Select when feature updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\DeferFeatureUpdates
      \Policies\Microsoft\Windows\WindowsUpdate\DeferFeatureUpdatesPeriodInDays | | GPO for Windows 10, version 1511:
      Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\DeferUpgradePeriod | | MDM for Windows 10, version 1607 and later:
      ../Vendor/MSFT/Policy/Config/Update/
      **DeferFeatureUpdatesPeriodInDays** | \Microsoft\PolicyManager\default\Update\DeferFeatureUpdatesPeriodInDays | | MDM for Windows 10, version 1511:
      ../Vendor/MSFT/Policy/Config/Update/
      **DeferUpgrade** | \Microsoft\PolicyManager\default\Update\RequireDeferUpgrade | @@ -84,7 +85,7 @@ For example, a device on the Semi-Annual Channel with `DeferFeatureUpdatesPeriod ## Pause feature updates -You can also pause a device from receiving Feature Updates by a period of up to 35 days from when the value is set. After 35 days has passed, the pause setting will automatically expire and the device will scan Windows Update for applicable Feature Updates. Following this scan, you can then pause Feature Updates for the device again. +You can also pause a device from receiving feature updates by a period of up to 35 days from when the value is set. After 35 days has passed, the pause setting will automatically expire and the device will scan Windows Update for applicable feature updates. Following this scan, you can then pause feature updates for the device again. Starting with Windows 10, version 1703, when you configure a pause by using policy, you must set a start date for the pause to begin. The pause period is calculated by adding 35 days to this start date. @@ -98,20 +99,20 @@ In cases where the pause policy is first applied after the configured start date | Policy | Sets registry key under HKLM\Software | | --- | --- | -| GPO for Windows 10, version 1607 or later:
      Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > **Select when Feature Updates are received** | **1607:** \Policies\Microsoft\Windows\WindowsUpdate\PauseFeatureUpdates
      **1703 and later:** \Policies\Microsoft\Windows\WindowsUpdate\PauseFeatureUpdatesStartTime | +| GPO for Windows 10, version 1607 or later:
      Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > **Select when feature updates are received** | **1607:** \Policies\Microsoft\Windows\WindowsUpdate\PauseFeatureUpdates
      **1703 and later:** \Policies\Microsoft\Windows\WindowsUpdate\PauseFeatureUpdatesStartTime | | GPO for Windows 10, version 1511:
      Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\Pause | | MDM for Windows 10, version 1607 or later:
      ../Vendor/MSFT/Policy/Config/Update/
      **PauseFeatureUpdates** | **1607:** \Microsoft\PolicyManager\default\Update\PauseFeatureUpdates
      **1703 and later:** \Microsoft\PolicyManager\default\Update\PauseFeatureUpdatesStartTime | | MDM for Windows 10, version 1511:
      ../Vendor/MSFT/Policy/Config/Update/
      **DeferUpgrade** | \Microsoft\PolicyManager\default\Update\Pause | -You can check the date that Feature Updates were paused by checking the registry key **PausedFeatureDate** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**. +You can check the date that feature updates were paused by checking the registry key **PausedFeatureDate** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**. -The local group policy editor (GPEdit.msc) will not reflect whether the Feature Update pause period has expired. Although the device will resume Feature Updates after 35 days automatically, the pause checkbox will remain selected in the policy editor. To check whether a device has automatically resumed taking Feature Updates, check the status registry key **PausedFeatureStatus** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings** for the following values: +The local group policy editor (GPEdit.msc) will not reflect whether the feature update pause period has expired. Although the device will resume feature updates after 35 days automatically, the pause check box will remain selected in the policy editor. To check whether a device has automatically resumed taking feature updates, check the status registry key **PausedFeatureStatus** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings** for the following values: | Value | Status| | --- | --- | -| 0 | Feature Updates not paused | -| 1 | Feature Updates paused | -| 2 | Feature Updates have auto-resumed after being paused | +| 0 | feature updates not paused | +| 1 | feature updates paused | +| 2 | feature updates have auto-resumed after being paused | >[!NOTE] >If not configured by policy, individual users can pause feature updates by using **Settings > Update & security > Windows Update > Advanced options**. @@ -122,9 +123,9 @@ Starting with Windows 10, version 1703, using Settings to control the pause beha - Any pending update installations are canceled. - Any update installation running when pause is activated will attempt to roll back. -## Configure when devices receive Quality Updates +## Configure when devices receive quality updates -Quality updates are typically published on the second Tuesday of every month, although they can be released at any time. You can define if, and for how long, you would like to defer receiving Quality updates following their availability. You can defer receiving these quality updates for a period of up to 30 days from their release by setting the **DeferQualityUpdatesPeriodinDays** value. +Quality updates are typically published on the second Tuesday of every month, although they can be released at any time. You can define if, and for how long, you would like to defer receiving quality updates following their availability. You can defer receiving these quality updates for a period of up to 30 days from their release by setting the **DeferQualityUpdatesPeriodinDays** value. You can set your system to receive updates for other Microsoft products—known as Microsoft updates (such as Microsoft Office, Visual Studio)—along with Windows updates by setting the **AllowMUUpdateService** policy. When you do this, these Microsoft updates will follow the same deferral and pause rules as all other quality updates. @@ -160,15 +161,15 @@ In cases where the pause policy is first applied after the configured start date | MDM for Windows 10, version 1607 or later:
      ../Vendor/MSFT/Policy/Config/Update/
      **PauseQualityUpdates** | **1607:** \Microsoft\PolicyManager\default\Update\PauseQualityUpdates
      **1703:** \Microsoft\PolicyManager\default\Update\PauseQualityUpdatesStartTime | | MDM for Windows 10, version 1511:
      ../Vendor/MSFT/Policy/Config/Update/
      **DeferUpgrade** | \Microsoft\PolicyManager\default\Update\Pause | -You can check the date that quality Updates were paused by checking the registry key **PausedQualityDate** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**. +You can check the date that quality updates were paused by checking the registry key **PausedQualityDate** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**. -The local group policy editor (GPEdit.msc) will not reflect whether the quality Update pause period has expired. Although the device will resume quality Updates after 35 days automatically, the pause checkbox will remain selected in the policy editor. To check whether a device has automatically resumed taking quality Updates, check the status registry key **PausedQualityStatus** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings** for the following values: +The local group policy editor (GPEdit.msc) will not reflect whether the quality update pause period has expired. Although the device will resume quality updates after 35 days automatically, the pause check box will remain selected in the policy editor. To check whether a device has automatically resumed taking quality Updates, check the status registry key **PausedQualityStatus** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings** for the following values: | Value | Status| | --- | --- | -| 0 | Quality Updates not paused | -| 1 | Quality Updates paused | -| 2 | Quality Updates have auto-resumed after being paused | +| 0 | quality updates not paused | +| 1 | quality updates paused | +| 2 | quality updates have auto-resumed after being paused | >[!NOTE] >If not configured by policy, individual users can pause quality updates by using **Settings > Update & security > Windows Update > Advanced options**. @@ -193,8 +194,8 @@ The **Manage preview builds** setting gives administrators control over enabling >* Group Policy: **Computer Configuration/Administrative Templates/Windows Components/Data Collection and Preview Builds/Toggle user control over Insider builds** >* MDM: **System/AllowBuildPreview** -The policy settings to **Select when Feature Updates are received** allows you to choose between preview flight rings, and allows you to defer or pause their delivery. -* Group Policy: **Computer Configuration/Administrative Templates/Windows Components/Windows Update/ Windows Update for Business** - *Select when Preview Builds and Feature Updates are received* +The policy settings to **Select when feature updates are received** allows you to choose between preview flight rings, and allows you to defer or pause their delivery. +* Group Policy: **Computer Configuration/Administrative Templates/Windows Components/Windows Update/ Windows Update for Business** - *Select when Preview Builds and feature updates are received* * MDM: **Update/BranchReadinessLevel** ## Exclude drivers from quality updates @@ -216,7 +217,7 @@ The following are quick-reference tables of the supported policy values for Wind | GPO Key | Key type | Value | | --- | --- | --- | -| BranchReadinessLevel | REG_DWORD | 2: systems take Feature Updates for the Windows Insider build - Fast (added in Windows 10, version 1709)
      4: systems take Feature Updates for the Windows Insider build - Slow (added in Windows 10, version 1709)
      8: systems take Feature Updates for the Release Windows Insider build (added in Windows 10, version 1709)
      16: for Windows 10, version 1703: systems take Feature Updates for the Current Branch (CB); for Windows 10, version 1709, 1803 and 1809: systems take Feature Updates from Semi-Annual Channel (Targeted) (SAC-T); for Windows 10, version 1903 or later: systems take Feature Updates from Semi-Annual Channel
      32: systems take Feature Updates from Semi-Annual Channel
      Note: Other value or absent: receive all applicable updates | +| BranchReadinessLevel | REG_DWORD | 2: systems take feature updates for the Windows Insider build - Fast (added in Windows 10, version 1709)
      4: systems take feature updates for the Windows Insider build - Slow (added in Windows 10, version 1709)
      8: systems take feature updates for the Release Windows Insider build (added in Windows 10, version 1709)

      Other value or absent: receive all applicable updates | | DeferQualityUpdates | REG_DWORD | 1: defer quality updates
      Other value or absent: don’t defer quality updates | | DeferQualityUpdatesPeriodinDays | REG_DWORD | 0-35: defer quality updates by given days | | PauseQualityUpdatesStartTime | REG_DWORD | 1: pause quality updates
      Other value or absent: don’t pause quality updates | @@ -230,7 +231,7 @@ The following are quick-reference tables of the supported policy values for Wind | MDM Key | Key type | Value | | --- | --- | --- | -| BranchReadinessLevel | REG_DWORD |2: systems take Feature Updates for the Windows Insider build - Fast (added in Windows 10, version 1709)
      4: systems take Feature Updates for the Windows Insider build - Slow (added in Windows 10, version 1709)
      8: systems take Feature Updates for the Release Windows Insider build (added in Windows 10, version 1709)
      16: for Windows 10, version 1703: systems take Feature Updates for the Current Branch (CB); for Windows 10, version 1709, 1803 and 1809: systems take Feature Updates from Semi-Annual Channel (Targeted) (SAC-T); for Windows 10, version 1903 or later: systems take Feature Updates from Semi-Annual Channel
      32: systems take Feature Updates from Semi-Annual Channel
      Note: Other value or absent: receive all applicable updates | +| BranchReadinessLevel | REG_DWORD |2: systems take feature updates for the Windows Insider build - Fast (added in Windows 10, version 1709)
      4: systems take feature updates for the Windows Insider build - Slow (added in Windows 10, version 1709)
      8: systems take feature updates for the Release Windows Insider build (added in Windows 10, version 1709)
      32: systems take feature updates from General Availability Channel
      Note: Other value or absent: receive all applicable updates | | DeferQualityUpdatesPeriodinDays | REG_DWORD | 0-35: defer quality updates by given days | | PauseQualityUpdatesStartTime | REG_DWORD | 1: pause quality updates
      Other value or absent: don’t pause quality updates | | DeferFeatureUpdatesPeriodinDays | REG_DWORD | 0-365: defer feature updates by given days | @@ -253,20 +254,3 @@ When a device running a newer version sees an update available on Windows Update | PauseFeatureUpdates | PauseFeatureUpdatesStartTime | | PauseQualityUpdates | PauseQualityUpdatesStartTime | -## Related topics - -- [Update Windows 10 in the enterprise](index.md) -- [Overview of Windows as a service](waas-overview.md) -- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) -- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) -- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) -- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) -- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) -- [Configure BranchCache for Windows 10 updates](waas-branchcache.md) -- [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md) -- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) -- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) -- [Walkthrough: use Intune to configure Windows Update for Business](/intune/windows-update-for-business-configure) -- [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md) -- [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) -- [Manage device restarts after updates](waas-restart.md) diff --git a/windows/deployment/update/waas-delivery-optimization-reference.md b/windows/deployment/update/waas-delivery-optimization-reference.md index df12b64c2c..2aea9ec10f 100644 --- a/windows/deployment/update/waas-delivery-optimization-reference.md +++ b/windows/deployment/update/waas-delivery-optimization-reference.md @@ -20,6 +20,7 @@ ms.custom: seo-marvel-apr2020 **Applies to** - Windows 10 +- Windows 11 > **Looking for more Group Policy settings?** See the master spreadsheet available at the [Download Center](https://www.microsoft.com/download/details.aspx?id=102158). @@ -116,8 +117,11 @@ Download mode dictates which download sources clients are allowed to use when do | Simple (99) | Simple mode disables the use of Delivery Optimization cloud services completely (for offline environments). Delivery Optimization switches to this mode automatically when the Delivery Optimization cloud services are unavailable, unreachable or when the content file size is less than 10 MB. In this mode, Delivery Optimization provides a reliable download experience, with no peer-to-peer caching. | |Bypass (100) | Bypass Delivery Optimization and use BITS, instead. You should only select this mode if you use WSUS and prefer to use BranchCache. You do not need to set this option if you are using Configuration Manager. If you want to disable peer-to-peer functionality, it's best to set **DownloadMode** to **0** or **99**. | +> [!NOTE] +> Starting with Windows 10, version 2006 (and in Windows 11), the Bypass option of Download Mode is no longer used. + >[!NOTE] ->Group mode is a best-effort optimization and should not be relied on for an authentication of identity of devices participating in the group. +>When you use AAD tenant, AD Site, or AD Domain as source of group IDs, that the association of devices participating in the group should not be relied on for an authentication of identity of those devices. ### Group ID @@ -160,7 +164,7 @@ In environments configured for Delivery Optimization, you might want to set an e ### Max Cache Size -This setting limits the maximum amount of space the Delivery Optimization cache can use as a percentage of the available drive space, from 1 to 100. For example, if you set this value to 10 on a Windows 10 client device that has 100 GB of available drive space, then Delivery Optimization will use up to 10 GB of that space. Delivery Optimization will constantly assess the available drive space and automatically clear the cache to keep the maximum cache size under the set percentage. The default value for this setting is 20. +This setting limits the maximum amount of space the Delivery Optimization cache can use as a percentage of the available drive space, from 1 to 100. For example, if you set this value to 10 on a Windows client device that has 100 GB of available drive space, then Delivery Optimization will use up to 10 GB of that space. Delivery Optimization will constantly assess the available drive space and automatically clear the cache to keep the maximum cache size under the set percentage. The default value for this setting is 20. ### Absolute Max Cache Size @@ -197,8 +201,9 @@ Starting in Windows 10, version 1803, specifies the maximum background download Starting in Windows 10, version 1803, specifies the maximum foreground download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. ### Select a method to restrict peer selection -Starting in Windows 10, version 1803, set this policy to restrict peer selection via selected option. -Currently the only available option is **1 = Subnet mask**. The subnet mask option applies to both Download Modes LAN (1) and Group (2). +Starting in Windows 10, version 1803, set this policy to restrict peer selection via selected option. Currently the available options include: 0 = NAT, 1 = Subnet mask, and 2 = Local Peer Discovery. The subnet mask option applies to both Download Modes LAN (1) and Group (2). + +If Group mode is set, Delivery Optimization will connect to locally discovered peers that are also part of the same Group (have the same Group ID). ### Delay background download from http (in secs) Starting in Windows 10, version 1803, this allows you to delay the use of an HTTP source in a background download that is allowed to use peer-to-peer. diff --git a/windows/deployment/update/waas-delivery-optimization-setup.md b/windows/deployment/update/waas-delivery-optimization-setup.md index ef3f3040cc..b15133d690 100644 --- a/windows/deployment/update/waas-delivery-optimization-setup.md +++ b/windows/deployment/update/waas-delivery-optimization-setup.md @@ -2,7 +2,7 @@ title: Set up Delivery Optimization ms.reviewer: manager: laurawi -description: In this article, learn how to set up Delivery Optimization, a new peer-to-peer distribution method in Windows 10. +description: In this article, learn how to set up Delivery Optimization. keywords: oms, operations management suite, wdav, updates, downloads, log analytics ms.prod: w10 ms.mktglfcycl: deploy @@ -15,11 +15,12 @@ ms.topic: article ms.custom: seo-marvel-apr2020 --- -# Set up Delivery Optimization for Windows 10 updates +# Set up Delivery Optimization for Windows client updates **Applies to** - Windows 10 +- Windows 11 > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) diff --git a/windows/deployment/update/waas-delivery-optimization.md b/windows/deployment/update/waas-delivery-optimization.md index ab8834382a..4bd4c62a37 100644 --- a/windows/deployment/update/waas-delivery-optimization.md +++ b/windows/deployment/update/waas-delivery-optimization.md @@ -1,5 +1,5 @@ --- -title: Delivery Optimization for Windows 10 updates +title: Delivery Optimization for Windows client updates manager: laurawi description: This article provides information about Delivery Optimization, a peer-to-peer distribution method in Windows 10. keywords: oms, operations management suite, wdav, updates, downloads, log analytics @@ -16,12 +16,12 @@ ms.topic: article ms.custom: seo-marvel-apr2020 --- -# Delivery Optimization for Windows 10 updates - +# Delivery Optimization for Windows client updates **Applies to** - Windows 10 +- Windows 11 > **Looking for Group Policy objects?** See [Delivery Optimization reference](waas-delivery-optimization-reference.md) or the master spreadsheet available at the [Download Center](https://www.microsoft.com/download/details.aspx?id=102158). @@ -29,44 +29,17 @@ Windows updates, upgrades, and applications can contain packages with very large Delivery Optimization is a cloud-managed solution. Access to the Delivery Optimization cloud services is a requirement. This means that in order to use the peer-to-peer functionality of Delivery Optimization, devices must have access to the internet. -For information about setting up Delivery Optimization, including tips for the best settings in different scenarios, see [Set up Delivery Optimization for Windows 10 updates](waas-delivery-optimization-setup.md). For a comprehensive list of all Delivery Optimization settings, see [Delivery Optimization reference](waas-delivery-optimization-reference.md). +For information about setting up Delivery Optimization, including tips for the best settings in different scenarios, see [Set up Delivery Optimization](waas-delivery-optimization-setup.md). For a comprehensive list of all Delivery Optimization settings, see [Delivery Optimization reference](waas-delivery-optimization-reference.md). >[!NOTE] >WSUS can also use [BranchCache](waas-branchcache.md) for content sharing and caching. If Delivery Optimization is enabled on devices that use BranchCache, Delivery Optimization will be used instead. -## New in Windows 10, version 2004 +## New in Windows 10, version 20H2 and Windows 11 -- Enterprise network throttling: new settings have been added in Group Policy and mobile device management (MDM) to control foreground and background throttling as absolute values (Maximum Background Download Bandwidth in (in KB/s)). These settings are also available in the Windows user interface: - - ![absolute bandwidth settings in delivery optimization interface.](images/DO-absolute-bandwidth.png) - -- Activity Monitor now identifies the cache server used for as the source for Microsoft Connected Cache. For more information about using Microsoft Connected Cache with Configuration Manager, see [Microsoft Connected Cache](/mem/configmgr/core/plan-design/hierarchy/microsoft-connected-cache). - -- New options for [`Get-DeliveryOptimizationPerfSnap`](waas-delivery-optimization-setup.md#analyze-usage). - -- New cmdlets: - - `Enable-DeliveryOptimizationVerboseLogs` - - `Disable-DeliveryOptimizationVerboseLogs` - - `Get-DeliveryOptimizationLogAnalysis [ETL Logfile path] [-ListConnections]` - -- New policy settings: - - [DOCacheHost](waas-delivery-optimization-reference.md#cache-server-hostname) - - [DOCacheHostSource](waas-delivery-optimization-reference.md#cache-server-hostname-source) - - [DOMaxForegroundDownloadBandwidth](waas-delivery-optimization-reference.md#maximum-foreground-download-bandwidth-in-kbs); replaces DOPercentageMaxDownloadBandwidth - - [DOMaxBackgroundDownloadBandwidth](waas-delivery-optimization-reference.md#maximum-background-download-bandwidth-in-kbs) - -- Removed policy settings (if you set these policies in Windows 10, 2004, they will have no effect): - - DOMaxDownloadBandwidth; use [DOMaxBackgroundDownloadBandwidth](waas-delivery-optimization-reference.md#maximum-background-download-bandwidth-in-kbs) or [DOMaxForegroundDownloadBandwidth](waas-delivery-optimization-reference.md#maximum-foreground-download-bandwidth-in-kbs) instead. - - DOPercentageMaxDownloadBandwidth; use [DOMaxBackgroundDownloadBandwidth](waas-delivery-optimization-reference.md#maximum-background-download-bandwidth-in-kbs) or [DOMaxForegroundDownloadBandwidth](waas-delivery-optimization-reference.md#maximum-foreground-download-bandwidth-in-kbs) instead. - - DOMaxUploadBandwidth - -- Support for new types of downloads: - - Office installs and updates - - Xbox game pass games - - MSIX apps (HTTP downloads only) - - Microsoft Edge browser installations and updates - - [Dynamic updates](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/the-benefits-of-windows-10-dynamic-update/ba-p/467847) +- New peer selection options: Currently the available options include: 0 = NAT, 1 = Subnet mask, and 2 = Local Peer Discovery. The subnet mask option applies to both Download Modes LAN (1) and Group (2). If Group mode is set, Delivery Optimization will connect to locally discovered peers that are also part of the same Group (have the same Group ID)." +- Local Peer Discovery: a new option for **Restrict Peer Selection By** (in Group Policy) or **DORestrictPeerSelectionBy** (in MDM). This option restricts the discovery of local peers using the DNS-SD protocol. When you set Option 2, Delivery Optimization will restrict peer selection to peers that are locally discovered (using DNS-SD). If you also enabled Group mode, Delivery Optimization will connect to locally discovered peers that are also part of the same group (that is, those which have the same Group ID). +- Starting with Windows 10, version 2006 (and in Windows 11), the Bypass option of [Download Mode](waas-delivery-optimization-reference.md#download-mode) is no longer used. ## Requirements @@ -82,8 +55,8 @@ The following table lists the minimum Windows 10 version that supports Delivery | Download package | Minimum Windows version | |------------------|---------------| -| Windows 10 updates (feature updates and quality updates) | 1511 | -| Windows 10 drivers | 1511 | +| Windows client updates (feature updates and quality updates) | 1511 | +| Windows client drivers | 1511 | | Windows Store files | 1511 | | Windows Store for Business files | 1511 | | Windows Defender definition updates | 1511 | @@ -100,7 +73,7 @@ The following table lists the minimum Windows 10 version that supports Delivery -In Windows 10 Enterprise, Professional, and Education editions, Delivery Optimization is enabled by default for peer-to-peer sharing on the local network (NAT). Specifically, all of the devices must be behind the same NAT, but you can configure it differently in Group Policy and mobile device management (MDM) solutions such as Microsoft Intune. +In Windows client Enterprise, Professional, and Education editions, Delivery Optimization is enabled by default for peer-to-peer sharing on the local network (NAT). Specifically, all of the devices must be behind the same NAT, but you can configure it differently in Group Policy and mobile device management (MDM) solutions such as Microsoft Intune. For more information, see "Download mode" in [Delivery optimization reference](waas-delivery-optimization-reference.md). @@ -242,7 +215,7 @@ Try a Telnet test between two devices on the network to ensure they can connect 2. Run the test. For example, if you are on device with IP 192.168.8.12 and you are trying to test the connection to 192.168.9.17 run `telnet 192.168.9.17 7680` (the syntax is *telnet [destination IP] [port]*. You will either see a connection error or a blinking cursor like this /_. The blinking cursor means success. > [!NOTE] -> You can also use [Test-NetConnection](/powershell/module/nettcpip/test-netconnection?view=windowsserver2019-ps) instead of Telnet to run the test. +> You can also use [Test-NetConnection](/powershell/module/nettcpip/test-netconnection) instead of Telnet to run the test. > **Test-NetConnection -ComputerName 192.168.9.17 -Port 7680** ### None of the computers on the network are getting updates from peers @@ -254,28 +227,3 @@ Check Delivery Optimization settings that could limit participation in peer cach - Enable peer caching while the device connects using VPN. - Allow uploads when the device is on battery while under the set battery level - - - -## Learn more - -[Windows 10, Delivery Optimization, and WSUS](/archive/blogs/mniehaus/windows-10-delivery-optimization-and-wsus-take-2) - - -## Related articles - -- [Update Windows 10 in the enterprise](index.md) -- [Overview of Windows as a service](waas-overview.md) -- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) -- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) -- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) -- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) -- [Configure BranchCache for Windows 10 updates](waas-branchcache.md) -- [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md) -- [Configure Windows Update for Business](waas-configure-wufb.md) -- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) -- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) -- [Walkthrough: use Intune to configure Windows Update for Business](/intune/windows-update-for-business-configure) -- [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md) -- [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) -- [Manage device restarts after updates](waas-restart.md) diff --git a/windows/deployment/update/waas-deployment-rings-windows-10-updates.md b/windows/deployment/update/waas-deployment-rings-windows-10-updates.md deleted file mode 100644 index 4070bb332d..0000000000 --- a/windows/deployment/update/waas-deployment-rings-windows-10-updates.md +++ /dev/null @@ -1,62 +0,0 @@ ---- -title: Build deployment rings for Windows client updates -description: Deployment rings in Windows client are similar to the deployment groups most organizations constructed for previous major revision upgrades. -ms.prod: w10 -ms.mktglfcycl: manage -author: jaimeo -ms.localizationpriority: medium -ms.author: jaimeo -ms.reviewer: -manager: laurawi -ms.collection: M365-modern-desktop -ms.topic: article ---- - -# Build deployment rings for Windows client updates - -**Applies to** - -- Windows 10 -- Windows 11 - - -> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) - -> [!NOTE] -> We're in the process of updating this topic with more definitive guidance. In the meantime, see [this post](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Tactical-considerations-for-creating-Windows-deployment-rings/ba-p/746979) on the Windows 10 IT Pro blog for some great suggestions for a deployment ring structure. - -For Windows as a service, maintenance is ongoing and iterative. Deploying previous versions of Windows required organizations to build sets of users to roll out the changes in phases. Typically, these users ranged (in order) from the most adaptable and least risky to the least adaptable or riskiest. With Windows 10, a similar methodology exists, but construction of the groups is a little different. - -Deployment rings in Windows client are similar to the deployment groups most organizations constructed for previous major revision upgrades. They are simply a method by which to separate machines into a deployment timeline. With Windows client, you construct deployment rings a bit differently in each servicing tool, but the concepts remain the same. Each deployment ring should reduce the risk of issues derived from the deployment of the feature updates by gradually deploying the update to entire departments. As previously mentioned, consider including a portion of each department’s employees in several deployment rings. - -Defining deployment rings is generally a one-time event (or at least infrequent), but IT should revisit these groups to ensure that the sequencing is still correct. Also, there are times in which client computers could move between different deployment rings when necessary. - -Table 1 provides an example of the deployment rings you might use. - -**Table 1** - -| Deployment ring | Servicing channel | Deferral for feature updates | Deferral for quality updates | Example | -| --- | --- | --- | --- | --- | -| Preview | Windows Insider Program | None | None | A few machines to evaluate early builds prior to their arrival to the Semi-Annual channel | -| Broad | Semi-Annual channel | 120 days | 7-14 days | Broadly deployed to most of the organization and monitored for feedback
      Pause updates if there are critical issues | -| Critical | Semi-Annual channel | 180 days | 30 days | Devices that are critical and will only receive updates once they've been vetted for some time by most of the organization | - ->[!NOTE] ->In this example, there are no rings made up of the long-term servicing channel (LTSC). The LTSC does not receive feature updates. - - -As Table 1 shows, each combination of servicing channel and deployment group is tied to a specific deployment ring. As you can see, the associated groups of devices are combined with a servicing channel to specify which deployment ring those devices and their users fall into. The naming convention used to identify the rings is customizable as long as the name clearly identifies the sequence. Deployment rings represent a sequential deployment timeline, regardless of the servicing channel they contain. Deployment rings will likely rarely change for an organization, but they should be periodically assessed to ensure that the deployment cadence still makes sense. - - -## Steps to manage updates for Windows client - -|  |  | -| --- | --- | -| ![done.](images/checklistdone.png) | [Learn about updates and servicing channels](waas-overview.md) | -| ![done.](images/checklistdone.png) | [Prepare servicing strategy for Windows client updates](waas-servicing-strategy-windows-10-updates.md) | -| ![done.](images/checklistdone.png) | Build deployment rings for Windows client updates (this article) | -| ![to do.](images/checklistbox.gif) | [Assign devices to servicing channels for Windows client updates](waas-servicing-channels-windows-10-updates.md) | -| ![to do.](images/checklistbox.gif) | [Optimize update delivery for Windows client updates](waas-optimize-windows-10-updates.md) | -| ![to do.](images/checklistbox.gif) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
      or [Deploy Windows client updates using Windows Server Update Services](waas-manage-updates-wsus.md)
      or [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) | - - diff --git a/windows/deployment/update/waas-integrate-wufb.md b/windows/deployment/update/waas-integrate-wufb.md index 6460401d70..b5d5e02b67 100644 --- a/windows/deployment/update/waas-integrate-wufb.md +++ b/windows/deployment/update/waas-integrate-wufb.md @@ -1,5 +1,5 @@ --- -title: Integrate Windows Update for Business (Windows 10) +title: Integrate Windows Update for Business description: Use Windows Update for Business deployments with management tools such as Windows Server Update Services (WSUS) and Microsoft Endpoint Configuration Manager. ms.prod: w10 ms.mktglfcycl: manage @@ -17,6 +17,7 @@ ms.topic: article **Applies to** - Windows 10 +- Windows 11 > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) @@ -25,7 +26,7 @@ You can integrate Windows Update for Business deployments with existing manageme ## Integrate Windows Update for Business with Windows Server Update Services -For Windows 10, version 1607, devices can now be configured to receive updates from both Windows Update (or Microsoft Update) and Windows Server Update Services (WSUS). In a joint WSUS and Windows Update for Business setup: +For Windows 10, version 1607 and later, devices can be configured to receive updates from both Windows Update (or Microsoft Update) and Windows Server Update Services (WSUS). In a joint WSUS and Windows Update for Business setup: - Devices will receive their Windows content from Microsoft and defer these updates according to Windows Update for Business policy - All other content synced from WSUS will be directly applied to the device; that is, updates to products other than Windows will not follow your Windows Update for Business deferral policies @@ -34,7 +35,7 @@ For Windows 10, version 1607, devices can now be configured to receive updates f **Configuration:** -- Device is configured to defer Windows Quality Updates using Windows Update for Business +- Device is configured to defer Windows quality updates using Windows Update for Business - Device is also configured to be managed by WSUS - Device is not configured to enable Microsoft Update (**Update/AllowMUUpdateService** = not enabled) - Admin has opted to put updates to Office and other products on WSUS @@ -46,11 +47,11 @@ For Windows 10, version 1607, devices can now be configured to receive updates f Third-party driversWSUSWSUSNo -### Configuration example \#2: Excluding drivers from Windows Quality Updates using Windows Update for Business +### Configuration example \#2: Excluding drivers from Windows quality updates using Windows Update for Business **Configuration:** -- Device is configured to defer Windows Quality Updates and to exclude drivers from Windows Update Quality Updates (**ExcludeWUDriversInQualityUpdate** = enabled) +- Device is configured to defer Windows quality updates and to exclude drivers from Windows Update quality updates (**ExcludeWUDriversInQualityUpdate** = enabled) - Device is also configured to be managed by WSUS - Admin has opted to put Windows Update drivers on WSUS @@ -66,7 +67,7 @@ For Windows 10, version 1607, devices can now be configured to receive updates f **Configuration:** -- Device is configured to defer Quality Updates using Windows Update for Business and to be managed by WSUS +- Device is configured to defer quality updates using Windows Update for Business and to be managed by WSUS - Device is configured to “receive updates for other Microsoft products” along with updates to Windows (**Update/AllowMUUpdateService** = enabled) - Admin has also placed Microsoft Update, non-Microsoft, and locally published update content on the WSUS server @@ -86,26 +87,9 @@ In this example, the deferral behavior for updates to Office and other non-Windo ## Integrate Windows Update for Business with Microsoft Endpoint Configuration Manager -For Windows 10, version 1607, organizations already managing their systems with a Configuration Manager solution can also have their devices configured for Windows Update for Business (i.e. setting deferral policies on those devices). Such devices will be visible in the Configuration Manager console, however they will appear with a detection state of **Unknown**. +For Windows 10, version 1607, organizations already managing their systems with a Configuration Manager solution can also have their devices configured for Windows Update for Business (that is, setting deferral policies on those devices). Such devices will be visible in the Configuration Manager console, however they will appear with a detection state of **Unknown**. ![Example of unknown devices.](images/wufb-sccm.png) For more information, see [Integration with Windows Update for Business in Windows 10](/sccm/sum/deploy-use/integrate-windows-update-for-business-windows-10). -## Related topics - -- [Update Windows 10 in the enterprise](index.md) -- [Overview of Windows as a service](waas-overview.md) -- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) -- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) -- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) -- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) -- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) -- [Configure BranchCache for Windows 10 updates](waas-branchcache.md) -- [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md) -- [Configure Windows Update for Business](waas-configure-wufb.md) -- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) -- [Walkthrough: use Intune to configure Windows Update for Business](/intune/windows-update-for-business-configure) -- [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md) -- [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) -- [Manage device restarts after updates](waas-restart.md) \ No newline at end of file diff --git a/windows/deployment/update/waas-manage-updates-wsus.md b/windows/deployment/update/waas-manage-updates-wsus.md index 3556cec273..8bfab4700e 100644 --- a/windows/deployment/update/waas-manage-updates-wsus.md +++ b/windows/deployment/update/waas-manage-updates-wsus.md @@ -16,14 +16,11 @@ ms.topic: article **Applies to** -- Windows 10 -- Windows 11 +- Windows 10 +- Windows 11 > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) ->[!IMPORTANT] ->Due to [naming changes](waas-overview.md#naming-changes), older terms like CB and CBB might still be displayed in some of our products, such as in Group Policy or the registry. If you encounter these terms, "CB" refers to the Semi-Annual Channel (Targeted)--which is no longer used--while "CBB" refers to the Semi-Annual Channel. - WSUS is a Windows Server role available in the Windows Server operating systems. It provides a single hub for Windows updates within an organization. WSUS allows companies not only to defer updates but also to selectively approve them, choose when they’re delivered, and determine which individual devices or groups of devices receive them. WSUS provides additional control over Windows Update for Business but does not provide all the scheduling options and deployment flexibility that Microsoft Endpoint Manager provides. diff --git a/windows/deployment/update/waas-manage-updates-wufb.md b/windows/deployment/update/waas-manage-updates-wufb.md index 850d6cec44..dea3bbba22 100644 --- a/windows/deployment/update/waas-manage-updates-wufb.md +++ b/windows/deployment/update/waas-manage-updates-wufb.md @@ -1,5 +1,5 @@ --- -title: Windows Update for Business (Windows 10) +title: Windows Update for Business ms.reviewer: manager: laurawi description: Learn how Windows Update for Business lets you manage when devices receive updates from Windows Update. @@ -18,14 +18,15 @@ ms.custom: seo-marvel-apr2020 **Applies to** - Windows 10 +- Windows 11 -Windows Update for Business is a free service that is available for all premium editions including Windows 10 Pro, Enterprise, Pro for Workstation, and Education editions. +Windows Update for Business is a free service that is available for all premium editions including Windows 10 and Windows 11 Pro, Enterprise, Pro for Workstation, and Education editions. > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) -Windows Update for Business enables IT administrators to keep the Windows 10 devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Windows Update service. You can use Group Policy or Mobile Device Management (MDM) solutions such as Microsoft Intune to configure the Windows Update for Business settings that control how and when Windows 10 devices are updated. +Windows Update for Business enables IT administrators to keep the Windows client devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Windows Update service. You can use Group Policy or Mobile Device Management (MDM) solutions such as Microsoft Intune to configure the Windows Update for Business settings that control how and when devices are updated. Specifically, Windows Update for Business lets you control update offerings and experiences to allow for reliability and performance testing on a subset of devices before deploying updates across the organization. It also provides a positive update experience for people in your organization. @@ -46,7 +47,7 @@ Windows Update for Business enables an IT administrator to receive and manage a Windows Update for Business provides management policies for several types of updates to Windows 10 devices: -- **Feature updates:** Previously referred to as "upgrades," feature updates contain not only security and quality revisions, but also significant feature additions and changes. Feature updates are released semi-annually in the fall and in the spring. +- **Feature updates:** Previously referred to as "upgrades," feature updates contain not only security and quality revisions, but also significant feature additions and changes. Feature updates are released as soon as they become available. - **Quality updates:** Quality updates are traditional operating system updates, typically released on the second Tuesday of each month (though they can be released at any time). These include security, critical, and driver updates. Windows Update for Business also treats non-Windows updates (such as updates for Microsoft Office or Visual Studio) as quality updates. These non-Windows Updates are known as "Microsoft updates" and you can set devices to receive such updates (or not) along with their Windows updates. - **Driver updates:** Updates for non-Microsoft drivers that are relevant to your devices. Driver updates are on by default, but you can use Windows Update for Business policies to turn them off if you prefer. - **Microsoft product updates**: Updates for other Microsoft products, such as versions of Office that are installed by using Windows Installer (MSI). Versions of Office that are installed by using Click-to-Run can't be updated by using Windows Update for Business. Product updates are off by default. You can turn them on by using Windows Update for Business policies. @@ -62,16 +63,15 @@ You can defer or pause the installation of updates for a set period of time. The branch readiness level enables administrators to specify which channel of feature updates they want to receive. Today there are branch readiness level options for both pre-release and released updates: -- Windows Insider Fast -- Windows Insider Slow -- Windows Insider Release Preview -- Semi-Annual Channel +- Windows Insider Dev +- Windows Insider Beta +- Windows Insider Preview +- General Availability Channel -Prior to Windows 10, version 1903, there are two channels for released updates: Semi-Annual Channel and Semi-Annual Channel (Targeted). Deferral days are calculated against the release date of the chosen channel. Starting with Windows 10, version 1903 there is only the one release channel: Semi-Annual Channel. All deferral days are calculated against a release’s Semi-Annual Channel release date. For exact release dates, see [Windows Release Information](/windows/release-health/release-information). You can set the branch readiness level by using the **Select when Preview Builds and Feature Updates are Received** policy. To use this policy to manage pre-release builds, first enable preview builds by using the **Manage preview Builds** policy. #### Defer an update -A Windows Update for Business administrator can defer the installation of both feature and quality updates from deploying to devices within a bounded range of time from when those updates are first made available on the Windows Update service. You can use this deferral to allow time to validate deployments as they are pushed to devices. Deferrals work by allowing you to specify the number of days after an update is released before it is offered to a device. That is, if you set a feature update deferral period of 365 days, the device will not install a feature update that has been released for less than 365 days. To defer feature updates, use the **Select when Preview Builds and Feature Updates are Received** policy. +A Windows Update for Business administrator can defer the installation of both feature and quality updates from deploying to devices within a bounded range of time from when those updates are first made available on the Windows Update service. You can use this deferral to allow time to validate deployments as they are pushed to devices. Deferrals work by allowing you to specify the number of days after an update is released before it is offered to a device. That is, if you set a feature update deferral period of 365 days, the device will not install a feature update that has been released for less than 365 days. To defer feature updates, use the **Select when Preview Builds and feature updates are Received** policy. |Category |Maximum deferral period | @@ -88,7 +88,7 @@ A Windows Update for Business administrator can defer the installation of both f If you discover a problem while deploying a feature or quality update, the IT administrator can pause the update for 35 days from a specified start date to prevent other devices from installing it until the issue is mitigated. If you pause a feature update, quality updates are still offered to devices to ensure they stay secure. The pause period for both feature and quality updates is calculated from a start date that you set. -To pause feature updates, use the **Select when Preview Builds and Feature Updates are Received** policy and to pause quality updates use the **Select when Quality Updates are Received** policy. For more information, see [Pause feature updates](waas-configure-wufb.md#pause-feature-updates) and [Pause quality updates](waas-configure-wufb.md#pause-quality-updates). +To pause feature updates, use the **Select when Preview Builds and feature updates are Received** policy and to pause quality updates use the **Select when Quality Updates are Received** policy. For more information, see [Pause feature updates](waas-configure-wufb.md#pause-feature-updates) and [Pause quality updates](waas-configure-wufb.md#pause-quality-updates). Built-in benefits: When updating from Windows Update, you get the added benefits of built-in compatibility checks to prevent against a poor update experience for your device as well as a check to prevent repeated rollbacks. @@ -97,10 +97,10 @@ When updating from Windows Update, you get the added benefits of built-in compat For the best experience with Windows Update, follow these guidelines: -- Use devices for at least 6 hours per month, including at least 2 hours of continuous use. -- Keep devices regularly charged. Plugging in devices overnight enables them to automatically update outside of active hours. -- Make sure that devices have at least 10 GB of free space. -- Give devices unobstructed access to the Windows Update service. +- Use devices for at least 6 hours per month, including at least 2 hours of continuous use. +- Keep devices regularly charged. Plugging in devices overnight enables them to automatically update outside of active hours. +- Make sure that devices have at least 10 GB of free space. +- Give devices unobstructed access to the Windows Update service. ### Manage the end-user experience when receiving Windows Updates @@ -110,9 +110,9 @@ Windows Update for Business provides controls to help meet your organization’s Features like the smart busy check (which ensure updates don't happen when a user is signed in) and active hours help provide the best experience for end users while keeping devices more secure and up to date. Follow these steps to take advantage of these features: -1. Automatically download, install, and restart (default if no restart policies are set up or enabled) -2. Use the default notifications -3. Set update deadlines +1. Automatically download, install, and restart (default if no restart policies are set up or enabled). +2. Use the default notifications. +3. Set update deadlines. ##### Setting deadlines @@ -121,101 +121,11 @@ A compliance deadline policy (released in June 2019) enables you to set separate This policy enables you to specify the number of days from an update's publication date that it must be installed on the device. The policy also includes a configurable grace period that specifies the number of days from when the update is installed on the device until the device is forced to restart. This approach is useful in a vacation scenario as it allows, for example, users who have been away to have a bit of time before being forced to restart their devices when they return from vacation. #### Update Baseline -The large number of different policies offered for Windows 10 can be overwhelming. Update Baseline provides a clear list of recommended Windows update policy settings for IT administrators who want the best user experience while also meeting their update compliance goals. The Update Baseline for Windows 10 includes policy settings recommendations covering deadline configuration, restart behavior, power policies, and more. + +The large number of different policies offered can be overwhelming. Update Baseline provides a clear list of recommended Windows update policy settings for IT administrators who want the best user experience while also meeting their update compliance goals. The Update Baseline for Windows 10 includes policy settings recommendations covering deadline configuration, restart behavior, power policies, and more. The Update Baseline toolkit makes it easy by providing a single command for IT Admins to apply the Update Baseline to devices. You can get the Update Baseline toolkit from the [Download Center](https://www.microsoft.com/download/details.aspx?id=101056). >[!NOTE] ->The Update Baseline toolkit is available only for Group Policy. Update Baseline does not affect your offering policies, whether you’re using deferrals or target version to manage which updates are offered to your devices when. +>The Update Baseline toolkit is available only for Group Policy. Update Baseline does not affect your offering policies, whether you’re using deferrals or target version to manage which updates are offered to your devices when. Update Baseline is not currently supported for Windows 11. - + + + + + + + Page-1 + + + Sheet.1 + + + + + + diff --git a/windows/hub/index.yml b/windows/hub/index.yml index e3a2448009..9c115c5b15 100644 --- a/windows/hub/index.yml +++ b/windows/hub/index.yml @@ -1,121 +1,262 @@ -### YamlMime:Landing +### YamlMime:Hub -title: Windows client resources and documentation for IT Pros # < 60 chars -summary: Plan, deploy, secure, and manage devices running Windows 10 and Windows 11. # < 160 chars +title: Windows client documentation for IT Pros # < 60 chars +summary: Evaluate, plan, deploy, secure, and manage devices running Windows 10 and Windows 11. # < 160 chars +# brand: aspnet | azure | dotnet | dynamics | m365 | ms-graph | office | power-apps | power-automate | power-bi | power-platform | power-virtual-agents | sql | sql-server | vs | visual-studio | windows | xamarin +brand: windows metadata: title: Windows client documentation for IT Pros # Required; page title displayed in search results. Include the brand. < 60 chars. description: Evaluate, plan, deploy, secure, and manage devices running Windows 10 and Windows 11. # Required; article description that is displayed in search results. < 160 chars. services: windows-10 - ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM. - ms.subservice: subservice - ms.topic: landing-page # Required - ms.collection: windows-10 - author: greg-lindsay #Required; your GitHub user alias, with correct capitalization. - ms.author: greglin #Required; microsoft alias of author; optional team alias. - ms.date: 06/01/2020 #Required; mm/dd/yyyy format. + ms.service: subservice #Required; service per approved list. service slug assigned to your service by ACOM. + ms.subservice: subservice # Optional; Remove if no subservice is used. + ms.topic: hub-page # Required + ms.collection: windows-10 # Optional; Remove if no collection is used. + author: dougeby #Required; your GitHub user alias, with correct capitalization. + ms.author: dougeby #Required; microsoft alias of author; optional team alias. + ms.date: 10/01/2021 #Required; mm/dd/yyyy format. localization_priority: medium - -# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new -landingContent: -# Cards and links should be based on top customer tasks or top subjects -# Start card title with a verb - # Card (optional) - - title: What's new - linkLists: - - linkListType: overview - links: - - text: Windows 11 overview - url: /windows/whats-new/windows-11 - - text: Windows 11 requirements - url: /windows/whats-new/windows-11-requirements - - text: Plan for Windows 11 - url: /windows/whats-new/windows-11-plan - - text: Prepare for Windows 11 - url: /windows/whats-new/windows-11-prepare - - text: What's new in Windows 10, version 21H1 - url: /windows/whats-new/whats-new-windows-10-version-21H1 - - text: Windows release information - url: /windows/release-health/release-information +# highlightedContent section (optional) +# Maximum of 8 items +highlightedContent: +# itemType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | sample | tutorial | video | whats-new + items: + # Card + - title: Become a Windows Insider + itemType: overview + url: https://insider.windows.com + # Card + - title: See what's new in Windows release health + itemType: overview + url: /windows/release-health/ + # Card + - title: Empower your hybrid workforce + itemType: overview + url: https://www.microsoft.com/microsoft-365/blog/2021/10/04/empower-your-hybrid-workforce-today-with-windows-11/ + +# productDirectory section (optional) +productDirectory: + title: Get to know Windows 11 # < 60 chars (optional) + summary: Learn more about what's new, what's updated, and what you get in Windows 11 # < 160 chars (optional) + items: + # Card + - title: What's new in Windows 11 + imageSrc: /windows/resources/images/winlogo.svg + summary: Get more information about features and improvements that are important to admins + url: /windows/whats-new/windows-11-whats-new + - title: Windows 11 requirements + imageSrc: /windows/resources/images/winlogo.svg + summary: See the system requirements for Windows 11, including running Windows 11 on a virtual machine + url: /windows/whats-new/windows-11-requirements + - title: Learn more about Windows 11 Enterprise + imageSrc: /windows/resources/images/winlogo.svg + summary: Get more information on the features, security, and licensing plans designed for organizations + url: https://www.microsoft.com/microsoft-365/windows/windows-11-enterprise + - title: FAQ - Upgrade to Windows 11 + imageSrc: /windows/resources/images/winlogo.svg + summary: See some common questions and answers when upgrading to Windows 11 + url: https://support.microsoft.com/windows/upgrade-to-windows-11-faq-fb6206a2-1a0f-448a-80f1-8668ee5b2bf9 + - title: Windows 11 chip to cloud protection - Security challenges of hybrid work + imageSrc: /windows/resources/images/winlogo.svg + summary: Blog from the Microsoft Windows Security Team + url: https://www.microsoft.com/security/blog/2021/10/04/windows-11-offers-chip-to-cloud-protection-to-meet-the-new-security-challenges-of-hybrid-work + - title: Trusted Platform Module (TPM) + imageSrc: /windows/resources/images/winlogo.svg + summary: Learn more about TPM, and why it's a good thing + url: /windows/security/information-protection/tpm/trusted-platform-module-overview + +# conceptualContent section (optional) +conceptualContent: +# Supports up to 3 sections +# itemType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | sample | tutorial | video | whats-new + + title: Windows client resources and documentation for IT Pros + summary: Plan, deploy, secure, and manage devices running Windows 10 and Windows 11. + items: + # card + - title: Overview + links: + - url: /windows/whats-new/windows-11-whats-new + itemType: overview + text: What's new in Windows 11 + - url: /windows/whats-new/windows-11-plan + itemType: overview + text: Plan for Windows 11 + - url: /windows/whats-new/windows-11-prepare + itemType: overview + text: Prepare for Windows 11 + - url: /windows/whats-new/whats-new-windows-10-version-21H1 + itemType: overview + text: What's new in Windows 10, version 21H1 + - url: /windows/release-health/release-information + itemType: overview + text: Windows release information # Card (optional) - - title: Configuration - linkLists: - - linkListType: how-to-guide - links: - - text: Configure Windows - url: /windows/configuration/index - - text: Accessibility information for IT Pros - url: /windows/configuration/windows-10-accessibility-for-itpros - - text: Configure access to Microsoft Store - url: /windows/configuration/stop-employees-from-using-microsoft-store - - text: Set up a shared or guest PC - url: /windows/configuration/set-up-shared-or-guest-pc + - title: Configuration + links: + - url: /windows/configuration/index + itemType: overview + text: Configure Windows + - url: /windows/configuration/provisioning-packages/provisioning-packages + itemType: how-to-guide + text: Use Provisioning packages to configure new devices + - url: /windows/configuration/windows-10-accessibility-for-itpros + itemType: overview + text: Accessibility information for IT Pros + - url: /windows/configuration/customize-start-menu-layout-windows-11 + itemType: how-to-guide + text: Customize the Start menu layout + - url: /windows/configuration/stop-employees-from-using-microsoft-store + itemType: how-to-guide + text: Control access to Microsoft Store + - url: /windows/configuration/set-up-shared-or-guest-pc + itemType: how-to-guide + text: Set up a shared or guest PC # Card (optional) - - title: Deployment - linkLists: - - linkListType: deploy - links: - - text: Deploy and update Windows - url: /windows/deployment/index - - text: Windows deployment scenarios - url: /windows/deployment/windows-10-deployment-scenarios - - text: Create a deployment plan - url: /windows/deployment/update/create-deployment-plan - - text: Prepare to deploy Windows client - url: /windows/deployment/update/prepare-deploy-windows - + - title: Deployment + links: + - url: /windows/deployment/index + itemType: deploy + text: Deploy and update Windows + - url: /windows/deployment/windows-10-deployment-scenarios + itemType: deploy + text: Windows deployment scenarios + - url: /windows/deployment/update/create-deployment-plan + itemType: deploy + text: Create a deployment plan + - url: /windows/deployment/update/prepare-deploy-windows + itemType: deploy + text: Prepare to deploy Windows client # Card - - title: App management - linkLists: - - linkListType: how-to-guide - links: - - text: Windows application management - url: /windows/application-management/index - - text: Understand the different apps included in Windows 10 - url: /windows/application-management/apps-in-windows-10 - - text: Get started with App-V for Windows 10 - url: /windows/application-management/app-v/appv-getting-started - - text: Keep removed apps from returning during an update - url: /windows/application-management/remove-provisioned-apps-during-update + - title: App management + links: + - url: /windows/application-management/index + itemType: overview + text: Windows application management + - url: /windows/application-management/apps-in-windows-10 + itemType: overview + text: Learn more about the different apps types for Windows + - url: /windows/application-management/private-app-repository-mdm-company-portal-windows-11 + itemType: how-to-guide + text: Use the private app repo on Windows 11 + - url: /windows/application-management/remove-provisioned-apps-during-update + itemType: how-to-guide + text: Keep removed apps from returning during an update + - url: https://blogs.windows.com/windowsdeveloper/2021/10/04/developing-for-windows-11/ + itemType: overview + text: Blog - Develop apps for Windows 11 # Card - - title: Client management - linkLists: - - linkListType: how-to-guide - links: - - text: Windows client management - url: /windows/client-management/index - - text: Administrative tools - url: /windows/client-management/administrative-tools-in-windows-10 - - text: Create mandatory user profiles - url: /windows/client-management/mandatory-user-profile - - text: New policies for Windows 10 - url: /windows/client-management/new-policies-for-windows-10 - - text: Configuration service provider reference - url: /windows/client-management/mdm/configuration-service-provider-reference + - title: Client management + links: + + - url: /windows/client-management/index + itemType: overview + text: Windows client management + - url: /windows/client-management/administrative-tools-in-windows-10 + itemType: overview + text: Administrative tools + - url: /windows/client-management/mandatory-user-profile + itemType: how-to-guide + text: Create mandatory user profiles + - url: /windows/client-management/new-policies-for-windows-10 + itemType: overview + text: New policies for Windows 10 + - url: /windows/client-management/mdm/configuration-service-provider-reference + itemType: reference + text: Configuration service provider reference # Card (optional) - - title: Security and Privacy - linkLists: - - linkListType: how-to-guide - links: - - text: Windows Enterprise Security - url: /windows/security/index - - text: Windows Privacy - url: /windows/privacy/index - - text: Identity and access management - url: /windows/security/identity-protection/index - - text: Threat protection - url: /windows/security/threat-protection/index - - text: Information protection - url: /windows/security/information-protection/index - - text: Required diagnostic data - url: /windows/privacy/required-windows-diagnostic-data-events-and-fields-2004 - - text: Optional diagnostic data - url: /windows/privacy/windows-diagnostic-data - - text: Changes to Windows diagnostic data collection - url: /windows/privacy/changes-to-windows-diagnostic-data-collection \ No newline at end of file + - title: Security and Privacy + links: + - url: /windows/security/index + itemType: overview + text: Windows Enterprise Security + - url: /windows/privacy/index + itemType: overview + text: Windows Privacy + - url: /windows/security/hardware + itemType: overview + text: Hardware security + - url: /windows/security/operating-system + itemType: overview + text: Operating system security + - url: /windows/security/apps + itemType: overview + text: Application security + - url: /windows/security/identity + itemType: overview + text: User and identity security + - url: /windows/security/cloud + itemType: overview + text: Cloud services + +# additionalContent section (optional) +# Card with summary style +additionalContent: + # Supports up to 4 subsections + sections: + - title: More Windows resources # < 60 chars (optional) + items: + # Card + - title: Windows product site + summary: Find out how Windows enables your business to do more + url: https://www.microsoft.com/microsoft-365/windows + - title: "Windows 11: A new era for the PC begins today" + summary: Blog article that describes how Windows 11 empowers you to produce and inspires you to create + url: https://blogs.windows.com/windowsexperience/2021/10/04/windows-11-a-new-era-for-the-pc-begins-today/ + - title: Windows IT Pro blogs + summary: The latest Windows blog articles for the IT Pro + url: https://techcommunity.microsoft.com/t5/windows-it-pro-blog/bg-p/Windows10Blog + - title: Windows blogs + summary: Keep up with the latest news about Windows + url: https://blogs.windows.com/ + - title: Participate in the Tech Community + summary: Learn how to be part of the Windows Tech Community + url: https://techcommunity.microsoft.com/t5/windows/ct-p/Windows10 + - title: Ask the community + summary: Get help, and help others + url: https://answers.microsoft.com/windows/forum + + - title: Other resources + items: + - title: Microsoft Endpoint Manager + links: + - text: Microsoft Endpoint Manager documentation + url: /mem + - text: Overview of Microsoft Endpoint Manager + url: /mem/endpoint-manager-overview + - text: Getting started with Microsoft Endpoint Manager + url: /mem/endpoint-manager-getting-started + - text: Microsoft Endpoint Manager simplifies upgrades to Windows 11 + url: https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/endpoint-manager-simplifies-upgrades-to-windows-11/ba-p/2771886 + - text: Understanding readiness for Windows 11 with Microsoft Endpoint Manager + url: https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/understanding-readiness-for-windows-11-with-microsoft-endpoint/ba-p/2770866 + - text: Microsoft Endpoint Manager blog + url: https://aka.ms/memblog + - title: Windows 365 + links: + - text: Windows 365 documentation + url: /windows-365 + - text: What is Windows 365 + url: /windows-365/overview + - text: Windows 365 Enterprise now supports Windows 11 + url: https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-365-enterprise-now-supports-windows-11/ba-p/2810334 + - text: Windows 365 blog + url: https://www.microsoft.com/microsoft-365/blog/ + + - title: Windows Server + links: + - text: Windows Server documentation + url: /windows-server + - text: What's new in Windows Server 2022? + url: /windows-server/get-started/whats-new-in-windows-server-2022 + - text: Get started with Windows Server + url: /windows-server/get-started/get-started-with-windows-server + - text: Windows Server blog + url: https://cloudblogs.microsoft.com/windowsserver/ diff --git a/windows/privacy/Microsoft-DiagnosticDataViewer.md b/windows/privacy/Microsoft-DiagnosticDataViewer.md index 5852e85928..32ba2bc16a 100644 --- a/windows/privacy/Microsoft-DiagnosticDataViewer.md +++ b/windows/privacy/Microsoft-DiagnosticDataViewer.md @@ -21,7 +21,8 @@ ms.reviewer: **Applies to** -- Windows 10, version 1803 and newer +- Windows 11 +- Windows 10, version 1803 and later - Windows Server, version 1803 - Windows Server 2019 diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md index 2abc6b7ebe..16e94c4bd9 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 04/28/2021 +ms.date: 09/08/2021 ms.reviewer: --- @@ -33,7 +33,8 @@ Use this article to learn about diagnostic events, grouped by event area, and th You can learn more about Windows functional and diagnostic data through these articles: -- [Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 basic diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) +- [Required Windows 11 diagnostic events and fields](required-windows-11-diagnostic-events-and-fields.md) +- [Windows 10, version 20H2 and Windows 10, version 2004 basic diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) - [Windows 10, version 1903 and Windows 10, version 1909 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md) - [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md) - [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md) @@ -2692,7 +2693,7 @@ The following fields are available: - **Slot** Slot to which the DRAM is plugged into the motherboard. - **Speed** The configured memory slot speed in MHz. - **Type** Reports DDR as an enumeration value as per the DMTF SMBIOS standard version 3.3.0, section 7.18.2. -- **TypeDetails** Reports Non-volatile as a bit flag enumeration per the DMTF SMBIOS standard version 3.3.0, section 7.18.3. +- **TypeDetails** Reports Non-volatile as a bit flag enumeration as per the DMTF SMBIOS standard version 3.3.0, section 7.18.3. ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousMemorySlotArrayInfoStartSync @@ -6247,6 +6248,21 @@ The following fields are available: - **ResultId** The final result of the interaction campaign. +### Microsoft.Windows.WindowsUpdate.RUXIM.ICSEvaluateInteractionCampaign + +This event is generated when the RUXIM Interaction Campaign Scheduler (RUXIMICS.EXE) finishes processing an interaction campaign. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **ControlId** String identifying the control (if any) that was selected by the user during presentation. +- **hrInteractionHandler** The error (if any) reported by the RUXIM Interaction Handler while processing the interaction campaign. +- **hrScheduler** The error (if any) encountered by RUXIM Interaction Campaign Scheduler itself while processing the interaction campaign. +- **InteractionCampaignID** The ID of the interaction campaign that was processed. +- **ResultId** The result of the evaluation/presentation. +- **WasCompleted** True if the interaction campaign is complete. +- **WasPresented** True if the Interaction Handler displayed the interaction campaign to the user. + + ### Microsoft.Windows.WindowsUpdate.RUXIM.ICSExit This event is generated when the RUXIM Interaction Campaign Scheduler (RUXIMICS) exits. The data collected with this event is used to help keep Windows up to date and performing properly. @@ -6278,6 +6294,20 @@ This event is sent when RUXIM begins checking with OneSettings to retrieve any U +### Microsoft.Windows.WindowsUpdate.RUXIM.IHEvaluateAndPresent + +This event is generated when the RUXIM Interaction Handler finishes evaluating, and possibly presenting an interaction campaign. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **hrLocal** The error (if any) encountered by RUXIM Interaction Handler during evaluation and presentation. +- **hrPresentation** The error (if any) reported by RUXIM Presentation Handler during presentation. +- **InteractionCampaignID** GUID; the user interaction campaign processed by RUXIM Interaction Handler. +- **ResultId** The result generated by the evaluation and presentation. +- **WasCompleted** True if the user interaction campaign is complete. +- **WasPresented** True if the user interaction campaign is displayed to the user. + + ### Microsoft.Windows.WindowsUpdate.RUXIM.IHExit This event is generated when the RUXIM Interaction Handler (RUXIMIH.EXE) exits. The data collected with this event is used to help keep Windows up to date and performing properly. diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md index 6dc4ef0157..fe2e57d529 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 04/28/2021 +ms.date: 09/08/2021 ms.reviewer: --- @@ -33,7 +33,8 @@ Use this article to learn about diagnostic events, grouped by event area, and th You can learn more about Windows functional and diagnostic data through these articles: -- [Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 basic diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) +- [Required Windows 11 diagnostic events and fields](required-windows-11-diagnostic-events-and-fields.md) +- [Windows 10, version 20H2 and Windows 10, version 2004 basic diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) - [Windows 10, version 1903 and Windows 10, version 1909 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md) - [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md) - [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md) @@ -2734,8 +2735,8 @@ The following fields are available: - **Model** Model and sub-model of the memory - **Slot** Slot to which the DRAM is plugged into the motherboard. - **Speed** The configured memory slot speed in MHz. -- **Type** Reports DDR as an enumeration value as per the DMTF SMBIOS standard version 3.3.0, section 7.18.2. -- **TypeDetails** Reports Non-volatile as a bit flag enumeration per the DMTF SMBIOS standard version 3.3.0, section 7.18.3. +- **Type** Reports DDR as an enumeration value per DMTF SMBIOS standard version 3.3.0, section 7.18.2. +- **TypeDetails** Reports Non-volatile as a bit flag enumeration per DMTF SMBIOS standard version 3.3.0, section 7.18.3. ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousMemorySlotArrayInfoStartSync @@ -3028,6 +3029,22 @@ The following fields are available: - **winInetError** The HResult of the operation. + +## Other events + +### Microsoft.ServerManagementExperience.Gateway.Service.ManagedNodeProperties + +This is a periodic rundown event that contains more detailed information about the nodes added to this Windows Admin Center gateway for management. + +The following fields are available: + +- **nodeId** The nodeTypeId concatenated with the hostname or IP address that gateway uses to connect to this node. +- **nodeOperatingSystem** A user friendly description of the node's OS version. +- **nodeOSVersion** A major or minor build version string for the node's OS. +- **nodeTypeId** A string that distinguishes between a connection target, whether it is a client, server, cluster or a hyper-converged cluster. +- **otherProperties** Contains a JSON object with variable content and may contain: "nodes": a list of host names or IP addresses of the servers belonging to a cluster, "aliases": the alias if it is set for this connection, "lastUpdatedTime": the number of milliseconds since Unix epoch when this connection was last updated, "ncUri", "caption", "version", "productType", "networkName", "operatingSystem", "computerManufacturer", "computerModel", "isS2dEnabled". This JSON object is formatted as an quotes-escaped string. + + ## Privacy logging notification events ### Microsoft.Windows.Shell.PrivacyNotifierLogging.PrivacyNotifierCompleted @@ -6409,6 +6426,21 @@ The following fields are available: - **ResultId** The final result of the interaction campaign. +### Microsoft.Windows.WindowsUpdate.RUXIM.ICSEvaluateInteractionCampaign + +This event is generated when the RUXIM Interaction Campaign Scheduler (RUXIMICS.EXE) finishes processing an interaction campaign. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **ControlId** String identifying the control (if any) that was selected by the user during presentation. +- **hrInteractionHandler** The error (if any) reported by the RUXIM Interaction Handler while processing the interaction campaign. +- **hrScheduler** The error (if any) encountered by RUXIM Interaction Campaign Scheduler itself while processing the interaction campaign. +- **InteractionCampaignID** The ID of the interaction campaign that was processed. +- **ResultId** The result of the evaluation/presentation. +- **WasCompleted** True if the interaction campaign is complete. +- **WasPresented** True if the Interaction Handler displayed the interaction campaign to the user. + + ### Microsoft.Windows.WindowsUpdate.RUXIM.ICSExit This event is generated when the RUXIM Interaction Campaign Scheduler (RUXIMICS) exits. The data collected with this event is used to help keep Windows up to date and performing properly. @@ -6440,6 +6472,20 @@ This event is sent when RUXIM begins checking with OneSettings to retrieve any U +### Microsoft.Windows.WindowsUpdate.RUXIM.IHEvaluateAndPresent + +This event is generated when the RUXIM Interaction Handler finishes evaluating, and possibly presenting an interaction campaign. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **hrLocal** The error (if any) encountered by RUXIM Interaction Handler during evaluation and presentation. +- **hrPresentation** The error (if any) reported by RUXIM Presentation Handler during presentation. +- **InteractionCampaignID** GUID; the user interaction campaign processed by RUXIM Interaction Handler. +- **ResultId** The result generated by the evaluation and presentation. +- **WasCompleted** True if the user interaction campaign is complete. +- **WasPresented** True if the user interaction campaign is displayed to the user. + + ### Microsoft.Windows.WindowsUpdate.RUXIM.IHExit This event is generated when the RUXIM Interaction Handler (RUXIMIH.EXE) exits. The data collected with this event is used to help keep Windows up to date and performing properly. diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md index 8a5eb64108..27ad38b904 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 04/28/2021 +ms.date: 09/08/2021 ms.reviewer: --- @@ -33,7 +33,8 @@ Use this article to learn about diagnostic events, grouped by event area, and th You can learn more about Windows functional and diagnostic data through these articles: -- [Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 basic diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) +- [Required Windows 11 diagnostic events and fields](required-windows-11-diagnostic-events-and-fields.md) +- [Windows 10, version 20H2 and Windows 10, version 2004 basic diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) - [Windows 10, version 1903 and Windows 10, version 1909 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md) - [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md) - [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md) @@ -3007,6 +3008,32 @@ The following fields are available: - **WDDMVersion** The Windows Display Driver Model version. +### DxgKrnlTelemetry.GPUAdapterStop + +This event collects information about an adapter when it stops. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **AdapterLuid** Local Identifier for the adapter. +- **AdapterTypeValue** Numeric value indicating the type of the adapter. +- **DriverDate** Date of the driver. +- **DriverVersion** Version of the driver. +- **GPUDeviceID** Device identifier for the adapter. +- **GPUVendorID** Vendor identifier for the adapter. +- **InterfaceId** Identifier for the adapter. +- **IsDetachable** Boolean value indicating whether the adapter is removable or detachable. +- **IsDisplayDevice** Boolean value indicating whether the adapter has display capabilities. +- **IsHybridDiscrete** Boolean value indicating whether the adapter is a discrete adapter in a hybrid configuration. +- **IsHybridIntegrated** Boolean value indicating whether the adapter is an integrated adapter in a hybrid configuration. +- **IsRenderDevice** Boolean value indicating whether the adapter has rendering capabilities. +- **IsSoftwareDevice** Boolean value indicating whether the adapter is implemented in software. +- **IsSurpriseRemoved** Boolean value indicating whether the adapter was surprise removed. +- **SubSystemID** Subsystem identifier for the adapter. +- **SubVendorID** Sub-vendor identifier for the adapter. +- **version** Version of the schema for this event. +- **WDDMVersion** Display driver model version for the driver. + + ## Failover Clustering events ### Microsoft.Windows.Server.FailoverClusteringCritical.ClusterSummary2 @@ -3674,7 +3701,7 @@ The following fields are available: - **Slot** Slot to which the DRAM is plugged into the motherboard. - **Speed** The configured memory slot speed in MHz. - **Type** Reports DDR as an enumeration value as per the DMTF SMBIOS standard version 3.3.0, section 7.18.2. -- **TypeDetails** Reports Non-volatile as a bit flag enumeration per the DMTF SMBIOS standard version 3.3.0, section 7.18.3. +- **TypeDetails** Reports Non-volatile as a bit flag enumeration as per the DMTF SMBIOS standard version 3.3.0, section 7.18.3. ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousMemorySlotArrayInfoStartSync @@ -4340,6 +4367,19 @@ The following fields are available: - **winInetError** The HResult of the operation. + +## Other events + +### Microsoft.Surface.Battery.Prod.BatteryInfoEvent + +This event includes the hardware level data about battery performance. The data collected with this event is used to help keep Windows products and services performing properly. + +The following fields are available: + +- **pszBatteryDataXml** Battery performance data. +- **szBatteryInfo** Battery performance data. + + ## Privacy consent logging events ### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted @@ -5433,16 +5473,6 @@ The following fields are available: - **UpdateId** The update ID for a specific piece of content. - **ValidityWindowInDays** The validity window that's in effect when verifying the timestamp. -## Surface events - -### Microsoft.Surface.Battery.Prod.BatteryInfoEvent - -This event includes the hardware level data about battery performance. The data collected with this event is used to help keep Windows products and services performing properly. - -The following fields are available: - -- **pszBatteryDataXml** Battery performance data. -- **szBatteryInfo** Battery performance data. ## Update Assistant events @@ -8032,6 +8062,21 @@ The following fields are available: - **ResultId** The final result of the interaction campaign. +### Microsoft.Windows.WindowsUpdate.RUXIM.ICSEvaluateInteractionCampaign + +This event is generated when the RUXIM Interaction Campaign Scheduler (RUXIMICS.EXE) finishes processing an interaction campaign. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **ControlId** String identifying the control (if any) that was selected by the user during presentation. +- **hrInteractionHandler** The error (if any) reported by the RUXIM Interaction Handler while processing the interaction campaign. +- **hrScheduler** The error (if any) encountered by RUXIM Interaction Campaign Scheduler itself while processing the interaction campaign. +- **InteractionCampaignID** The ID of the interaction campaign that was processed. +- **ResultId** The result of the evaluation/presentation. +- **WasCompleted** True if the interaction campaign is complete. +- **WasPresented** True if the Interaction Handler displayed the interaction campaign to the user. + + ### Microsoft.Windows.WindowsUpdate.RUXIM.ICSExit This event is generated when the RUXIM Interaction Campaign Scheduler (RUXIMICS) exits. The data collected with this event is used to help keep Windows up to date and performing properly. diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md index 99cc79b6ea..e45351e107 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 04/29/2021 +ms.date: 09/08/2021 ms.reviewer: --- @@ -33,7 +33,8 @@ Use this article to learn about diagnostic events, grouped by event area, and th You can learn more about Windows functional and diagnostic data through these articles: -- [Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 basic diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) +- [Required Windows 11 diagnostic events and fields](required-windows-11-diagnostic-events-and-fields.md) +- [Windows 10, version 20H2 and Windows 10, version 2004 basic diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) - [Windows 10, version 1903 and Windows 10, version 1909 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md) - [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md) - [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md) @@ -312,7 +313,7 @@ The following fields are available: - **DatasourceApplicationFile_19H1Setup** The total number of objects of this type present on this device. - **DatasourceApplicationFile_20H1** The total number of objects of this type present on this device. - **DatasourceApplicationFile_20H1Setup** The total number of objects of this type present on this device. -- **DatasourceApplicationFile_21H1Setup** The total number of objects of this type present on this device. +- **DatasourceApplicationFile_21H1Setup** The count of the number of this particular object type present on this device. - **DatasourceApplicationFile_RS1** The total number of objects of this type present on this device. - **DatasourceApplicationFile_RS2** The total number of objects of this type present on this device. - **DatasourceApplicationFile_RS3** The total number of objects of this type present on this device. @@ -324,11 +325,11 @@ The following fields are available: - **DatasourceApplicationFile_TH1** The total number of objects of this type present on this device. - **DatasourceApplicationFile_TH2** The total number of objects of this type present on this device. - **DatasourceDevicePnp_19ASetup** The total number of objects of this type present on this device. -- **DatasourceDevicePnp_19H1** The total number of objects of this type present on this device. +- **DatasourceDevicePnp_19H1** The count of the number of this particular object type present on this device. - **DatasourceDevicePnp_19H1Setup** The total number of objects of this type present on this device. - **DatasourceDevicePnp_20H1** The total number of objects of this type present on this device. - **DatasourceDevicePnp_20H1Setup** The total number of objects of this type present on this device. -- **DatasourceDevicePnp_21H1Setup** The total number of objects of this type present on this device. +- **DatasourceDevicePnp_21H1Setup** The count of the number of this particular object type present on this device. - **DatasourceDevicePnp_RS1** The total number of objects of this type present on this device. - **DatasourceDevicePnp_RS2** The total number of objects of this type present on this device. - **DatasourceDevicePnp_RS3** The total number of objects of this type present on this device. @@ -344,7 +345,7 @@ The following fields are available: - **DatasourceDriverPackage_19H1Setup** The total number of objects of this type present on this device. - **DatasourceDriverPackage_20H1** The total number of objects of this type present on this device. - **DatasourceDriverPackage_20H1Setup** The total number of objects of this type present on this device. -- **DatasourceDriverPackage_21H1Setup** The total number of objects of this type present on this device. +- **DatasourceDriverPackage_21H1Setup** The count of the number of this particular object type present on this device. - **DatasourceDriverPackage_RS1** The total number of objects of this type present on this device. - **DatasourceDriverPackage_RS2** The total number of objects of this type present on this device. - **DatasourceDriverPackage_RS3** The total number of objects of this type present on this device. @@ -360,7 +361,7 @@ The following fields are available: - **DataSourceMatchingInfoBlock_19H1Setup** The total number of objects of this type present on this device. - **DataSourceMatchingInfoBlock_20H1** The total number of objects of this type present on this device. - **DataSourceMatchingInfoBlock_20H1Setup** The total number of objects of this type present on this device. -- **DataSourceMatchingInfoBlock_21H1Setup** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoBlock_21H1Setup** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoBlock_RS1** The total number of objects of this type present on this device. - **DataSourceMatchingInfoBlock_RS2** The total number of objects of this type present on this device. - **DataSourceMatchingInfoBlock_RS3** The total number of objects of this type present on this device. @@ -376,7 +377,7 @@ The following fields are available: - **DataSourceMatchingInfoPassive_19H1Setup** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPassive_20H1** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPassive_20H1Setup** The total number of objects of this type present on this device. -- **DataSourceMatchingInfoPassive_21H1Setup** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPassive_21H1Setup** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoPassive_RS1** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPassive_RS2** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPassive_RS3** The total number of objects of this type present on this device. @@ -392,7 +393,7 @@ The following fields are available: - **DataSourceMatchingInfoPostUpgrade_19H1Setup** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPostUpgrade_20H1** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPostUpgrade_20H1Setup** The total number of objects of this type present on this device. -- **DataSourceMatchingInfoPostUpgrade_21H1Setup** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPostUpgrade_21H1Setup** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoPostUpgrade_RS1** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPostUpgrade_RS2** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPostUpgrade_RS3** The total number of objects of this type present on this device. @@ -408,7 +409,7 @@ The following fields are available: - **DatasourceSystemBios_19H1Setup** The total number of objects of this type present on this device. - **DatasourceSystemBios_20H1** The total number of objects of this type present on this device. - **DatasourceSystemBios_20H1Setup** The total number of objects of this type present on this device. -- **DatasourceSystemBios_21H1Setup** The total number of objects of this type present on this device. +- **DatasourceSystemBios_21H1Setup** The count of the number of this particular object type present on this device. - **DatasourceSystemBios_RS1** The total number of objects of this type present on this device. - **DatasourceSystemBios_RS2** The total number of objects of this type present on this device. - **DatasourceSystemBios_RS3** The total number of objects of this type present on this device. @@ -424,7 +425,7 @@ The following fields are available: - **DecisionApplicationFile_19H1Setup** The total number of objects of this type present on this device. - **DecisionApplicationFile_20H1** The total number of objects of this type present on this device. - **DecisionApplicationFile_20H1Setup** The total number of objects of this type present on this device. -- **DecisionApplicationFile_21H1Setup** The total number of objects of this type present on this device. +- **DecisionApplicationFile_21H1Setup** The count of the number of this particular object type present on this device. - **DecisionApplicationFile_RS1** The total number of objects of this type present on this device. - **DecisionApplicationFile_RS2** The total number of objects of this type present on this device. - **DecisionApplicationFile_RS3** The total number of objects of this type present on this device. @@ -440,7 +441,7 @@ The following fields are available: - **DecisionDevicePnp_19H1Setup** The total number of objects of this type present on this device. - **DecisionDevicePnp_20H1** The total number of objects of this type present on this device. - **DecisionDevicePnp_20H1Setup** The total number of objects of this type present on this device. -- **DecisionDevicePnp_21H1Setup** The total number of objects of this type present on this device. +- **DecisionDevicePnp_21H1Setup** The count of the number of this particular object type present on this device. - **DecisionDevicePnp_RS1** The total number of objects of this type present on this device. - **DecisionDevicePnp_RS2** The total number of objects of this type present on this device. - **DecisionDevicePnp_RS3** The total number of objects of this type present on this device. @@ -456,7 +457,7 @@ The following fields are available: - **DecisionDriverPackage_19H1Setup** The total number of objects of this type present on this device. - **DecisionDriverPackage_20H1** The total number of objects of this type present on this device. - **DecisionDriverPackage_20H1Setup** The total number of objects of this type present on this device. -- **DecisionDriverPackage_21H1Setup** The total number of objects of this type present on this device. +- **DecisionDriverPackage_21H1Setup** The count of the number of this particular object type present on this device. - **DecisionDriverPackage_RS1** The total number of objects of this type present on this device. - **DecisionDriverPackage_RS2** The total number of objects of this type present on this device. - **DecisionDriverPackage_RS3** The total number of objects of this type present on this device. @@ -472,7 +473,7 @@ The following fields are available: - **DecisionMatchingInfoBlock_19H1Setup** The total number of objects of this type present on this device. - **DecisionMatchingInfoBlock_20H1** The total number of objects of this type present on this device. - **DecisionMatchingInfoBlock_20H1Setup** The total number of objects of this type present on this device. -- **DecisionMatchingInfoBlock_21H1Setup** The total number of objects of this type present on this device. +- **DecisionMatchingInfoBlock_21H1Setup** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoBlock_RS1** The total number of objects of this type present on this device. - **DecisionMatchingInfoBlock_RS2** The total number of objects of this type present on this device. - **DecisionMatchingInfoBlock_RS3** The total number of objects of this type present on this device. @@ -488,7 +489,7 @@ The following fields are available: - **DecisionMatchingInfoPassive_19H1Setup** The total number of objects of this type present on this device. - **DecisionMatchingInfoPassive_20H1** The total number of objects of this type present on this device. - **DecisionMatchingInfoPassive_20H1Setup** The total number of objects of this type present on this device. -- **DecisionMatchingInfoPassive_21H1Setup** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPassive_21H1Setup** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoPassive_RS1** The total number of objects of this type present on this device. - **DecisionMatchingInfoPassive_RS2** The total number of objects of this type present on this device. - **DecisionMatchingInfoPassive_RS3** The total number of objects of this type present on this device. @@ -504,7 +505,7 @@ The following fields are available: - **DecisionMatchingInfoPostUpgrade_19H1Setup** The total number of objects of this type present on this device. - **DecisionMatchingInfoPostUpgrade_20H1** The total number of objects of this type present on this device. - **DecisionMatchingInfoPostUpgrade_20H1Setup** The total number of objects of this type present on this device. -- **DecisionMatchingInfoPostUpgrade_21H1Setup** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPostUpgrade_21H1Setup** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoPostUpgrade_RS1** The total number of objects of this type present on this device. - **DecisionMatchingInfoPostUpgrade_RS2** The total number of objects of this type present on this device. - **DecisionMatchingInfoPostUpgrade_RS3** The total number of objects of this type present on this device. @@ -520,7 +521,7 @@ The following fields are available: - **DecisionMediaCenter_19H1Setup** The total number of objects of this type present on this device. - **DecisionMediaCenter_20H1** The total number of objects of this type present on this device. - **DecisionMediaCenter_20H1Setup** The total number of objects of this type present on this device. -- **DecisionMediaCenter_21H1Setup** The total number of objects of this type present on this device. +- **DecisionMediaCenter_21H1Setup** The count of the number of this particular object type present on this device. - **DecisionMediaCenter_RS1** The total number of objects of this type present on this device. - **DecisionMediaCenter_RS2** The total number of objects of this type present on this device. - **DecisionMediaCenter_RS3** The total number of objects of this type present on this device. @@ -536,7 +537,7 @@ The following fields are available: - **DecisionSystemBios_19H1Setup** The total number of objects of this type present on this device. - **DecisionSystemBios_20H1** The total number of objects of this type present on this device. - **DecisionSystemBios_20H1Setup** The total number of objects of this type present on this device. -- **DecisionSystemBios_21H1Setup** The total number of objects of this type present on this device. +- **DecisionSystemBios_21H1Setup** The count of the number of this particular object type present on this device. - **DecisionSystemBios_RS1** The total number of objects of this type present on this device. - **DecisionSystemBios_RS2** The total number of objects of this type present on this device. - **DecisionSystemBios_RS3** The total number of objects of this type present on this device. @@ -579,7 +580,7 @@ The following fields are available: - **Wmdrm_19H1Setup** The total number of objects of this type present on this device. - **Wmdrm_20H1** The total number of objects of this type present on this device. - **Wmdrm_20H1Setup** The total number of objects of this type present on this device. -- **Wmdrm_21H1Setup** The total number of objects of this type present on this device. +- **Wmdrm_21H1Setup** The count of the number of this particular object type present on this device. - **Wmdrm_RS1** The total number of objects of this type present on this device. - **Wmdrm_RS2** The total number of objects of this type present on this device. - **Wmdrm_RS3** The total number of objects of this type present on this device. @@ -1219,6 +1220,28 @@ The following fields are available: - **AppraiserVersion** The version of the appraiser file generating the events. +### Microsoft.Windows.Appraiser.General.DecisionSystemMemoryAdd + +This event sends compatibility decision data about the system memory to help keep Windows up to date. Microsoft uses this information to understand and address problems regarding system memory for computers receiving updates. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **Blocking** Blocking information. +- **BlockingSystemGeneralScenario** Decision about upgrade eligibility based on RAM. +- **MemoryRequirementViolated** Memory information. +- **SystemRequirementViolatedGeneral** System requirement information. + + +### Microsoft.Windows.Appraiser.General.DecisionSystemMemoryStartSync + +The DecisionSystemMemoryStartSync event indicates that a new set of DecisionSystemMemoryAdd events will be sent. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + + + ### Microsoft.Windows.Appraiser.General.DecisionSystemProcessorCpuCoresAdd This data attribute refers to the number of Cores a CPU supports. The data collected with this event is used to help keep Windows up to date. @@ -1243,6 +1266,34 @@ The following fields are available: - **AppraiserVersion** The version of the appraiser file generating the events. +### Microsoft.Windows.Appraiser.General.DecisionSystemProcessorCpuModelAdd + +This event sends true/false compatibility decision data about the CPU. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. +- **Armv81Support** Arm v8.1 Atomics support. +- **Blocking** Appraiser decision about eligibility to upgrade. +- **CpuFamily** Cpu family. +- **CpuModel** Cpu model. +- **CpuStepping** Cpu stepping. +- **CpuVendor** Cpu vendor. + + +### Microsoft.Windows.Appraiser.General.DecisionSystemProcessorCpuModelStartSync + +The DecisionSystemProcessorCpuModelStartSync event indicates that a new set of DecisionSystemProcessorCpuModelAdd events will be sent. This event is used to make compatibility decisions about the CPU. Microsoft uses this information to understand and address problems regarding the CPU for computers receiving updates. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. + + ### Microsoft.Windows.Appraiser.General.DecisionSystemProcessorCpuSpeedAdd This event sends compatibility decision data about the CPU, to help keep Windows up to date. @@ -4796,6 +4847,29 @@ The following fields are available: - **InventoryVersion** The version of the inventory file generating the events. +### Microsoft.Windows.Inventory.Core.InventoryDeviceSensorAdd + +This event sends basic metadata about sensor devices on a machine. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. +- **Manufacturer** Sensor manufacturer. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceSensorStartSync + +This event indicates that a new set of InventoryDeviceSensor events will be sent. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + ### Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassAdd This event sends basic metadata about the USB hubs on the device. The data collected with this event is used to keep Windows performing properly. @@ -5128,7 +5202,7 @@ The following fields are available: - **FirmwareResetReasonPch** Reason for system reset provided by firmware. - **FirmwareResetReasonPchAdditional** Additional information on system reset reason provided by firmware if needed. - **FirmwareResetReasonSupplied** Flag indicating that a reason for system reset was provided by firmware. -- **IO** Amount of data written to and read from the disk by the OS Loader during boot. See IO. +- **IO** Amount of data written to and read from the disk by the OS Loader during boot. - **LastBootSucceeded** Flag indicating whether the last boot was successful. - **LastShutdownSucceeded** Flag indicating whether the last shutdown was successful. - **MaxAbove4GbFreeRange** This field describes the largest memory range available above 4Gb. @@ -5716,6 +5790,36 @@ The following fields are available: - **totalRunDuration** Total running/evaluation time from last time. - **totalRuns** Total number of running/evaluation from last time. + +## Other events + +### Microsoft.ServerManagementExperience.Gateway.Service.ManagedNodeProperties + +This is a periodic rundown event that contains more detailed information about the nodes added to this Windows Admin Center gateway for management. + +The following fields are available: + +- **nodeId** The nodeTypeId concatenated with the hostname or IP address that gateway uses to connect to this node. +- **nodeOperatingSystem** A user friendly description of the node's OS version. +- **nodeOSVersion** A major or minor build version string for the node's OS. +- **nodeTypeId** A string that distinguishes between a connection target, whether it is a client, server, cluster or a hyper-converged cluster. +- **otherProperties** Contains a JSON object with variable content and may contain: "nodes": a list of host names or IP addresses of the servers belonging to a cluster, "aliases": the alias if it is set for this connection, "lastUpdatedTime": the number of milliseconds since Unix epoch when this connection was last updated, "ncUri", "caption", "version", "productType", "networkName", "operatingSystem", "computerManufacturer", "computerModel", "isS2dEnabled". This JSON object is formatted as an quotes-escaped string. + + +### Microsoft.Surface.Battery.Prod.BatteryInfoEvent + +This event includes the hardware level data about battery performance. The data collected with this event is used to help keep Windows products and services performing properly. + +The following fields are available: + +- **batteryData.data()** Battery performance data. +- **BatteryDataSize:** Size of the battery performance data. +- **batteryInfo.data()** Battery performance data. +- **BatteryInfoSize:** Size of the battery performance data. +- **pszBatteryDataXml** Battery performance data. +- **szBatteryInfo** Battery performance data. + + ## Privacy consent logging events ### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted @@ -6925,20 +7029,6 @@ The following fields are available: - **UpdateId** The update ID for a specific piece of content. - **ValidityWindowInDays** The validity window that's in effect when verifying the timestamp. -## Surface events - -### Microsoft.Surface.Battery.Prod.BatteryInfoEvent - -This event includes the hardware level data about battery performance. The data collected with this event is used to help keep Windows products and services performing properly. - -The following fields are available: - -- **batteryData.data()** Battery performance data. -- **BatteryDataSize:** Size of the battery performance data. -- **batteryInfo.data()** Battery performance data. -- **BatteryInfoSize:** Size of the battery performance data. -- **pszBatteryDataXml** Battery performance data. -- **szBatteryInfo** Battery performance data. ## System Resource Usage Monitor events @@ -7772,7 +7862,7 @@ The following fields are available: - **DPRange** Maximum mean value range. - **DPValue** Randomized bit value (0 or 1) that can be reconstituted over a large population to estimate the mean. -- **Value** Standard UTC emitted DP value structure See Value. +- **Value** Standard UTC emitted DP value structure. ## Windows Store events @@ -8161,7 +8251,7 @@ The following fields are available: ### Microsoft.Windows.Kits.WSK.WskImageCreate -This event sends simple data when a user is using the Windows System Kit to create new OS “images”. The data includes the version of the Windows System Kit and the state of the event and is used to help investigate “image” creation failures. The data collected with this event is used to keep Windows performing properly. +This event sends simple Product and Service usage data when a user is using the Windows System Kit to create new OS “images”. The data includes the version of the Windows System Kit and the state of the event and is used to help investigate “image” creation failures. The data collected with this event is used to keep Windows performing properly. The following fields are available: @@ -8176,7 +8266,7 @@ The following fields are available: ### Microsoft.Windows.Kits.WSK.WskImageCustomization -This event sends simple data when a user is using the Windows System Kit to create/modify configuration files allowing the customization of a new OS image with Apps or Drivers. The data includes the version of the Windows System Kit, the state of the event, the customization type (drivers or apps) and the mode (new or updating) and is used to help investigate configuration file creation failures. The data collected with this event is used to keep Windows performing properly. +This event sends simple Product and Service usage data when a user is using the Windows System Kit to create/modify configuration files allowing the customization of a new OS image with Apps or Drivers. The data includes the version of the Windows System Kit, the state of the event, the customization type (drivers or apps) and the mode (new or updating) and is used to help investigate configuration file creation failures. The data collected with this event is used to keep Windows performing properly. The following fields are available: @@ -9596,6 +9686,21 @@ The following fields are available: - **PackageVersion** Current package version of remediation. +### Microsoft.Windows.WindowsUpdate.RUXIM.ICSEvaluateInteractionCampaign + +This event is generated when the RUXIM Interaction Campaign Scheduler (RUXIMICS.EXE) finishes processing an interaction campaign. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **ControlId** String identifying the control (if any) that was selected by the user during presentation. +- **hrInteractionHandler** The error (if any) reported by the RUXIM Interaction Handler while processing the interaction campaign. +- **hrScheduler** The error (if any) encountered by RUXIM Interaction Campaign Scheduler itself while processing the interaction campaign. +- **InteractionCampaignID** The ID of the interaction campaign that was processed. +- **ResultId** The result of the evaluation/presentation. +- **WasCompleted** True if the interaction campaign is complete. +- **WasPresented** True if the Interaction Handler displayed the interaction campaign to the user. + + ### Microsoft.Windows.WindowsUpdate.RUXIM.ICSExit This event is generated when the RUXIM Interaction Campaign Scheduler (RUXIMICS) exits. The data collected with this event is used to help keep Windows up to date and performing properly. @@ -9627,6 +9732,72 @@ This event is sent when RUXIM begins checking with OneSettings to retrieve any U +### Microsoft.Windows.WindowsUpdate.RUXIM.IHBeginPresentation + +This event is generated when RUXIM is about to present an interaction campaign to the user. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **InteractionCampaignID** GUID identifying interaction campaign being presented. + + +### Microsoft.Windows.WindowsUpdate.RUXIM.IHEndPresentation + +This event is generated when Interaction Handler completes presenting an interaction campaign to the user. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **hrPresentation** Error, if any, occurring during the presentation. +- **InteractionCampaignID** GUID identifying the interaction campaign being presented. +- **ResultId** Result generated by the presentation. +- **WasCompleted** True if the interaction campaign is now considered complete. + + +### Microsoft.Windows.WindowsUpdate.RUXIM.IHEvaluateAndPresent + +This event is generated when the RUXIM Interaction Handler finishes evaluating, and possibly presenting an interaction campaign. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **hrLocal** The error (if any) encountered by RUXIM Interaction Handler during evaluation and presentation. +- **hrPresentation** The error (if any) reported by RUXIM Presentation Handler during presentation. +- **InteractionCampaignID** GUID; the user interaction campaign processed by RUXIM Interaction Handler. +- **ResultId** The result generated by the evaluation and presentation. +- **WasCompleted** True if the user interaction campaign is complete. +- **WasPresented** True if the user interaction campaign is displayed to the user. + + +### Microsoft.Windows.WindowsUpdate.RUXIM.IHExit + +This event is generated when the RUXIM Interaction Handler (RUXIMIH.EXE) exits. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **InteractionCampaignID** GUID identifying the interaction campaign that RUXIMIH processed. + + +### Microsoft.Windows.WindowsUpdate.RUXIM.IHLaunch + +This event is generated when the RUXIM Interaction Handler (RUXIMIH.EXE) is launched. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **CommandLine** The command line used to launch RUXIMIH. +- **InteractionCampaignID** GUID identifying the user interaction campaign that the Interaction Handler will process. + + +### Microsoft.Windows.WindowsUpdate.RUXIM.SystemEvaluator.Evaluation + +This event is generated whenever the RUXIM Evaluator DLL performs an evaluation. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **HRESULT** Error, if any, that occurred during evaluation. (Note that if errors encountered during individual checks do not affect the overall result of the evaluation, those errors will be reported in NodeEvaluationData, but this HRESULT will still be zero.) +- **Id** GUID passed in by the caller to identify the evaluation. +- **NodeEvaluationData** Structure showing the results of individual checks that occurred during the overall evaluation. +- **Result** Overall result generated by the evaluation. + + ## Windows Update mitigation events ### Mitigation360Telemetry.MitigationCustom.CleanupSafeOsImages diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md index 23b3637f84..d9cf6ceee1 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 04/29/2021 +ms.date: 09/08/2021 --- @@ -38,7 +38,8 @@ Use this article to learn about diagnostic events, grouped by event area, and th You can learn more about Windows functional and diagnostic data through these articles: -- [Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 basic diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) +- [Required Windows 11 diagnostic events and fields](required-windows-11-diagnostic-events-and-fields.md) +- [Windows 10, version 20H2 and Windows 10, version 2004 basic diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) - [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md) - [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md) - [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md) @@ -468,8 +469,17 @@ The following fields are available: - **DecisionMediaCenter_RS5** The total number of objects of this type present on this device. - **DecisionMediaCenter_TH1** The total number of objects of this type present on this device. - **DecisionMediaCenter_TH2** The total number of objects of this type present on this device. +- **DecisionSModeState_19H1** The total number of objects of this type present on this device. - **DecisionSModeState_20H1** The total number of objects of this type present on this device. +- **DecisionSModeState_20H1Setup** The total number of objects of this type present on this device. - **DecisionSModeState_21H1** The total number of objects of this type present on this device. +- **DecisionSModeState_RS1** The total number of objects of this type present on this device. +- **DecisionSModeState_RS2** The total number of objects of this type present on this device. +- **DecisionSModeState_RS3** The total number of objects of this type present on this device. +- **DecisionSModeState_RS4** The total number of objects of this type present on this device. +- **DecisionSModeState_RS5** The total number of objects of this type present on this device. +- **DecisionSModeState_TH1** The total number of objects of this type present on this device. +- **DecisionSModeState_TH2** The total number of objects of this type present on this device. - **DecisionSystemBios_19ASetup** The total number of objects of this type present on this device. - **DecisionSystemBios_19H1** The total number of objects of this type present on this device. - **DecisionSystemBios_19H1Setup** The total number of objects of this type present on this device. @@ -487,17 +497,62 @@ The following fields are available: - **DecisionSystemBios_RS5Setup** The total number of objects of this type present on this device. - **DecisionSystemBios_TH1** The total number of objects of this type present on this device. - **DecisionSystemBios_TH2** The total number of objects of this type present on this device. +- **DecisionSystemDiskSize_19H1** The total number of objects of this type present on this device. - **DecisionSystemDiskSize_20H1** The total number of objects of this type present on this device. +- **DecisionSystemDiskSize_20H1Setup** The total number of objects of this type present on this device. - **DecisionSystemDiskSize_21H1** The total number of objects of this type present on this device. +- **DecisionSystemDiskSize_RS1** The total number of objects of this type present on this device. +- **DecisionSystemDiskSize_RS2** The total number of objects of this type present on this device. +- **DecisionSystemDiskSize_RS3** The total number of objects of this type present on this device. +- **DecisionSystemDiskSize_RS4** The total number of objects of this type present on this device. +- **DecisionSystemDiskSize_RS5** The total number of objects of this type present on this device. +- **DecisionSystemDiskSize_TH1** The total number of objects of this type present on this device. +- **DecisionSystemDiskSize_TH2** The total number of objects of this type present on this device. +- **DecisionSystemMemory_19H1** The total number of objects of this type present on this device. - **DecisionSystemMemory_20H1** The total number of objects of this type present on this device. +- **DecisionSystemMemory_20H1Setup** The total number of objects of this type present on this device. - **DecisionSystemMemory_21H1** The total number of objects of this type present on this device. +- **DecisionSystemMemory_RS1** The total number of objects of this type present on this device. +- **DecisionSystemMemory_RS2** The total number of objects of this type present on this device. +- **DecisionSystemMemory_RS3** The total number of objects of this type present on this device. +- **DecisionSystemMemory_RS4** The total number of objects of this type present on this device. +- **DecisionSystemMemory_RS5** The total number of objects of this type present on this device. +- **DecisionSystemMemory_TH1** The total number of objects of this type present on this device. +- **DecisionSystemMemory_TH2** The total number of objects of this type present on this device. - **DecisionSystemProcessor_RS2** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuCores_19H1** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuCores_20H1** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuCores_20H1Setup** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuCores_21H1** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuCores_RS1** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuCores_RS2** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuCores_RS3** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuCores_RS4** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuCores_RS5** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuCores_TH1** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuCores_TH2** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuModel_19H1** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuModel_20H1** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuModel_20H1Setup** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuModel_21H1** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuModel_RS1** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuModel_RS2** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuModel_RS3** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuModel_RS4** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuModel_RS5** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuModel_TH1** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuModel_TH2** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuSpeed_19H1** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuSpeed_20H1** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuSpeed_20H1Setup** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuSpeed_21H1** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuSpeed_RS1** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuSpeed_RS2** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuSpeed_RS3** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuSpeed_RS4** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuSpeed_RS5** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuSpeed_TH1** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuSpeed_TH2** The total number of objects of this type present on this device. - **DecisionTest_19H1** The total number of objects of this type present on this device. - **DecisionTest_20H1** The total number of objects of this type present on this device. - **DecisionTest_20H1Setup** The total number of objects of this type present on this device. @@ -510,10 +565,28 @@ The following fields are available: - **DecisionTest_RS5** The total number of objects of this type present on this device. - **DecisionTest_TH1** The total number of objects of this type present on this device. - **DecisionTest_TH2** The total number of objects of this type present on this device. +- **DecisionTpmVersion_19H1** The total number of objects of this type present on this device. - **DecisionTpmVersion_20H1** The total number of objects of this type present on this device. +- **DecisionTpmVersion_20H1Setup** The total number of objects of this type present on this device. - **DecisionTpmVersion_21H1** The total number of objects of this type present on this device. +- **DecisionTpmVersion_RS1** The total number of objects of this type present on this device. +- **DecisionTpmVersion_RS2** The total number of objects of this type present on this device. +- **DecisionTpmVersion_RS3** The total number of objects of this type present on this device. +- **DecisionTpmVersion_RS4** The total number of objects of this type present on this device. +- **DecisionTpmVersion_RS5** The total number of objects of this type present on this device. +- **DecisionTpmVersion_TH1** The total number of objects of this type present on this device. +- **DecisionTpmVersion_TH2** The total number of objects of this type present on this device. +- **DecisionUefiSecureBoot_19H1** The total number of objects of this type present on this device. - **DecisionUefiSecureBoot_20H1** The total number of objects of this type present on this device. +- **DecisionUefiSecureBoot_20H1Setup** The total number of objects of this type present on this device. - **DecisionUefiSecureBoot_21H1** The total number of objects of this type present on this device. +- **DecisionUefiSecureBoot_RS1** The total number of objects of this type present on this device. +- **DecisionUefiSecureBoot_RS2** The total number of objects of this type present on this device. +- **DecisionUefiSecureBoot_RS3** The total number of objects of this type present on this device. +- **DecisionUefiSecureBoot_RS4** The total number of objects of this type present on this device. +- **DecisionUefiSecureBoot_RS5** The total number of objects of this type present on this device. +- **DecisionUefiSecureBoot_TH1** The total number of objects of this type present on this device. +- **DecisionUefiSecureBoot_TH2** The total number of objects of this type present on this device. - **InventoryApplicationFile** The total number of objects of this type present on this device. - **InventoryDeviceContainer** The total number of objects of this type present on this device. - **InventoryDevicePnp** The total number of objects of this type present on this device. @@ -1173,6 +1246,31 @@ The following fields are available: - **AppraiserVersion** The version of the appraiser file generating the events. +### Microsoft.Windows.Appraiser.General.DecisionSystemMemoryAdd + +This event sends compatibility decision data about the system memory to help keep Windows up to date. Microsoft uses this information to understand and address problems regarding system memory for computers receiving updates. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. +- **Blocking** Blocking information. +- **MemoryRequirementViolated** Memory information. +- **ramKB** Memory information in KB. + + +### Microsoft.Windows.Appraiser.General.DecisionSystemMemoryStartSync + +The DecisionSystemMemoryStartSync event indicates that a new set of DecisionSystemMemoryAdd events will be sent. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. + + ### Microsoft.Windows.Appraiser.General.DecisionSystemProcessorCpuCoresAdd This data attribute refers to the number of Cores a CPU supports. The data collected with this event is used to help keep Windows up to date. @@ -1212,6 +1310,8 @@ The following fields are available: - **CpuModel** Cpu model. - **CpuStepping** Cpu stepping. - **CpuVendor** Cpu vendor. +- **PlatformId** CPU platform identifier. +- **SysReqOverride** Appraiser decision about system requirements override. ### Microsoft.Windows.Appraiser.General.DecisionSystemProcessorCpuModelStartSync @@ -1294,6 +1394,7 @@ The following fields are available: - **AppraiserVersion** The version of the appraiser file generating the events. - **Blocking** Appraiser upgradeability decision based on the device's TPM support. +- **SysReqOverride** Appraiser decision about system requirements override. - **TpmVersionInfo** The version of Trusted Platform Module (TPM) technology in the device. @@ -1534,7 +1635,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.InventoryTestAdd -This event provides diagnostic data for testing event adds. +This event provides diagnostic data for testing event adds to help keep windows up to date. This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). @@ -2422,6 +2523,7 @@ The following fields are available: - **ProcessorManufacturer** Name of the processor manufacturer. - **ProcessorModel** Name of the processor model. - **ProcessorPhysicalCores** Number of physical cores in the processor. +- **ProcessorPlatformSpecificField1** Registry value HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0, @Platform Specific Field 1. Platform Specific Field 1 of the Processor. Each vendor (e.g. Intel) defines the meaning differently. On Intel this is used to differentiate processors of the same generation, (e.g. Kaby Lake, KBL-G, KBL-H, KBL-R). - **ProcessorUpdateRevision** The microcode revision. - **ProcessorUpdateStatus** Enum value that represents the processor microcode load status - **SocketCount** Count of CPU sockets. @@ -3193,6 +3295,7 @@ The following fields are available: - **CanCollectWindowsAnalyticsEvents** True if we can collect Windows Analytics data, false otherwise. - **CanPerformDiagnosticEscalations** True if we can perform diagnostic escalation collection, false otherwise. - **CanReportScenarios** True if we can report scenario completions, false otherwise. +- **IsProcessorMode** True if it is Processor Mode, false otherwise. - **PreviousPermissions** Bitmask of previous telemetry state. - **TransitionFromEverythingOff** True if we are transitioning from all telemetry being disabled, false otherwise. @@ -3734,6 +3837,19 @@ The following fields are available: - **CV_new** New correlation vector. +### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckIfCoordinatorMinApplicableVersionSuccess + +This event indicates that the Handler CheckIfCoordinatorMinApplicableVersion call succeeded. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **CheckIfCoordinatorMinApplicableVersionResult** Result of CheckIfCoordinatorMinApplicableVersion function. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. + + ### Microsoft.Windows.DirectToUpdate.DTUHandlerCommitGenericFailure This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Commit call. The data collected with this event is used to help keep Windows secure and up to date. @@ -3748,6 +3864,19 @@ The following fields are available: - **hResult** HRESULT of the failure. +### Microsoft.Windows.DirectToUpdate.DTUHandlerCommitSuccess + +This event indicates that the Handler Commit call succeeded. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run.run +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **CV_new** New correlation vector. + + ### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadAndExtractCabAlreadyDownloaded This event indicates that the Handler Download and Extract cab returned a value indicating that the cab has already been downloaded. The data collected with this event is used to help keep Windows secure and up to date. @@ -4171,9 +4300,11 @@ The following fields are available: - **DeviceInstanceId** The unique identifier of the device in the system. - **FirstInstallDate** The first time a driver was installed on this device. +- **InstallFlags** Flag indicating how driver setup was called. - **LastDriverDate** Date of the driver that is being replaced. - **LastDriverInbox** Indicates whether the previous driver was included with Windows. - **LastDriverInfName** Name of the INF file (the setup information file) of the driver being replaced. +- **LastDriverPackageId** ID of the driver package installed on the device before the current install operation began. ID contains the name + architecture + hash. - **LastDriverVersion** The version of the driver that is being replaced. - **LastFirmwareDate** The date of the last firmware reported from the EFI System Resource Table (ESRT). - **LastFirmwareRevision** The last firmware revision number reported from EFI System Resource Table (ESRT). @@ -4475,43 +4606,43 @@ This event captures basic checksum data about the device inventory items stored The following fields are available: -- **Device** A count of device objects in the cache. -- **DeviceCensus** A count of device census objects in the cache. -- **DriverPackageExtended** A count of driverpackageextended objects in the cache. -- **File** A count of file objects in the cache. -- **FileSigningInfo** A count of file signing objects in the cache. -- **Generic** A count of generic objects in the cache. -- **HwItem** A count of hwitem objects in the cache. -- **InventoryAcpiPhatHealthRecord** A count of ACPI PHAT health record objects in the cache. -- **InventoryAcpiPhatVersionElement** A count of ACPI PHAT version element objects in the cache. -- **InventoryApplication** A count of application objects in the cache. -- **InventoryApplicationAppV** A count of application AppV objects in the cache. -- **InventoryApplicationDriver** A count of application driver objects in the cache -- **InventoryApplicationFile** A count of application file objects in the cache. -- **InventoryApplicationFramework** A count of application framework objects in the cache -- **InventoryApplicationShortcut** A count of application shortcut objects in the cache -- **InventoryDeviceContainer** A count of device container objects in the cache. -- **InventoryDeviceInterface** A count of Plug and Play device interface objects in the cache. -- **InventoryDeviceMediaClass** A count of device media objects in the cache. -- **InventoryDevicePnp** A count of device Plug and Play objects in the cache. -- **InventoryDeviceSensor** A count of device sensor objects in the cache. -- **InventoryDeviceUsbHubClass** A count of device usb objects in the cache -- **InventoryDriverBinary** A count of driver binary objects in the cache. -- **InventoryDriverPackage** A count of device objects in the cache. -- **InventoryMiscellaneousOfficeAddIn** A count of office add-in objects in the cache -- **InventoryMiscellaneousOfficeAddInUsage** A count of office add-in usage objects in the cache. -- **InventoryMiscellaneousOfficeIdentifiers** A count of office identifier objects in the cache. -- **InventoryMiscellaneousOfficeIESettings** A count of office ie settings objects in the cache. -- **InventoryMiscellaneousOfficeInsights** A count of office insights objects in the cache. -- **InventoryMiscellaneousOfficeProducts** A count of office products objects in the cache. -- **InventoryMiscellaneousOfficeSettings** A count of office settings objects in the cache. -- **InventoryMiscellaneousOfficeVBA** A count of office vba objects in the cache. -- **InventoryMiscellaneousOfficeVBARuleViolations** A count of office vba rule violations objects in the cache. -- **InventoryMiscellaneousUUPInfo** A count of uup info objects in the cache. -- **InventoryVersion** The version of the inventory components. -- **Metadata** A count of metadata objects in the cache. -- **Orphan** A count of orphan file objects in the cache. -- **Programs** A count of program objects in the cache. +- **Device** A count of device objects in cache. +- **DeviceCensus** A count of device census objects in cache. +- **DriverPackageExtended** A count of driverpackageextended objects in cache. +- **File** A count of file objects in cache. +- **FileSigningInfo** A count of file signing objects in cache. +- **Generic** A count of generic objects in cache. +- **HwItem** A count of hwitem objects in cache. +- **InventoryAcpiPhatHealthRecord** A count of ACPI PHAT health records in cache. +- **InventoryAcpiPhatVersionElement** A count of ACPI PHAT version elements in cache +- **InventoryApplication** A count of application objects in cache. +- **InventoryApplicationAppV** A count of application AppV objects in cache. +- **InventoryApplicationDriver** A count of application driver objects in cache +- **InventoryApplicationFile** A count of application file objects in cache. +- **InventoryApplicationFramework** A count of application framework objects in cache +- **InventoryApplicationShortcut** A count of application shortcut objects in cache +- **InventoryDeviceContainer** A count of device container objects in cache. +- **InventoryDeviceInterface** A count of Plug and Play device interface objects in cache. +- **InventoryDeviceMediaClass** A count of device media objects in cache. +- **InventoryDevicePnp** A count of device Plug and Play objects in cache. +- **InventoryDeviceSensor** A count of device sensors in cache. +- **InventoryDeviceUsbHubClass** A count of device usb objects in cache +- **InventoryDriverBinary** A count of driver binary objects in cache. +- **InventoryDriverPackage** A count of device objects in cache. +- **InventoryMiscellaneousOfficeAddIn** A count of office add-in objects in cache +- **InventoryMiscellaneousOfficeAddInUsage** A count of office add-in usage objects in cache. +- **InventoryMiscellaneousOfficeIdentifiers** A count of office identifier objects in cache +- **InventoryMiscellaneousOfficeIESettings** A count of office ie settings objects in cache +- **InventoryMiscellaneousOfficeInsights** A count of office insights objects in cache +- **InventoryMiscellaneousOfficeProducts** A count of office products objects in cache +- **InventoryMiscellaneousOfficeSettings** A count of office settings objects in cache +- **InventoryMiscellaneousOfficeVBA** A count of office vba objects in cache +- **InventoryMiscellaneousOfficeVBARuleViolations** A count of office vba rule violations objects in cache +- **InventoryMiscellaneousUUPInfo** A count of uup info objects in cache +- **InventoryVersion** The version of the inventory binary generating the events. +- **Metadata** A count of metadata objects in cache. +- **Orphan** A count of orphan file objects in cache. +- **Programs** A count of program objects in cache. ### Microsoft.Windows.Inventory.Core.AmiTelCacheVersions @@ -4550,6 +4681,7 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic The following fields are available: +- **AndroidPackageId** A unique identifier for an Android app. - **HiddenArp** Indicates whether a program hides itself from showing up in ARP. - **InstallDate** The date the application was installed (a best guess based on folder creation date heuristics). - **InstallDateArpLastModified** The date of the registry ARP key for a given application. Hints at install date but not always accurate. Passed as an array. Example: 4/11/2015 00:00:00 @@ -4821,7 +4953,7 @@ The following fields are available: - **HWID** The version of the driver loaded for the device. - **Inf** The bus that enumerated the device. - **InstallDate** The date of the most recent installation of the device on the machine. -- **InstallState** The device installation state. For a list of values, see: [Device Install State](https://msdn.microsoft.com/library/windows/hardware/ff543130.aspx) +- **InstallState** The device installation state. For a list of values, see [Device Install State](https://msdn.microsoft.com/library/windows/hardware/ff543130.aspx). - **InventoryVersion** List of hardware ids for the device. - **LowerClassFilters** Lower filter class drivers IDs installed for the device - **LowerFilters** Lower filter drivers IDs installed for the device @@ -5326,9 +5458,10 @@ The following fields are available: - **ConnectionType** The first reported type of network connection currently connected. This can be one of Unknown, Ethernet, WiFi, 2G, 3G, 4G, None, or Bluetooth. - **container_client_id** The client ID of the container, if in WDAG mode. This will be different from the UMA log client ID, which is the client ID of the host in WDAG mode. - **container_session_id** The session ID of the container, if in WDAG mode. This will be different from the UMA log session ID, which is the session ID of the host in WDAG mode. +- **device_sample_rate** A number representing how often the device sends telemetry, expressed as a percentage. Low values indicate that device sends more events and high values indicate that device sends fewer events. The value is rounded to 5 significant figures for privacy reasons and if an error is hit in getting the device sample number value from the registry then this will be -1; and if client is not on a UTC-enabled platform, then this value will not be set. - **Etag** Etag is an identifier representing all service applied configurations and experiments for the current browser session. This field is left empty when Windows diagnostic level is set to Basic or lower or when consent for diagnostic data has been denied. - **EventInfo.Level** The minimum Windows diagnostic data level required for the event, where 1 is basic, 2 is enhanced, and 3 is full. -- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol for more details on this policy. +- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See [Microsoft Edge - Policies](/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol) for more details on this policy. - **install_date** The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour. - **installSource** An enumeration representing the source of this installation: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13). - **installSourceName** A string representation of the installation source. @@ -5351,15 +5484,17 @@ The following fields are available: - **app_sample_rate** A number representing how often the client sends telemetry, expressed as a percentage. Low values indicate that said client sends more events and high values indicate that said client sends fewer events. - **app_version** The internal Edge build version string, taken from the UMA metrics field system_profile.app_version. - **appConsentState** Bit flags describing consent for data collection on the machine or zero if the state was not retrieved. The following are true when the associated bit is set: consent was granted (0x1), consent was communicated at install (0x2), diagnostic data consent granted (0x20000), browsing data consent granted (0x40000). +- **AppSessionGuid** An identifier of a particular application session starting at process creation time and persisting until process end. - **brandCode** Contains the 4 character brand code or distribution tag that has been assigned to a partner. Not every Windows install will have a brand code. - **Channel** An integer indicating the channel of the installation (Canary or Dev). - **client_id** A unique identifier with which all other diagnostic client data is associated, taken from the UMA metrics provider. This ID is effectively unique per device, per OS user profile, per release channel (e.g. Canary/Dev/Beta/Stable). client_id is not durable, based on user preferences. client_id is initialized on the first application launch under each OS user profile. client_id is linkable, but not unique across devices or OS user profiles. client_id is reset whenever UMA data collection is disabled, or when the application is uninstalled. - **ConnectionType** The first reported type of network connection currently connected. This can be one of Unknown, Ethernet, WiFi, 2G, 3G, 4G, None, or Bluetooth. - **container_client_id** The client ID of the container, if in WDAG mode. This will be different from the UMA log client ID, which is the client ID of the host in WDAG mode. - **container_session_id** The session ID of the container, if in WDAG mode. This will be different from the UMA log session ID, which is the session ID of the host in WDAG mode. +- **device_sample_rate** A number representing how often the device sends telemetry, expressed as a percentage. Low values indicate that device sends more events and high values indicate that device sends fewer events. The value is rounded to 5 significant figures for privacy reasons and if an error is hit in getting the device sample number value from the registry then this will be -1; and if client is not on a UTC-enabled platform, then this value will not be set. - **Etag** Etag is an identifier representing all service applied configurations and experiments for the current browser session. This field is left empty when Windows diagnostic level is set to Basic or lower or when consent for diagnostic data has been denied. - **EventInfo.Level** The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full. -- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol for more details on this policy. +- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See [Microsoft Edge - Policies](/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol) for more details on this policy. - **install_date** The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour. - **installSource** An enumeration representing the source of this installation: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13). - **installSourceName** A string representation of the installation source. @@ -5391,9 +5526,10 @@ The following fields are available: - **container_client_id** The client ID of the container, if in WDAG mode. This will be different from the UMA log client ID, which is the client ID of the host in WDAG mode. - **container_localId** If the device is using Windows Defender Application Guard, this is the Software Quality Metrics (SQM) ID of the container. - **container_session_id** The session ID of the container, if in WDAG mode. This will be different from the UMA log session ID, which is the session ID of the host in WDAG mode. +- **device_sample_rate** A number representing how often the device sends telemetry, expressed as a percentage. Low values indicate that device sends more events and high values indicate that device sends fewer events. The value is rounded to 5 significant figures for privacy reasons and if an error is hit in getting the device sample number value from the registry then this will be -1; and if client is not on a UTC-enabled platform, then this value will not be set. - **Etag** Etag is an identifier representing all service applied configurations and experiments for the current browser session. This field is left empty when Windows diagnostic level is set to Basic or lower or when consent for diagnostic data has been denied. - **EventInfo.Level** The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full. -- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol for more details on this policy. +- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See [Microsoft Edge - Policies](/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol) for more details on this policy. - **install_date** The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour. - **installSource** An enumeration representing the source of this installation: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13). - **installSourceName** A string representation of the installation source. @@ -5423,9 +5559,10 @@ The following fields are available: - **ConnectionType** The first reported type of network connection currently connected. This can be one of Unknown, Ethernet, WiFi, 2G, 3G, 4G, None, or Bluetooth. - **container_client_id** The client ID of the container, if in WDAG mode. This will be different from the UMA log client ID, which is the client ID of the host in WDAG mode. - **container_session_id** The session ID of the container, if in WDAG mode. This will be different from the UMA log session ID, which is the session ID of the host in WDAG mode. +- **device_sample_rate** A number representing how often the device sends telemetry, expressed as a percentage. Low values indicate that device sends more events and high values indicate that device sends fewer events. The value is rounded to 5 significant figures for privacy reasons and if an error is hit in getting the device sample number value from the registry then this will be -1; and if client is not on a UTC-enabled platform, then this value will not be set. - **Etag** Etag is an identifier representing all service applied configurations and experiments for the current browser session. This field is left empty when Windows diagnostic level is set to Basic or lower or when consent for diagnostic data has been denied. - **EventInfo.Level** The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full. -- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol for more details on this policy. +- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See [Microsoft Edge - Policies](/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol) for more details on this policy. - **install_date** The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour. - **installSource** An enumeration representing the source of this installation: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13). - **installSourceName** A string representation of the installation source. @@ -5456,10 +5593,13 @@ The following fields are available: - **appConsentState** Bit flags describing the diagnostic data disclosure and response flow where 1 indicates the affirmative and 0 indicates the negative or unspecified data. Bit 1 indicates consent was given, bit 2 indicates data originated from the download page, bit 18 indicates choice for sending data about how the browser is used, and bit 19 indicates choice for sending data about websites visited. - **appDayOfInstall** The date-based counting equivalent of appInstallTimeDiffSec (the numeric calendar day that the app was installed on). This value is provided by the server in the response to the first request in the installation flow. The client MAY fuzz this value to the week granularity (e.g. send '0' for 0 through 6, '7' for 7 through 13, etc.). The first communication to the server should use a special value of '-1'. A value of '-2' indicates that this value is not known. Please see the wiki for additional information. Default: '-2'. - **appExperiments** A key/value list of experiment identifiers. Experiment labels are used to track membership in different experimental groups, and may be set at install or update time. The experiments string is formatted as a semicolon-delimited concatenation of experiment label strings. An experiment label string is an experiment Name, followed by the '=' character, followed by an experimental label value. For example: 'crdiff=got_bsdiff;optimized=O3'. The client should not transmit the expiration date of any experiments it has, even if the server previously specified a specific expiration date. Default: ''. +- **appInstallTime** The product install time in seconds. '0' if unknown. Default: '-1'. - **appInstallTimeDiffSec** The difference between the current time and the install date in seconds. '0' if unknown. Default: '-1'. - **appLang** The language of the product install, in IETF BCP 47 representation. Default: ''. +- **appLastLaunchTime** The time when browser was last launched. - **appNextVersion** The version of the app that the update flow to which this event belongs attempted to reach, regardless of the success or failure of the update operation. Please see the wiki for additional information. Default: '0.0.0.0'. - **appPingEventAppSize** The total number of bytes of all downloaded packages. Default: '0'. +- **appPingEventDoneBeforeOOBEComplete** Indicates whether the install or update was completed before Windows Out of the Box Experience ends. 1 means event completed before OOBE finishes; 0 means event was not completed before OOBE finishes; -1 means the field does not apply. - **appPingEventDownloadMetricsCdnCCC** ISO 2 character country code that matches to the country updated binaries are delivered from. E.g.: US. - **appPingEventDownloadMetricsCdnCID** Numeric value used to internally track the origins of the updated binaries. For example, 2. - **appPingEventDownloadMetricsDownloadedBytes** For events representing a download, the number of bytes expected to be downloaded. For events representing an entire update flow, the sum of all such expected bytes over the course of the update flow. Default: '0'. @@ -5476,9 +5616,11 @@ The following fields are available: - **appPingEventExtraCode1** Additional numeric information about the operation's result, encoded as a signed, base-10 integer. Default: '0'. - **appPingEventInstallTimeMs** For events representing an install, the time elapsed between the start of the install and the end of the install, in milliseconds. For events representing an entire update flow, the sum of all such durations. Sent in events that have an event type of '2' and '3' only. Default: '0'. - **appPingEventNumBytesDownloaded** The number of bytes downloaded for the specified application. Default: '0'. +- **appPingEventPackageCacheResult** Indicates whether there is an existing package cached in the system to update or install. 1 means that there's a cache hit under the expected key; 2 means there's a cache hit under a different key; 0 means that there's a cache miss; -1 means the field does not apply. - **appPingEventSequenceId** An id that uniquely identifies particular events within one requestId. Since a request can contain multiple ping events, this field is necessary to uniquely identify each possible event. - **appPingEventSourceUrlIndex** For events representing a download, the position of the download URL in the list of URLs supplied by the server in a "urls" tag. - **appPingEventUpdateCheckTimeMs** For events representing an entire update flow, the time elapsed between the start of the update check and the end of the update check, in milliseconds. Sent in events that have an event type of '2' and '3' only. Default: '0'. +- **appReferralHash** The hash of the referral code used to install the product. '0' if unknown. Default: '0'. - **appUpdateCheckIsUpdateDisabled** The state of whether app updates are restricted by group policy. True if updates have been restricted by group policy or false if they have not. - **appUpdateCheckTargetVersionPrefix** A component-wise prefix of a version number, or a complete version number suffixed with the $ character. The server should not return an update instruction to a version number that does not match the prefix or complete version number. The prefix is interpreted a dotted-tuple that specifies the exactly-matching elements; it is not a lexical prefix (for example, '1.2.3' must match '1.2.3.4' but must not match '1.2.34'). Default: ''. - **appUpdateCheckTtToken** An opaque access token that can be used to identify the requesting client as a member of a trusted-tester group. If non-empty, the request should be sent over SSL or another secure protocol. Default: ''. @@ -5537,9 +5679,10 @@ The following fields are available: - **ConnectionType** The first reported type of network connection currently connected. This can be one of Unknown, Ethernet, WiFi, 2G, 3G, 4G, None, or Bluetooth. - **container_client_id** The client ID of the container, if in WDAG mode. This will be different from the UMA log client ID, which is the client ID of the host in WDAG mode. - **container_session_id** The session ID of the container, if in WDAG mode. This will be different from the UMA log session ID, which is the session ID of the host in WDAG mode. +- **device_sample_rate** A number representing how often the device sends telemetry, expressed as a percentage. Low values indicate that device sends more events and high values indicate that device sends fewer events. The value is rounded to 5 significant figures for privacy reasons and if an error is hit in getting the device sample number value from the registry then this will be -1; and if client is not on a UTC-enabled platform, then this value will not be set. - **Etag** Etag is an identifier representing all service applied configurations and experiments for the current browser session. This field is left empty when Windows diagnostic level is set to Basic or lower or when consent for diagnostic data has been denied. - **EventInfo.Level** The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full. -- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol for more details on this policy. +- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See [Microsoft Edge - Policies](/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol) for more details on this policy. - **install_date** The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour. - **installSource** An enumeration representing the source of this installation: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13). - **installSourceName** A string representation of the installation source. @@ -5772,7 +5915,7 @@ The following fields are available: - **SourceOSVersion** The source version of the operating system. -## ONNX runtime events +## Other events ### Microsoft.ML.ONNXRuntime.ProcessInfo @@ -5798,6 +5941,402 @@ The following fields are available: - **totalRunDuration** Total running/evaluation time from last time. - **totalRuns** Total number of running/evaluation from last time. + +### Microsoft.Surface.Battery.Prod.BatteryInfoEvent + +This event includes the hardware level data about battery performance. The data collected with this event is used to help keep Windows products and services performing properly. + +The following fields are available: + +- **batteryData** Hardware level data about battery performance. +- **batteryData.data()** Battery performance data. +- **BatteryDataSize:** Size of the battery performance data. +- **batteryInfo.data()** Battery performance data. +- **BatteryInfoSize:** Battery performance data. +- **pszBatteryDataXml** Battery performance data. +- **szBatteryInfo** Battery performance data. + + +### Microsoft.Windows.UpdateHealthTools.ExpediteBlocked + +This event indicates that an update detection has occurred and the targeted install has been blocked. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** A correlation vector. +- **ExpeditePolicyId** The policy id of the expedite request. +- **ExpediteUpdaterOfferedUpdateId** An Update Id of the LCU expected to be expedited +- **ExpediteUpdatesInProgress** A list of update IDs in progress. +- **ExpediteUsoCorrelationVector** The correlation vector for the current USO session. +- **ExpediteUsoLastError** The last error returned by USO +- **GlobalEventCounter** Counts the number of events for this provider. +- **PackageVersion** The package version of the label. + + +### Microsoft.Windows.UpdateHealthTools.ExpediteCompleted + +This event indicates that the update has been completed. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** A correlation vector. +- **ExpeditePolicyId** The policy Id of the expedite request. +- **ExpediteUpdaterOfferedUpdateId** The Update Id of the LCU expected to be expedited. +- **ExpediteUpdatesInProgress** The list of update IDs in progress. +- **ExpediteUsoCorrelationVector** The correlation vector for the current USO session. +- **ExpediteUsoLastError** The last error returned by USO. +- **GlobalEventCounter** Counts the number of events for this provider. +- **PackageVersion** The package version of the label. + + +### Microsoft.Windows.UpdateHealthTools.ExpediteDetectionStarted + +This event indicates that the detection phase of USO has started. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** Correlation vector. +- **ExpeditePolicyId** The policy ID of the expedite request. +- **ExpediteUpdaterOfferedUpdateId** UpdateId of the LCU expected to be expedited. +- **ExpediteUpdatesInProgress** List of update IDs in progress. +- **ExpediteUsoCorrelationVector** The correlation vector for the current USO session. +- **ExpediteUsoLastError** The last error returned by USO. +- **GlobalEventCounter** Counts the number of events for this provider. +- **PackageVersion** The package version label. + + +### Microsoft.Windows.UpdateHealthTools.ExpediteDownloadStarted + +This event indicates that the download phase of USO has started. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** A correlation vector. +- **ExpeditePolicyId** The policy Id of the expedite request. +- **ExpediteUpdaterOfferedUpdateId** Update Id of the LCU expected to be expedited. +- **ExpediteUpdatesInProgress** A list of update IDs in progress. +- **ExpediteUsoCorrelationVector** The correlation vector for the current USO session. +- **ExpediteUsoLastError** The last error returned by USO. +- **GlobalEventCounter** Counts the number of events for this provider. +- **PackageVersion** The package version label. + + +### Microsoft.Windows.UpdateHealthTools.ExpediteInstallStarted + +This event indicates that the install phase of USO has started. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** Correlation vector. +- **ExpeditePolicyId** The policy ID of the expedite request. +- **ExpediteUpdaterOfferedUpdateId** UpdateId of the LCU expected to be expedited. +- **ExpediteUpdatesInProgress** List of update IDs in progress. +- **ExpediteUsoCorrelationVector** The correlation vector for the current USO session. +- **ExpediteUsoLastError** The last error returned by USO. +- **GlobalEventCounter** Counts the number of events for this provider. +- **PackageVersion** The package version label. + + +### Microsoft.Windows.UpdateHealthTools.ExpediteUpdaterAlreadyExpectedUbr + +This event indicates that the device is already on the expected UBR. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** Correlation vector. +- **ExpediteErrorBitMap** Bit map value for any error code. +- **ExpeditePolicyId** The policy id of the expedite request. +- **ExpediteResult** Boolean value for success or failure. +- **ExpediteUpdaterCurrentUbr** The ubr of the device. +- **ExpediteUpdaterExpectedUbr** The expected ubr of the device. +- **ExpediteUpdaterOfferedUpdateId** Update Id of the LCU expected to be expedited. +- **ExpediteUpdaterPolicyRestoreResult** HRESULT of the policy restore. +- **GlobalEventCounter** Counts the number of events for this provider. +- **PackageVersion** The package version label. + + +### Microsoft.Windows.UpdateHealthTools.ExpediteUpdaterFailedToUpdateToExpectedUbr + +This event indicates the expected UBR of the device. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** Correlation vector. +- **ExpediteErrorBitMap** Bit map value for any error code. +- **ExpeditePolicyId** The policy ID of the expedite request. +- **ExpediteResult** Boolean value for success or failure. +- **ExpediteUpdaterOfferedUpdateId** UpdateId of the LCU expected to be expedited. +- **ExpediteUpdaterPolicyRestoreResult** HRESULT of the policy restore. +- **GlobalEventCounter** Counts the number of events for this provider. +- **PackageVersion** The package version label. + + +### Microsoft.Windows.UpdateHealthTools.ExpediteUpdaterRebootComplete + +This event indicates that the expedite update is completed with reboot. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** Correlation vector. +- **ExpeditePolicyId** The policy id of the expedite request. +- **ExpediteResult** Boolean value for success or failure. +- **ExpediteUpdaterCurrentUbr** The ubr of the device. +- **ExpediteUpdaterOfferedUpdateId** Update Id of the LCU expected to be expedited. +- **ExpediteUpdaterPolicyRestoreResult** HRESULT of the policy restore. +- **ExpediteUpdatesInProgress** Comma delimited list of updates in progress. +- **ExpediteUsoCorrelationVector** The current USO correlation vector as surfaced from the USO store. +- **ExpediteUsoLastError** The last error as surfaced from the USO store. +- **GlobalEventCounter** Counts the number of events for this provider. +- **PackageVersion** The package version label. + + +### Microsoft.Windows.UpdateHealthTools.ExpediteUpdaterRebootRequired + +This event indicates that the device has finished servicing and a reboot is required. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** Correlation vector. +- **ExpeditePolicyId** The policy ID of the expedite request. +- **ExpediteUpdaterOfferedUpdateId** UpdateId of the LCU expected to be expedited. +- **ExpediteUpdatesInProgress** Comma delimited list of update IDs currently being offered. +- **ExpediteUsoCorrelationVector** The correlation vector from the USO session. +- **ExpediteUsoLastError** Last HResult from the current USO session. +- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. +- **PackageVersion** Current package version of UpdateHealthTools. + + +### Microsoft.Windows.UpdateHealthTools.ExpediteUpdaterScanCompleted + +This event sends results of the expedite USO scan. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** Correlation vector. +- **ExpediteCbsServicingInProgressStatus** True if servicing is in progress in cbs for the device. +- **ExpediteErrorBitMap** Bit map value for any error code. +- **ExpeditePolicyId** The policy ID of the expedite request. +- **ExpediteResult** Boolean value for success or failure. +- **ExpediteScheduledTaskCreated** Indicates whether the scheduled task was created (true/false). +- **ExpediteScheduledTaskHresult** HRESULT for scheduled task creation. +- **ExpediteUpdaterCurrentUbr** The UBR of the device. +- **ExpediteUpdaterExpectedUbr** The expected UBR of the device. +- **ExpediteUpdaterMonitorResult** HRESULT of the USO monitoring. +- **ExpediteUpdaterOfferedUpdateId** UpdateId of the LCU expected to be expedited. +- **ExpediteUpdaterScanResult** HRESULT of the expedite USO scan. +- **ExpediteUpdaterUsoResult** HRESULT of the USO initialization and resume API calls. +- **ExpediteUsoCorrelationVector** The correlation vector for the current USO session. +- **ExpediteUsoLastError** The last error returned by USO. +- **GlobalEventCounter** Counts the number of events for this provider. +- **PackageVersion** The package version label. +- **UsoFrequencyKey** Indicates whether the USO frequency key was found on the device (true/false). + + +### Microsoft.Windows.UpdateHealthTools.ExpediteUpdaterScanStarted + +This event sends telemetry that USO scan has been started. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** Correlation vector. +- **ExpediteErrorBitMap** Bit map value for any error code. +- **ExpediteHoursOfUpTimeSincePolicy** The number of hours the device has been active since it received a policy. +- **ExpeditePolicyId** The policy Id of the expedite request. +- **ExpediteResult** Boolean value for success or failure. +- **ExpediteUpdaterCurrentUbr** The UBR of the device. +- **ExpediteUpdaterExpectedUbr** The expected UBR of the device. +- **ExpediteUpdaterOfferedUpdateId** UpdateId of the LCU expected to be expedited. +- **ExpediteUpdaterUsoIntiatedScan** True when USO scan has been called. +- **ExpediteUsoCorrelationVector** The correlation vector for the current USO session. +- **ExpediteUsoLastError** The last error returned by USO. +- **GlobalEventCounter** Counts the number of events for this provider. +- **PackageVersion** The package version label. +- **UsoFrequencyKey** Indicates whether the USO frequency key was found on the device (true/false). + + +### Microsoft.Windows.UpdateHealthTools.UnifiedInstallerEnd + +This event indicates that the unified installer has completed. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** Correlation vector. +- **GlobalEventCounter** The event counter for telemetry events on the device for currency tools. +- **PackageVersion** The package version label for currency tools. +- **UnifiedInstallerInstallResult** The final result code for the unified installer. +- **UnifiedInstallerPlatformResult** The result code from determination of the platform type. +- **UnifiedInstallerPlatformType** The enum indicating the platform type. + + +### Microsoft.Windows.UpdateHealthTools.UnifiedInstallerStart + +This event indicates that the installation has started for the unified installer. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** The correlation vector. +- **GlobalEventCounter** Counts the events at the global level for telemetry. +- **PackageVersion** The package version for currency tools. +- **UnifiedInstallerDeviceAADJoinedHresult** The result code after checking if device is AAD joined. +- **UnifiedInstallerDeviceInDssPolicy** Boolean indicating whether the device is found to be in a DSS policy. +- **UnifiedInstallerDeviceInDssPolicyHresult** The result code for checking whether the device is found to be in a DSS policy. +- **UnifiedInstallerDeviceIsAADJoined** Boolean indicating whether a device is AADJ. +- **UnifiedInstallerDeviceIsAdJoined** Boolean indicating whether a device is AD joined. +- **UnifiedInstallerDeviceIsAdJoinedHresult** The result code for checking whether a device is AD joined. +- **UnifiedInstallerDeviceIsEducationSku** Boolean indicating whether a device is Education SKU. +- **UnifiedInstallerDeviceIsEducationSkuHresult** The result code from checking whether a device is Education SKU. +- **UnifiedInstallerDeviceIsEnterpriseSku** Boolean indicating whether a device is Enterprise SKU. +- **UnifiedInstallerDeviceIsEnterpriseSkuHresult** The result code from checking whether a device is Enterprise SKU. +- **UnifiedInstallerDeviceIsHomeSku** Boolean indicating whether a device is Home SKU. +- **UnifiedInstallerDeviceIsHomeSkuHresult** The result code from checking whether device is Home SKU. +- **UnifiedInstallerDeviceIsMdmManaged** Boolean indicating whether a device is MDM managed. +- **UnifiedInstallerDeviceIsMdmManagedHresult** The result code from checking whether a device is MDM managed. +- **UnifiedInstallerDeviceIsProSku** Boolean indicating whether a device is Pro SKU. +- **UnifiedInstallerDeviceIsProSkuHresult** The result code from checking whether a device is Pro SKU. +- **UnifiedInstallerDeviceIsSccmManaged** Boolean indicating whether a device is SCCM managed. +- **UnifiedInstallerDeviceIsSccmManagedHresult** The result code from checking whether a device is SCCM managed. +- **UnifiedInstallerDeviceWufbManaged** Boolean indicating whether a device is Wufb managed. +- **UnifiedInstallerDeviceWufbManagedHresult** The result code from checking whether a device is Wufb managed. +- **UnifiedInstallerPlatformResult** The result code from checking what platform type the device is. +- **UnifiedInstallerPlatformType** The enum indicating the type of platform detected. +- **UnifiedInstUnifiedInstallerDeviceIsHomeSkuHresultllerDeviceIsHomeSku** The result code from checking whether a device is Home SKU. + + +### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsBlobNotificationRetrieved + +This event is sent when a blob notification is received. The data collected with this event is used to help keep Windows up to date and secure. + +The following fields are available: + +- **CV** Correlation vector. +- **GlobalEventCounter** Counts the number of events for this provider. +- **PackageVersion** The package version of the label. +- **UpdateHealthToolsBlobNotificationNotEmpty** True if the blob notification is not empty. + + +### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsDeviceInformationUploaded + +This event is received when the UpdateHealthTools service uploads device information. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** Correlation vector. +- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. +- **PackageVersion** Current package version of remediation. +- **UpdateHealthToolsDeviceUbrChanged** 1 if the Ubr just changed, 0 otherwise. +- **UpdateHealthToolsDeviceUri** The URI to be used for push notifications on this device. + + +### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsDeviceInformationUploadFailed + +This event provides information for device which failed to upload the details. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** Correlation vector. +- **GlobalEventCounter** Telemetry event counter. +- **PackageVersion** Version label of the package sending telemetry. +- **UpdateHealthToolsEnterpriseActionResult** Result of running the tool expressed as an HRESULT. + + +### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsPushNotificationCompleted + +This event is received when a push notification has been completed by the UpdateHealthTools service. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** Correlation vector. +- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. +- **PackageVersion** Current package version of UpdateHealthTools. +- **UpdateHealthToolsEnterpriseActionResult** The HRESULT return by the enterprise action. +- **UpdateHealthToolsEnterpriseActionType** Enum describing the type of action requested by the push. + + +### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsPushNotificationReceived + +This event is received when the UpdateHealthTools service receives a push notification. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** Correlation vector. +- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. +- **PackageVersion** Current package version of UpdateHealthTools. +- **UpdateHealthToolsDeviceUri** The URI to be used for push notifications on this device. +- **UpdateHealthToolsEnterpriseActionType** Enum describing the type of action requested by the push. +- **UpdateHealthToolsPushCurrentChannel** The channel used to receive notification. +- **UpdateHealthToolsPushCurrentRequestId** The request ID for the push. +- **UpdateHealthToolsPushCurrentResults** The results from the push request. +- **UpdateHealthToolsPushCurrentStep** The current step for the push notification. + + +### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsPushNotificationStatus + +This event is received when there is status on a push notification. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** Correlation vector. +- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. +- **PackageVersion** Current package version of UpdateHealthTools. +- **UpdateHealthToolsDeviceUri** The URI to be used for push notifications on this device. +- **UpdateHealthToolsEnterpriseActionType** Enum describing the type of action requested by the push. +- **UpdateHealthToolsPushCurrentRequestId** The request ID for the push. +- **UpdateHealthToolsPushCurrentResults** The results from the push request. +- **UpdateHealthToolsPushCurrentStep** The current step for the push notification + + +### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsServiceBlobDocumentDetails + +The event indicates the details about the blob used for update health tools. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** A correlation vector. +- **GlobalEventCounter** This is a client side counter which indicates ordering of events sent by the user. +- **PackageVersion** The package version of the label. +- **UpdateHealthToolsDevicePolicyFileName** The default name of the policy blob file. +- **UpdateHealthToolsDssDeviceApiSegment** The URI segment for reading the DSS device pointer. +- **UpdateHealthToolsDssDeviceId** The AAD ID of the device used to create the device ID hash. +- **UpdateHealthToolsDssDevicePolicyApiSegment** The segment of the device policy API pointer. +- **UpdateHealthToolsDssTenantId** The tenant id of the device used to create the tenant id hash. +- **UpdateHealthToolsHashedDeviceId** The SHA256 hash of the device id. +- **UpdateHealthToolsHashedTenantId** The SHA256 hash of the device tenant id. + + +### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsServiceBlockedByNoDSSJoin + +The event is sent when the device is not joined to AAD. The data collected with this event is used to help keep Windows up to date and secure. + +The following fields are available: + +- **CV** Correlation vector. +- **GlobalEventCounter** The global event counter counts the total events for the provider. +- **PackageVersion** The version for the current package. +- **UpdateHealthToolsServiceBlockedByNoDSSJoinHr** The result code returned when checking for WUFB cloud membership. + + +### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsServiceIsDSSJoin + +This event is sent when a device has been detected as DSS device. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** A correlation vector. +- **GlobalEventCounter** This is a client side counter which indicates ordering of events sent by this user. +- **PackageVersion** The package version of the label. + + +### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsServiceStarted + +This event is sent when the service first starts. It is a heartbeat indicating that the service is available on the device. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** Correlation vector. +- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. +- **PackageVersion** Current package version of remediation. + + ## Privacy consent logging events ### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted @@ -6487,21 +7026,6 @@ The following fields are available: ## Surface events -### Microsoft.Surface.Battery.Prod.BatteryInfoEvent - -This event includes the hardware level data about battery performance. The data collected with this event is used to help keep Windows products and services performing properly. - -The following fields are available: - -- **batteryData** Hardware level data about battery performance. -- **batteryData.data()** Battery performance data. -- **BatteryDataSize:** Size of the battery performance data. -- **batteryInfo.data()** Battery performance data. -- **BatteryInfoSize:** Battery performance data. -- **pszBatteryDataXml** Battery performance data. -- **szBatteryInfo** Battery performance data. - - ### Microsoft.Surface.Health.Binary.Prod.McuHealthLog This event collects information to keep track of health indicator of the built-in micro controller. For example, the number of abnormal shutdowns due to power issues during boot sequence, type of display panel attached to base, thermal indicator, throttling data in hardware etc. The data collected with this event is used to help keep Windows secure and performing properly. @@ -6899,7 +7423,7 @@ The following fields are available: - **ScenarioId** Indicates the update scenario. - **SessionId** Unique value for each update attempt. - **UpdateId** Unique ID for each update. -- **Version** Version of update. +- **Version** Version of update ### Update360Telemetry.UpdateAgentOneSettings @@ -9032,6 +9556,7 @@ The following fields are available: - **hrInteractionHandler** The error (if any) reported by the RUXIM Interaction Handler while processing the interaction campaign. - **hrScheduler** The error (if any) encountered by RUXIM Interaction Campaign Scheduler itself while processing the interaction campaign. - **InteractionCampaignID** The ID of the interaction campaign that was processed. +- **LanguageCode** The language used to display the interaction campaign. - **ResultId** The result of the evaluation/presentation. - **WasCompleted** True if the interaction campaign is complete. - **WasPresented** True if the Interaction Handler displayed the interaction campaign to the user. @@ -9058,6 +9583,7 @@ This event is sent when RUXIM completes checking with OneSettings to retrieve an The following fields are available: +- **ETagValue** eTag for sync. - **hrInitialize** Error, if any, that occurred while initializing OneSettings. - **hrQuery** Error, if any, that occurred while retrieving UX interaction campaign data from OneSettings. @@ -9068,6 +9594,27 @@ This event is sent when RUXIM begins checking with OneSettings to retrieve any U +### Microsoft.Windows.WindowsUpdate.RUXIM.IHBeginPresentation + +This event is generated when RUXIM is about to present an interaction campaign to the user. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **InteractionCampaignID** GUID identifying interaction campaign being presented. + + +### Microsoft.Windows.WindowsUpdate.RUXIM.IHEndPresentation + +This event is generated when Interaction Handler completes presenting an interaction campaign to the user. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **hrPresentation** Error, if any, occurring during the presentation. +- **InteractionCampaignID** GUID identifying the interaction campaign being presented. +- **ResultId** Result generated by the presentation. +- **WasCompleted** True if the interaction campaign is now considered complete. + + ### Microsoft.Windows.WindowsUpdate.RUXIM.IHEvaluateAndPresent This event is generated when the RUXIM Interaction Handler finishes evaluating, and possibly presenting an interaction campaign. The data collected with this event is used to help keep Windows up to date and performing properly. @@ -9112,384 +9659,6 @@ The following fields are available: - **NodeEvaluationData** Structure showing the results of individual checks that occurred during the overall evaluation. - **Result** Overall result generated by the evaluation. -### Microsoft.Windows.UpdateHealthTools.ExpediteBlocked - -This event indicates that an update detection has occurred and the targeted install has been blocked. The data collected with this event is used to help keep Windows secure and up to date. - -The following fields are available: - -- **CV** A correlation vector. -- **ExpeditePolicyId** The policy id of the expedite request. -- **ExpediteUpdaterOfferedUpdateId** An Update Id of the LCU expected to be expedited -- **ExpediteUpdatesInProgress** A list of update IDs in progress. -- **ExpediteUsoCorrelationVector** The correlation vector for the current USO session. -- **ExpediteUsoLastError** The last error returned by USO -- **GlobalEventCounter** Counts the number of events for this provider. -- **PackageVersion** The package version of the label. - - -### Microsoft.Windows.UpdateHealthTools.ExpediteCompleted - -This event indicates that the update has been completed. The data collected with this event is used to help keep Windows secure and up to date. - -The following fields are available: - -- **CV** A correlation vector. -- **ExpeditePolicyId** The policy Id of the expedite request. -- **ExpediteUpdaterOfferedUpdateId** The Update Id of the LCU expected to be expedited. -- **ExpediteUpdatesInProgress** The list of update IDs in progress. -- **ExpediteUsoCorrelationVector** The correlation vector for the current USO session. -- **ExpediteUsoLastError** The last error returned by USO. -- **GlobalEventCounter** Counts the number of events for this provider. -- **PackageVersion** The package version of the label. - - -### Microsoft.Windows.UpdateHealthTools.ExpediteDetectionStarted - -This event indicates that the detection phase of USO has started. The data collected with this event is used to help keep Windows secure and up to date. - -The following fields are available: - -- **CV** Correlation vector. -- **ExpeditePolicyId** The policy ID of the expedite request. -- **ExpediteUpdaterOfferedUpdateId** UpdateId of the LCU expected to be expedited. -- **ExpediteUpdatesInProgress** List of update IDs in progress. -- **ExpediteUsoCorrelationVector** The correlation vector for the current USO session. -- **ExpediteUsoLastError** The last error returned by USO. -- **GlobalEventCounter** Counts the number of events for this provider. -- **PackageVersion** The package version label. - - -### Microsoft.Windows.UpdateHealthTools.ExpediteDownloadStarted - -This event indicates that the download phase of USO has started. The data collected with this event is used to help keep Windows secure and up to date. - -The following fields are available: - -- **CV** A correlation vector. -- **ExpeditePolicyId** The policy Id of the expedite request. -- **ExpediteUpdaterOfferedUpdateId** Update Id of the LCU expected to be expedited. -- **ExpediteUpdatesInProgress** A list of update IDs in progress. -- **ExpediteUsoCorrelationVector** The correlation vector for the current USO session. -- **ExpediteUsoLastError** The last error returned by USO. -- **GlobalEventCounter** Counts the number of events for this provider. -- **PackageVersion** The package version label. - - -### Microsoft.Windows.UpdateHealthTools.ExpediteInstallStarted - -This event indicates that the install phase of USO has started. The data collected with this event is used to help keep Windows secure and up to date. - -The following fields are available: - -- **CV** Correlation vector. -- **ExpeditePolicyId** The policy ID of the expedite request. -- **ExpediteUpdaterOfferedUpdateId** UpdateId of the LCU expected to be expedited. -- **ExpediteUpdatesInProgress** List of update IDs in progress. -- **ExpediteUsoCorrelationVector** The correlation vector for the current USO session. -- **ExpediteUsoLastError** The last error returned by USO. -- **GlobalEventCounter** Counts the number of events for this provider. -- **PackageVersion** The package version label. - - -### Microsoft.Windows.UpdateHealthTools.ExpediteUpdaterAlreadyExpectedUbr - -This event indicates that the device is already on the expected UBR. The data collected with this event is used to help keep Windows secure and up to date. - -The following fields are available: - -- **CV** Correlation vector. -- **ExpediteErrorBitMap** Bit map value for any error code. -- **ExpeditePolicyId** The policy id of the expedite request. -- **ExpediteResult** Boolean value for success or failure. -- **ExpediteUpdaterCurrentUbr** The ubr of the device. -- **ExpediteUpdaterExpectedUbr** The expected ubr of the device. -- **ExpediteUpdaterOfferedUpdateId** Update Id of the LCU expected to be expedited. -- **ExpediteUpdaterPolicyRestoreResult** HRESULT of the policy restore. -- **GlobalEventCounter** Counts the number of events for this provider. -- **PackageVersion** The package version label. - - -### Microsoft.Windows.UpdateHealthTools.ExpediteUpdaterFailedToUpdateToExpectedUbr - -This event indicates the expected UBR of the device. The data collected with this event is used to help keep Windows secure and up to date. - -The following fields are available: - -- **CV** Correlation vector. -- **ExpediteErrorBitMap** Bit map value for any error code. -- **ExpeditePolicyId** The policy ID of the expedite request. -- **ExpediteResult** Boolean value for success or failure. -- **ExpediteUpdaterOfferedUpdateId** UpdateId of the LCU expected to be expedited. -- **ExpediteUpdaterPolicyRestoreResult** HRESULT of the policy restore. -- **GlobalEventCounter** Counts the number of events for this provider. -- **PackageVersion** The package version label. - - -### Microsoft.Windows.UpdateHealthTools.ExpediteUpdaterRebootComplete - -This event indicates that the expedite update is completed with reboot. The data collected with this event is used to help keep Windows secure and up to date. - -The following fields are available: - -- **CV** Correlation vector. -- **ExpeditePolicyId** The policy id of the expedite request. -- **ExpediteResult** Boolean value for success or failure. -- **ExpediteUpdaterCurrentUbr** The ubr of the device. -- **ExpediteUpdaterOfferedUpdateId** Update Id of the LCU expected to be expedited. -- **ExpediteUpdaterPolicyRestoreResult** HRESULT of the policy restore. -- **ExpediteUpdatesInProgress** Comma delimited list of updates in progress. -- **ExpediteUsoCorrelationVector** The current USO correlation vector as surfaced from the USO store. -- **ExpediteUsoLastError** The last error as surfaced from the USO store. -- **GlobalEventCounter** Counts the number of events for this provider. -- **PackageVersion** The package version label. - - -### Microsoft.Windows.UpdateHealthTools.ExpediteUpdaterRebootRequired - -This event indicates that the device has finished servicing and a reboot is required. The data collected with this event is used to help keep Windows secure and up to date. - -The following fields are available: - -- **CV** Correlation vector. -- **ExpeditePolicyId** The policy ID of the expedite request. -- **ExpediteUpdaterOfferedUpdateId** UpdateId of the LCU expected to be expedited. -- **ExpediteUpdatesInProgress** Comma delimited list of update IDs currently being offered. -- **ExpediteUsoCorrelationVector** The correlation vector from the USO session. -- **ExpediteUsoLastError** Last HResult from the current USO session. -- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. -- **PackageVersion** Current package version of UpdateHealthTools. - - -### Microsoft.Windows.UpdateHealthTools.ExpediteUpdaterScanCompleted - -This event sends results of the expedite USO scan. The data collected with this event is used to help keep Windows secure and up to date. - -The following fields are available: - -- **CV** Correlation vector. -- **ExpediteCbsServicingInProgressStatus** True if servicing is in progress in cbs for the device. -- **ExpediteErrorBitMap** Bit map value for any error code. -- **ExpeditePolicyId** The policy ID of the expedite request. -- **ExpediteResult** Boolean value for success or failure. -- **ExpediteScheduledTaskCreated** Indicates whether the scheduled task was created (true/false). -- **ExpediteScheduledTaskHresult** HRESULT for scheduled task creation. -- **ExpediteUpdaterCurrentUbr** The UBR of the device. -- **ExpediteUpdaterExpectedUbr** The expected UBR of the device. -- **ExpediteUpdaterMonitorResult** HRESULT of the USO monitoring. -- **ExpediteUpdaterOfferedUpdateId** UpdateId of the LCU expected to be expedited. -- **ExpediteUpdaterScanResult** HRESULT of the expedite USO scan. -- **ExpediteUpdaterUsoResult** HRESULT of the USO initialization and resume API calls. -- **ExpediteUsoCorrelationVector** The correlation vector for the current USO session. -- **ExpediteUsoLastError** The last error returned by USO. -- **GlobalEventCounter** Counts the number of events for this provider. -- **PackageVersion** The package version label. -- **UsoFrequencyKey** Indicates whether the USO frequency key was found on the device (true/false). - - -### Microsoft.Windows.UpdateHealthTools.ExpediteUpdaterScanStarted - -This event sends telemetry that USO scan has been started. The data collected with this event is used to help keep Windows secure and up to date. - -The following fields are available: - -- **CV** Correlation vector. -- **ExpediteErrorBitMap** Bit map value for any error code. -- **ExpediteHoursOfUpTimeSincePolicy** The number of hours the device has been active since it received a policy. -- **ExpeditePolicyId** The policy Id of the expedite request. -- **ExpediteResult** Boolean value for success or failure. -- **ExpediteUpdaterCurrentUbr** The UBR of the device. -- **ExpediteUpdaterExpectedUbr** The expected UBR of the device. -- **ExpediteUpdaterOfferedUpdateId** UpdateId of the LCU expected to be expedited. -- **ExpediteUpdaterUsoIntiatedScan** True when USO scan has been called. -- **ExpediteUsoCorrelationVector** The correlation vector for the current USO session. -- **ExpediteUsoLastError** The last error returned by USO. -- **GlobalEventCounter** Counts the number of events for this provider. -- **PackageVersion** The package version label. -- **UsoFrequencyKey** Indicates whether the USO frequency key was found on the device (true/false). - - -### Microsoft.Windows.UpdateHealthTools.UnifiedInstallerEnd - -This event indicates that the unified installer has completed. The data collected with this event is used to help keep Windows secure and up to date. - -The following fields are available: - -- **CV** Correlation vector. -- **GlobalEventCounter** The event counter for telemetry events on the device for currency tools. -- **PackageVersion** The package version label for currency tools. -- **UnifiedInstallerInstallResult** The final result code for the unified installer. -- **UnifiedInstallerPlatformResult** The result code from determination of the platform type. -- **UnifiedInstallerPlatformType** The enum indicating the platform type. - - -### Microsoft.Windows.UpdateHealthTools.UnifiedInstallerStart - -This event indicates that the installation has started for the unified installer. The data collected with this event is used to help keep Windows secure and up to date. - -The following fields are available: - -- **CV** The correlation vector. -- **GlobalEventCounter** Counts the events at the global level for telemetry. -- **PackageVersion** The package version for currency tools. -- **UnifiedInstallerDeviceAADJoinedHresult** The result code after checking if device is AAD joined. -- **UnifiedInstallerDeviceInDssPolicy** Boolean indicating whether the device is found to be in a DSS policy. -- **UnifiedInstallerDeviceInDssPolicyHresult** The result code for checking whether the device is found to be in a DSS policy. -- **UnifiedInstallerDeviceIsAADJoined** Boolean indicating whether a device is AADJ. -- **UnifiedInstallerDeviceIsAdJoined** Boolean indicating whether a device is AD joined. -- **UnifiedInstallerDeviceIsAdJoinedHresult** The result code for checking whether a device is AD joined. -- **UnifiedInstallerDeviceIsEducationSku** Boolean indicating whether a device is Education SKU. -- **UnifiedInstallerDeviceIsEducationSkuHresult** The result code from checking whether a device is Education SKU. -- **UnifiedInstallerDeviceIsEnterpriseSku** Boolean indicating whether a device is Enterprise SKU. -- **UnifiedInstallerDeviceIsEnterpriseSkuHresult** The result code from checking whether a device is Enterprise SKU. -- **UnifiedInstallerDeviceIsHomeSku** Boolean indicating whether a device is Home SKU. -- **UnifiedInstallerDeviceIsHomeSkuHresult** The result code from checking whether device is Home SKU. -- **UnifiedInstallerDeviceIsMdmManaged** Boolean indicating whether a device is MDM managed. -- **UnifiedInstallerDeviceIsMdmManagedHresult** The result code from checking whether a device is MDM managed. -- **UnifiedInstallerDeviceIsProSku** Boolean indicating whether a device is Pro SKU. -- **UnifiedInstallerDeviceIsProSkuHresult** The result code from checking whether a device is Pro SKU. -- **UnifiedInstallerDeviceIsSccmManaged** Boolean indicating whether a device is SCCM managed. -- **UnifiedInstallerDeviceIsSccmManagedHresult** The result code from checking whether a device is SCCM managed. -- **UnifiedInstallerDeviceWufbManaged** Boolean indicating whether a device is Wufb managed. -- **UnifiedInstallerDeviceWufbManagedHresult** The result code from checking whether a device is Wufb managed. -- **UnifiedInstallerPlatformResult** The result code from checking what platform type the device is. -- **UnifiedInstallerPlatformType** The enum indicating the type of platform detected. -- **UnifiedInstUnifiedInstallerDeviceIsHomeSkuHresultllerDeviceIsHomeSku** The result code from checking whether a device is Home SKU. - - -### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsBlobNotificationRetrieved - -This event is sent when a blob notification is received. The data collected with this event is used to help keep Windows up to date and secure. - -The following fields are available: - -- **CV** Correlation vector. -- **GlobalEventCounter** Counts the number of events for this provider. -- **PackageVersion** The package version of the label. -- **UpdateHealthToolsBlobNotificationNotEmpty** True if the blob notification is not empty. - - -### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsDeviceInformationUploaded - -This event is received when the UpdateHealthTools service uploads device information. The data collected with this event is used to help keep Windows secure and up to date. - -The following fields are available: - -- **CV** Correlation vector. -- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. -- **PackageVersion** Current package version of remediation. -- **UpdateHealthToolsDeviceUbrChanged** 1 if the Ubr just changed, 0 otherwise. -- **UpdateHealthToolsDeviceUri** The URI to be used for push notifications on this device. - - -### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsDeviceInformationUploadFailed - -This event provides information for device which failed to upload the details. The data collected with this event is used to help keep Windows secure and up to date. - -The following fields are available: - -- **CV** Correlation vector. -- **GlobalEventCounter** Telemetry event counter. -- **PackageVersion** Version label of the package sending telemetry. -- **UpdateHealthToolsEnterpriseActionResult** Result of running the tool expressed as an HRESULT. - - -### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsPushNotificationCompleted - -This event is received when a push notification has been completed by the UpdateHealthTools service. The data collected with this event is used to help keep Windows secure and up to date. - -The following fields are available: - -- **CV** Correlation vector. -- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. -- **PackageVersion** Current package version of UpdateHealthTools. -- **UpdateHealthToolsEnterpriseActionResult** The HRESULT return by the enterprise action. -- **UpdateHealthToolsEnterpriseActionType** Enum describing the type of action requested by the push. - - -### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsPushNotificationReceived - -This event is received when the UpdateHealthTools service receives a push notification. The data collected with this event is used to help keep Windows secure and up to date. - -The following fields are available: - -- **CV** Correlation vector. -- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. -- **PackageVersion** Current package version of UpdateHealthTools. -- **UpdateHealthToolsDeviceUri** The URI to be used for push notifications on this device. -- **UpdateHealthToolsEnterpriseActionType** Enum describing the type of action requested by the push. -- **UpdateHealthToolsPushCurrentChannel** The channel used to receive notification. -- **UpdateHealthToolsPushCurrentRequestId** The request ID for the push. -- **UpdateHealthToolsPushCurrentResults** The results from the push request. -- **UpdateHealthToolsPushCurrentStep** The current step for the push notification. - - -### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsPushNotificationStatus - -This event is received when there is status on a push notification. The data collected with this event is used to help keep Windows secure and up to date. - -The following fields are available: - -- **CV** Correlation vector. -- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. -- **PackageVersion** Current package version of UpdateHealthTools. -- **UpdateHealthToolsDeviceUri** The URI to be used for push notifications on this device. -- **UpdateHealthToolsEnterpriseActionType** Enum describing the type of action requested by the push. -- **UpdateHealthToolsPushCurrentRequestId** The request ID for the push. -- **UpdateHealthToolsPushCurrentResults** The results from the push request. -- **UpdateHealthToolsPushCurrentStep** The current step for the push notification - - -### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsServiceBlobDocumentDetails - -The event indicates the details about the blob used for update health tools. The data collected with this event is used to help keep Windows secure and up to date. - -The following fields are available: - -- **CV** A correlation vector. -- **GlobalEventCounter** This is a client side counter which indicates ordering of events sent by the user. -- **PackageVersion** The package version of the label. -- **UpdateHealthToolsDevicePolicyFileName** The default name of the policy blob file. -- **UpdateHealthToolsDssDeviceApiSegment** The URI segment for reading the DSS device pointer. -- **UpdateHealthToolsDssDeviceId** The AAD ID of the device used to create the device ID hash. -- **UpdateHealthToolsDssDevicePolicyApiSegment** The segment of the device policy API pointer. -- **UpdateHealthToolsDssTenantId** The tenant id of the device used to create the tenant id hash. -- **UpdateHealthToolsHashedDeviceId** The SHA256 hash of the device id. -- **UpdateHealthToolsHashedTenantId** The SHA256 hash of the device tenant id. - - -### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsServiceBlockedByNoDSSJoin - -The event is sent when the device is not joined to AAD. The data collected with this event is used to help keep Windows up to date and secure. - -The following fields are available: - -- **CV** Correlation vector. -- **GlobalEventCounter** The global event counter counts the total events for the provider. -- **PackageVersion** The version for the current package. - - -### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsServiceIsDSSJoin - -This event is sent when a device has been detected as DSS device. The data collected with this event is used to help keep Windows secure and up to date. - -The following fields are available: - -- **CV** A correlation vector. -- **GlobalEventCounter** This is a client side counter which indicates ordering of events sent by this user. -- **PackageVersion** The package version of the label. - - -### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsServiceStarted - -This event is sent when the service first starts. It is a heartbeat indicating that the service is available on the device. The data collected with this event is used to help keep Windows secure and up to date. - -The following fields are available: - -- **CV** Correlation vector. -- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. -- **PackageVersion** Current package version of remediation. - ### wilActivity @@ -9712,6 +9881,7 @@ This event is sent when the Update Reserve Manager clears one of the reserves. T The following fields are available: - **FinalReserveUsedSpace** The amount of used space for the reserve after it was cleared. +- **Flags** The context of clearing the reserves. - **InitialReserveUsedSpace** The amount of used space for the reserve before it was cleared. - **ReserveId** The ID of the reserve that needs to be cleared. diff --git a/windows/privacy/changes-to-windows-diagnostic-data-collection.md b/windows/privacy/changes-to-windows-diagnostic-data-collection.md index 826c5527fe..af05ed7135 100644 --- a/windows/privacy/changes-to-windows-diagnostic-data-collection.md +++ b/windows/privacy/changes-to-windows-diagnostic-data-collection.md @@ -1,6 +1,6 @@ --- title: Changes to Windows diagnostic data collection -description: This article provides information on changes to Windows diagnostic data collection Windows 10. +description: This article provides information on changes to Windows diagnostic data collection Windows 10 and Windows 11. keywords: privacy, diagnostic data ms.prod: w10 ms.mktglfcycl: manage @@ -13,34 +13,32 @@ author: dansimp manager: dansimp ms.collection: M365-security-compliance ms.topic: article -ms.date: 07/21/2020 +ms.date: 10/04/2021 --- # Changes to Windows diagnostic data collection **Applies to** -- Windows 10, version 1903 and newer -- The next version of Windows Server +- Windows 11 +- Windows 10, version 1903 and later +- Windows Server 2022 -Microsoft is committed to providing you with effective controls over your data and ongoing transparency into our data handling practices. As part of this effort, we are moving our major products and services to a model where data sent back to Microsoft from customer devices will be classified as either **Required** or **Optional**. We believe this will provide our customers with a simpler experience – information should be easier to find, easier to understand, and easier to act upon through the tools we provide. +Microsoft is committed to providing you with effective controls over your data and ongoing transparency into our data handling practices. As part of this effort, we have moved our major products and services to a model where data sent back to Microsoft from customer devices will be classified as either **Required** or **Optional**. We believe this will provide our customers with a simpler experience – information should be easier to find, easier to understand, and easier to act upon through the tools we provide. This article is meant for IT administrators and explains the changes Windows is making to align to the new data collection taxonomy. These changes are focused in two areas: - [Taxonomy changes](#taxonomy-changes) - [Behavioral changes](#behavioral-changes) -> [!NOTE] -> You can test the behavioral changes now in Windows 10 Insider Preview build 19577 and later. - ## Summary of changes -In Windows 10, version 1903 and newer, you will see taxonomy updates in both the **Out-of-box-experience** (OOBE) and the **Diagnostics & feedback** privacy settings page. These changes are explained in the section named **Taxonomy** changes. +In Windows 10, version 1903 and later, you will see taxonomy updates in both the **Out-of-box-experience** (OOBE) and the **Diagnostics & feedback** privacy settings page. These changes are explained in the section named **Taxonomy** changes. -Additionally, in an upcoming release of Windows 10, we’re simplifying your diagnostic data controls by moving from four diagnostic data controls to three: **Diagnostic data off**, **Required**, and **Optional**. We’re also clarifying the Security diagnostic data level to reflect its behavior more accurately by changing it to **Diagnostic data off**. All these changes are explained in the section named **Behavioral changes**. +Additionally, starting in Windows 11 and Windows Server 2022, we’re simplifying your diagnostic data controls by moving from four diagnostic data controls to three: **Diagnostic data off**, **Required**, and **Optional**. We’re also clarifying the Security diagnostic data level to reflect its behavior more accurately by changing it to **Diagnostic data off**. All these changes are explained in the section named **Behavioral changes**. ## Taxonomy changes -Starting in Windows 10, version 1903 and newer, both the **Out-of-Box-Experience** (OOBE) and the **Diagnostics & feedback** privacy setting pages will reflect the following changes: +Starting in Windows 10, version 1903 and later, both the **Out-of-Box-Experience** (OOBE) and the **Diagnostics & feedback** privacy setting pages will reflect the following changes: - The **Basic** diagnostic data level is being labeled as **Required**. - The **Full** diagnostic data level is being labeled as **Optional**. @@ -50,9 +48,9 @@ Starting in Windows 10, version 1903 and newer, both the **Out-of-Box-Experience ## Behavioral changes -In an upcoming release of Windows 10, we’re simplifying your diagnostic data controls by moving from four diagnostic data controls to three: **Diagnostic data off**, **Required**, and **Optional**. If your devices are set to **Enhanced** when they are upgraded, the device settings will be evaluated to be at the more privacy-preserving setting of **Required diagnostic data**, which means that analytic services that leverage enhanced data collection may not work properly. For a list of services, see [Services that rely on Enhanced diagnostic data](#services-that-rely-on-enhanced-diagnostic-data). Administrators should read through the details and determine whether to apply these new policies to restore the same collection settings as they had before this change. For a list of steps, see [Configure a Windows 11 device to limit crash dumps and logs](#configure-a-windows-11-device-to-limit-crash-dumps-and-logs). For more information on services that rely on Enhanced diagnostic data, see [Services that rely on Enhanced diagnostic data](#services-that-rely-on-enhanced-diagnostic-data). +Starting in Windows 11 and Windows Server 2022, we’re simplifying the Windows diagnostic data controls by moving from four diagnostic data settings to three: **Diagnostic data off**, **Required**, and **Optional**. If your devices are set to **Enhanced** when they are upgraded to a supported version of the operating system, the device settings will be evaluated to be at the more privacy-preserving setting of **Required diagnostic data**, which means that analytic services that leverage enhanced data collection may not work properly. For a list of services, see [Services that rely on Enhanced diagnostic data](#services-that-rely-on-enhanced-diagnostic-data). Administrators should read through the details and determine whether to apply these new policies to restore the same collection settings as they had before this change. -Additionally, you will see the following policy changes in an upcoming release of Windows Holographic, version 21H1 (HoloLens 2), Windows Server 2022 and Windows 11: +Additionally, you will see the following policy changes in Windows Server 2022, Windows 11, and Windows Holographic, version 21H1 (HoloLens 2): | Policy type | Current policy | Renamed policy | | --- | --- | --- | @@ -69,18 +67,7 @@ A final set of changes includes two new policies that can help you fine-tune dia - Group Policy: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > **Limit Diagnostic Log Collection** - MDM policy: System/LimitDiagnosticLogCollection ->[!Important] ->All the changes mentioned in this section will not be released on versions of Windows, version 1809 and earlier as well as Windows Server 2019 and earlier. - -## Configure a Windows 11 device to limit crash dumps and logs - -With the Enhanced diagnostic data level being split out into new policies, we're providing additional controls to manage what types of crash dumps are collected and whether to send additional diagnostic logs. Here are some steps on how to configure them: - -1. Choose to send optional diagnostic data by setting one of the following policies: - - Group Policy: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > **Allow Diagnostic Data**. Set the policy value to **Send optional diagnostic data**. - - MDM: System/AllowTelemetry. Set the policy value to **3**. -2. Enable the following Group Policy: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > **Limit Dump Collection** -3. Enable the following Group Policy: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > **Limit Diagnostic Log Collection** +For more info, see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md). ## Services that rely on Enhanced diagnostic data @@ -93,12 +80,12 @@ The following provides information on the current configurations: ## New Windows diagnostic data processor configuration -**Applies to** -- Windows 10 Edu, Pro, Enterprise editions, version 1809 with July 2021 update and newer +Enterprise customers have an option for controlling their Windows diagnostic data for their Azure Active Directory joined devices. This configuration option is supported on the following versions of Windows: -Enterprise customers will now have a new option for controlling their Windows diagnostic data for their Azure Active Directory joined devices. +- Windows 11 Enterprise, Professional, and Education +- Windows 10, Enterprise, Professional, and Education, version 1809 with at least the July 2021 update. -Previously, enterprise customers had two options in managing their Windows diagnostic data: 1) allow Microsoft to be the [controller](/compliance/regulatory/gdpr#terminology) of that data and responsible for determining the purposes and means of the processing of Windows diagnostic data in order to improve the Windows 10 operating system and deliver analytical services, or 2) turn off diagnostic data flows altogether. +Previously, enterprise customers had two options in managing their Windows diagnostic data: 1) allow Microsoft to be the [controller](/compliance/regulatory/gdpr#terminology) of that data and responsible for determining the purposes and means of the processing of Windows diagnostic data in order to improve the Windows operating system and deliver analytical services, or 2) turn off diagnostic data flows altogether. Now, customers will have a third option that allows them to be the controller for their Windows diagnostic data, while still benefiting from the purposes that this data serves, such as quality of updates and device drivers. Under this approach, Microsoft will act as a data [processor](/compliance/regulatory/gdpr#terminology), processing Windows diagnostic data on behalf of the controller. diff --git a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md index 25b389048a..99c3bb9e74 100644 --- a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md +++ b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md @@ -1,6 +1,6 @@ --- -description: Use this article to make informed decisions about how you can configure diagnostic data in your organization. -title: Configure Windows diagnostic data in your organization (Windows 10) +description: Use this article to make informed decisions about how you can configure Windows diagnostic data in your organization. +title: Configure Windows diagnostic data in your organization (Windows 10 and Windows 11) keywords: privacy ms.prod: w10 ms.mktglfcycl: manage @@ -13,38 +13,40 @@ ms.author: dansimp manager: dansimp ms.collection: M365-security-compliance ms.topic: article -ms.date: 10/13/2020 +ms.date: 10/04/2021 --- # Configure Windows diagnostic data in your organization **Applies to** +- Windows 11 Enterprise +- Windows 11 Education +- Windows 11 Professional - Windows 10 Enterprise - Windows 10 Education - Windows 10 Professional -- Windows Server 2016 and newer +- Windows Server 2016 and later +- Surface Hub +- Hololens -This article applies to Windows 10, Windows Server, Surface Hub, and HoloLens diagnostic data only. It describes the types of diagnostic data sent back to Microsoft and the ways you can manage it within your organization. Microsoft uses the data to quickly identify and address issues affecting its customers. - ->[!IMPORTANT] ->Microsoft is [increasing transparency](https://blogs.microsoft.com/on-the-issues/2019/04/30/increasing-transparency-and-customer-control-over-data/) by categorizing the data we collect as required or optional. Windows 10 is in the process of updating devices to reflect this new categorization, and during this transition Basic diagnostic data will be recategorized as Required diagnostic data and Full diagnostic data will be recategorized as Optional diagnostic data. For more information, see [Changes to Windows diagnostic data](changes-to-windows-diagnostic-data-collection.md). +This topic describes the types of Windows diagnostic data sent back to Microsoft and the ways you can manage it within your organization. Microsoft uses the data to quickly identify and address issues affecting its customers. ## Overview Microsoft collects Windows diagnostic data to solve problems and to keep Windows up to date, secure, and operating properly. It also helps us improve Windows and related Microsoft products and services and, for customers who have turned on the **Tailored experiences** setting, to provide more relevant tips and recommendations to enhance Microsoft and third-party products and services for each customer’s needs. -For more information about how Windows diagnostic data is used, see [Diagnostics, feedback, and privacy in Windows 10](https://support.microsoft.com/help/4468236/diagnostics-feedback-and-privacy-in-windows-10-microsoft-privacy). +For more information about how Windows diagnostic data is used, see [Diagnostics, feedback, and privacy in Windows](https://support.microsoft.com/help/4468236/diagnostics-feedback-and-privacy-in-windows-10-microsoft-privacy). ### Diagnostic data gives users a voice -Diagnostic data gives every user a voice in the operating system’s development and ongoing improvement. It helps us understand how Windows 10 and Windows Server behave in the real world, focus on user priorities, and make informed decisions that benefit both consumer and enterprise customers. The following sections offer real examples of these benefits. +Diagnostic data gives every user a voice in the operating system’s development and ongoing improvement. It helps us understand how Windows behave in the real world, focus on user priorities, and make informed decisions that benefit both consumer and enterprise customers. The following sections offer real examples of these benefits. ### _Improve app and driver quality_ Our ability to collect diagnostic data that drives improvements to Windows and Windows Server helps raise the bar for app and device driver quality. Diagnostic data helps us to quickly identify and fix critical reliability and security issues with apps and device drivers used on Windows. For example, we can identify an app that hangs on devices using a specific version of a video driver, allowing us to work with the app and device driver vendor to quickly fix the issue. The result is less downtime and reduced costs and increased productivity associated with troubleshooting these issues. -For example, in an earlier version of Windows 10 there was a version of a video driver that was crashing on some devices, causing the device to restart. We detected the problem in our diagnostic data, and immediately contacted the third-party developer who builds the video driver. Working with the developer, we provided an updated driver to Windows Insiders within 24 hours. Based on diagnostic data from the Windows Insiders’ devices, we were able to validate the new version of the video driver and rolled it out to the broad public as an update the next day. Diagnostic data helped us find, fix, and resolve this problem in just 48 hours, providing a better user experience and reducing costly support calls. +For example, in an earlier version of Windows there was a version of a video driver that was crashing on some devices, causing the device to restart. We detected the problem in our diagnostic data, and immediately contacted the third-party developer who builds the video driver. Working with the developer, we provided an updated driver to Windows Insiders within 24 hours. Based on diagnostic data from the Windows Insiders’ devices, we were able to validate the new version of the video driver and rolled it out to the broad public as an update the next day. Diagnostic data helped us find, fix, and resolve this problem in just 48 hours, providing a better user experience and reducing costly support calls. ### _Improve end-user productivity_ @@ -54,7 +56,7 @@ Windows diagnostic data also helps Microsoft better understand how customers use - **Cortana.** We use diagnostic data to monitor the scalability of our cloud service, improving search performance. -- **Application switching.** Research and observations from earlier Windows versions showed that people rarely used Alt+Tab to switch between apps. After discussing this with some users, we learned they loved the feature, saying that it would be highly productive, but they did not know about it previously. Based on this, we created the Task View button in Windows 10 to make this feature more discoverable. Later diagnostic data showed significantly higher usage of this feature. +- **Application switching.** Research and observations from earlier Windows versions showed that people rarely used Alt+Tab to switch between apps. After discussing this with some users, we learned they loved the feature, saying that it would be highly productive, but they did not know about it previously. Based on this, we created the Task View button in Windows to make this feature more discoverable. Later diagnostic data showed significantly higher usage of this feature. ## How Microsoft handles diagnostic data @@ -66,7 +68,7 @@ Depending on the diagnostic data settings on the device, diagnostic data can be - Small payloads of structured information referred to as diagnostic data events, managed by the Connected User Experiences and Telemetry component. - - Diagnostic logs for additional troubleshooting, also managed by the Connected User Experience and Telemetry component. + - Diagnostic logs for additional troubleshooting, also managed by the Connected User Experiences and Telemetry component. - Crash reporting and crash dumps, managed by [Windows Error Reporting](/windows/win32/wer/windows-error-reporting). @@ -78,7 +80,7 @@ All diagnostic data is encrypted using Transport Layer Security (TLS) and uses c ### Endpoints -The following table lists the endpoints related to how you can manage the collection and control of diagnostic data. For more information around the endpoints that are used to send data back to Microsoft, see [Manage connection endpoints for Windows 10 Enterprise, version 1903](manage-windows-1903-endpoints.md). +The following table lists the endpoints related to how you can manage the collection and control of diagnostic data. For more information around the endpoints that are used to send data back to Microsoft, see the **Manage connection endpoints** section of the left-hand navigation menu. | Windows service | Endpoint | | - | - | @@ -86,7 +88,7 @@ The following table lists the endpoints related to how you can manage the collec | [Windows Error Reporting](/windows/win32/wer/windows-error-reporting) | watson.telemetry.microsoft.com

      watson.microsoft.com

      umwatsonc.telemetry.microsoft.com

      umwatsonc.events.data.microsoft.com

      *-umwatsonc.events.data.microsoft.com

      ceuswatcab01.blob.core.windows.net

      ceuswatcab02.blob.core.windows.net

      eaus2watcab01.blob.core.windows.net

      eaus2watcab02.blob.core.windows.net

      weus2watcab01.blob.core.windows.net

      weus2watcab02.blob.core.windows.net | |Authentication | login.live.com



      IMPORTANT: This endpoint is used for device authentication. We do not recommend disabling this endpoint.| | [Online Crash Analysis](/windows/win32/dxtecharts/crash-dump-analysis) | oca.telemetry.microsoft.com

      oca.microsoft.com

      kmwatsonc.telemetry.microsoft.com

      *-kmwatsonc.telemetry.microsoft.com | -|Settings | settings-win.data.microsoft.com



      IMPORTANT: This endpoint is used to remotely configure diagnostics-related settings and data collection. For example, we use the settings endpoint to remotely block an event from being sent back to Microsoft. We do not recommend disabling this endpoint. This endpoint does not upload Windows diagnostic data | +|Settings | settings-win.data.microsoft.com



      IMPORTANT: This endpoint is used to remotely configure diagnostics-related settings and data collection. For example, we use the settings endpoint to remotely block an event from being sent back to Microsoft. We do not recommend disabling this endpoint. This endpoint does not upload Windows diagnostic data. | ### Data access @@ -102,7 +104,7 @@ There are four diagnostic data collection settings. Each setting is described in - Diagnostic data off (Security) - Required diagnostic data (Basic) -- Enhanced +- Enhanced (This setting is only available on devices running Windows 10, Windows Server 2016, and Windows Server 2019.) - Optional diagnostic data (Full) Here’s a summary of the types of data that is included with each setting: @@ -111,14 +113,14 @@ Here’s a summary of the types of data that is included with each setting: | --- | --- | --- | --- | --- | | **Diagnostic data events** | No Windows diagnostic data sent. | Minimum data required to keep the device secure, up to date, and performing as expected. | Additional data about the websites you browse, how Windows and apps are used and how they perform, and device activity. The additional data helps Microsoft to fix and improve products and services for all users. | Additional data about the websites you browse, how Windows and apps are used and how they perform. This data also includes data about device activity, and enhanced error reporting that helps Microsoft to fix and improve products and services for all users.| | **Crash Metadata** | N/A | Yes | Yes | Yes | -| **Crash Dumps** | N/A | No | Triage dumps only

      For more information about crash dumps, see [Windows Error Reporting](/windows/win32/wer/windows-error-reporting). | Full memory dumps

      For more information about crash dumps, see [Windows Error Reporting](/windows/win32/wer/windows-error-reporting). | +| **Crash Dumps** | N/A | No | Triage dumps only

      For more information about crash dumps, see [Windows Error Reporting](/windows/win32/wer/windows-error-reporting). | Full and triage memory dumps

      For more information about crash dumps, see [Windows Error Reporting](/windows/win32/wer/windows-error-reporting). | | **Diagnostic logs** | N/A | No | No | Yes | | **Data collection** | N/A | 100% | Sampling applies | Sampling applies | ### Diagnostic data off -This setting was previously labeled as **Security**. When you configure this setting, no Windows diagnostic data is sent from your device. This is only available on Windows Server, Windows 10 Enterprise, and Windows 10 Education. If you choose this setting, devices in your organization will still be secure. +This setting was previously labeled as **Security**. When you configure this setting, no Windows diagnostic data is sent from your device. This is only available on Windows Server, Windows Enterprise, and Windows Education editions. If you choose this setting, devices in your organization will still be secure. >[!NOTE] > If your organization relies on Windows Update, the minimum recommended setting is **Required diagnostic data**. Because no Windows Update information is collected when diagnostic data is off, important information about update failures is not sent. Microsoft uses this information to fix the causes of those failures and improve the quality of our updates. @@ -127,7 +129,7 @@ This setting was previously labeled as **Security**. When you configure this set Required diagnostic data, previously labeled as **Basic**, gathers a limited set of data that’s critical for understanding the device and its configuration. This data helps to identify problems that can occur on a specific hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a specific driver version. -This is the default setting for Windows 10 Education editions, as well as all desktop editions starting with Windows 10, version 1903. +This is the default setting for current releases of Windows, Windows 10, version 1903. Required diagnostic data includes: @@ -157,10 +159,12 @@ Required diagnostic data includes: ### Enhanced diagnostic data ->[!NOTE] ->We’re simplifying your diagnostic data controls by moving from four diagnostic data controls to three: **Diagnostic data off**, **Required**, and **Optional**. making changes to the enhanced diagnostic data level. For more info about this change, see [Changes to Windows diagnostic data](changes-to-windows-diagnostic-data-collection.md). +In Windows 10 and Windows Server 2019, enhanced diagnostic data includes data about the websites you browse, how Windows and apps are used and how they perform, and device activity. The additional data helps Microsoft to fix and improve products and services for all users. -Enhanced diagnostic data includes data about the websites you browse, how Windows and apps are used and how they perform, and device activity. The additional data helps Microsoft to fix and improve products and services for all users. When you choose to send enhanced diagnostic data, required diagnostic data will always be included, and we collect the following additional information: +>[!Important] +>This diagnostic data setting is not available on Windows 11 and Windows Server 2022 and has been replaced with policies that can control the amount of optional diagnostic data that is sent. More information on these settings are available in the **Manage diagnostic data using Group Policy and MDM** section of this topic. + +When you choose to send enhanced diagnostic data, required diagnostic data will always be included, and we collect the following additional information: - Operating system events that help to gain insights into different areas of the operating system, including networking, Hyper-V, Cortana, storage, file system, and other components. @@ -187,7 +191,7 @@ Optional diagnostic data, previously labeled as **Full**, includes more detailed >[!Note] >Crash dumps collected in optional diagnostic data may unintentionally contain personal data, such as portions of memory from a document and a web page. For more information about crash dumps, see [Windows Error Reporting](/windows/win32/wer/windows-error-reporting). -## Manage enterprise diagnostic data +## Manage diagnostic data using Group Policy and MDM Use the steps in this section to configure the diagnostic data settings for Windows and Windows Server in your organization. @@ -214,16 +218,42 @@ You can use Group Policy to set your organization’s diagnostic data setting: 1. From the Group Policy Management Console, go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds**. -2. Double-click **Allow Telemetry**. +2. Double-click **Allow Telemetry** (or **Allow diagnostic data** on Windows 11 and Windows Server 2022). > [!NOTE] - > If devices in your organization are running Windows 10, 1803 and newer, the user can still use Settings to set the diagnostic data setting to a more restrictive value, unless the **Configure diagnostic data opt-in settings user interface** policy is set. + > If devices in your organization are running Windows 10, 1803 and later, the user can still use Settings to set the diagnostic data setting to a more restrictive value, unless the **Configure diagnostic data opt-in settings user interface** policy is set. + +3. In the **Options** box, choose the setting that you want to configure, and then click **OK**. + + +### Use Group Policy to manage optional diagnostic data collection + +The following policy lets you limit the types of [crash dumps](/windows/win32/dxtecharts/crash-dump-analysis) that can be sent back to Microsoft. If this policy is enabled, Windows Error Reporting will send only kernel mini dumps and user mode triage dumps. + +1. From the Group Policy Management Console, go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds**. + +2. Double-click **Limit dump collection**. + +3. In the **Options** box, choose the setting that you want to configure, and then click **OK**. + +You can also limit the number of diagnostic logs that are sent back to Microsoft. If this policy is enabled, diagnostic logs are not sent back to Microsoft. + +1. From the Group Policy Management Console, go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds**. + +2. Double-click **Limit diagnostic log collection**. 3. In the **Options** box, choose the setting that you want to configure, and then click **OK**. ### Use MDM to manage diagnostic data collection -Use [Policy Configuration Service Provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider) to apply the System/AllowTelemetry MDM policy. +Use [Policy Configuration Service Provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider) to apply the following MDM policies: + + - System/AllowTelemetry + - System/LimitDumpCollection + - System/LimitDiagnosticLogCollection + +> [!NOTE] +> The last two policies are only available on Windows 11 and Windows Server 2022. ## Enable Windows diagnostic data processor configuration @@ -231,7 +261,9 @@ The Windows diagnostic data processor configuration enables you to be the contro ### Prerequisites -- The device must have Windows 10 Pro, Education or Enterprise edition, version 1809 with July 2021 update or newer. +- The device must be any of the following releases of Windows: + - Windows 11 Enterprise, Professional, or Education edition + - Windows 10 Enterprise, Education, or Professional edition, version 1809 with July 2021 update or later. - The device must be joined to Azure Active Directory. The diagnostic data setting on the device should be set to Required diagnostic data or higher, and the following endpoints need to be reachable: @@ -295,5 +327,3 @@ For more information about how to limit the diagnostic data to the minimum requi ## Change privacy settings on a single server You can also change the privacy settings on a server running either the Azure Stack HCI operating system or Windows Server. For more information, see [Change privacy settings on individual servers](/azure-stack/hci/manage/change-privacy-settings). - -To manage privacy settings in your enterprise as a whole, see [Manage enterprise diagnostic data](#manage-enterprise-diagnostic-data). \ No newline at end of file diff --git a/windows/privacy/diagnostic-data-viewer-overview.md b/windows/privacy/diagnostic-data-viewer-overview.md index dc9a127179..7818a1c9ef 100644 --- a/windows/privacy/diagnostic-data-viewer-overview.md +++ b/windows/privacy/diagnostic-data-viewer-overview.md @@ -1,5 +1,5 @@ --- -title: Diagnostic Data Viewer Overview (Windows 10) +title: Diagnostic Data Viewer Overview (Windows 10 and Windows 11) description: Use this article to use the Diagnostic Data Viewer application to review the diagnostic data sent to Microsoft by your device. keywords: privacy ms.prod: w10 @@ -21,9 +21,10 @@ ms.reviewer: **Applies to** -- Windows 10, version 1803 and newer +- Windows 10, version 1803 and later and Windows 11 ## Introduction + The Diagnostic Data Viewer is a Windows app that lets you review the Windows diagnostic data your device is sending to Microsoft, grouping the info into simple categories based on how it's used by Microsoft. ## Install and Use the Diagnostic Data Viewer @@ -31,9 +32,11 @@ The Diagnostic Data Viewer is a Windows app that lets you review the Windows dia You must download the app before you can use the Diagnostic Data Viewer to review your device's diagnostic data. ### Turn on data viewing + Before you can use this tool for viewing Windows diagnostic data, you must turn on data viewing in the **Settings** panel. Turning on data viewing lets Windows store your device's diagnostic data until you turn it off. Turning off data viewing stops Windows from collecting your diagnostic data and clears the existing diagnostic data from your device. Note that this setting does not affect your Office data viewing or history. **To turn on data viewing** + 1. Go to **Start**, select **Settings** > **Privacy** > **Diagnostics & feedback**. 2. Under **Diagnostic data**, turn on the **If data viewing is enabled, you can see your diagnostics data** option. @@ -41,21 +44,24 @@ Before you can use this tool for viewing Windows diagnostic data, you must turn ![Location to turn on data viewing.](images/ddv-data-viewing.png) ### Download the Diagnostic Data Viewer + Download the app from the [Microsoft Store Diagnostic Data Viewer](https://www.microsoft.com/store/p/diagnostic-data-viewer/9n8wtrrsq8f7?rtc=1) page. > [!Important] > It's possible that your Windows device doesn't have the Microsoft Store available (for example, Windows Server). If this is the case, see [Diagnostic Data Viewer for PowerShell](./microsoft-diagnosticdataviewer.md). ### Start the Diagnostic Data Viewer + You can start this app from the **Settings** panel. **To start the Diagnostic Data Viewer** + 1. Go to **Start**, select **Settings** > **Privacy** > **Diagnostics & feedback**. 2. Under **Diagnostic data**, select the **Diagnostic Data Viewer** button. ![Location to turn on the Diagnostic Data Viewer.](images/ddv-settings-launch.png)

      -OR-

      - + Go to **Start** and search for _Diagnostic Data Viewer_. 3. Close the Diagnostic Data Viewer app, use your device as you normally would for a few days, and then open Diagnostic Data Viewer again to review the updated list of diagnostic data. @@ -64,18 +70,19 @@ You can start this app from the **Settings** panel. >Turning on data viewing can use up to 1GB (by default) of disk space on your system drive. We strongly recommend that you turn off data viewing when you're done using the Diagnostic Data Viewer. For info about turning off data viewing, see the [Turn off data viewing](#turn-off-data-viewing) section in this article. ### Use the Diagnostic Data Viewer + The Diagnostic Data Viewer provides you with the following features to view and filter your device's diagnostic data. - **View your Windows diagnostic events.** In the left column, you can review your diagnostic events. These events reflect activities that occurred and were sent to Microsoft. Selecting an event opens the detailed JSON view, which provides the exact details uploaded to Microsoft. Microsoft uses this info to continually improve the Windows operating system. - + >[!Important] >Seeing an event does not necessarily mean it has been uploaded yet. It’s possible that some events are still queued and will be uploaded at a later time. ![View your diagnostic events.](images/ddv-event-view.jpg) -- **Search your diagnostic events.** The **Search** box at the top of the screen lets you search amongst all of the diagnostic event details. The returned search results include any diagnostic event that contains the matching text. +- **Search your diagnostic events.** The **Search** box at the top of the screen lets you search amongst all of the diagnostic event details. The returned search results include any diagnostic event that contains the matching text. Selecting an event opens the detailed JSON view, with the matching text highlighted. @@ -83,31 +90,34 @@ The Diagnostic Data Viewer provides you with the following features to view and - **Help to make your Windows experience better.** Microsoft only needs diagnostic data from a small amount of devices to make big improvements to the Windows operating system and ultimately, your experience. If you’re a part of this small device group and you experience issues, Microsoft will collect the associated event diagnostic data, allowing your info to potentially help fix the issue for others. - To signify your contribution, you’ll see this icon (![Icon to review the device-level sampling.](images/ddv-device-sample.png)) if your device is part of the group. In addition, if any of your diagnostic data events are sent from your device to Microsoft to help make improvements, you’ll see this icon (![Icon to review the event-level sampling](images/ddv-event-sample.png)). + To signify your contribution, you’ll see this icon (![Icon to review the device-level sampling.](images/ddv-device-sample.png)) if your device is part of the group. In addition, if any of your diagnostic data events are sent from your device to Microsoft to help make improvements, you’ll see this icon (![Icon to review the event-level sampling](images/ddv-event-sample.png)). - **Provide diagnostic event feedback.** The **Feedback** icon in the upper right corner of the window opens the Feedback Hub app, letting you provide feedback about the Diagnostic Data Viewer and the diagnostic events. Selecting a specific event in the Diagnostic Data Viewer automatically fills in the field in the Feedback Hub. You can add your comments to the box labeled, **Give us more detail (optional)**. - + >[!Important] >All content in the Feedback Hub is publicly viewable. Therefore, make sure you don't put any personal info into your feedback comments. - **View a summary of the data you've shared with us over time.** Available for users on build 19H1+, 'About my data' in Diagnostic Data Viewer lets you see an overview of the Windows data you've shared with Microsoft. Through this feature, you can checkout how much data you send on average each day, the breakdown of your data by category, the top components and services that have sent data, and more. - + >[!Important] >This content is a reflection of the history of Windows data the app has stored. If you'd like to have extended analyses, please modify the storage capacity of Diagnostic Data Viewer. ![Look at an overview of what data you've shared with Microsoft through the 'About my data' page in Diagnostic Data Viewer.](images/ddv-analytics.png) ## View Office Diagnostic Data + By default, Diagnostic Data Viewer shows you Windows data. You can also view Office diagnostic data by enabling the feature in the app settings page. To learn more about how to view Office diagnostic data, please visit this [page](https://go.microsoft.com/fwlink/?linkid=2023830). ## Turn off data viewing + When you're done reviewing your diagnostic data, you should turn of data viewing. This will also remove your Windows data history. Note that this setting does not affect your Office data viewing or history. **To turn off data viewing** + 1. Go to **Start**, select **Settings** > **Privacy** > **Diagnostics & feedback**. 2. Under **Diagnostic data**, turn off the **If data viewing is enabled, you can see your diagnostics data** option. @@ -115,23 +125,25 @@ When you're done reviewing your diagnostic data, you should turn of data viewing ![Location to turn off data viewing.](images/ddv-settings-off.png) ## Modifying the size of your data history -By default, Diagnostic Data Viewer shows you up to 1GB or 30 days of data (whichever comes first) for Windows diagnostic data. Once either the time or space limit is reached, the data is incrementally dropped with the oldest data points dropped first. + +By default, Diagnostic Data Viewer shows you up to 1GB or 30 days of data (whichever comes first) for Windows diagnostic data. Once either the time or space limit is reached, the data is incrementally dropped with the oldest data points dropped first. > [!Important] > Note that if you have [Office diagnostic data viewing enabled](#view-office-diagnostic-data), the Office data history is fixed at 1 GB and cannot be modified. **Modify the size of your data history** - + To make changes to the size of your Windows diagnostic data history, visit the **app settings**, located at the bottom of the navigation menu. Data will be incrementally dropped with the oldest data points first once your chosen size or time limit is reached. > [!Important] > Decreasing the maximum amount of diagnostic data viewable through the tool will remove all data history and requires a reboot of your device. Additionally, increasing the maximum amount of diagnostic data viewable by the tool may come with performance impacts to your machine. ## View additional diagnostic data in the View problem reports tool -Available on Windows 1809 and higher, you can review additional Windows Error Reporting diagnostic data in the **View problem reports** page within the Diagnostic Data Viewer. -This page provides you with a summary of various crash reports that are sent to Microsoft as part of Windows Error Reporting. -We use this data to find and fix specific issues that are hard to replicate and to improve the Windows operating system. +Available on Windows 10 1809 and higher and Windows 11, you can review additional Windows Error Reporting diagnostic data in the **View problem reports** page within the Diagnostic Data Viewer. + +This page provides you with a summary of various crash reports that are sent to Microsoft as part of Windows Error Reporting. +We use this data to find and fix specific issues that are hard to replicate and to improve the Windows operating system. You can also use the Windows Error Reporting tool available in the Control Panel. @@ -139,7 +151,7 @@ You can also use the Windows Error Reporting tool available in the Control Panel Starting with Windows 1809 and higher, you can review Windows Error Reporting diagnostic data in the Diagnostic Data Viewer. -![Starting with Windows 1809 and higher, you can review Windows Error Reporting diagnostic data in the Diagnostic Data Viewer.](images/ddv-problem-reports.png) +![Starting with Windows 1809 and higher and Windows 11, you can review Windows Error Reporting diagnostic data in the Diagnostic Data Viewer.](images/ddv-problem-reports.png) **To view your Windows Error Reporting diagnostic data using the Control Panel** diff --git a/windows/privacy/essential-services-and-connected-experiences.md b/windows/privacy/essential-services-and-connected-experiences.md new file mode 100644 index 0000000000..5ad54e7a9e --- /dev/null +++ b/windows/privacy/essential-services-and-connected-experiences.md @@ -0,0 +1,122 @@ +--- +title: Essential services and connected experiences for Windows +description: Explains what the essential services and connected experiences are for Windows +keywords: privacy, manage connections to Microsoft +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.localizationpriority: high +audience: ITPro +author: siosulli +ms.author: dansimp +manager: dansimp +ms.date: +--- + +# Essential services and connected experiences for Windows + +**Applies to** + +- Windows 11 +- Windows 10, version 1903 and later + +Windows includes features that connect to the internet to provide enhanced experiences and additional service-based capabilities. These features are called connected experiences. For example, Microsoft Defender Antivirus is a connected experience that delivers updated protection to keep the devices in your organization secure. + +When a connected experience is used, data is sent to and processed by Microsoft to provide that connected experience. This data is crucial because this information enables us to deliver these cloud-based connected experiences. We refer to this data as required service data. Required service data can include information related to the operation of the connected experience that is needed to keep the underlying service secure, up to date, and performing as expected. Required service data can also include information needed by a connected experience to perform its task, such as configuration information about Windows. + +The connected experiences you choose to use in Windows will impact what required service data is sent to us. + +Required service data is also collected and sent to Microsoft for essential services. Essential services are used to keep the product **secure, up to date, performing as expected** or are **integral** to how the product works. For example, the licensing service that confirms that you’re properly licensed to use Windows. + +Although enterprise admins can turn off most essential services, we recommend, where applicable, you consider hosting the services on-premises and carefully assess the impact of turning off remaining services. The following list describes the essential services and connected experiences that are available to you in Windows and provides links to further information about each one. + +> [!NOTE] +> The information in this article describes the most common connected experiences and essential services. We will continue to update our list of connected experiences over time as Windows evolves. + +## Windows essential services + +| **Essential service** | **Description** | +| --- | --- | +|Authentication|The authentication service is required to enable sign in to work or school accounts. It validates a user’s identity and provides access to multiple apps and system components like OneDrive and activity history. Using a work or school account to sign in to Windows enables Microsoft to provide a consistent experience across your devices. If the authentication service is turned off, many apps and components may lose functionality and users may not be able to sign in.
      To turn it off, see [Microsoft Account](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#12-microsoft-account).| +|Certificates|Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA), are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates that are publicly known to be fraudulent. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism.
      If automatic updates are turned off, applications and websites may stop working because they did not receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device.
      To turn it off, see [Automatic Root Certificates Update](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update).| +| Services Configuration | Services Configuration is used by Windows components and apps, such as the telemetry service, to dynamically update their configuration. If you turn off this service, apps using this service may stop working.
      To turn it off, see [Services Configuration](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#31-services-configuration).| +| Licensing | Licensing services are used for the activation of Windows, and apps purchased from the Microsoft Store. If you disable the Windows License Manager Service or the Software Protection Platform Service, it may prevent activation of genuine Windows and store applications.
      To turn off licensing services, see [License Manager](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#9-license-manager) and [Software Protection Platform](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#19-software-protection-platform).| +| Networking | Networking in Windows provides connectivity to and from your devices to the local intranet and internet. If you turn off networking, Windows devices will lose network connectivity.
      To turn off Network Adapters, see [Disable-NetAdapter](/powershell/module/netadapter/disable-netadapter).| +| Device setup | The first time a user sets up a new device, the Windows out-of-box experience (OOBE) guides the user through the steps to accept the license agreement, connect to the internet, sign in to (or sign up for) a Microsoft account, and takes care of other important tasks. Most settings can also be changed after setup is completed.
      To customize the initial setup experience, see [Customize Setup](/windows-hardware/customize/desktop/customize-oobe).| +| Diagnostic Data | Microsoft collects diagnostic data including error data about your devices with the help of the telemetry service. Diagnostic data gives every user a voice in the operating system’s development and ongoing improvement. It helps us understand how Windows behaves in the real world, focus on user priorities, find and fix problems, and improve services. This data allows Microsoft to improve the Windows experience. Setting diagnostic data to off means important information to help fix issues and improve quality will not be available to Microsoft.
      To turn it off, see [Telemetry Services](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#1816-feedback--diagnostics).| +| Update | Windows Update ensures devices are kept up to date and secure by downloading the latest updates and security patches for Windows. This service also enables users download apps from the Microsoft Store and keep them up to date. Turning off Windows Update will potentially leave your Windows devices in a vulnerable state and more prone to security threats.
      Other services like Device metadata retrieval and Font streaming also ensure that the content on your devices is kept up to date.
      To turn off updates, see [Windows Update](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#29-windows-update), [Device Metadata Retrieval](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#4-device-metadata-retrieval), and [Font Streaming](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#6-font-streaming).| +| Microsoft Store | Microsoft Store enables users to purchase and download apps, games, and digital content. The Store also enables the developers of these apps to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to store apps in a power-efficient and dependable way. The Store can also revoke malicious apps.
      To turn it off, see [Microsoft Store](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#26-microsoft-store).| + +## Windows connected experiences + +| **Connected experience** | **Description** | +| --- | --- | +|Activity History|Activity History shows a history of activities a user has performed and can even synchronize activities across multiple devices for the same user. Synchronization across devices only works when a user signs in with the same account.
      To turn it off, see [Activity History](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#1822-activity-history). | +|Cloud Clipboard|Cloud Clipboard enables users to copy images and text across all Windows devices when they sign in with the same account. Users can paste from their clipboard history and also pin items.
      To turn it off, see [Cloud Clipboard](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#30-cloud-clipboard). | +| Date and Time | The Windows Time service is used to synchronize and maintain the most accurate date and time on your devices. It's installed by default and starts automatically on devices that are part of a domain. It can be started manually on other devices. If this service is stopped, date and time synchronization will be unavailable and any services that explicitly depend on it will fail to start.
      To turn it off, see [Date and Time](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#3-date--time). | +| Delivery Optimization | Delivery Optimization is a cloud-managed, peer-to-peer client and a downloader service for Windows updates, upgrades, and applications to an organization's networked devices. Delivery Optimization allows devices to download updates from alternate sources, such as other peers on the network, in addition to Microsoft servers. This helps when you have a limited or unreliable Internet connection and reduces the bandwidth needed to keep all your organization's devices up to date.
      If you have Delivery Optimization Peer-to-Peer option turned on, devices on your network may send and receive updates and apps to other devices on your local network, if you choose, or to devices on the Internet. By default, devices running Windows will only use Delivery Optimization to get and receive updates for devices and apps on your local network.
      To turn it off, see [Delivery Optimization](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#28-delivery-optimization). | +| Emojis and more | The Emoji and more menu allows users to insert a variety of content like emoji, kaomoji, GIFs, symbols, and clipboard history. This connected experience is new in Windows 11.
      To turn it off, see [Emojis availability](/windows/client-management/mdm/policy-csp-textinpu.md#textinput-touchkeyboardemojibuttonavailability). | +| Find My Device | Find My Device is a feature that can help users locate their Windows device if it's lost or stolen. This feature only works if a Microsoft account is used to sign in to the device, the user is an administrator on the device, and when location is turned on for the device. Users can find their device by logging in to [https://account.microsoft.com/devices](https://account.microsoft.com/devices) under the Find My Device tab.
      To turn it off, see [Find My Device](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#5-find-my-device). | +| Location services | The device location setting enables certain Windows features such as auto setting the time zone or Find My Device to function properly. When the device location setting is enabled, the Microsoft location service will use a combination of global positioning service (GPS), nearby wireless access points, cell towers, and IP address to determine the device’s location. Depending on the capabilities of the device, its location can be determined with varying degrees of accuracy and may in some cases be determined precisely.
      To turn it off, see [Location services](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#182-location). | +| Microsoft Defender Antivirus | Microsoft Defender Antivirus provides cloud-delivered protection against new and emerging threats for the devices in your organization. Turning off Microsoft Defender Antivirus will potentially leave your Windows devices in a vulnerable state and more prone to security threats.
      To turn it off, see [Microsoft Defender Antivirus](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#bkmk-defender). | +| Microsoft Defender SmartScreen | Microsoft Defender SmartScreen is a feature of Windows, Internet Explorer, and Microsoft Edge. It helps protect users against phishing or malware websites and applications, and the downloading of potentially malicious files. Turning off Microsoft Defender SmartScreen means you cannot block a website or warn users they may be accessing a malicious site.
      To turn it off, see [Microsoft Defender SmartScreen](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#241-microsoft-defender-smartscreen). | +| OneDrive | OneDrive is a cloud storage system that allows you to save your files and photos, and access them from any device, anywhere.
      To turn off OneDrive, see [OneDrive](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#16-onedrive). | +| Troubleshooting Service | Windows troubleshooting service will automatically fix critical issues like corrupt settings that keep critical services from running. The service will also make adjustments to work with your hardware, or make other specific changes required for Windows to operate with the hardware, apps, and settings you’ve selected. In addition, it will recommend troubleshooting for other problems that aren’t critical to normal Windows operation but might impact your experience.
      To turn it off, see [Troubleshooting service](/windows/client-management/mdm/policy-csp-troubleshooting). | +| Voice Typing | Voice typing (also referred to as Windows dictation in earlier versions of Windows) allows users to write text by speaking by using Microsoft’s online speech recognition technology.
      To turn it off, see [Speech recognition](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#186-speech). | +| Windows backup | When settings synchronization is turned on, a user's settings are synced across all Windows devices when they sign in with the same account.
      To turn it off, see [Sync your settings](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#21-sync-your-settings). | +| Windows Dashboard Widgets | Windows Dashboard widget is a dynamic view that shows users personalized content like news, weather, their calendar and to-do list, and recent photos. It provides a quick glance view, which allows users to be productive without needing to go to multiple apps or websites. This connected experience is new in Windows 11. | +| Windows Insider Program | The Windows Insider Preview program lets you help shape the future of Windows, be part of the community, and get early access to builds of Windows. Once you've registered for the program, you can run Insider Preview builds on as many devices as you want, each in the channel of your choice. Learn how to join the Windows Insider program by visiting the program’s [website](https://insider.windows.com/).
      To turn it off, see [Windows Insider Program](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#7-insider-preview-builds). | +| Windows Search | Windows Search lets users use the search box on the taskbar to find what they are looking for, whether it’s on their device, in the cloud, or on the web. Windows Search can provide results for items from the device (including apps, settings, and files), the users account (including OneDrive, SharePoint, and other Microsoft services), and the internet.
      To turn it off, see [Windows Search](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#2-cortana-and-search). | +| Windows Spotlight | Windows Spotlight displays new background images on the lock screen each day. Additionally, it provides feature suggestions, fun facts, and tips on the lock screen background.
      Administrators can turn off Windows Spotlight features to prevent users from using the Windows Spotlight background.
      To turn it off, see [Windows Spotlight](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#25-windows-spotlight). | + +## Microsoft Edge essential services and connected experiences + +Windows ships with Microsoft Edge and Internet Explorer on Windows devices. Microsoft Edge is the default browser and is recommended for the best web browsing experience.
      You can find details on all of Microsoft Edge's connected experiences and essential services [here](/microsoft-edge/privacy-whitepaper). To turn off specific Microsoft Edge feature, see [Microsoft Edge](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#13-microsoft-edge). + +## IE essential services and connected experiences + +Internet Explorer shares many of the Windows essential services listed above. The following table provides more details on the essential services and connected experiences specific to Internet Explorer. + +> [!NOTE] +> Apart from ActiveX Filtering, which is an essential service, all other features listed below are connected experiences.
      To turn off specific connected experiences, see [Internet Explorer](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#8-internet-explorer). + +| **Connected experience** | **Description** | +| --- | --- | +|ActiveX Filtering|ActiveX controls are small apps that allow websites to provide content such as videos and games, and let users interact with controls like toolbars and stock tickers. However, these apps can sometimes malfunction, and in some cases, they might be used to collect information from user devices, install software without a user's agreement, or be used to control a device remotely without a user's permission.
      ActiveX Filtering in Internet Explorer prevents sites from installing and using these apps which, can help keep users safer as they browse, but it can also affect the user experience of certain sites as interactive content might not work when ActiveX Filtering is on.
      Note: To further enhance security, Internet Explorer also allows you to block out-of-date ActiveX controls. | +|Suggested Sites|Suggested Sites is an online experience that recommends websites, images, or videos a user might be interested in. When Suggested Sites is turned on, a user’s web browsing history is periodically sent to Microsoft.| +| Address Bar and Search suggestions | With search suggestions enabled, users will be offered suggested search terms as they type in the Address Bar. As users type information, it will be sent to the default search provider. | +| Auto-complete feature for web addresses | The auto-complete feature suggests possible matches when users are typing web addresses in the browser address bar. | +| Compatibility logging | This feature is designed for use by developers and IT professionals to determine the compatibility of their websites with Internet Explorer. It is disabled by default and needs to be enabled to start logging Internet Explorer events in the Windows Event Viewer. These events describe failures that might have happened on the site and can include information about specific controls and webpages that failed. | +| Compatibility View | Compatibility View helps make websites designed for older browsers look better when viewed in Internet Explorer. The compatibility view setting allows you to choose whether an employee can fix website display problems they encounter while browsing. | +| Flip ahead | Flip ahead enables users to flip through web content quickly by swiping across the page or by clicking forward. When flip ahead is turned on, web browsing history is periodically sent to Microsoft. If you turn off this setting, users will no longer be able swipe across a screen or click forward to go to the next pre-loaded page of a website. | +| Web Slices | A Web Slice enables users to subscribe to and automatically receive updates to content directly within a web page. Disabling the RSS Feeds setting will turn off background synchronization for feeds and Web Slices. | +| Accelerators | Accelerators are menu options in Internet Explorer that help automate common browser-related tasks. In Internet Explorer, when you right-click selected text, Accelerators appear in the list of available options.
      For example, if you select a word, you can use the "Translate with Bing" Accelerator to obtain a translation of that word. | +| Pinning websites to Start | When a user pins a website to the Start menu, it displays as a tile similar to the way apps are displayed. Like Microsoft Store apps, website tiles might display updates if the website has been designed to do so. For example, an online email website might send updates to the tile indicating how many new messages a user has. | + +## Related links + +- [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) +- [Connected Experiences in Office](/deployoffice/privacy/connected-experiences.md) +- [Essential Services in Office](/deployoffice/privacy/essential-services.md) + +To view endpoints for Windows Enterprise, see: + +- [Manage connection endpoints for Windows 11](manage-windows-11-endpoints.md) +- [Manage connection endpoints for Windows 10, version 21H1](manage-windows-21H1-endpoints.md) +- [Manage connection endpoints for Windows 10, version 20H2](manage-windows-20h2-endpoints.md) +- [Manage connection endpoints for Windows 10, version 1909](manage-windows-1909-endpoints.md) +- [Manage connection endpoints for Windows 10, version 1903](manage-windows-1903-endpoints.md) +- [Manage connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md) +- [Manage connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md) +- [Manage connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md) + +To view endpoints for non-Enterprise Windows editions, see: + +- [Windows 11 connection endpoints for non-Enterprise editions](windows-11-endpoints-non-enterprise-editions.md) +- [Windows 10, version 21H1, connection endpoints for non-Enterprise editions](windows-endpoints-21H1-non-enterprise-editions.md) +- [Windows 10, version 20H2, connection endpoints for non-Enterprise editions](windows-endpoints-20H2-non-enterprise-editions.md) +- [Windows 10, version 1909, connection endpoints for non-Enterprise editions](windows-endpoints-1909-non-enterprise-editions.md) +- [Windows 10, version 1903, connection endpoints for non-Enterprise editions](windows-endpoints-1903-non-enterprise-editions.md) +- [Windows 10, version 1809, connection endpoints for non-Enterprise editions](windows-endpoints-1809-non-enterprise-editions.md) +- [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md) +- [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md) \ No newline at end of file diff --git a/windows/privacy/index.yml b/windows/privacy/index.yml index 2fd2b1fc97..63d295f52a 100644 --- a/windows/privacy/index.yml +++ b/windows/privacy/index.yml @@ -14,7 +14,7 @@ metadata: author: dansimp ms.author: dansimp manager: dansimp - ms.date: 07/21/2020 #Required; mm/dd/yyyy format. + ms.date: 09/08/2021 #Required; mm/dd/yyyy format. ms.localizationpriority: high # highlightedContent section (optional) @@ -37,25 +37,25 @@ highlightedContent: # productDirectory section (optional) productDirectory: - title: Understand Windows diagnostic data in Windows 10 - summary: For the latest Windows 10 version, learn more about what Windows diagnostic data is collected at various diagnostics levels. + title: Understand Windows diagnostic data in Windows 10 and Windows 11 + summary: For the latest Windows 10 version and Windows 11, learn more about what Windows diagnostic data is collected under the different settings. items: # Card - - title: Required diagnostic data + - title: Windows 11 required diagnostic data # imageSrc should be square in ratio with no whitespace imageSrc: https://docs.microsoft.com/media/common/i_extend.svg summary: Learn more about basic Windows diagnostic data events and fields collected. - url: required-windows-diagnostic-data-events-and-fields-2004.md + url: required-windows-11-diagnostic-events-and-fields.md + # Card + - title: Windows 10 required diagnostic data + imageSrc: https://docs.microsoft.com/media/common/i_build.svg + summary: See what changes Windows is making to align to the new data collection taxonomy + url: required-windows-diagnostic-data-events-and-fields-2004.md # Card - title: Optional diagnostic data imageSrc: https://docs.microsoft.com/media/common/i_get-started.svg summary: Get examples of the types of optional diagnostic data collected from Windows url: windows-diagnostic-data.md - # Card - - title: Changes to Windows diagnostic data collection - imageSrc: https://docs.microsoft.com/media/common/i_build.svg - summary: See what changes Windows is making to align to the new data collection taxonomy - url: changes-to-windows-diagnostic-data-collection.md # conceptualContent section (optional) # conceptualContent: diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md index 27e6a0cc39..482413653a 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md @@ -14,19 +14,20 @@ manager: robsize ms.date: 12/1/2020 --- -# Manage connections from Windows 10 operating system components to Microsoft services using Microsoft Intune MDM Server +# Manage connections from Windows 10 and Windows 11 operating system components to Microsoft services using Microsoft Intune MDM Server **Applies to** -- Windows 10 Enterprise 1903 version and newer +- Windows 11 +- Windows 10 Enterprise 1903 version and newer -This article describes the network connections that Windows 10 components make to Microsoft and the Mobile Device Management/Configuration Service Provider (MDM/CSP) and custom Open Mobile Alliance Uniform Resource Identifier ([OMA URI](/intune/custom-settings-windows-10)) policies available to IT Professionals using Microsoft Intune to help manage the data shared with Microsoft. If you want to minimize connections from Windows to Microsoft services, or configure privacy settings, there are a number of settings for consideration. For example, you can configure diagnostic data to the lowest level for your edition of Windows and evaluate other connections Windows makes to Microsoft services you want to turn off using the instructions in this article. While it is possible to minimize network connections to Microsoft, there are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists. This data helps us deliver a secure, reliable, and up-to-date experience. +This article describes the network connections that Windows 10 and Windows 11 components make to Microsoft and the Mobile Device Management/Configuration Service Provider (MDM/CSP) and custom Open Mobile Alliance Uniform Resource Identifier ([OMA URI](/intune/custom-settings-windows-10)) policies available to IT Professionals using Microsoft Intune to help manage the data shared with Microsoft. If you want to minimize connections from Windows to Microsoft services, or configure privacy settings, there are a number of settings for consideration. For example, you can configure diagnostic data to the lowest level for your edition of Windows and evaluate other connections Windows makes to Microsoft services you want to turn off using the instructions in this article. While it is possible to minimize network connections to Microsoft, there are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists. This data helps us deliver a secure, reliable, and up-to-date experience. >[!IMPORTANT] >- The Allowed Traffic endpoints for an MDM configuration are here: [Allowed Traffic](#bkmk-mdm-allowedtraffic) > - CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) network traffic cannot be disabled and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of these authorities. There are many others such as DigiCert, Thawte, Google, Symantec, and VeriSign. -> - There is some traffic which is specifically required for the Microsoft Intune based management of Windows 10 devices. This traffic includes Windows Notifications Service (WNS), Automatic Root Certificates Update (ARCU), and some Windows Update related traffic. The aforementioned traffic comprises the Allowed Traffic for Microsoft Intune MDM Server to manage Windows 10 devices. +> - There is some traffic which is specifically required for the Microsoft Intune based management of Windows 10 and Windows 11 devices. This traffic includes Windows Notifications Service (WNS), Automatic Root Certificates Update (ARCU), and some Windows Update related traffic. The aforementioned traffic comprises the Allowed Traffic for Microsoft Intune MDM Server to manage Windows 10 and Windows 11 devices. >- For security reasons, it is important to take care in deciding which settings to configure as some of them may result in a less secure device. Examples of settings that can lead to a less secure device configuration include: disabling Windows Update, disabling Automatic Root Certificates Update, and disabling Windows Defender. Accordingly, we do not recommend disabling any of these features. >- To ensure CSPs take priority over Group Policies in case of conflicts, use the [ControlPolicyConflict](/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy. >- The **Get Help** and **Give us Feedback** links in Windows may no longer work after applying some or all of the MDM/CSP settings. @@ -36,16 +37,16 @@ This article describes the network connections that Windows 10 components make t For more information on Microsoft Intune please see [Transform IT service delivery for your modern workplace](https://www.microsoft.com/en-us/enterprise-mobility-security/microsoft-intune?rtc=1) and [Microsoft Intune documentation](/intune/). -For detailed information about managing network connections to Microsoft services using Windows Settings, Group Policies and Registry settings see [Manage connections from Windows 10 operating system components to Microsoft services](./manage-connections-from-windows-operating-system-components-to-microsoft-services.md). +For detailed information about managing network connections to Microsoft services using Windows Settings, Group Policies and Registry settings see [Manage connections from Windows operating system components to Microsoft services](./manage-connections-from-windows-operating-system-components-to-microsoft-services.md). We are always striving to improve our documentation and welcome your feedback. You can provide feedback by sending email to **telmhelp**@**microsoft.com**. -## Settings for Windows 10 Enterprise edition 1903 and newer +## Settings for Windows 10 Enterprise edition 1903 and later and Windows 11 The following table lists management options for each setting. -For Windows 10, the following MDM policies are available in the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider). +For Windows 10 and Windows 11, the following MDM policies are available in the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider). 1. **Automatic Root Certificates Update** 1. MDM Policy: There is intentionally no MDM available for Automatic Root Certificate Update. This MDM does not exist since it would prevent the operation and management of MDM management of devices. @@ -104,7 +105,7 @@ For Windows 10, the following MDM policies are available in the [Policy CSP](/wi 1. **OneDrive** 1. MDM Policy: [DisableOneDriveFileSync](/windows/client-management/mdm/policy-csp-system#system-disableonedrivefilesync). Allows IT Admins to prevent apps and features from working with files on OneDrive. **Set to 1 (one)** - 1. Ingest the ADMX - To get the latest OneDrive ADMX file you need an up-to-date Windows 10 client. The ADMX files are located under the following path: %LocalAppData%\Microsoft\OneDrive\ there's a folder with the current OneDrive build (e.g. "18.162.0812.0001"). There is a folder named "adm" which contains the admx and adml policy definition files. + 1. Ingest the ADMX - To get the latest OneDrive ADMX file you need an up-to-date Windows 10 or Windows 11 client. The ADMX files are located under the following path: %LocalAppData%\Microsoft\OneDrive\ there's a folder with the current OneDrive build (e.g. "18.162.0812.0001"). There is a folder named "adm" which contains the admx and adml policy definition files. 1. MDM Policy: Prevent Network Traffic before User SignIn. **PreventNetworkTrafficPreUserSignIn**. The OMA-URI value is: **./Device/Vendor/MSFT/Policy/Config/OneDriveNGSC\~Policy\~OneDriveNGSC/PreventNetworkTrafficPreUserSignIn**, Data type: **String**, Value: **\** @@ -135,33 +136,33 @@ For Windows 10, the following MDM policies are available in the [Policy CSP](/wi 1. App Diagnostics - [Privacy/LetAppsGetDiagnosticInfo](/windows/client-management/mdm/policy-csp-privacy#privacy-letappsgetdiagnosticinfo). Force allow, force deny or give user control of apps that can get diagnostic information about other running apps. **Set to 2 (two)** 1. **Software Protection Platform** - [Licensing/DisallowKMSClientOnlineAVSValidation](/windows/client-management/mdm/policy-csp-licensing#licensing-disallowkmsclientonlineavsvalidation). Opt out of sending KMS client activation data to Microsoft automatically. **Set to 1 (one)** 1. **Storage Health** - [Storage/AllowDiskHealthModelUpdates](/windows/client-management/mdm/policy-csp-storage#storage-allowdiskhealthmodelupdates). Allows disk health model updates. **Set to 0 (zero)** -1. **Sync your settings** - [Experience/AllowSyncMySettings](/windows/client-management/mdm/policy-csp-experience#experience-allowsyncmysettings). Control whether your settings are synchronized. **Set to 0 (zero)** -1. **Teredo** - No MDM needed. Teredo is **Off by default**. Delivery Optimization (DO) can turn on Teredo, but DO itself is turned Off via MDM. -1. **Wi-Fi Sense** - No MDM needed. Wi-Fi Sense is no longer available from Windows 10 version 1803 and newer. +1. **Sync your settings** - [Experience/AllowSyncMySettings](/windows/client-management/mdm/policy-csp-experience#experience-allowsyncmysettings). Control whether your settings are synchronized. **Set to 0 (zero)** +1. **Teredo** - No MDM needed. Teredo is **Off by default**. Delivery Optimization (DO) can turn on Teredo, but DO itself is turned Off via MDM. +1. **Wi-Fi Sense** - No MDM needed. Wi-Fi Sense is no longer available from Windows 10 version 1803 and later or Windows 11. 1. **Windows Defender** - 1. [Defender/AllowCloudProtection](/windows/client-management/mdm/policy-csp-defender#defender-allowcloudprotection). Disconnect from the Microsoft Antimalware Protection Service. **Set to 0 (zero)** + 1. [Defender/AllowCloudProtection](/windows/client-management/mdm/policy-csp-defender#defender-allowcloudprotection). Disconnect from the Microsoft Antimalware Protection Service. **Set to 0 (zero)** 1. [Defender/SubmitSamplesConsent](/windows/client-management/mdm/policy-csp-defender#defender-submitsamplesconsent). Stop sending file samples back to Microsoft. **Set to 2 (two)** 1. [Defender/EnableSmartScreenInShell](/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings#mdm-settings). Turns off SmartScreen in Windows for app and file execution. **Set to 0 (zero)** 1. Windows Defender SmartScreen - [Browser/AllowSmartScreen](/windows/client-management/mdm/policy-csp-browser#browser-allowsmartscreen). Disable Windows Defender SmartScreen. **Set to 0 (zero)** - 1. Windows Defender SmartScreen EnableAppInstallControl - [SmartScreen/EnableAppInstallControl](/windows/client-management/mdm/policy-csp-smartscreen#smartscreen-enableappinstallcontrol). Controls whether users are allowed to install apps from places other than the Microsoft Store. **Set to 0 (zero)** + 1. Windows Defender SmartScreen EnableAppInstallControl - [SmartScreen/EnableAppInstallControl](/windows/client-management/mdm/policy-csp-smartscreen#smartscreen-enableappinstallcontrol). Controls whether users are allowed to install apps from places other than the Microsoft Store. **Set to 0 (zero)** 1. Windows Defender Potentially Unwanted Applications(PUA) Protection - [Defender/PUAProtection](/windows/client-management/mdm/policy-csp-defender#defender-puaprotection). Specifies the level of detection for potentially unwanted applications (PUAs). **Set to 1 (one)** 1. [Defender/SignatureUpdateFallbackOrder](). Allows you to define the order in which different definition update sources should be contacted. The OMA-URI for this is: **./Vendor/MSFT/Policy/Config/Defender/SignatureUpdateFallbackOrder**, Data type: **String**, Value: **FileShares** 1. **Windows Spotlight** - [Experience/AllowWindowsSpotlight](/windows/client-management/mdm/policy-csp-experience#experience-allowwindowsspotlight). Disable Windows Spotlight. **Set to 0 (zero)** 1. **Microsoft Store** 1. [ApplicationManagement/DisableStoreOriginatedApps](/windows/client-management/mdm/policy-csp-applicationmanagement#applicationmanagement-disablestoreoriginatedapps). Boolean value that disables the launch of all apps from Microsoft Store that came pre-installed or were downloaded. **Set to 1 (one)** 1. [ApplicationManagement/AllowAppStoreAutoUpdate](/windows/client-management/mdm/policy-csp-applicationmanagement#applicationmanagement-allowappstoreautoupdate). Specifies whether automatic update of apps from Microsoft Store are allowed. **Set to 0 (zero)** -1. **Apps for websites** - [ApplicationDefaults/EnableAppUriHandlers](/windows/client-management/mdm/policy-csp-applicationdefaults#applicationdefaults-enableappurihandlers). This policy setting determines whether Windows supports web-to-app linking with app URI handlers. **Set to 0 (zero)** +1. **Apps for websites** - [ApplicationDefaults/EnableAppUriHandlers](/windows/client-management/mdm/policy-csp-applicationdefaults#applicationdefaults-enableappurihandlers). This policy setting determines whether Windows supports web-to-app linking with app URI handlers. **Set to 0 (zero)** 1. **Windows Update Delivery Optimization** - The following Delivery Optimization MDM policies are available in the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider). 1. [DeliveryOptimization/DODownloadMode](/windows/client-management/mdm/policy-csp-deliveryoptimization#deliveryoptimization-dodownloadmode). Let’s you choose where Delivery Optimization gets or sends updates and apps. **Set to 99 (ninety-nine)** 1. **Windows Update** 1. [Update/AllowAutoUpdate](/windows/client-management/mdm/policy-csp-update#update-allowautoupdate). Control automatic updates. **Set to 5 (five)** 1. Windows Update Allow Update Service - [Update/AllowUpdateService](/windows/client-management/mdm/policy-csp-update#update-allowupdateservice). Specifies whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft Store. **Set to 0 (zero)** - 1. Windows Update Service URL - [Update/UpdateServiceUrl](/windows/client-management/mdm/policy-csp-update#update-updateserviceurl). Allows the device to check for updates from a WSUS server instead of Microsoft Update. **Set to String** with the Value: + 1. Windows Update Service URL - [Update/UpdateServiceUrl](/windows/client-management/mdm/policy-csp-update#update-updateserviceurl). Allows the device to check for updates from a WSUS server instead of Microsoft Update. **Set to String** with the Value: 1. **\\$CmdID$\\\chr\text/plain\\ \./Vendor/MSFT/Policy/Config/Update/UpdateServiceUrl\\http://abcd-srv:8530\\** ### Allowed traffic for Microsoft Intune / MDM configurations -|**Allowed traffic endpoints** | +|**Allowed traffic endpoints** | --- | |activation-v2.sls.microsoft.com/*| |cdn.onenote.net| diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index f1f0d9469a..aef42b510b 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -1,5 +1,5 @@ --- -title: Manage connections from Windows 10 operating system components to Microsoft services +title: Manage connections from Windows 10 and Windows 11 operating system components to Microsoft services description: Learn how to minimize connections from Windows to Microsoft services, and configure particular privacy settings related to these connections. ms.assetid: ACCEB0DD-BC6F-41B1-B359-140B242183D9 ms.reviewer: @@ -17,17 +17,18 @@ ms.topic: article ms.date: 5/21/2021 --- -# Manage connections from Windows 10 operating system components to Microsoft services +# Manage connections from Windows 10 and Windows 11 operating system components to Microsoft services **Applies to** -- Windows 10 Enterprise, version 1607 and newer +- Windows 11 Enterprise +- Windows 10 Enterprise, version 1607 and later - Windows Server 2016 - Windows Server 2019 -This article describes the network connections that Windows 10 components make to Microsoft and the Windows Settings, Group Policies and registry settings available to IT Professionals to help manage the data shared with Microsoft. If you want to minimize connections from Windows to Microsoft services, or configure privacy settings, there are a number of settings for consideration. For example, you can configure diagnostic data to the lowest level for your edition of Windows and evaluate other connections Windows makes to Microsoft services you want to turn off using the instructions in this article. While it is possible to minimize network connections to Microsoft, there are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists. This data helps us deliver a secure, reliable, and up-to-date experience. +This article describes the network connections that Windows 10 and Windows 11 components make to Microsoft and the Windows Settings, Group Policies and registry settings available to IT Professionals to help manage the data shared with Microsoft. If you want to minimize connections from Windows to Microsoft services, or configure privacy settings, there are a number of settings for consideration. For example, you can configure diagnostic data to the lowest level for your edition of Windows and evaluate other connections Windows makes to Microsoft services you want to turn off using the instructions in this article. While it is possible to minimize network connections to Microsoft, there are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists. This data helps us deliver a secure, reliable, and up-to-date experience. -Microsoft provides a [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887) package that will allow your organization to quickly configure the settings covered in this document to restrict connections from Windows 10 to Microsoft. The Windows Restricted Traffic Limited Baseline is based on [Group Policy Administrative Template](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) functionality and the package you download contains further instructions on how to deploy to devices in your organization. Since some of the settings can reduce the functionality and security configuration of your device, **before deploying Windows Restricted Traffic Limited Functionality Baseline** make sure you **choose the right settings configuration for your environment** and **ensure that Windows and Microsoft Defender Antivirus are fully up to date**. Failure to do so may result in errors or unexpected behavior. You should not extract this package to the windows\system32 folder because it will not apply correctly. +Microsoft provides a [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887) package that will allow your organization to quickly configure the settings covered in this document to restrict connections from Windows 10 and Windows 11 to Microsoft. The Windows Restricted Traffic Limited Baseline is based on [Group Policy Administrative Template](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) functionality and the package you download contains further instructions on how to deploy to devices in your organization. Since some of the settings can reduce the functionality and security configuration of your device, **before deploying Windows Restricted Traffic Limited Functionality Baseline** make sure you **choose the right settings configuration for your environment** and **ensure that Windows and Microsoft Defender Antivirus are fully up to date**. Failure to do so may result in errors or unexpected behavior. You should not extract this package to the windows\system32 folder because it will not apply correctly. > [!IMPORTANT] > - The downloadable Windows 10, version 1903 scripts/settings can be used on Windows 10, version 1909 devices. @@ -42,7 +43,7 @@ Microsoft provides a [Windows Restricted Traffic Limited Functionality Baseline] > - To restrict a device effectively (first time or subsequently), it is recommended to apply the Restricted Traffic Limited Functionality Baseline settings package in offline mode. > - During update or upgrade of Windows, egress traffic may occur. -To use Microsoft Intune cloud-based device management for restricting traffic please refer to the [Manage connections from Windows 10 operating system components to Microsoft services using Microsoft Intune MDM Server](manage-connections-from-windows-operating-system-components-to-microsoft-services-using-mdm.md). +To use Microsoft Intune cloud-based device management for restricting traffic please refer to the [Manage connections from Windows 10 and Windows 11 operating system components to Microsoft services using Microsoft Intune MDM Server](manage-connections-from-windows-operating-system-components-to-microsoft-services-using-mdm.md). We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting **telmhelp**@**microsoft.com**. @@ -50,9 +51,9 @@ We are always striving to improve our documentation and welcome your feedback. Y The following sections list the components that make network connections to Microsoft services by default. You can configure these settings to control the data that is sent to Microsoft. To prevent Windows from sending any data to Microsoft, configure diagnostic data at the Security level, turn off Microsoft Defender Antivirus diagnostic data and MSRT reporting, and turn off all of these connections -### Settings for Windows 10 Enterprise edition +### Settings for Windows 10 and Windows 11 Enterprise edition -The following table lists management options for each setting, beginning with Windows 10 Enterprise version 1607. +The following table lists management options for each setting, For Windows 10 (beginning with Windows 10 Enterprise version 1607) and Windows 11. | Setting | UI | Group Policy | Registry | @@ -74,7 +75,7 @@ The following table lists management options for each setting, beginning with Wi | [15. Offline maps](#bkmk-offlinemaps) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [16. OneDrive](#bkmk-onedrive) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [17. Preinstalled apps](#bkmk-preinstalledapps) | ![Check mark](images/checkmark.png) | | | -| [18. Settings > Privacy](#bkmk-settingssection) | | | | +| [18. Settings > Privacy & security](#bkmk-settingssection) | | | | |     [18.1 General](#bkmk-general) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | |     [18.2 Location](#bkmk-priv-location) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | |     [18.3 Camera](#bkmk-priv-camera) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | @@ -130,7 +131,7 @@ See the following table for a summary of the management settings for Windows Ser | [12. Microsoft Account](#bkmk-microsoft-account) | | | ![Check mark](images/checkmark.png) | | [14. Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [16. OneDrive](#bkmk-onedrive) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [18. Settings > Privacy](#bkmk-settingssection) | | | | +| [18. Settings > Privacy & security](#bkmk-settingssection) | | | | | [19. Software Protection Platform](#bkmk-spp) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [22. Teredo](#bkmk-teredo) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [24. Microsoft Defender Antivirus](#bkmk-defender) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | @@ -186,7 +187,7 @@ See the following table for a summary of the management settings for Windows Ser | [15. Offline maps](#bkmk-offlinemaps) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [16. OneDrive](#bkmk-onedrive) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [17. Preinstalled apps](#bkmk-preinstalledapps) | ![Check mark](images/checkmark.png) | | | -| [18. Settings > Privacy](#bkmk-settingssection) | | | | +| [18. Settings > Privacy & security](#bkmk-settingssection) | | | | |     [18.1 General](#bkmk-general) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | |     [18.2 Location](#bkmk-priv-location) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | |     [18.3 Camera](#bkmk-priv-camera) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | @@ -237,7 +238,7 @@ Although not recommended, you can turn off Automatic Root Certificates Update, w > [!CAUTION] > By not automatically downloading the root certificates the device may not be able to connect to some websites. -For Windows 10, Windows Server 2016 with Desktop Experience, and Windows Server 2016 Server Core: +For Windows 10, Windows Server 2016 with Desktop Experience, Windows Server 2016 Server Core, and Windows 11: - Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Internet Communication Management** > **Internet Communication Settings** > **Turn off Automatic Root Certificates Update** @@ -293,7 +294,7 @@ You can also apply the Group Policies using the following registry keys: > [!IMPORTANT] -> Using the Group Policy editor these steps are required for all supported versions of Windows 10, however they are not required for devices running Windows 10, version 1607 or Windows Server 2016. +> Using the Group Policy editor these steps are required for all supported versions of Windows 10 and Windows 11, however they are not required for devices running Windows 10, version 1607 or Windows Server 2016. 1. Expand **Computer Configuration** > **Windows Settings** > **Security Settings** > **Windows Defender Firewall with Advanced Security** > **Windows Defender Firewall with Advanced Security - <LDAP name>**, and then click **Outbound Rules**. @@ -389,21 +390,21 @@ If you're running Windows 10, version 1607, Windows Server 2016, or later: ### 7. Insider Preview builds -The Windows Insider Preview program lets you help shape the future of Windows, be part of the community, and get early access to releases of Windows 10. This setting stops communication with the Windows Insider Preview service that checks for new builds. -Windows Insider Preview builds only apply to Windows 10 and are not available for Windows Server 2016. +The Windows Insider Preview program lets you help shape the future of Windows, be part of the community, and get early access to releases of Windows 10 and Windows 11. This setting stops communication with the Windows Insider Preview service that checks for new builds. +Windows Insider Preview builds only apply to Windows 10 and Windows 11 and are not available for Windows Server 2016. > [!NOTE] > If you upgrade a device that is configured to minimize connections from Windows to Microsoft services (that is, a device configured for Restricted Traffic) to a Windows Insider Preview build, the Feedback & Diagnostic setting will automatically be set to **Optional (Full)**. Although the diagnostic data level may initially appear as **Required (Basic)**, a few hours after the UI is refreshed or the machine is rebooted, the setting will become **Optional (Full)**. -To turn off Insider Preview builds for a released version of Windows 10: +To turn off Insider Preview builds for a released version of Windows 10 or Windows 11: - **Disable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Toggle user control over Insider builds**. -To turn off Insider Preview builds for Windows 10: +To turn off Insider Preview builds for Windows 10 and Windows 11: > [!NOTE] -> If you're running a preview version of Windows 10, you must roll back to a released version before you can turn off Insider Preview builds. +> If you're running a preview version of Windows 10 or Windows 11, you must roll back to a released version before you can turn off Insider Preview builds. - Turn off the feature in the UI: **Settings** > **Update & security** > **Windows Insider Program** > **Stop Insider Preview builds**. @@ -529,7 +530,7 @@ To turn off Live Tiles: - Create a REG_DWORD registry setting named **NoCloudApplicationNotification** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\PushNotifications** with a **value of 1 (one)** -In Windows 10 Mobile, you must also unpin all tiles that are pinned to Start. +In Windows 10 or Windows 11 Mobile, you must also unpin all tiles that are pinned to Start. ### 11. Mail synchronization @@ -548,7 +549,7 @@ To turn off the Windows Mail app: ### 12. Microsoft Account -Use the below setting to prevent communication to the Microsoft Account cloud authentication service. Many apps and system components that depend on Microsoft Account authentication may lose functionality. Some of them could be in unexpected ways. For example, Windows Update will no longer offer feature updates to devices running Windows 10 1709 or higher. See [Feature updates are not being offered while other updates are](/windows/deployment/update/windows-update-troubleshooting#feature-updates-are-not-being-offered-while-other-updates-are). +Use the below setting to prevent communication to the Microsoft Account cloud authentication service. Many apps and system components that depend on Microsoft Account authentication may lose functionality. Some of them could be in unexpected ways. For example, Windows Update will no longer offer feature updates to devices running Windows 10 1709 or higher and Windows 11. See [Feature updates are not being offered while other updates are](/windows/deployment/update/windows-update-troubleshooting#feature-updates-are-not-being-offered-while-other-updates-are). To disable the Microsoft Account Sign-In Assistant: @@ -657,7 +658,7 @@ You can turn off the ability to download and update offline maps. -and- -- In Windows 10, version 1607 and later, **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Maps** > **Turn off unsolicited network traffic on the Offline Maps settings page** +- In Windows 10, version 1607 and later, and Windows 11 **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Maps** > **Turn off unsolicited network traffic on the Offline Maps settings page** -or- @@ -805,9 +806,9 @@ To remove the Sticky notes app: - Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.MicrosoftStickyNotes | Remove-AppxPackage** -### 18. Settings > Privacy +### 18. Settings > Privacy & security -Use Settings > Privacy to configure some settings that may be important to your organization. Except for the Feedback & Diagnostics page, these settings must be configured for every user account that signs into the PC. +Use Settings > Privacy & security to configure some settings that may be important to your organization. Except for the Feedback & Diagnostics page, these settings must be configured for every user account that signs into the PC. - [18.1 General](#bkmk-general) @@ -1268,7 +1269,7 @@ In the **Other Devices** area, you can choose whether devices that aren't paired To turn off **Let apps automatically share and sync info with wireless devices that don't explicitly pair with your PC, tablet, or phone**: -- Turn off the feature in the UI by going to Settings > Privacy > Other devices > "Communicate with unpaired devices. Let apps automatically share and sync info with wireless devices that don't explicitly pair with your PC, tablet, or phone" and **Turn it OFF**. +- Turn off the feature in the UI by going to Settings > Privacy & security > Other devices > "Communicate with unpaired devices. Let apps automatically share and sync info with wireless devices that don't explicitly pair with your PC, tablet, or phone" and **Turn it OFF**. -or- @@ -1342,7 +1343,7 @@ To change the level of diagnostic and usage data sent when you **Send your devic - Create a REG_DWORD registry setting in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry** with a **value of 0**. > [!NOTE] -> If the **Security** option is configured by using Group Policy or the Registry, the value will not be reflected in the UI. The **Security** option is only available in Windows 10 Enterprise edition. +> If the **Security** option is configured by using Group Policy or the Registry, the value will not be reflected in the UI. The **Security** option is only available in Windows 10 and Windows 11 Enterprise edition. To turn off tailored experiences with relevant tips and recommendations by using your diagnostics data: @@ -1380,7 +1381,7 @@ To turn off **Let apps run in the background**: -or- -- **Enable** the Group Policy (only applicable for Windows 10 version 1703 and above): **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps run in the background** and set the **Select a setting** box to **Force Deny**. +- **Enable** the Group Policy (only applicable for Windows 10 version 1703 and above and Windows 11): **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps run in the background** and set the **Select a setting** box to **Force Deny**. -or- @@ -1527,7 +1528,7 @@ To turn this Off in the UI: Enterprise customers can manage their Windows activation status with volume licensing using an on-premises Key Management Server. You can opt out of sending KMS client activation data to Microsoft automatically by doing one of the following: -**For Windows 10:** +**For Windows 10 and Windows 11:** - **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client Online AVS Validation** @@ -1555,7 +1556,7 @@ Enterprise customers can manage their Windows activation status with volume lice Enterprise customers can manage updates to the Disk Failure Prediction Model. -For Windows 10: +For Windows 10 and Windows 11: - **Disable** this Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Storage Health** > **Allow downloading updates to the Disk Failure Prediction Model** -or- @@ -1723,12 +1724,12 @@ In Group Policy, configure: Windows Spotlight provides features such as different background images and text on the lock screen, suggested apps, Microsoft account notifications, and Windows tips. You can control it by using the user interface or Group Policy. -If you're running Windows 10, version 1607 or later, you need to: +If you're running Windows 10, version 1607 or later, or Windows 11, you need to: - **Enable** the following Group Policy **User Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Turn off all Windows spotlight features** > [!NOTE] - > This must be done within 15 minutes after Windows 10 is installed. Alternatively, you can create an image with this setting. + > This must be done within 15 minutes after Windows 10 or Windows 11 is installed. Alternatively, you can create an image with this setting. -or- @@ -1840,11 +1841,11 @@ You can turn off apps for websites, preventing customers who visit websites that Delivery Optimization is the downloader of Windows updates, Microsoft Store apps, Office and other content from Microsoft. Delivery Optimization can also download from sources in addition to Microsoft, which not only helps when you have a limited or unreliable Internet connection, but can also help you reduce the amount of bandwidth needed to keep all of your organization's PCs up-to-date. If you have Delivery Optimization Peer-to-Peer option turned on, PCs on your network may send and receive updates and apps to other PCs on your local network, if you choose, or to PCs on the Internet. -By default, PCs running Windows 10 will only use Delivery Optimization to get and receive updates for PCs and apps on your local network. +By default, PCs running Windows 10 or Windows 11 will only use Delivery Optimization to get and receive updates for PCs and apps on your local network. Use the UI, Group Policy, or Registry Keys to set up Delivery Optimization. -In Windows 10 version 1607 and above you can stop network traffic related to Delivery Optimization Cloud Service by setting **Download Mode** to **Simple Mode** (99), as described below. +In Windows 10, version 1607 and above, and Windows 11 you can stop network traffic related to Delivery Optimization Cloud Service by setting **Download Mode** to **Simple Mode** (99), as described below. ### 28.1 Settings > Update & security @@ -1933,7 +1934,7 @@ For China releases of Windows 10 there is one additional Regkey to be set to pre ### 30. Cloud Clipboard -Specifies whether clipboard items roam across devices. When this is allowed, an item copied to the clipboard is uploaded to the cloud so that other devices can access it. Clipboard items in the cloud can be downloaded and pasted across your Windows 10 devices. +Specifies whether clipboard items roam across devices. When this is allowed, an item copied to the clipboard is uploaded to the cloud so that other devices can access it. Clipboard items in the cloud can be downloaded and pasted across your Windows 10 and Windows 11 devices. Most restricted value is 0. diff --git a/windows/privacy/manage-windows-11-endpoints.md b/windows/privacy/manage-windows-11-endpoints.md new file mode 100644 index 0000000000..718e6bdc07 --- /dev/null +++ b/windows/privacy/manage-windows-11-endpoints.md @@ -0,0 +1,159 @@ +--- +title: Connection endpoints for Windows 11 Enterprise +description: Explains what Windows 11 endpoints are used for, how to turn off traffic to them, and the impact. Specific to Windows 11. +keywords: privacy, manage connections to Microsoft, Windows 11 +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.localizationpriority: high +audience: ITPro +author: gental-giant +ms.author: v-hakima +manager: robsize +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 10/04/2021 +--- + +# Manage connection endpoints for Windows 11 Enterprise + +**Applies to** + +- Windows 11 Enterprise + +Some Windows components, app, and related services transfer data to Microsoft network endpoints. Some examples include: + +- Connecting to Microsoft Office and Windows sites to download the latest app and security updates. +- Connecting to email servers to send and receive email. +- Connecting to the web for every day web browsing. +- Connecting to the cloud to store and access backups. +- Using your location to show a weather forecast. + +Details about the different ways to control traffic to these endpoints are covered in [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md). +Where applicable, each endpoint covered in this topic includes a link to the specific details on how to control that traffic. + +The following methodology was used to derive these network endpoints: + +1. Set up the latest version of Windows 11 on a test virtual machine using the default settings. +2. Leave the device(s) running idle for a week ("idle" means a user is not interacting with the system/device). +3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. +4. Compile reports on traffic going to public IP addresses. +5. The test virtual machine(s) was logged into using a local account, and was not joined to a domain or Azure Active Directory. +6. All traffic was captured in our lab using a IPV4 network. Therefore, no IPV6 traffic is reported here. +7. These tests were conducted in an approved Microsoft lab. It's possible your results may be different. +8. These tests were conducted for one week, but if you capture traffic for longer you may have different results. + +> [!NOTE] +> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. + + +## Windows 11 Enterprise connection endpoints + +|Area|Description|Protocol|Destination| +|----------------|----------|----------|------------| +|Apps|||[Learn how to turn off traffic to the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)| +||The following endpoint is used for the Weather app. To turn off traffic for this endpoint, either uninstall the Weather app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTP|tile-service.weather.microsoft.com| +||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS/HTTP|cdn.onenote.net| +||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS|evoke-windowsservices-tas.msedge.net +|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible to turn off traffic to this endpoint, but it is not recommended because as root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. Additionally, it is used to download certificates that are publicly known to be fraudulent. These settings are critical for both Windows security and the overall security of the Internet. We do not recommend blocking this endpoint. If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)| +|||TLSv1.2/HTTPS/HTTP|ctldl.windowsupdate.com| +|Cortana and Live Tiles|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana)| +||The following endpoints are related to Cortana and Live Tiles. If you turn off traffic for this endpoint, you will block updates to Cortana greetings, tips, and Live Tiles.|TLSv1.2/HTTPS/HTTP|www.bing.com*| +|||TLSv1.2/HTTPS/HTTP|fp.msedge.net| +|||TLSv1.2|I-ring.msedge.net| +|||HTTPS|s-ring.msedge.net| +|Device authentication|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)| +||The following endpoint is used to authenticate a device. If you turn off traffic for this endpoint, the device will not be authenticated.|HTTPS|login.live.com*| +|Device metadata|The following endpoint is used to retrieve device metadata. If you turn off traffic for this endpoint, metadata will not be updated for the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#4-device-metadata-retrieval)| +|||HTTP|dmd.metaservices.microsoft.com| +|Diagnostic Data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft. ||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)| +|||TLSv1.2/HTTPS/HTTP|v10.events.data.microsoft.com| +||The following endpoints are used by Windows Error Reporting. To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft.|TLSv1.2|telecommand.telemetry.microsoft.com| +|||TLS v1.2/HTTPS/HTTP|watson.*.microsoft.com| +|Font Streaming|The following endpoints are used to download fonts on demand. If you turn off traffic for these endpoints, you will not be able to download fonts on demand.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#6-font-streaming)| +|||HTTPS|fs.microsoft.com| +|Licensing|The following endpoint is used for online activation and some app licensing. To turn off traffic for this endpoint, disable the Windows License Manager Service. This will also block online activation and app licensing may not work.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#9-license-manager)| +|||TLSv1.2/HTTPS/HTTP|licensing.mp.microsoft.com| +|Maps|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-offlinemaps)| +||The following endpoints are used to check for updates to maps that have been downloaded for offline use. If you turn off traffic for this endpoint, offline maps will not be updated.|TLSv1.2/HTTPS/HTTP|maps.windows.com| +|Microsoft Account|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-microsoft-account)| +||The following endpoints are used for Microsoft accounts to sign in. If you turn off traffic for these endpoints, users cannot sign in with Microsoft accounts. |TLSv1.2/HTTPS|login.live.com| +|Microsoft Edge|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#13-microsoft-edge)| +||This network traffic is related to the Microsoft Edge browser. The Microsoft Edge browser requires this endpoint to contact external websites.|HTTPS|iecvlist.microsoft.com| +||The following endpoint is used by Microsoft Edge Update service to check for new updates. If you disable this endpoint, Microsoft Edge won’t be able to check for and apply new edge updates.|TLSv1.2/HTTPS/HTTP|msedge.api.cdp.microsoft.com| +|Microsoft Store|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)| +||The following endpoint is used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). If you turn off traffic for these endpoints, the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTPS|img-prod-cms-rt-microsoft-com.akamaized.net| +||The following endpoint is needed to load the content in the Microsoft Store app.|HTTPS|livetileedge.dsx.mp.microsoft.com| +||The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way. If you turn off traffic for this endpoint, push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization.|TLSv1.2/HTTPS|*.wns.windows.com| +||The following endpoints are used to revoke licenses for malicious apps in the Microsoft Store. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft Store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them|TLSv1.2/HTTPS/HTTP|storecatalogrevocation.storequality.microsoft.com| +||The following endpoint is used to get Microsoft Store analytics.|HTTPS|manage.devcenter.microsoft.com| +||The following endpoints are used to communicate with Microsoft Store. If you turn off traffic for these endpoints, apps cannot be installed or updated from the Microsoft Store.|TLSv1.2/HTTPS/HTTP|displaycatalog.mp.microsoft.com| +|||HTTPS|pti.store.microsoft.com| +|||HTTP|share.microsoft.com| +||The following endpoint is used to get Microsoft Store analytics.|TLSv1.2/HTTPS/HTTP|manage.devcenter.microsoft.com| +|Network Connection Status Indicator (NCSI)|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-ncsi)| +||Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet. If you turn off traffic for this endpoint, NCSI won't be able to determine if the device is connected to the Internet and the network status tray icon will show a warning.|HTTPS|www.msftconnecttest.com*| +|Office|The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office in a browser. For more info, see Office 365 URLs and IP address ranges. You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)| +|||HTTPS|www.office.com| +|||HTTPS|blobs.officehome.msocdn.com| +|||HTTPS|officehomeblobs.blob.core.windows.net| +|||HTTPS|self.events.data.microsoft.com| +|||TLSv1.2/HTTPS/HTTP|outlookmobile-office365-tas.msedge.net| +|OneDrive|The following endpoints are related to OneDrive. If you turn off traffic for these endpoints, anything that relies on g.live.com to get updated URL information will no longer work.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-onedrive)| +|||TLSv1.2/HTTPS/HTTP|g.live.com| +|||TLSv1.2/HTTPS/HTTP|oneclient.sfx.ms| +|||HTTPS| logincdn.msauth.net| +|Settings|The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it. If you turn off traffic for this endpoint, an app that uses this endpoint may stop working.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)| +|||TLSv1.2/HTTPS/HTTP|settings-win.data.microsoft.com| +|||HTTPS|settings.data.microsoft.com| +|Skype|The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)| +|||HTTPS/HTTP|*.pipe.aria.microsoft.com| +|||TLSv1.2/HTTPS/HTTP|config.edge.skype.com| +|Teams|The following endpoint is used for Microsoft Teams application.||[Learn how to turn off traffic to all of the following endpoint(s).]( manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)| +|||TLSv1.2/HTTPS/HTTP|config.teams.microsoft.com| +|Microsoft Defender Antivirus|The following endpoint is used for Windows Defender when Cloud-based Protection is enabled. If you turn off traffic for this endpoint, the device will not use Cloud-based Protection.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender)| +|||HTTPS/TLSv1.2|wdcp.microsoft.com| +||The following endpoints are used for Windows Defender SmartScreen reporting and notifications. If you turn off traffic for these endpoints, SmartScreen notifications will not appear.|HTTPS|*smartscreen-prod.microsoft.com| +|||HTTPS/HTTP|checkappexec.microsoft.com| +|Windows Spotlight|The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips. If you turn off traffic for these endpoints, Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips will not be downloaded. For more information, see Windows Spotlight.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight)| +|||TLSv1.2/HTTPS/HTTP|arc.msn.com| +|||HTTPS|ris.api.iris.microsoft.com| +|Windows Update|The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. If you turn off traffic for this endpoint, Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates)| +|||TLSv1.2/HTTPS/HTTP|*.prod.do.dsp.mp.microsoft.com| +|||HTTP|emdl.ws.microsoft.com| +||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store. If you turn off traffic for these endpoints, the device will not be able to download updates for the operating system.|TLSv1.2/HTTPS/HTTP|*.dl.delivery.mp.microsoft.com| +|||HTTP|*.windowsupdate.com| +||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. If you turn off traffic for these endpoints, the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store. These are dependent on also enabling "Device authentication" and "Microsoft Account" endpoints.|TLSv1.2/HTTPS/HTTP|*.delivery.mp.microsoft.com| +|||TLSv1.2/HTTPS/HTTP|*.update.microsoft.com| +||The following endpoint is used for compatibility database updates for Windows.|HTTPS|adl.windows.com| +||The following endpoint is used for content regulation. If you turn off traffic for this endpoint, the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly downloaded or not downloaded at all.|TLSv1.2/HTTPS/HTTP|tsfe.trafficshaping.dsp.mp.microsoft.com| +|Xbox Live|The following endpoint is used for Xbox Live.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)| +|||HTTPS|dlassets-ssl.xboxlive.com| + + +## Other Windows 10 editions + +To view endpoints for other versions of Windows 10 Enterprise, see: + +- [Manage connection endpoints for Windows 10, version 21H1](manage-windows-21H1-endpoints.md) +- [Manage connection endpoints for Windows 10, version 2004](manage-windows-2004-endpoints.md) +- [Manage connection endpoints for Windows 10, version 1909](manage-windows-1909-endpoints.md) +- [Manage connection endpoints for Windows 10, version 1903](manage-windows-1903-endpoints.md) +- [Manage connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md) +- [Manage connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md) +- [Manage connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md) + +To view endpoints for non-Enterprise Windows 10 editions, see: + +- [Windows 10, version 21H1, connection endpoints for non-Enterprise editions](windows-endpoints-21H1-non-enterprise-editions.md) +- [Windows 10, version 2004, connection endpoints for non-Enterprise editions](windows-endpoints-2004-non-enterprise-editions.md) +- [Windows 10, version 1909, connection endpoints for non-Enterprise editions](windows-endpoints-1909-non-enterprise-editions.md) +- [Windows 10, version 1903, connection endpoints for non-Enterprise editions](windows-endpoints-1903-non-enterprise-editions.md) +- [Windows 10, version 1809, connection endpoints for non-Enterprise editions](windows-endpoints-1809-non-enterprise-editions.md) +- [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md) +- [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md) + +## Related links + +- [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US) +- [Network infrastructure requirements for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints) \ No newline at end of file diff --git a/windows/privacy/manage-windows-21H1-endpoints.md b/windows/privacy/manage-windows-21H1-endpoints.md new file mode 100644 index 0000000000..427beac9b9 --- /dev/null +++ b/windows/privacy/manage-windows-21H1-endpoints.md @@ -0,0 +1,157 @@ +--- +title: Connection endpoints for Windows 10 Enterprise, version 21H1 +description: Explains what Windows 10 endpoints are used for, how to turn off traffic to them, and the impact. Specific to Windows 10 Enterprise, version 21H1. +keywords: privacy, manage connections to Microsoft, Windows 10 +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.localizationpriority: high +audience: ITPro +author: gental-giant +ms.author: v-hakima +manager: robsize +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 10/04/2021 +--- + +# Manage connection endpoints for Windows 10 Enterprise, version 21H1 + +**Applies to** + +- Windows 10 Enterprise, version 21H1 + +Some Windows components, app, and related services transfer data to Microsoft network endpoints. Some examples include: + +- Connecting to Microsoft Office and Windows sites to download the latest app and security updates. +- Connecting to email servers to send and receive email. +- Connecting to the web for every day web browsing. +- Connecting to the cloud to store and access backups. +- Using your location to show a weather forecast. + +Details about the different ways to control traffic to these endpoints are covered in [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md). +Where applicable, each endpoint covered in this topic includes a link to the specific details on how to control that traffic. + +The following methodology was used to derive these network endpoints: + +1. Set up the latest version of Windows 10 on a test virtual machine using the default settings. +2. Leave the device(s) running idle for a week ("idle" means a user is not interacting with the system/device). +3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. +4. Compile reports on traffic going to public IP addresses. +5. The test virtual machine(s) was logged into using a local account, and was not joined to a domain or Azure Active Directory. +6. All traffic was captured in our lab using a IPV4 network. Therefore, no IPV6 traffic is reported here. +7. These tests were conducted in an approved Microsoft lab. It's possible your results may be different. +8. These tests were conducted for one week, but if you capture traffic for longer you may have different results. + +> [!NOTE] +> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. + +## Windows 10 21H1 Enterprise connection endpoints + +|Area|Description|Protocol|Destination| +|----------------|----------|----------|------------| +|Apps|||[Learn how to turn off traffic to the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)| +||The following endpoint is used for the Weather app. To turn off traffic for this endpoint, either uninstall the Weather app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTP|tile-service.weather.microsoft.com| +||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS/HTTP|cdn.onenote.net| +||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS|evoke-windowsservices-tas.msedge.net +|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible to turn off traffic to this endpoint, but it is not recommended because as root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. Additionally, it is used to download certificates that are publicly known to be fraudulent. These settings are critical for both Windows security and the overall security of the Internet. We do not recommend blocking this endpoint. If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)| +|||TLSv1.2/HTTPS/HTTP|ctldl.windowsupdate.com| +|Cortana and Live Tiles|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana)| +||The following endpoints are related to Cortana and Live Tiles. If you turn off traffic for this endpoint, you will block updates to Cortana greetings, tips, and Live Tiles.|TLSv1.2/HTTPS/HTTP|www.bing.com*| +|||TLSv1.2/HTTPS/HTTP|fp.msedge.net| +|||TLSv1.2|I-ring.msedge.net| +|||HTTPS|s-ring.msedge.net| +|Device authentication|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)| +||The following endpoint is used to authenticate a device. If you turn off traffic for this endpoint, the device will not be authenticated.|HTTPS|login.live.com*| +|Device metadata|The following endpoint is used to retrieve device metadata. If you turn off traffic for this endpoint, metadata will not be updated for the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#4-device-metadata-retrieval)| +|||HTTP|dmd.metaservices.microsoft.com| +|Diagnostic Data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.
      If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft. ||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)| +|||TLSv1.2/HTTPS/HTTP|v10.events.data.microsoft.com| +||The following endpoints are used by Windows Error Reporting. To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft.|TLSv1.2|telecommand.telemetry.microsoft.com| +|||TLS v1.2/HTTPS/HTTP|watson.*.microsoft.com| +|Font Streaming|The following endpoints are used to download fonts on demand. If you turn off traffic for these endpoints, you will not be able to download fonts on demand.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#6-font-streaming)| +|||HTTPS|fs.microsoft.com| +|Licensing|The following endpoint is used for online activation and some app licensing. To turn off traffic for this endpoint, disable the Windows License Manager Service. This will also block online activation and app licensing may not work.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#9-license-manager)| +|||TLSv1.2/HTTPS/HTTP|licensing.mp.microsoft.com| +|Maps|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-offlinemaps)| +||The following endpoints are used to check for updates to maps that have been downloaded for offline use. If you turn off traffic for this endpoint, offline maps will not be updated.|TLSv1.2/HTTPS/HTTP|maps.windows.com| +|Microsoft Account|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-microsoft-account)| +||The following endpoints are used for Microsoft accounts to sign in. If you turn off traffic for these endpoints, users cannot sign in with Microsoft accounts. |TLSv1.2/HTTPS|login.live.com| +|Microsoft Edge|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#13-microsoft-edge)| +||This traffic is related to the Microsoft Edge browser.|HTTPS|iecvlist.microsoft.com| +||The following endpoint is used by Microsoft Edge Update service to check for new updates. If you disable this endpoint, Microsoft Edge won’t be able to check for and apply new edge updates.|TLSv1.2/HTTPS/HTTP|msedge.api.cdp.microsoft.com| +|Microsoft forward link redirection service (FWLink)|The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer. If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded.|HTTP|go.microsoft.com| +|Microsoft Store|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)| +||The following endpoint is used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). If you turn off traffic for these endpoints, the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTPS|img-prod-cms-rt-microsoft-com.akamaized.net| +||The following endpoint is needed to load the content in the Microsoft Store app.|HTTPS|livetileedge.dsx.mp.microsoft.com| +||The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way. If you turn off traffic for this endpoint, push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization.|TLSv1.2/HTTPS|*.wns.windows.com| +||The following endpoints are used to revoke licenses for malicious apps in the Microsoft Store. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft Store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them|TLSv1.2/HTTPS/HTTP|storecatalogrevocation.storequality.microsoft.com| +||The following endpoint is used to get Microsoft Store analytics.|HTTPS|manage.devcenter.microsoft.com| +||The following endpoints are used to communicate with Microsoft Store. If you turn off traffic for these endpoints, apps cannot be installed or updated from the Microsoft Store.|TLSv1.2/HTTPS/HTTP|displaycatalog.mp.microsoft.com| +|||HTTPS|pti.store.microsoft.com| +|||HTTP|share.microsoft.com| +||The following endpoint is used to get Microsoft Store analytics.|TLSv1.2/HTTPS/HTTP|manage.devcenter.microsoft.com| +|Network Connection Status Indicator (NCSI)|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-ncsi)| +||Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet. If you turn off traffic for this endpoint, NCSI won't be able to determine if the device is connected to the Internet and the network status tray icon will show a warning.|HTTPS|www.msftconnecttest.com*| +|Office|The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office in a browser. For more info, see Office 365 URLs and IP address ranges. You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)| +|||HTTPS|www.office.com| +|||HTTPS|blobs.officehome.msocdn.com| +|||HTTPS|officehomeblobs.blob.core.windows.net| +|||HTTPS|self.events.data.microsoft.com| +|||TLSv1.2/HTTPS/HTTP|outlookmobile-office365-tas.msedge.net| +|OneDrive|The following endpoints are related to OneDrive. If you turn off traffic for these endpoints, anything that relies on g.live.com to get updated URL information will no longer work.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-onedrive)| +|||TLSv1.2/HTTPS/HTTP|g.live.com| +|||TLSv1.2/HTTPS/HTTP|oneclient.sfx.ms| +|||HTTPS| logincdn.msauth.net| +|Settings|The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it. If you turn off traffic for this endpoint, an app that uses this endpoint may stop working.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)| +|||TLSv1.2/HTTPS/HTTP|settings-win.data.microsoft.com| +|||HTTPS|settings.data.microsoft.com| +|Skype|The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)| +|||HTTPS/HTTP|*.pipe.aria.microsoft.com| +|||TLSv1.2/HTTPS/HTTP|config.edge.skype.com| +|Teams|The following endpoint is used for Microsoft Teams application.||[Learn how to turn off traffic to all of the following endpoint(s).]( manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)| +|||TLSv1.2/HTTPS/HTTP|config.teams.microsoft.com| +|Windows Defender|The following endpoint is used for Windows Defender when Cloud-based Protection is enabled. If you turn off traffic for this endpoint, the device will not use Cloud-based Protection.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender)| +|||HTTPS/TLSv1.2|wdcp.microsoft.com| +||The following endpoints are used for Windows Defender SmartScreen reporting and notifications. If you turn off traffic for these endpoints, SmartScreen notifications will not appear.|HTTPS|*smartscreen-prod.microsoft.com| +|||HTTPS/HTTP|checkappexec.microsoft.com| +|Windows Spotlight|The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips. If you turn off traffic for these endpoints, Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips will not be downloaded. For more information, see Windows Spotlight.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight)| +|||TLSv1.2/HTTPS/HTTP|arc.msn.com| +|||HTTPS|ris.api.iris.microsoft.com| +|Windows Update|The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. If you turn off traffic for this endpoint, Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates)| +|||TLSv1.2/HTTPS/HTTP|*.prod.do.dsp.mp.microsoft.com| +|||HTTP|emdl.ws.microsoft.com| +||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store. If you turn off traffic for these endpoints, the device will not be able to download updates for the operating system.|TLSv1.2/HTTPS/HTTP|*.dl.delivery.mp.microsoft.com| +|||HTTP|*.windowsupdate.com| +||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. If you turn off traffic for these endpoints, the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store. These are dependent on also enabling "Device authentication" and "Microsoft Account" endpoints.|TLSv1.2/HTTPS/HTTP|*.delivery.mp.microsoft.com| +|||TLSv1.2/HTTPS/HTTP|*.update.microsoft.com| +||The following endpoint is used for compatibility database updates for Windows.|HTTPS|adl.windows.com| +||The following endpoint is used for content regulation. If you turn off traffic for this endpoint, the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly downloaded or not downloaded at all.|TLSv1.2/HTTPS/HTTP|tsfe.trafficshaping.dsp.mp.microsoft.com| +|Xbox Live|The following endpoint is used for Xbox Live.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)| +|||HTTPS|dlassets-ssl.xboxlive.com| + + +## Other Windows 10 editions + +To view endpoints for other versions of Windows 10 Enterprise, see: + +- [Manage connection endpoints for Windows 10, version 2004](manage-windows-2004-endpoints.md) +- [Manage connection endpoints for Windows 10, version 1909](manage-windows-1909-endpoints.md) +- [Manage connection endpoints for Windows 10, version 1903](manage-windows-1903-endpoints.md) +- [Manage connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md) +- [Manage connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md) +- [Manage connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md) + +To view endpoints for non-Enterprise Windows 10 editions, see: + +- [Windows 10, version 2004, connection endpoints for non-Enterprise editions](windows-endpoints-2004-non-enterprise-editions.md) +- [Windows 10, version 1909, connection endpoints for non-Enterprise editions](windows-endpoints-1909-non-enterprise-editions.md) +- [Windows 10, version 1903, connection endpoints for non-Enterprise editions](windows-endpoints-1903-non-enterprise-editions.md) +- [Windows 10, version 1809, connection endpoints for non-Enterprise editions](windows-endpoints-1809-non-enterprise-editions.md) +- [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md) +- [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md) + +## Related links + +- [Office 365 URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US) +- [Network infrastructure requirements for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints) \ No newline at end of file diff --git a/windows/privacy/required-windows-11-diagnostic-events-and-fields.md b/windows/privacy/required-windows-11-diagnostic-events-and-fields.md new file mode 100644 index 0000000000..246577e395 --- /dev/null +++ b/windows/privacy/required-windows-11-diagnostic-events-and-fields.md @@ -0,0 +1,8338 @@ +--- +description: Use this article to learn more about what Windows diagnostic data is gathered at the basic level. +title: Required Windows 11 diagnostic events and fields +keywords: privacy, telemetry +ms.prod: w11 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +localizationpriority: high +author: brianlic-msft +ms.author: brianlic +manager: dansimp +ms.collection: M365-security-compliance +ms.topic: article +audience: ITPro +ms.date: 10/04/2021 +--- + + +# Required Windows 11 diagnostic events and fields + +> [!IMPORTANT] +> Windows is moving to classifying the data collected from customer’s devices as either Required or Optional. + + + **Applies to** + +- Windows 11 + + +Required diagnostic data gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Microsoft Store. + +Required diagnostic data helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. This helps Microsoft fix operating system or app problems. + +Use this article to learn about diagnostic events, grouped by event area, and the fields within each event. A brief description is provided for each field. Every event generated includes common data, which collects device data. + +You can learn more about Windows functional and diagnostic data through these articles: + +- [Windows 10, version 20H2 and Windows 10, version 2004 basic diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) +- [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md) +- [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md) +- [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md) +- [Windows 10, version 1703 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md) +- [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) +- [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md) + + + + +## AppPlatform events + +### AppPlatform.InstallActivity + +This event is required to track health of the install pipeline on the console. It tracks the install, the type of install, and the error codes hit during the install. The data collected with this event is used to keep Windows performing properly. + +The following fields are available: + +- **BuildId** The unique identifier for this build. +- **BuildVer** The build number for the set of binaries being installed. +- **ClientAppId** Represents an optional identifier for the client application or service that initiated the install. +- **ContentId** The Content ID of the package. Key for content updates. +- **ContentType** The type of content being installed, mapped from XVD_CONTENT_TYPE. +- **Cv** The correlation vector for this install or action. If this is the Cv to a specific action, the RelatedCv field will contain the Cv for the install. +- **DestinationHardwareID** The hardware ID of the destination device, if it is external storage. Empty if not an external storage device. +- **DestinationPath** The path to the destination we are installing to. +- **DownloadSize** The size in bytes needed to download the package. +- **ErrorText** Optional text describing any errors. +- **InstallationActionId** The type of action ( 0 - Unknown, 1 - Install Started, 2 - Install Paused, 3 - Install Resumed, 4 - Installation Ready to Play, 5 - Change Source (Merged Install), 6 - Install Error, 7 - Install Complete, 8 - Install Aborted, 9 - Change Source (Auto Select), 10 - Change Source (Apply Update)) +- **InstallationErrorSource** The source of the error: 0 - None, 1 - Optical Drive, 2 - Network, 3 - Local, 4 - Destination, 5 - Licensing, 6 - Registration, 7 - Other +- **InstallationSessionId** The unique Identifier for the installation session of this install. Goes from ‘Start’ to ‘End’ and all chunks/points in between. +- **InstallationStageId** The stage of install ( 0 - Unknown, 1 - Package, 2 - Pls ) +- **InstallationStatus** HRESULT of the installation. Should be null except for the end or error events. +- **InstallationTypeId** The type of install ( 0 - Unknown, 1 - Network, 2 - Disc, 3 - Hybrid, 4 - Update, 5 - Move, 6 - Copy ). +- **OriginalStatus** The untransformed error code. The transformed, public value is stored in InstallationStatus. +- **PackageSize** The size in bytes of the package. +- **PackageSpecifiers** The map of Intelligent Delivery region specifiers present in the installing package. +- **PlanId** The ID of the streaming plan being used to install the content. +- **ProductId** The product ID of the application associated with this event. +- **RelatedCv** The related correlation vector. This optional value contains the correlation vector for this install if the Cv value is representing an actiuon tracked by a correlation vector. +- **RequestSpecifiers** The map of Intelligent Delivery region specifiers requested by the system/user/title as a part of the install activity. +- **SourceHardwareID** The hardware ID of the source device, if it is external storage. Empty if not an external storage device. +- **SourcePath** The source path we are installing from. May be a CDN (Content Delivery Network) or a local disk drive. +- **TotalPercentComplete** The percent of install that is complete. +- **XvddType** The type of the streaming operation as determined by the XVDD driver. + + +## Appraiser events + +### Microsoft.Windows.Appraiser.General.ChecksumTotalPictureCount + +This event lists the types of objects and how many of each exist on the client device. This allows for a quick way to ensure that the records present on the server match what is present on the client. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **DatasourceApplicationFile_19H1** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_21H1** The total number of objects of this type present on this device. +- **DatasourceApplicationFile_21H1Setup** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_RS2** The total number of objects of this type present on this device. +- **DatasourceApplicationFile_RS3** The total number of objects of this type present on this device. +- **DatasourceDevicePnp_19H1** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_19H1Setup** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_20H1Setup** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_21H1** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_21H1Setup** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_RS2** The total number of objects of this type present on this device. +- **DatasourceDevicePnp_RS3** The total number of objects of this type present on this device. +- **DatasourceDriverPackage_19H1** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_19H1Setup** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_20H1Setup** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_21H1** The total number of objects of this type present on this device. +- **DatasourceDriverPackage_21H1Setup** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_RS2** The total number of objects of this type present on this device. +- **DatasourceDriverPackage_RS3** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoBlock_19H1** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_21H1** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoBlock_21H1Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_RS2** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoBlock_RS3** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPassive_19H1** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_21H1** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPassive_21H1Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_RS2** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPassive_RS3** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPostUpgrade_19H1** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_21H1** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPostUpgrade_21H1Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_RS2** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPostUpgrade_RS3** The total number of objects of this type present on this device. +- **DatasourceSystemBios_19H1** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_19H1Setup** The total number of objects of this type present on this device. +- **DatasourceSystemBios_20H1Setup** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_21H1** The total number of objects of this type present on this device. +- **DatasourceSystemBios_21H1Setup** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_RS2** The total number of objects of this type present on this device. +- **DatasourceSystemBios_RS3** The total number of objects of this type present on this device. +- **DecisionApplicationFile_19H1** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_21H1** The total number of objects of this type present on this device. +- **DecisionApplicationFile_21H1Setup** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_RS2** The total number of objects of this type present on this device. +- **DecisionApplicationFile_RS3** The total number of objects of this type present on this device. +- **DecisionDevicePnp_19H1** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_19H1Setup** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_20H1Setup** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_21H1** The total number of objects of this type present on this device. +- **DecisionDevicePnp_21H1Setup** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_RS2** The total number of objects of this type present on this device. +- **DecisionDevicePnp_RS3** The total number of objects of this type present on this device. +- **DecisionDriverPackage_19H1** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_19H1Setup** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_20H1Setup** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_21H1** The total number of objects of this type present on this device. +- **DecisionDriverPackage_21H1Setup** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_RS2** The total number of objects of this type present on this device. +- **DecisionDriverPackage_RS3** The total number of objects of this type present on this device. +- **DecisionMatchingInfoBlock_19H1** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_21H1** The total number of objects of this type present on this device. +- **DecisionMatchingInfoBlock_21H1Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_RS2** The total number of objects of this type present on this device. +- **DecisionMatchingInfoBlock_RS3** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPassive_19H1** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_21H1** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPassive_21H1Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_RS2** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPassive_RS3** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPostUpgrade_19H1** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_21H1** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPostUpgrade_21H1Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_RS2** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPostUpgrade_RS3** The total number of objects of this type present on this device. +- **DecisionMediaCenter_19H1** The count of the number of this particular object type present on this device. +- **DecisionMediaCenter_21H1** The total number of objects of this type present on this device. +- **DecisionMediaCenter_21H1Setup** The count of the number of this particular object type present on this device. +- **DecisionMediaCenter_RS2** The total number of objects of this type present on this device. +- **DecisionMediaCenter_RS3** The total number of objects of this type present on this device. +- **DecisionSystemBios_19H1** The count of the number of this particular object type present on this device. +- **DecisionSystemBios_19H1Setup** The total DecisionSystemBios objects targeting the next release of Windows on this device. +- **DecisionSystemBios_20H1Setup** The total number of objects of this type present on this device. +- **DecisionSystemBios_21H1** The total number of objects of this type present on this device. +- **DecisionSystemBios_21H1Setup** The count of the number of this particular object type present on this device. +- **DecisionSystemBios_RS2** The total number of objects of this type present on this device. +- **DecisionSystemBios_RS3** The total number of objects of this type present on this device. +- **DecisionTest_19H1** The total number of objects of this type present on this device. +- **DecisionTest_21H1** The total number of objects of this type present on this device. +- **DecisionTest_21H1Setup** The total number of objects of this type present on this device. +- **DecisionTest_RS2** The total number of objects of this type present on this device. +- **DecisionTest_RS3** The total number of objects of this type present on this device. +- **InventoryApplicationFile** The count of the number of this particular object type present on this device. +- **InventoryLanguagePack** The count of the number of this particular object type present on this device. +- **InventoryMediaCenter** The count of the number of this particular object type present on this device. +- **InventorySystemBios** The count of the number of this particular object type present on this device. +- **InventoryTest** The count of the number of this particular object type present on this device. +- **InventoryUplevelDriverPackage** The count of the number of this particular object type present on this device. +- **PCFP** The count of the number of this particular object type present on this device. +- **SystemMemory** The count of the number of this particular object type present on this device. +- **SystemProcessorCompareExchange** The count of the number of this particular object type present on this device. +- **SystemProcessorLahfSahf** The count of the number of this particular object type present on this device. +- **SystemProcessorNx** The total number of objects of this type present on this device. +- **SystemProcessorPrefetchW** The total number of objects of this type present on this device. +- **SystemProcessorSse2** The total number of objects of this type present on this device. +- **SystemTouch** The count of the number of this particular object type present on this device. +- **SystemWim** The total number of objects of this type present on this device. +- **SystemWindowsActivationStatus** The count of the number of this particular object type present on this device. +- **SystemWlan** The total number of objects of this type present on this device. +- **Wmdrm_19H1** The count of the number of this particular object type present on this device. +- **Wmdrm_21H1** The total number of objects of this type present on this device. +- **Wmdrm_21H1Setup** The count of the number of this particular object type present on this device. +- **Wmdrm_RS2** The total number of objects of this type present on this device. +- **Wmdrm_RS3** The total number of objects of this type present on this device. + + +### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileAdd + +This event represents the basic metadata about specific application files installed on the system. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file that is generating the events. +- **AvDisplayName** If the app is an anti-virus app, this is its display name. +- **CompatModelIndex** The compatibility prediction for this file. +- **HasCitData** Indicates whether the file is present in CIT data. +- **HasUpgradeExe** Indicates whether the anti-virus app has an upgrade.exe file. +- **IsAv** Is the file an anti-virus reporting EXE? +- **ResolveAttempted** This will always be an empty string when sending diagnostic data. +- **SdbEntries** An array of fields that indicates the SDB entries that apply to this file. + + +### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileRemove + +This event indicates that the DatasourceApplicationFile object is no longer present. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileStartSync + +This event indicates that a new set of DatasourceApplicationFileAdd events will be sent. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpAdd + +This event sends compatibility data for a Plug and Play device, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **ActiveNetworkConnection** Indicates whether the device is an active network device. +- **AppraiserVersion** The version of the appraiser file generating the events. +- **IsBootCritical** Indicates whether the device boot is critical. +- **SdbEntries** Deprecated in RS3. +- **WuDriverCoverage** Indicates whether there is a driver uplevel for this device, according to Windows Update. +- **WuDriverUpdateId** The Windows Update ID of the applicable uplevel driver. +- **WuPopulatedFromId** The expected uplevel driver matching ID based on driver coverage from Windows Update. + + +### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpRemove + +This event indicates that the DatasourceDevicePnp object is no longer present. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpStartSync + +This event indicates that a new set of DatasourceDevicePnpAdd events will be sent. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageAdd + +This event sends compatibility database data about driver packages to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. +- **SdbEntries** Deprecated in RS3. + + +### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageRemove + +This event indicates that the DatasourceDriverPackage object is no longer present. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageStartSync + +This event indicates that a new set of DatasourceDriverPackageAdd events will be sent. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockAdd + +This event sends blocking data about any compatibility blocking entries on the system that are not directly related to specific applications or devices, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. +- **ResolveAttempted** This will always be an empty string when sending diagnostic data. +- **SdbEntries** Deprecated in RS3. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockRemove + +This event indicates that the DataSourceMatchingInfoBlock object is no longer present. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockStartSync + +This event indicates that a full set of DataSourceMatchingInfoBlockStAdd events has completed being sent. This event is used to make compatibility decisions about files to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveAdd + +This event sends compatibility database information about non-blocking compatibility entries on the system that are not keyed by either applications or devices, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. +- **SdbEntries** Deprecated in RS3. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveRemove + +This event indicates that the DataSourceMatchingInfoPassive object is no longer present. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveStartSync + +This event indicates that a new set of DataSourceMatchingInfoPassiveAdd events will be sent. This event is used to make compatibility decisions about files to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeAdd + +This event sends compatibility database information about entries requiring reinstallation after an upgrade on the system that are not keyed by either applications or devices, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. +- **SdbEntries** Deprecated in RS3. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeRemove + +This event indicates that the DataSourceMatchingInfoPostUpgrade object is no longer present. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeStartSync + +This event indicates that a new set of DataSourceMatchingInfoPostUpgradeAdd events will be sent. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosAdd + +This event sends compatibility database information about the BIOS to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **SdbEntries** Deprecated in RS3. + + +### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosRemove + +This event indicates that the DatasourceSystemBios object is no longer present. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosStartSync + +This event indicates that a new set of DatasourceSystemBiosAdd events will be sent. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionApplicationFileAdd + +This event sends compatibility decision data about a file to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file that is generating the events. +- **BlockAlreadyInbox** The uplevel runtime block on the file already existed on the current OS. +- **BlockingApplication** Indicates whether there are any application issues that interfere with the upgrade due to the file in question. +- **DisplayGenericMessage** Will be a generic message be shown for this file? +- **DisplayGenericMessageGated** Indicates whether a generic message be shown for this file. +- **HardBlock** This file is blocked in the SDB. +- **HasUxBlockOverride** Does the file have a block that is overridden by a tag in the SDB? +- **MigApplication** Does the file have a MigXML from the SDB associated with it that applies to the current upgrade mode? +- **MigRemoval** Does the file have a MigXML from the SDB that will cause the app to be removed on upgrade? +- **NeedsDismissAction** Will the file cause an action that can be dismissed? +- **NeedsInstallPostUpgradeData** After upgrade, the file will have a post-upgrade notification to install a replacement for the app. +- **NeedsNotifyPostUpgradeData** Does the file have a notification that should be shown after upgrade? +- **NeedsReinstallPostUpgradeData** After upgrade, this file will have a post-upgrade notification to reinstall the app. +- **NeedsUninstallAction** The file must be uninstalled to complete the upgrade. +- **SdbBlockUpgrade** The file is tagged as blocking upgrade in the SDB, +- **SdbBlockUpgradeCanReinstall** The file is tagged as blocking upgrade in the SDB. It can be reinstalled after upgrade. +- **SdbBlockUpgradeUntilUpdate** The file is tagged as blocking upgrade in the SDB. If the app is updated, the upgrade can proceed. +- **SdbReinstallUpgrade** The file is tagged as needing to be reinstalled after upgrade in the SDB. It does not block upgrade. +- **SdbReinstallUpgradeWarn** The file is tagged as needing to be reinstalled after upgrade with a warning in the SDB. It does not block upgrade. +- **SoftBlock** The file is softblocked in the SDB and has a warning. + + +### Microsoft.Windows.Appraiser.General.DecisionApplicationFileRemove + +This event indicates that the DecisionApplicationFile object is no longer present. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionApplicationFileStartSync + +This event indicates that a new set of DecisionApplicationFileAdd events will be sent. This event is used to make compatibility decisions about a file to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionDevicePnpAdd + +This event sends compatibility decision data about a Plug and Play (PNP) device to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. +- **AssociatedDriverIsBlocked** Is the driver associated with this PNP device blocked? +- **AssociatedDriverWillNotMigrate** Will the driver associated with this plug-and-play device migrate? +- **BlockAssociatedDriver** Should the driver associated with this PNP device be blocked? +- **BlockingDevice** Is this PNP device blocking upgrade? +- **BlockUpgradeIfDriverBlocked** Is the PNP device both boot critical and does not have a driver included with the OS? +- **BlockUpgradeIfDriverBlockedAndOnlyActiveNetwork** Is this PNP device the only active network device? +- **DisplayGenericMessage** Will a generic message be shown during Setup for this PNP device? +- **DisplayGenericMessageGated** Indicates whether a generic message will be shown during Setup for this PNP device. +- **DriverAvailableInbox** Is a driver included with the operating system for this PNP device? +- **DriverAvailableOnline** Is there a driver for this PNP device on Windows Update? +- **DriverAvailableUplevel** Is there a driver on Windows Update or included with the operating system for this PNP device? +- **DriverBlockOverridden** Is there is a driver block on the device that has been overridden? +- **NeedsDismissAction** Will the user would need to dismiss a warning during Setup for this device? +- **NotRegressed** Does the device have a problem code on the source OS that is no better than the one it would have on the target OS? +- **SdbDeviceBlockUpgrade** Is there an SDB block on the PNP device that blocks upgrade? +- **SdbDriverBlockOverridden** Is there an SDB block on the PNP device that blocks upgrade, but that block was overridden? + + +### Microsoft.Windows.Appraiser.General.DecisionDevicePnpRemove + +This event Indicates that the DecisionDevicePnp object represented by the objectInstanceId is no longer present. This event is used to make compatibility decisions about PNP devices to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionDevicePnpStartSync + +The DecisionDevicePnpStartSync event indicates that a new set of DecisionDevicePnpAdd events will be sent and helps to keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionDriverPackageAdd + +This event sends decision data about driver package compatibility to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. +- **DisplayGenericMessageGated** Indicates whether a generic offer block message will be shown for this driver package. +- **DriverBlockOverridden** Does the driver package have an SDB block that blocks it from migrating, but that block has been overridden? +- **DriverIsDeviceBlocked** Was the driver package was blocked because of a device block? +- **DriverIsDriverBlocked** Is the driver package blocked because of a driver block? +- **DriverShouldNotMigrate** Should the driver package be migrated during upgrade? +- **SdbDriverBlockOverridden** Does the driver package have an SDB block that blocks it from migrating, but that block has been overridden? + + +### Microsoft.Windows.Appraiser.General.DecisionDriverPackageRemove + +This event indicates that the DecisionDriverPackage object represented by the objectInstanceId is no longer present. This event is used to make compatibility decisions about driver packages to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionDriverPackageStartSync + +The DecisionDriverPackageStartSync event indicates that a new set of DecisionDriverPackageAdd events will be sent. This event is used to make compatibility decisions about driver packages to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockAdd + +This event sends compatibility decision data about blocking entries on the system that are not keyed by either applications or devices, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. +- **BlockingApplication** Are there are any application issues that interfere with upgrade due to matching info blocks? +- **DisplayGenericMessage** Will a generic message be shown for this block? +- **NeedsDismissAction** Will the file cause an action that can be dismissed? +- **NeedsUninstallAction** Does the user need to take an action in setup due to a matching info block? +- **SdbBlockUpgrade** Is a matching info block blocking upgrade? +- **SdbBlockUpgradeCanReinstall** Is a matching info block blocking upgrade, but has the can reinstall tag? +- **SdbBlockUpgradeUntilUpdate** Is a matching info block blocking upgrade but has the until update tag? +- **SdbReinstallUpgradeWarn** The file is tagged as needing to be reinstalled after upgrade with a warning in the SDB. It does not block upgrade. + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockRemove + +This event indicates that the DecisionMatchingInfoBlock object is no longer present. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockStartSync + +This event indicates that a new set of DecisionMatchingInfoBlockAdd events will be sent. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveAdd + +This event sends compatibility decision data about non-blocking entries on the system that are not keyed by either applications or devices, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **BlockingApplication** Are there any application issues that interfere with upgrade due to matching info blocks? +- **DisplayGenericMessageGated** Indicates whether a generic offer block message will be shown due to matching info blocks. +- **MigApplication** Is there a matching info block with a mig for the current mode of upgrade? + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveRemove + +This event Indicates that the DecisionMatchingInfoPassive object is no longer present. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveStartSync + +This event indicates that a new set of DecisionMatchingInfoPassiveAdd events will be sent. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeAdd + +This event sends compatibility decision data about entries that require reinstall after upgrade. It's used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **NeedsInstallPostUpgradeData** Will the file have a notification after upgrade to install a replacement for the app? +- **NeedsNotifyPostUpgradeData** Should a notification be shown for this file after upgrade? +- **NeedsReinstallPostUpgradeData** Will the file have a notification after upgrade to reinstall the app? +- **SdbReinstallUpgrade** The file is tagged as needing to be reinstalled after upgrade in the compatibility database (but is not blocking upgrade). + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeRemove + +This event indicates that the DecisionMatchingInfoPostUpgrade object is no longer present. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeStartSync + +This event indicates that a new set of DecisionMatchingInfoPostUpgradeAdd events will be sent. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionMediaCenterAdd + +This event sends decision data about the presence of Windows Media Center, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **BlockingApplication** Is there any application issues that interfere with upgrade due to Windows Media Center? +- **MediaCenterActivelyUsed** If Windows Media Center is supported on the edition, has it been run at least once and are the MediaCenterIndicators are true? +- **MediaCenterIndicators** Do any indicators imply that Windows Media Center is in active use? +- **MediaCenterInUse** Is Windows Media Center actively being used? +- **MediaCenterPaidOrActivelyUsed** Is Windows Media Center actively being used or is it running on a supported edition? +- **NeedsDismissAction** Are there any actions that can be dismissed coming from Windows Media Center? + + +### Microsoft.Windows.Appraiser.General.DecisionMediaCenterRemove + +This event indicates that the DecisionMediaCenter object is no longer present. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionMediaCenterStartSync + +This event indicates that a new set of DecisionMediaCenterAdd events will be sent. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionSModeStateAdd + +This event sends true/false compatibility decision data about the S mode state. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **Blocking** Appraiser decision about eligibility to upgrade. +- **HostOsSku** The SKU of the Host OS. +- **LockdownMode** S mode lockdown mode. + + +### Microsoft.Windows.Appraiser.General.DecisionSModeStateRemove + +This event indicates that the DecisionTpmVersion object represented by the objectInstanceId is no longer present. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionSModeStateStartSync + +The DecisionSModeStateStartSync event indicates that a new set of DecisionSModeStateAdd events will be sent. This event is used to make compatibility decisions about the S mode state. Microsoft uses this information to understand and address problems regarding the S mode state for computers receiving updates. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionSystemBiosAdd + +This event sends compatibility decision data about the BIOS to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **Blocking** Is the device blocked from upgrade due to a BIOS block? +- **DisplayGenericMessageGated** Indicates whether a generic offer block message will be shown for the bios. +- **HasBiosBlock** Does the device have a BIOS block? + + +### Microsoft.Windows.Appraiser.General.DecisionSystemBiosRemove + +This event indicates that the DecisionSystemBios object is no longer present. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionSystemBiosStartSync + +This event indicates that a new set of DecisionSystemBiosAdd events will be sent. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionSystemDiskSizeAdd + +This event indicates that this object type was added. This data refers to the Disk size in the device. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. +- **Blocking** Appraiser decision during evaluation of hardware requirements during OS upgrade. +- **TotalSize** Total disk size in Mb. + + +### Microsoft.Windows.Appraiser.General.DecisionSystemDiskSizeRemove + +This event indicates that the DecisionSystemDiskSize object represented by the objectInstanceId is no longer present. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionSystemDiskSizeStartSync + +Start sync event for physical disk size data. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionSystemMemoryAdd + +This event sends compatibility decision data about the system memory to help keep Windows up to date. Microsoft uses this information to understand and address problems regarding system memory for computers receiving updates. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. +- **Blocking** Blocking information. +- **ramKB** Memory information in KB. + + +### Microsoft.Windows.Appraiser.General.DecisionSystemMemoryRemove + +This event indicates that the DecisionSystemMemory object represented by the objectInstanceId is no longer present. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionSystemMemoryStartSync + +The DecisionSystemMemoryStartSync event indicates that a new set of DecisionSystemMemoryAdd events will be sent. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionSystemProcessorCpuCoresAdd + +This data attribute refers to the number of Cores a CPU supports. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. +- **Blocking** The Appraisal decision about eligibility to upgrade. +- **CpuCores** Number of CPU Cores. + + +### Microsoft.Windows.Appraiser.General.DecisionSystemProcessorCpuCoresRemove + +This event indicates that the DecisionSystemProcessorCpuCores object represented by the objectInstanceId is no longer present. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionSystemProcessorCpuCoresStartSync + +This event signals the start of telemetry collection for CPU cores in Appraiser. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionSystemProcessorCpuModelAdd + +This event sends true/false compatibility decision data about the CPU. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. +- **Armv81Support** Arm v8.1 Atomics support. +- **Blocking** Appraiser decision about eligibility to upgrade. +- **CpuFamily** Cpu family. +- **CpuModel** Cpu model. +- **CpuStepping** Cpu stepping. +- **CpuVendor** Cpu vendor. + + +### Microsoft.Windows.Appraiser.General.DecisionSystemProcessorCpuModelRemove + +This event indicates that the DecisionSystemProcessorCpuModel object represented by the objectInstanceId is no longer present. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionSystemProcessorCpuModelStartSync + +The DecisionSystemProcessorCpuModelStartSync event indicates that a new set of DecisionSystemProcessorCpuModelAdd events will be sent. This event is used to make compatibility decisions about the CPU. Microsoft uses this information to understand and address problems regarding the CPU for computers receiving updates. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionSystemProcessorCpuSpeedAdd + +This event sends compatibility decision data about the CPU, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. +- **Blocking** Appraiser OS eligibility decision. +- **Mhz** CPU speed in MHz. + + +### Microsoft.Windows.Appraiser.General.DecisionSystemProcessorCpuSpeedRemove + +This event indicates that the DecisionSystemProcessorCpuSpeed object represented by the objectInstanceId is no longer present. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionSystemProcessorCpuSpeedStartSync + +This event collects data for CPU speed in MHz. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionTestAdd + +This event provides diagnostic data for testing decision add events. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser binary generating the events. +- **TestDecisionDataPoint1** Test data point 1. +- **TestDecisionDataPoint2** Test data point 2. + + +### Microsoft.Windows.Appraiser.General.DecisionTestRemove + +This event provides data that allows testing of “Remove” decisions to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser binary (executable) generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionTestStartSync + +This event provides data that allows testing of “Start Sync” decisions to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser binary (executable) generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionTpmVersionAdd + +This event collects data about the Trusted Platform Module (TPM) in the device. TPM technology is designed to provide hardware-based, security-related functions. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. +- **Blocking** Appraiser upgradeability decision based on the device's TPM support. +- **TpmVersionInfo** The version of Trusted Platform Module (TPM) technology in the device. + + +### Microsoft.Windows.Appraiser.General.DecisionTpmVersionRemove + +This event indicates that the DecisionTpmVersion object represented by the objectInstanceId is no longer present. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionTpmVersionStartSync + +The DecisionTpmVersionStartSync event indicates that a new set of DecisionTpmVersionAdd events will be sent. This event is used to make compatibility decisions about the TPM. Microsoft uses this information to understand and address problems regarding the TPM for computers receiving updates. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionUefiSecureBootAdd + +This event collects information about data on support and state of UEFI Secure boot. UEFI is a verification mechanism for ensuring that code launched by firmware is trusted. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. +- **Blocking** Appraiser upgradeability decision when checking for UEFI support. +- **SecureBootCapable** Is UEFI supported? +- **SecureBootEnabled** Is UEFI enabled? + + +### Microsoft.Windows.Appraiser.General.DecisionUefiSecureBootRemove + +This event indicates that the DecisionUefiSecureBoot object represented by the objectInstanceId is no longer present. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionUefiSecureBootStartSync + +Start sync event data for UEFI Secure boot. UEFI is a verification mechanism for ensuring that code launched by firmware is trusted. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. + + +### Microsoft.Windows.Appraiser.General.GatedRegChange + +This event sends data about the results of running a set of quick-blocking instructions, to help keep Windows up to date. + +The following fields are available: + +- **NewData** The data in the registry value after the scan completed. +- **OldData** The previous data in the registry value before the scan ran. +- **PCFP** An ID for the system calculated by hashing hardware identifiers. +- **RegKey** The registry key name for which a result is being sent. +- **RegValue** The registry value for which a result is being sent. +- **Time** The client time of the event. + + +### Microsoft.Windows.Appraiser.General.InventoryApplicationFileAdd + +This event represents the basic metadata about a file on the system. The file must be part of an app and either have a block in the compatibility database or be part of an antivirus program. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **AvDisplayName** If the app is an antivirus app, this is its display name. +- **AvProductState** Indicates whether the antivirus program is turned on and the signatures are up to date. +- **BinaryType** A binary type. Example: UNINITIALIZED, ZERO_BYTE, DATA_ONLY, DOS_MODULE, NE16_MODULE, PE32_UNKNOWN, PE32_I386, PE32_ARM, PE64_UNKNOWN, PE64_AMD64, PE64_ARM64, PE64_IA64, PE32_CLR_32, PE32_CLR_IL, PE32_CLR_IL_PREFER32, PE64_CLR_64. +- **BinFileVersion** An attempt to clean up FileVersion at the client that tries to place the version into 4 octets. +- **BinProductVersion** An attempt to clean up ProductVersion at the client that tries to place the version into 4 octets. +- **BoeProgramId** If there is no entry in Add/Remove Programs, this is the ProgramID that is generated from the file metadata. +- **CompanyName** The company name of the vendor who developed this file. +- **FileId** A hash that uniquely identifies a file. +- **FileVersion** The File version field from the file metadata under Properties -> Details. +- **HasUpgradeExe** Indicates whether the antivirus app has an upgrade.exe file. +- **IsAv** Indicates whether the file an antivirus reporting EXE. +- **LinkDate** The date and time that this file was linked on. +- **LowerCaseLongPath** The full file path to the file that was inventoried on the device. +- **Name** The name of the file that was inventoried. +- **ProductName** The Product name field from the file metadata under Properties -> Details. +- **ProductVersion** The Product version field from the file metadata under Properties -> Details. +- **ProgramId** A hash of the Name, Version, Publisher, and Language of an application used to identify it. +- **Size** The size of the file (in hexadecimal bytes). + + +### Microsoft.Windows.Appraiser.General.InventoryApplicationFileRemove + +This event indicates that the InventoryApplicationFile object is no longer present. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventoryApplicationFileStartSync + +This event indicates that a new set of InventoryApplicationFileAdd events will be sent. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventoryLanguagePackAdd + +This event sends data about the number of language packs installed on the system, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **HasLanguagePack** Indicates whether this device has 2 or more language packs. +- **LanguagePackCount** The number of language packs are installed. + + +### Microsoft.Windows.Appraiser.General.InventoryLanguagePackRemove + +This event indicates that the InventoryLanguagePack object is no longer present. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventoryLanguagePackStartSync + +This event indicates that a new set of InventoryLanguagePackAdd events will be sent. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventoryMediaCenterAdd + +This event sends true/false data about decision points used to understand whether Windows Media Center is used on the system, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **EverLaunched** Has Windows Media Center ever been launched? +- **HasConfiguredTv** Has the user configured a TV tuner through Windows Media Center? +- **HasExtendedUserAccounts** Are any Windows Media Center Extender user accounts configured? +- **HasWatchedFolders** Are any folders configured for Windows Media Center to watch? +- **IsDefaultLauncher** Is Windows Media Center the default app for opening music or video files? +- **IsPaid** Is the user running a Windows Media Center edition that implies they paid for Windows Media Center? +- **IsSupported** Does the running OS support Windows Media Center? + + +### Microsoft.Windows.Appraiser.General.InventoryMediaCenterRemove + +This event indicates that the InventoryMediaCenter object is no longer present. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventoryMediaCenterStartSync + +This event indicates that a new set of InventoryMediaCenterAdd events will be sent. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventorySystemBiosAdd + +This event sends basic metadata about the BIOS to determine whether it has a compatibility block. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **biosDate** The release date of the BIOS in UTC format. +- **BiosDate** The release date of the BIOS in UTC format. +- **biosName** The name field from Win32_BIOS. +- **BiosName** The name field from Win32_BIOS. +- **manufacturer** The manufacturer field from Win32_ComputerSystem. +- **Manufacturer** The manufacturer field from Win32_ComputerSystem. +- **model** The model field from Win32_ComputerSystem. +- **Model** The model field from Win32_ComputerSystem. + + +### Microsoft.Windows.Appraiser.General.InventorySystemBiosRemove + +This event indicates that the InventorySystemBios object is no longer present. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventorySystemBiosStartSync + +This event indicates that a new set of InventorySystemBiosAdd events will be sent. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser binary (executable) generating the events. + + +### Microsoft.Windows.Appraiser.General.InventoryTestAdd + +This event provides diagnostic data for testing event adds to help keep windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the component sending the data. +- **TestInvDataPoint1** Test inventory data point 1. +- **TestInvDataPoint2** Test inventory data point 2. + + +### Microsoft.Windows.Appraiser.General.InventoryTestRemove + +This event provides data that allows testing of “Remove” decisions to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser binary (executable) generating the events. + + +### Microsoft.Windows.Appraiser.General.InventoryTestStartSync + +This event provides data that allows testing of “Start Sync” decisions to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser binary (executable) generating the events. + + +### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageAdd + +This event runs only during setup. It provides a listing of the uplevel driver packages that were downloaded before the upgrade. It is critical in understanding if failures in setup can be traced to not having sufficient uplevel drivers before the upgrade. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **BootCritical** Is the driver package marked as boot critical? +- **Build** The build value from the driver package. +- **CatalogFile** The name of the catalog file within the driver package. +- **Class** The device class from the driver package. +- **ClassGuid** The device class unique ID from the driver package. +- **Date** The date from the driver package. +- **Inbox** Is the driver package of a driver that is included with Windows? +- **OriginalName** The original name of the INF file before it was renamed. Generally a path under $WINDOWS.~BT\Drivers\DU. +- **Provider** The provider of the driver package. +- **PublishedName** The name of the INF file after it was renamed. +- **Revision** The revision of the driver package. +- **SignatureStatus** Indicates if the driver package is signed. Unknown = 0, Unsigned = 1, Signed = 2. +- **VersionMajor** The major version of the driver package. +- **VersionMinor** The minor version of the driver package. + + +### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageRemove + +This event indicates that the InventoryUplevelDriverPackage object is no longer present. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageStartSync + +This event indicates that a new set of InventoryUplevelDriverPackageAdd events will be sent. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.RunContext + +This event is sent at the beginning of an appraiser run, the RunContext indicates what should be expected in the following data payload. This event is used with the other Appraiser events to make compatibility decisions to keep Windows up to date. + +The following fields are available: + +- **AppraiserBranch** The source branch in which the currently running version of Appraiser was built. +- **AppraiserProcess** The name of the process that launched Appraiser. +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **Context** Indicates what mode Appraiser is running in. Example: Setup or Telemetry. +- **PCFP** An ID for the system calculated by hashing hardware identifiers. +- **Subcontext** Indicates what categories of incompatibilities appraiser is scanning for. Can be N/A, Resolve, or a semicolon-delimited list that can include App, Dev, Sys, Gat, or Rescan. +- **Time** The client time of the event. + + +### Microsoft.Windows.Appraiser.General.SystemMemoryAdd + +This event sends data on the amount of memory on the system and whether it meets requirements, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **Blocking** Is the device from upgrade due to memory restrictions? +- **MemoryRequirementViolated** Was a memory requirement violated? +- **pageFile** The current committed memory limit for the system or the current process, whichever is smaller (in bytes). +- **ram** The amount of memory on the device. +- **ramKB** The amount of memory (in KB). +- **virtual** The size of the user-mode portion of the virtual address space of the calling process (in bytes). +- **virtualKB** The amount of virtual memory (in KB). + + +### Microsoft.Windows.Appraiser.General.SystemMemoryRemove + +This event that the SystemMemory object is no longer present. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemMemoryStartSync + +This event indicates that a new set of SystemMemoryAdd events will be sent. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeAdd + +This event sends data indicating whether the system supports the CompareExchange128 CPU requirement, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **Blocking** Is the upgrade blocked due to the processor? +- **CompareExchange128Support** Does the CPU support CompareExchange128? + + +### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeRemove + +This event indicates that the SystemProcessorCompareExchange object is no longer present. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeStartSync + +This event indicates that a new set of SystemProcessorCompareExchangeAdd events will be sent. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfAdd + +This event sends data indicating whether the system supports the LAHF & SAHF CPU requirement, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **Blocking** Is the upgrade blocked due to the processor? +- **LahfSahfSupport** Does the CPU support LAHF/SAHF? + + +### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfRemove + +This event indicates that the SystemProcessorLahfSahf object is no longer present. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfStartSync + +This event indicates that a new set of SystemProcessorLahfSahfAdd events will be sent. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorNxAdd + +This event sends data indicating whether the system supports the NX CPU requirement, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **Blocking** Is the upgrade blocked due to the processor? +- **NXDriverResult** The result of the driver used to do a non-deterministic check for NX support. +- **NXProcessorSupport** Does the processor support NX? + + +### Microsoft.Windows.Appraiser.General.SystemProcessorNxRemove + +This event indicates that the SystemProcessorNx object is no longer present. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorNxStartSync + +This event indicates that a new set of SystemProcessorNxAdd events will be sent. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWAdd + +This event sends data indicating whether the system supports the PrefetchW CPU requirement, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **Blocking** Is the upgrade blocked due to the processor? +- **PrefetchWSupport** Does the processor support PrefetchW? + + +### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWRemove + +This event indicates that the SystemProcessorPrefetchW object is no longer present. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWStartSync + +This event indicates that a new set of SystemProcessorPrefetchWAdd events will be sent. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorSse2Add + +This event sends data indicating whether the system supports the SSE2 CPU requirement, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **Blocking** Is the upgrade blocked due to the processor? +- **SSE2ProcessorSupport** Does the processor support SSE2? + + +### Microsoft.Windows.Appraiser.General.SystemProcessorSse2Remove + +This event indicates that the SystemProcessorSse2 object is no longer present. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorSse2StartSync + +This event indicates that a new set of SystemProcessorSse2Add events will be sent. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemTouchAdd + +This event sends data indicating whether the system supports touch, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **IntegratedTouchDigitizerPresent** Is there an integrated touch digitizer? +- **MaximumTouches** The maximum number of touch points supported by the device hardware. + + +### Microsoft.Windows.Appraiser.General.SystemTouchRemove + +This event indicates that the SystemTouch object is no longer present. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemTouchStartSync + +This event indicates that a new set of SystemTouchAdd events will be sent. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemWimAdd + +This event sends data indicating whether the operating system is running from a compressed Windows Imaging Format (WIM) file, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **IsWimBoot** Is the current operating system running from a compressed WIM file? +- **RegistryWimBootValue** The raw value from the registry that is used to indicate if the device is running from a WIM. + + +### Microsoft.Windows.Appraiser.General.SystemWimRemove + +This event indicates that the SystemWim object is no longer present. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemWimStartSync + +This event indicates that a new set of SystemWimAdd events will be sent. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusAdd + +This event sends data indicating whether the current operating system is activated, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **WindowsIsLicensedApiValue** The result from the API that's used to indicate if operating system is activated. +- **WindowsNotActivatedDecision** Is the current operating system activated? + + +### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusRemove + +This event indicates that the SystemWindowsActivationStatus object is no longer present. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusStartSync + +This event indicates that a new set of SystemWindowsActivationStatusAdd events will be sent. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemWlanAdd + +This event sends data indicating whether the system has WLAN, and if so, whether it uses an emulated driver that could block an upgrade, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **Blocking** Is the upgrade blocked because of an emulated WLAN driver? +- **HasWlanBlock** Does the emulated WLAN driver have an upgrade block? +- **WlanEmulatedDriver** Does the device have an emulated WLAN driver? +- **WlanExists** Does the device support WLAN at all? +- **WlanModulePresent** Are any WLAN modules present? +- **WlanNativeDriver** Does the device have a non-emulated WLAN driver? + + +### Microsoft.Windows.Appraiser.General.SystemWlanRemove + +This event indicates that the SystemWlan object is no longer present. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemWlanStartSync + +This event indicates that a new set of SystemWlanAdd events will be sent. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.TelemetryRunHealth + +This event indicates the parameters and result of a diagnostic data run. This allows the rest of the data sent over the course of the run to be properly contextualized and understood, which is then used to keep Windows up to date. + +The following fields are available: + +- **AppraiserBranch** The source branch in which the version of Appraiser that is running was built. +- **AppraiserDataVersion** The version of the data files being used by the Appraiser diagnostic data run. +- **AppraiserProcess** The name of the process that launched Appraiser. +- **AppraiserVersion** The file version (major, minor and build) of the Appraiser DLL, concatenated without dots. +- **AuxFinal** Obsolete, always set to false. +- **AuxInitial** Obsolete, indicates if Appraiser is writing data files to be read by the Get Windows 10 app. +- **CountCustomSdbs** The number of custom Sdbs used by Appraiser. +- **CustomSdbGuids** Guids of the custom Sdbs used by Appraiser; Semicolon delimited list. +- **DeadlineDate** A timestamp representing the deadline date, which is the time until which appraiser will wait to do a full scan. +- **EnterpriseRun** Indicates whether the diagnostic data run is an enterprise run, which means appraiser was run from the command line with an extra enterprise parameter. +- **FullSync** Indicates if Appraiser is performing a full sync, which means that full set of events representing the state of the machine are sent. Otherwise, only the changes from the previous run are sent. +- **InboxDataVersion** The original version of the data files before retrieving any newer version. +- **IndicatorsWritten** Indicates if all relevant UEX indicators were successfully written or updated. +- **InventoryFullSync** Indicates if inventory is performing a full sync, which means that the full set of events representing the inventory of machine are sent. +- **PCFP** An ID for the system calculated by hashing hardware identifiers. +- **PerfBackoff** Indicates if the run was invoked with logic to stop running when a user is present. Helps to understand why a run may have a longer elapsed time than normal. +- **PerfBackoffInsurance** Indicates if appraiser is running without performance backoff because it has run with perf backoff and failed to complete several times in a row. +- **RunAppraiser** Indicates if Appraiser was set to run at all. If this if false, it is understood that data events will not be received from this device. +- **RunDate** The date that the diagnostic data run was stated, expressed as a filetime. +- **RunGeneralTel** Indicates if the generaltel.dll component was run. Generaltel collects additional diagnostic data on an infrequent schedule and only from machines at diagnostic data levels higher than Basic. +- **RunOnline** Indicates if appraiser was able to connect to Windows Update and theefore is making decisions using up-to-date driver coverage information. +- **RunResult** The hresult of the Appraiser diagnostic data run. +- **ScheduledUploadDay** The day scheduled for the upload. +- **SendingUtc** Indicates whether the Appraiser client is sending events during the current diagnostic data run. +- **StoreHandleIsNotNull** Obsolete, always set to false +- **TelementrySent** Indicates whether diagnostic data was successfully sent. +- **ThrottlingUtc** Indicates whether the Appraiser client is throttling its output of CUET events to avoid being disabled. This increases runtime but also diagnostic data reliability. +- **Time** The client time of the event. +- **VerboseMode** Indicates if appraiser ran in Verbose mode, which is a test-only mode with extra logging. +- **WhyFullSyncWithoutTablePrefix** Indicates the reason or reasons that a full sync was generated. + + +### Microsoft.Windows.Appraiser.General.WmdrmAdd + +This event sends data about the usage of older digital rights management on the system, to help keep Windows up to date. This data does not indicate the details of the media using the digital rights management, only whether any such files exist. Collecting this data was critical to ensuring the correct mitigation for customers, and should be able to be removed once all mitigations are in place. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **BlockingApplication** Same as NeedsDismissAction. +- **NeedsDismissAction** Indicates if a dismissible message is needed to warn the user about a potential loss of data due to DRM deprecation. +- **WmdrmApiResult** Raw value of the API used to gather DRM state. +- **WmdrmCdRipped** Indicates if the system has any files encrypted with personal DRM, which was used for ripped CDs. +- **WmdrmIndicators** WmdrmCdRipped OR WmdrmPurchased. +- **WmdrmInUse** WmdrmIndicators AND dismissible block in setup was not dismissed. +- **WmdrmNonPermanent** Indicates if the system has any files with non-permanent licenses. +- **WmdrmPurchased** Indicates if the system has any files with permanent licenses. + + +### Microsoft.Windows.Appraiser.General.WmdrmRemove + +This event indicates that the Wmdrm object is no longer present. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.WmdrmStartSync + +The WmdrmStartSync event indicates that a new set of WmdrmAdd events will be sent. This event is used to understand the usage of older digital rights management on the system, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +## Census events + +### Census.App + +This event sends version data about the Apps running on this device, to help keep Windows up to date. + +The following fields are available: + +- **AppraiserTaskEnabled** Whether the Appraiser task is enabled. +- **CensusVersion** The version of Census that generated the current data for this device. + + +### Census.Azure + +This event returns data from Microsoft-internal Azure server machines (only from Microsoft-internal machines with Server SKUs). All other machines (those outside Microsoft and/or machines that are not part of the “Azure fleet”) return empty data sets. The data collected with this event is used to help keep Windows secure. + +The following fields are available: + +- **CloudCoreBuildEx** The Azure CloudCore build number. +- **CloudCoreSupportBuildEx** The Azure CloudCore support build number. +- **NodeID** The node identifier on the device that indicates whether the device is part of the Azure fleet. + + +### Census.Battery + +This event sends type and capacity data about the battery on the device, as well as the number of connected standby devices in use. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **InternalBatteryCapablities** Represents information about what the battery is capable of doing. +- **InternalBatteryCapacityCurrent** Represents the battery's current fully charged capacity in mWh (or relative). Compare this value to DesignedCapacity  to estimate the battery's wear. +- **InternalBatteryCapacityDesign** Represents the theoretical capacity of the battery when new, in mWh. +- **InternalBatteryNumberOfCharges** Provides the number of battery charges. This is used when creating new products and validating that existing products meets targeted functionality performance. +- **IsAlwaysOnAlwaysConnectedCapable** Represents whether the battery enables the device to be AlwaysOnAlwaysConnected . Boolean value. + + +### Census.Enterprise + +This event sends data about Azure presence, type, and cloud domain use in order to provide an understanding of the use and integration of devices in an enterprise, cloud, and server environment. The data collected with this event is used to help keep Windows secure. + +The following fields are available: + +- **AADDeviceId** Azure Active Directory device ID. +- **AzureOSIDPresent** Represents the field used to identify an Azure machine. +- **AzureVMType** Represents whether the instance is Azure VM PAAS, Azure VM IAAS or any other VMs. +- **CDJType** Represents the type of cloud domain joined for the machine. +- **CommercialId** Represents the GUID for the commercial entity which the device is a member of.  Will be used to reflect insights back to customers. +- **ContainerType** The type of container, such as process or virtual machine hosted. +- **EnrollmentType** Defines the type of MDM enrollment on the device. +- **HashedDomain** The hashed representation of the user domain used for login. +- **IsCloudDomainJoined** Is this device joined to an Azure Active Directory (AAD) tenant? true/false +- **IsDERequirementMet** Represents if the device can do device encryption. +- **IsDeviceProtected** Represents if Device protected by BitLocker/Device Encryption +- **IsEDPEnabled** Represents if Enterprise data protected on the device. +- **IsMDMEnrolled** Whether the device has been MDM Enrolled or not. +- **MDMServiceProvider** A hash of the specific MDM authority, such as Microsoft Intune, that is managing the device. +- **MPNId** Returns the Partner ID/MPN ID from Regkey. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\DeployID +- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an Enterprise SCCM environment. +- **ServerFeatures** Represents the features installed on a Windows   Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers. +- **SystemCenterID** The SCCM ID is an anonymized one-way hash of the Active Directory Organization identifier + + +### Census.Firmware + +This event sends data about the BIOS and startup embedded in the device. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **FirmwareManufacturer** Represents the manufacturer of the device's firmware (BIOS). +- **FirmwareReleaseDate** Represents the date the current firmware was released. +- **FirmwareType** Represents the firmware type. The various types can be unknown, BIOS, UEFI. +- **FirmwareVersion** Represents the version of the current firmware. + + +### Census.Flighting + +This event sends Windows Insider data from customers participating in improvement testing and feedback programs. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **DeviceSampleRate** The telemetry sample rate assigned to the device. +- **DriverTargetRing** Indicates if the device is participating in receiving pre-release drivers and firmware contrent. +- **EnablePreviewBuilds** Used to enable Windows Insider builds on a device. +- **FlightIds** A list of the different Windows Insider builds on this device. +- **FlightingBranchName** The name of the Windows Insider branch currently used by the device. +- **IsFlightsDisabled** Represents if the device is participating in the Windows Insider program. +- **MSA_Accounts** Represents a list of hashed IDs of the Microsoft Accounts that are flighting (pre-release builds) on this device. +- **SSRK** Retrieves the mobile targeting settings. + + +### Census.Hardware + +This event sends data about the device, including hardware type, OEM brand, model line, model, telemetry level setting, and TPM support. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **ActiveMicCount** The number of active microphones attached to the device. +- **ChassisType** Represents the type of device chassis, such as desktop or low profile desktop. The possible values can range between 1 - 36. +- **ComputerHardwareID** Identifies a device class that is represented by a hash of different SMBIOS fields. +- **D3DMaxFeatureLevel** Supported Direct3D version. +- **DeviceForm** Indicates the form as per the device classification. +- **DeviceName** The device name that is set by the user. +- **DigitizerSupport** Is a digitizer supported? +- **EnclosureKind** Windows.Devices.Enclosure.EnclosureKind enum values representing each unique enclosure posture kind. +- **Gyroscope** Indicates whether the device has a gyroscope (a mechanical component that measures and maintains orientation). +- **InventoryId** The device ID used for compatibility testing. +- **Magnetometer** Indicates whether the device has a magnetometer (a mechanical component that works like a compass). +- **NFCProximity** Indicates whether the device supports NFC (a set of communication protocols that helps establish communication when applicable devices are brought close together.) +- **OEMDigitalMarkerFileName** The name of the file placed in the \Windows\system32\drivers directory that specifies the OEM and model name of the device. +- **OEMManufacturerName** The device manufacturer name. The OEMName for an inactive device is not reprocessed even if the clean OEM name is changed at a later date. +- **OEMModelBaseBoard** The baseboard model used by the OEM. +- **OEMModelBaseBoardVersion** Differentiates between developer and retail devices. +- **OEMModelNumber** The device model number. +- **OEMModelSKU** The device edition that is defined by the manufacturer. +- **OEMModelSystemFamily** The system family set on the device by an OEM. +- **OEMModelSystemVersion** The system model version set on the device by the OEM. +- **OEMOptionalIdentifier** A Microsoft assigned value that represents a specific OEM subsidiary. +- **OEMSerialNumber** The serial number of the device that is set by the manufacturer. +- **PowerPlatformRole** The OEM preferred power management profile. It's used to help to identify the basic form factor of the device. +- **SoCName** The firmware manufacturer of the device. +- **TelemetryLevel** The telemetry level the user has opted into, such as Basic or Enhanced. +- **TelemetryLevelLimitEnhanced** The telemetry level for Windows Analytics-based solutions. +- **TelemetrySettingAuthority** Determines who set the telemetry level, such as GP, MDM, or the user. +- **TPMManufacturerId** The ID of the TPM manufacturer. +- **TPMManufacturerVersion** The version of the TPM manufacturer. +- **TPMVersion** The supported Trusted Platform Module (TPM) on the device. If no TPM is present, the value is 0. +- **VoiceSupported** Does the device have a cellular radio capable of making voice calls? + + +### Census.Memory + +This event sends data about the memory on the device, including ROM and RAM. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **TotalPhysicalRAM** Represents the physical memory (in MB). +- **TotalVisibleMemory** Represents the memory that is not reserved by the system. + + +### Census.Network + +This event sends data about the mobile and cellular network used by the device (mobile service provider, network, device ID, and service cost factors). The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CellularModemHWInstanceId0** HardwareInstanceId of the embedded Mobile broadband modem, as reported and used by PnP system to identify the WWAN modem device in Windows system. Empty string (null string) indicates that this property is unknown for telemetry. +- **IMEI0** Represents the International Mobile Station Equipment Identity. This number is usually unique and used by the mobile operator to distinguish different phone hardware. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. The two fields represent phone with dual sim coverage. +- **IMEI1** Represents the International Mobile Station Equipment Identity. This number is usually unique and used by the mobile operator to distinguish different phone hardware. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. The two fields represent phone with dual sim coverage. +- **MCC0** Represents the Mobile Country Code (MCC). It used with the Mobile Network Code (MNC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage. +- **MCC1** Represents the Mobile Country Code (MCC). It used with the Mobile Network Code (MNC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage. +- **MNC0** Retrieves the Mobile Network Code (MNC). It used with the Mobile Country Code (MCC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage. +- **MNC1** Retrieves the Mobile Network Code (MNC). It used with the Mobile Country Code (MCC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage. +- **MobileOperatorNetwork0** Represents the operator of the current mobile network that the device is used on. (AT&T, T-Mobile, Vodafone). The two fields represent phone with dual sim coverage. +- **MobileOperatorNetwork1** Represents the operator of the current mobile network that the device is used on. (AT&T, T-Mobile, Vodafone). The two fields represent phone with dual sim coverage. +- **ModemOptionalCapabilityBitMap0** A bit map of optional capabilities in modem, such as eSIM support. +- **NetworkAdapterGUID** The GUID of the primary network adapter. +- **SPN0** Retrieves the Service Provider Name (SPN). For example, these might be AT&T, Sprint, T-Mobile, or Verizon. The two fields represent phone with dual sim coverage. +- **SPN1** Retrieves the Service Provider Name (SPN). For example, these might be AT&T, Sprint, T-Mobile, or Verizon. The two fields represent phone with dual sim coverage. +- **SupportedDataClassBitMap0** A bit map of the supported data classes (i.g, 5g 4g...) that the modem is capable of. +- **SupportedDataSubClassBitMap0** A bit map of data subclasses that the modem is capable of. + + +### Census.OS + +This event sends data about the operating system such as the version, locale, update service configuration, when and how it was originally installed, and whether it is a virtual device. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **ActivationChannel** Retrieves the retail license key or Volume license key for a machine. +- **AssignedAccessStatus** Kiosk configuration mode. +- **CompactOS** Indicates if the Compact OS feature from Win10 is enabled. +- **DeveloperUnlockStatus** Represents if a device has been developer unlocked by the user or Group Policy. +- **DeviceTimeZone** The time zone that is set on the device. Example: Pacific Standard Time +- **GenuineState** Retrieves the ID Value specifying the OS Genuine check. +- **InstallationType** Retrieves the type of OS installation. (Clean, Upgrade, Reset, Refresh, Update). +- **InstallLanguage** The first language installed on the user machine. +- **IsDeviceRetailDemo** Retrieves if the device is running in demo mode. +- **IsEduData** Returns Boolean if the education data policy is enabled. +- **IsPortableOperatingSystem** Retrieves whether OS is running Windows-To-Go +- **IsSecureBootEnabled** Retrieves whether Boot chain is signed under UEFI. +- **LanguagePacks** The list of language packages installed on the device. +- **LicenseStateReason** Retrieves why (or how) a system is licensed or unlicensed. The HRESULT may indicate an error code that indicates a key blocked error, or it may indicate that we are running an OS License granted by the MS store. +- **OA3xOriginalProductKey** Retrieves the License key stamped by the OEM to the machine. +- **OSEdition** Retrieves the version of the current OS. +- **OSInstallType** Retrieves a numeric description of what install was used on the device i.e. clean, upgrade, refresh, reset, etc +- **OSOOBEDateTime** Retrieves Out of Box Experience (OOBE) Date in Coordinated Universal Time (UTC). +- **OSSKU** Retrieves the Friendly Name of OS Edition. +- **OSSubscriptionStatus** Represents the existing status for enterprise subscription feature for PRO machines. +- **OSSubscriptionTypeId** Returns boolean for enterprise subscription feature for selected PRO machines. +- **OSUILocale** Retrieves the locale of the UI that is currently used by the OS. +- **ProductActivationResult** Returns Boolean if the OS Activation was successful. +- **ProductActivationTime** Returns the OS Activation time for tracking piracy issues. +- **ProductKeyID2** Retrieves the License key if the machine is updated with a new license key. +- **RACw7Id** Retrieves the Microsoft Reliability Analysis Component (RAC) Win7 Identifier. RAC is used to monitor and analyze system usage and reliability. +- **ServiceMachineIP** Retrieves the IP address of the KMS host used for anti-piracy. +- **ServiceMachinePort** Retrieves the port of the KMS host used for anti-piracy. +- **ServiceProductKeyID** Retrieves the License key of the KMS +- **SharedPCMode** Returns Boolean for education devices used as shared cart +- **Signature** Retrieves if it is a signature machine sold by Microsoft store. +- **SLICStatus** Whether a SLIC table exists on the device. +- **SLICVersion** Returns OS type/version from SLIC table. + + +### Census.PrivacySettings + +This event provides information about the device level privacy settings and whether device-level access was granted to these capabilities. Not all settings are applicable to all devices. Each field records the consent state for the corresponding privacy setting. The consent state is encoded as a 16-bit signed integer, where the first 8 bits represents the effective consent value, and the last 8 bits represent the authority that set the value. The effective consent (first 8 bits) is one of the following values: -3 = unexpected consent value, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = undefined, 1 = allow, 2 = deny, 3 = prompt. The consent authority (last 8 bits) is one of the following values: -3 = unexpected authority, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = system, 1 = a higher authority (a gating setting, the system-wide setting, or a group policy), 2 = advertising ID group policy, 3 = advertising ID policy for child account, 4 = privacy setting provider doesn't know the actual consent authority, 5 = consent was not configured and a default set in code was used, 6 = system default, 7 = organization policy, 8 = OneSettings. The data collected with this event is used to help keep Windows secure. + +The following fields are available: + +- **Activity** Current state of the activity history setting. +- **ActivityHistoryCloudSync** Current state of the activity history cloud sync setting. +- **ActivityHistoryCollection** Current state of the activity history collection setting. +- **AdvertisingId** Current state of the advertising ID setting. +- **AppDiagnostics** Current state of the app diagnostics setting. +- **Appointments** Current state of the calendar setting. +- **Bluetooth** Current state of the Bluetooth capability setting. +- **BluetoothSync** Current state of the Bluetooth sync capability setting. +- **BroadFileSystemAccess** Current state of the broad file system access setting. +- **CellularData** Current state of the cellular data capability setting. +- **Chat** Current state of the chat setting. +- **Contacts** Current state of the contacts setting. +- **DocumentsLibrary** Current state of the documents library setting. +- **Email** Current state of the email setting. +- **FindMyDevice** Current state of the "find my device" setting. +- **GazeInput** Current state of the gaze input setting. +- **HumanInterfaceDevice** Current state of the human interface device setting. +- **InkTypeImprovement** Current state of the improve inking and typing setting. +- **Location** Current state of the location setting. +- **LocationHistory** Current state of the location history setting. +- **Microphone** Current state of the microphone setting. +- **PhoneCall** Current state of the phone call setting. +- **PhoneCallHistory** Current state of the call history setting. +- **PicturesLibrary** Current state of the pictures library setting. +- **Radios** Current state of the radios setting. +- **SensorsCustom** Current state of the custom sensor setting. +- **SerialCommunication** Current state of the serial communication setting. +- **Sms** Current state of the text messaging setting. +- **SpeechPersonalization** Current state of the speech services setting. +- **USB** Current state of the USB setting. +- **UserAccountInformation** Current state of the account information setting. +- **UserDataTasks** Current state of the tasks setting. +- **UserNotificationListener** Current state of the notifications setting. +- **VideosLibrary** Current state of the videos library setting. +- **Webcam** Current state of the camera setting. +- **WifiData** Current state of the Wi-Fi data setting. +- **WiFiDirect** Current state of the Wi-Fi direct setting. + + +### Census.Processor + +This event sends data about the processor to help keep Windows up to date. + +The following fields are available: + +- **KvaShadow** This is the micro code information of the processor. +- **MMSettingOverride** Microcode setting of the processor. +- **MMSettingOverrideMask** Microcode setting override of the processor. +- **PreviousUpdateRevision** Previous microcode revision +- **ProcessorArchitecture** Retrieves the processor architecture of the installed operating system. +- **ProcessorClockSpeed** Clock speed of the processor in MHz. +- **ProcessorCores** Number of logical cores in the processor. +- **ProcessorIdentifier** Processor Identifier of a manufacturer. +- **ProcessorManufacturer** Name of the processor manufacturer. +- **ProcessorModel** Name of the processor model. +- **ProcessorPhysicalCores** Number of physical cores in the processor. +- **ProcessorUpdateRevision** The microcode revision. +- **ProcessorUpdateStatus** Enum value that represents the processor microcode load status +- **SocketCount** Count of CPU sockets. +- **SpeculationControl** If the system has enabled protections needed to validate the speculation control vulnerability. + + +### Census.Security + +This event provides information about security settings. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **AvailableSecurityProperties** This field helps to enumerate and report state on the relevant security properties for Device Guard. +- **CGRunning** Credential Guard isolates and hardens key system and user secrets against compromise, helping to minimize the impact and breadth of a Pass the Hash style attack in the event that malicious code is already running via a local or network based vector. This field tells if Credential Guard is running. +- **DGState** This field summarizes the Device Guard state. +- **HVCIRunning** Hypervisor Code Integrity (HVCI) enables Device Guard to help protect kernel mode processes and drivers from vulnerability exploits and zero days. HVCI uses the processor’s functionality to force all software running in kernel mode to safely allocate memory. This field tells if HVCI is running. +- **IsSawGuest** Indicates whether the device is running as a Secure Admin Workstation Guest. +- **IsSawHost** Indicates whether the device is running as a Secure Admin Workstation Host. +- **IsWdagFeatureEnabled** Indicates whether Windows Defender Application Guard is enabled. +- **NGCSecurityProperties** String representation of NGC security information. +- **RequiredSecurityProperties** Describes the required security properties to enable virtualization-based security. +- **SecureBootCapable** Systems that support Secure Boot can have the feature turned off via BIOS. This field tells if the system is capable of running Secure Boot, regardless of the BIOS setting. +- **ShadowStack** The bit fields of SYSTEM_SHADOW_STACK_INFORMATION representing the state of the Intel CET (Control Enforcement Technology) hardware security feature. +- **SModeState** The Windows S mode trail state. +- **SystemGuardState** Indicates the SystemGuard state. NotCapable (0), Capable (1), Enabled (2), Error (0xFF). +- **TpmReadyState** Indicates the TPM ready state. NotReady (0), ReadyForStorage (1), ReadyForAttestation (2), Error (0xFF). +- **VBSState** Virtualization-based security (VBS) uses the hypervisor to help protect the kernel and other parts of the operating system. Credential Guard and Hypervisor Code Integrity (HVCI) both depend on VBS to isolate/protect secrets, and kernel-mode code integrity validation. VBS has a tri-state that can be Disabled, Enabled, or Running. +- **WdagPolicyValue** The Windows Defender Application Guard policy. + + +### Census.Speech + +This event is used to gather basic speech settings on the device. The data collected with this event is used to help keep Windows secure. + +The following fields are available: + +- **AboveLockEnabled** Cortana setting that represents if Cortana can be invoked when the device is locked. +- **GPAllowInputPersonalization** Indicates if a Group Policy setting has enabled speech functionalities. +- **HolographicSpeechInputDisabled** Holographic setting that represents if the attached HMD devices have speech functionality disabled by the user. +- **HolographicSpeechInputDisabledRemote** Indicates if a remote policy has disabled speech functionalities for the HMD devices. +- **KeyVer** Version information for the census speech event. +- **KWSEnabled** Cortana setting that represents if a user has enabled the "Hey Cortana" keyword spotter (KWS). +- **MDMAllowInputPersonalization** Indicates if an MDM policy has enabled speech functionalities. +- **RemotelyManaged** Indicates if the device is being controlled by a remote administrator (MDM or Group Policy) in the context of speech functionalities. +- **SpeakerIdEnabled** Cortana setting that represents if keyword detection has been trained to try to respond to a single user's voice. +- **SpeechServicesEnabled** Windows setting that represents whether a user is opted-in for speech services on the device. +- **SpeechServicesValueSource** Indicates the deciding factor for the effective online speech recognition privacy policy settings: remote admin, local admin, or user preference. + + +### Census.Storage + +This event sends data about the total capacity of the system volume and primary disk. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **PrimaryDiskTotalCapacity** Retrieves the amount of disk space on the primary disk of the device in MB. +- **PrimaryDiskType** Retrieves an enumerator value of type STORAGE_BUS_TYPE that indicates the type of bus to which the device is connected. This should be used to interpret the raw device properties at the end of this structure (if any). +- **StorageReservePassedPolicy** Indicates whether the Storage Reserve policy, which ensures that updates have enough disk space and customers are on the latest OS, is enabled on this device. +- **SystemVolumeTotalCapacity** Retrieves the size of the partition that the System volume is installed on in MB. + + +### Census.Userdefault + +This event sends data about the current user's default preferences for browser and several of the most popular extensions and protocols. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CalendarType** The calendar identifiers that are used to specify different calendars. +- **DefaultApp** The current user's default program selected for the following extension or protocol: .html, .htm, .jpg, .jpeg, .png, .mp3, .mp4, .mov, .pdf. +- **DefaultBrowserProgId** The ProgramId of the current user's default browser. +- **LocaleName** Name of the current user locale given by LOCALE_SNAME via the GetLocaleInfoEx() function. +- **LongDateFormat** The long date format the user has selected. +- **ShortDateFormat** The short date format the user has selected. + + +### Census.UserDisplay + +This event sends data about the logical/physical display size, resolution and number of internal/external displays, and VRAM on the system. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **InternalPrimaryDisplayLogicalDPIX** Retrieves the logical DPI in the x-direction of the internal display. +- **InternalPrimaryDisplayLogicalDPIY** Retrieves the logical DPI in the y-direction of the internal display. +- **InternalPrimaryDisplayPhysicalDPIX** Retrieves the physical DPI in the x-direction of the internal display. +- **InternalPrimaryDisplayPhysicalDPIY** Retrieves the physical DPI in the y-direction of the internal display. +- **InternalPrimaryDisplayResolutionHorizontal** Retrieves the number of pixels in the horizontal direction of the internal display. +- **InternalPrimaryDisplayResolutionVertical** Retrieves the number of pixels in the vertical direction of the internal display. +- **InternalPrimaryDisplaySizePhysicalH** Retrieves the physical horizontal length of the display in mm. Used for calculating the diagonal length in inches . +- **InternalPrimaryDisplaySizePhysicalY** Retrieves the physical vertical length of the display in mm. Used for calculating the diagonal length in inches +- **NumberofExternalDisplays** Retrieves the number of external displays connected to the machine +- **NumberofInternalDisplays** Retrieves the number of internal displays in a machine. +- **VRAMDedicated** Retrieves the video RAM in MB. +- **VRAMDedicatedSystem** Retrieves the amount of memory on the dedicated video card. +- **VRAMSharedSystem** Retrieves the amount of RAM memory that the video card can use. + + +### Census.UserNLS + +This event sends data about the default app language, input, and display language preferences set by the user. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **DefaultAppLanguage** The current user Default App Language. +- **DisplayLanguage** The current user preferred Windows Display Language. +- **HomeLocation** The current user location, which is populated using GetUserGeoId() function. +- **KeyboardInputLanguages** The Keyboard input languages installed on the device. +- **SpeechInputLanguages** The Speech Input languages installed on the device. + + +### Census.UserPrivacySettings + +This event provides information about the current users privacy settings and whether device-level access was granted to these capabilities. Not all settings are applicable to all devices. Each field records the consent state for the corresponding privacy setting. The consent state is encoded as a 16-bit signed integer, where the first 8 bits represents the effective consent value, and the last 8 bits represents the authority that set the value. The effective consent is one of the following values: -3 = unexpected consent value, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = undefined, 1 = allow, 2 = deny, 3 = prompt. The consent authority is one of the following values: -3 = unexpected authority, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = user, 1 = a higher authority (a gating setting, the system-wide setting, or a group policy), 2 = advertising ID group policy, 3 = advertising ID policy for child account, 4 = privacy setting provider doesn't know the actual consent authority, 5 = consent was not configured and a default set in code was used, 6 = system default, 7 = organization policy, 8 = OneSettings. The data collected with this event is used to help keep Windows secure. + +The following fields are available: + +- **Activity** Current state of the activity history setting. +- **ActivityHistoryCloudSync** Current state of the activity history cloud sync setting. +- **ActivityHistoryCollection** Current state of the activity history collection setting. +- **AdvertisingId** Current state of the advertising ID setting. +- **AppDiagnostics** Current state of the app diagnostics setting. +- **Appointments** Current state of the calendar setting. +- **Bluetooth** Current state of the Bluetooth capability setting. +- **BluetoothSync** Current state of the Bluetooth sync capability setting. +- **BroadFileSystemAccess** Current state of the broad file system access setting. +- **CellularData** Current state of the cellular data capability setting. +- **Chat** Current state of the chat setting. +- **Contacts** Current state of the contacts setting. +- **DocumentsLibrary** Current state of the documents library setting. +- **Email** Current state of the email setting. +- **GazeInput** Current state of the gaze input setting. +- **HumanInterfaceDevice** Current state of the human interface device setting. +- **InkTypeImprovement** Current state of the improve inking and typing setting. +- **InkTypePersonalization** Current state of the inking and typing personalization setting. +- **Location** Current state of the location setting. +- **LocationHistory** Current state of the location history setting. +- **Microphone** Current state of the microphone setting. +- **PhoneCall** Current state of the phone call setting. +- **PhoneCallHistory** Current state of the call history setting. +- **PicturesLibrary** Current state of the pictures library setting. +- **Radios** Current state of the radios setting. +- **SensorsCustom** Current state of the custom sensor setting. +- **SerialCommunication** Current state of the serial communication setting. +- **Sms** Current state of the text messaging setting. +- **SpeechPersonalization** Current state of the speech services setting. +- **USB** Current state of the USB setting. +- **UserAccountInformation** Current state of the account information setting. +- **UserDataTasks** Current state of the tasks setting. +- **UserNotificationListener** Current state of the notifications setting. +- **VideosLibrary** Current state of the videos library setting. +- **Webcam** Current state of the camera setting. +- **WifiData** Current state of the Wi-Fi data setting. +- **WiFiDirect** Current state of the Wi-Fi direct setting. + + +### Census.VM + +This event sends data indicating whether virtualization is enabled on the device, and its various characteristics. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CloudService** Indicates which cloud service, if any, that this virtual machine is running within. +- **HyperVisor** Retrieves whether the current OS is running on top of a Hypervisor. +- **IOMMUPresent** Represents if an input/output memory management unit (IOMMU) is present. +- **IsVDI** Is the device using Virtual Desktop Infrastructure? +- **IsVirtualDevice** Retrieves that when the Hypervisor is Microsoft's Hyper-V Hypervisor or other Hv#1 Hypervisor, this field will be set to FALSE for the Hyper-V host OS and TRUE for any guest OS's. This field should not be relied upon for non-Hv#1 Hypervisors. +- **IsWVDSessionHost** Indicates if this is a Windows Virtual Device session host. +- **SLATSupported** Represents whether Second Level Address Translation (SLAT) is supported by the hardware. +- **VirtualizationFirmwareEnabled** Represents whether virtualization is enabled in the firmware. +- **VMId** A string that identifies a virtual machine. +- **WVDEnvironment** Represents the WVD service environment to which this session host has been joined. + + +### Census.WU + +This event sends data about the Windows update server and other App store policies. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **AppraiserGatedStatus** Indicates whether a device has been gated for upgrading. +- **AppStoreAutoUpdate** Retrieves the Appstore settings for auto upgrade. (Enable/Disabled). +- **AppStoreAutoUpdateMDM** Retrieves the App Auto Update value for MDM: 0 - Disallowed. 1 - Allowed. 2 - Not configured. Default: [2] Not configured +- **AppStoreAutoUpdatePolicy** Retrieves the Microsoft Store App Auto Update group policy setting +- **DelayUpgrade** Retrieves the Windows upgrade flag for delaying upgrades. +- **IsHotPatchEnrolled** Represents the current state of the device in relation to enrollment in the hotpatch program. +- **OSAssessmentFeatureOutOfDate** How many days has it been since a the last feature update was released but the device did not install it? +- **OSAssessmentForFeatureUpdate** Is the device is on the latest feature update? +- **OSAssessmentForQualityUpdate** Is the device on the latest quality update? +- **OSAssessmentForSecurityUpdate** Is the device on the latest security update? +- **OSAssessmentQualityOutOfDate** How many days has it been since a the last quality update was released but the device did not install it? +- **OSAssessmentReleaseInfoTime** The freshness of release information used to perform an assessment. +- **OSRollbackCount** The number of times feature updates have rolled back on the device. +- **OSRolledBack** A flag that represents when a feature update has rolled back during setup. +- **OSUninstalled** A flag that represents when a feature update is uninstalled on a device . +- **OSWUAutoUpdateOptions** Retrieves the auto update settings on the device. +- **OSWUAutoUpdateOptionsSource** The source of auto update setting that appears in the OSWUAutoUpdateOptions field. For example: Group Policy (GP), Mobile Device Management (MDM), and Default. +- **UninstallActive** A flag that represents when a device has uninstalled a previous upgrade recently. +- **UpdateServiceURLConfigured** Retrieves if the device is managed by Windows Server Update Services (WSUS). +- **WUDeferUpdatePeriod** Retrieves if deferral is set for Updates. +- **WUDeferUpgradePeriod** Retrieves if deferral is set for Upgrades. +- **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded WU updates to other devices on the same network. +- **WULCUVersion** Version of the LCU Installed on the machine. +- **WUMachineId** Retrieves the Windows Update (WU) Machine Identifier. +- **WUPauseState** Retrieves WU setting to determine if updates are paused. +- **WUServer** Retrieves the HTTP(S) URL of the WSUS server that is used by Automatic Updates and API callers (by default). + + +### Census.Xbox + +This event sends data about the Xbox Console, such as Serial Number and DeviceId, to help keep Windows up to date. + +The following fields are available: + +- **XboxConsolePreferredLanguage** Retrieves the preferred language selected by the user on Xbox console. +- **XboxConsoleSerialNumber** Retrieves the serial number of the Xbox console. +- **XboxLiveDeviceId** Retrieves the unique device ID of the console. +- **XboxLiveSandboxId** Retrieves the developer sandbox ID if the device is internal to Microsoft. + + +## Cloud experience host events + +### Microsoft.Windows.Shell.CloudExperienceHost.AppActivityRequired + +This event is a WIL activity starting at the beginning of the Windows OOBE CloudExperienceHost scenario, and ending at the scenario completion. Its main purpose is to help detect blocking errors occurring during OOBE flow. The data collected with this event is used to keep Windows performing properly. + +The following fields are available: + +- **appResult** The AppResult for the CXH OOBE scenario, e.g. "success" or "fail". This is logged on scenario completion, i.e. with the stop event. +- **experience** A JSON blob containing properties pertinent for the CXH scenario launch, with PII removed. Examples: host, port, protocol, surface. Logged on the start event. +- **source** The scenario for which CXH was launched. Since this event is restricted to OOBE timeframe, this will be FRXINCLUSIVE or FRXOOBELITE. Logged with the start event. +- **wilActivity** Common data logged with all Wil activities. See [wilActivity](#wilactivity). + + +### Microsoft.Windows.Shell.CloudExperienceHost.ExpectedReboot + +This event fires during OOBE when an expected reboot occurs- for example, as a result of language change or autopilot. The event doesn't fire if the user forcibly initiates a reboot/shutdown. The data collected with this event is used to keep Windows performing properly. + +The following fields are available: + +- **wilActivity** Common data logged with all Wil activities. + + +## Code Integrity events + +### Microsoft.Windows.Security.CodeIntegrity.State.Current + +This event indicates the overall CodeIntegrity Policy state and count of policies, fired on reboot and when policy changes rebootlessly. The data collected with this event is used to help keep Windows secure. + +The following fields are available: + +- **EModeEnabled** Whether policy that defines "E Mode" is present and active on device. +- **GlobalCiPolicyState** Bitfield containing global CodeIntegrity State (Audit Mode, etc.). +- **PolicyCount** Number of CodeIntegrity policies present on device. + + +### Microsoft.Windows.Security.CodeIntegrity.State.IsProductionConfiguration + +This event logs device production configuration status information. The data collected with this event is used to help keep Windows secure. + +The following fields are available: + +- **ErrorCode** Error code returned by WldpIsProductionConfiguration API. +- **FailedConfigurationChecks** Bits indicating list of configuration checks that the device failed. +- **RequiredConfigurationChecks** Bits indicating list of configuration checks that are required to run for the device. +- **WldpIsWcosProductionConfiguration** Boolean value indicating whether the device is properly configured for production or not. + + +### Microsoft.Windows.Security.CodeIntegrity.State.PolicyDetails + +This individual policy state event fires once per policy on reboot and whenever any policy change occurs rebootlessly. The data collected with this event is used to help keep Windows secure. + +The following fields are available: + +- **BasePolicyId** ID of the base policy this policy supplements if this is a supplemental. Same as PolicyID if this is a base policy. +- **IsBasePolicy** True if this is a base policy. +- **IsLegacyPolicy** True if this policy is one of the legacy policy types (WinSiPolicy/AtpSiPolicy/SiPolicy.p7b), as opposed to being the new multiple policy format (guid.cip). +- **PolicyAllowKernelSigners** Whether Secureboot allows custom kernel signers for the policy's SignatureType. +- **PolicyCount** Total number of policies. +- **PolicyHVCIOptions** HVCI related bitfield. +- **PolicyId** ID of this policy. +- **PolicyIndex** Index of this policy in total number of policies. +- **PolicyInfoId** String ID defined in policy securesettings. +- **PolicyInfoName** String policy name defined in securesettings. +- **PolicyOptions** Bitfield of RuleOptions defined in policy. +- **PolicyVersionEx** Policy version # used for rollback protection of signed policy. +- **SignatureType** Enum containing info about policy signer if one is present (e.g. windows signed). + + +## Common data extensions + +### Common Data Extensions.app + +Describes the properties of the running application. This extension could be populated by a client app or a web app. + +The following fields are available: + +- **asId** An integer value that represents the app session. This value starts at 0 on the first app launch and increments after each subsequent app launch per boot session. +- **env** The environment from which the event was logged. +- **expId** Associates a flight, such as an OS flight, or an experiment, such as a web site UX experiment, with an event. +- **id** Represents a unique identifier of the client application currently loaded in the process producing the event; and is used to group events together and understand usage pattern, errors by application. +- **locale** The locale of the app. +- **name** The name of the app. +- **userId** The userID as known by the application. +- **ver** Represents the version number of the application. Used to understand errors by Version, Usage by Version across an app. + + +### Common Data Extensions.container + +Describes the properties of the container for events logged within a container. + +The following fields are available: + +- **epoch** An ID that's incremented for each SDK initialization. +- **localId** The device ID as known by the client. +- **osVer** The operating system version. +- **seq** An ID that's incremented for each event. +- **type** The container type. Examples: Process or VMHost + + +### Common Data Extensions.device + +Describes the device-related fields. + +The following fields are available: + +- **deviceClass** The device classification. For example, Desktop, Server, or Mobile. +- **localId** A locally-defined unique ID for the device. This is not the human-readable device name. Most likely equal to the value stored at HKLM\Software\Microsoft\SQMClient\MachineId +- **make** Device manufacturer. +- **model** Device model. + + +### Common Data Extensions.Envelope + +Represents an envelope that contains all of the common data extensions. + +The following fields are available: + +- **data** Represents the optional unique diagnostic data for a particular event schema. +- **ext_app** Describes the properties of the running application. This extension could be populated by either a client app or a web app. See [Common Data Extensions.app](#common-data-extensionsapp). +- **ext_container** Describes the properties of the container for events logged within a container. See [Common Data Extensions.container](#common-data-extensionscontainer). +- **ext_device** Describes the device-related fields. See [Common Data Extensions.device](#common-data-extensionsdevice). +- **ext_mscv** Describes the correlation vector-related fields. See [Common Data Extensions.mscv](#common-data-extensionsmscv). +- **ext_os** Describes the operating system properties that would be populated by the client. See [Common Data Extensions.os](#common-data-extensionsos). +- **ext_sdk** Describes the fields related to a platform library required for a specific SDK. See [Common Data Extensions.sdk](#common-data-extensionssdk). +- **ext_user** Describes the fields related to a user. See [Common Data Extensions.user](#common-data-extensionsuser). +- **ext_utc** Describes the fields that might be populated by a logging library on Windows. See [Common Data Extensions.utc](#common-data-extensionsutc). +- **ext_xbl** Describes the fields related to XBOX Live. See [Common Data Extensions.xbl](#common-data-extensionsxbl). +- **iKey** Represents an ID for applications or other logical groupings of events. +- **name** Represents the uniquely qualified name for the event. +- **time** Represents the event date time in Coordinated Universal Time (UTC) when the event was generated on the client. This should be in ISO 8601 format. +- **ver** Represents the major and minor version of the extension. + + +### Common Data Extensions.mscv + +Describes the correlation vector-related fields. + +The following fields are available: + +- **cV** Represents the Correlation Vector: A single field for tracking partial order of related events across component boundaries. + + +### Common Data Extensions.os + +Describes some properties of the operating system. + +The following fields are available: + +- **bootId** An integer value that represents the boot session. This value starts at 0 on first boot after OS install and increments after every reboot. +- **expId** Represents the experiment ID. The standard for associating a flight, such as an OS flight (pre-release build), or an experiment, such as a web site UX experiment, with an event is to record the flight / experiment IDs in Part A of the common schema. +- **locale** Represents the locale of the operating system. +- **name** Represents the operating system name. +- **ver** Represents the major and minor version of the extension. + + +### Common Data Extensions.sdk + +Used by platform specific libraries to record fields that are required for a specific SDK. + +The following fields are available: + +- **epoch** An ID that is incremented for each SDK initialization. +- **installId** An ID that's created during the initialization of the SDK for the first time. +- **libVer** The SDK version. +- **seq** An ID that is incremented for each event. +- **ver** The version of the logging SDK. + + +### Common Data Extensions.user + +Describes the fields related to a user. + +The following fields are available: + +- **authId** This is an ID of the user associated with this event that is deduced from a token such as a Microsoft Account ticket or an XBOX token. +- **locale** The language and region. +- **localId** Represents a unique user identity that is created locally and added by the client. This is not the user's account ID. + + +### Common Data Extensions.utc + +Describes the properties that could be populated by a logging library on Windows. + +The following fields are available: + +- **aId** Represents the ETW ActivityId. Logged via TraceLogging or directly via ETW. +- **bSeq** Upload buffer sequence number in the format: buffer identifier:sequence number +- **cat** Represents a bitmask of the ETW Keywords associated with the event. +- **cpId** The composer ID, such as Reference, Desktop, Phone, Holographic, Hub, IoT Composer. +- **epoch** Represents the epoch and seqNum fields, which help track how many events were fired and how many events were uploaded, and enables identification of data lost during upload and de-duplication of events on the ingress server. +- **eventFlags** Represents a collection of bits that describe how the event should be processed by the Connected User Experience and Telemetry component pipeline. The lowest-order byte is the event persistence. The next byte is the event latency. +- **flags** Represents the bitmap that captures various Windows specific flags. +- **loggingBinary** The binary (executable, library, driver, etc.) that fired the event. +- **mon** Combined monitor and event sequence numbers in the format: monitor sequence : event sequence +- **op** Represents the ETW Op Code. +- **pgName** The short form of the provider group name associated with the event. +- **popSample** Represents the effective sample rate for this event at the time it was generated by a client. +- **providerGuid** The ETW provider ID associated with the provider name. +- **raId** Represents the ETW Related ActivityId. Logged via TraceLogging or directly via ETW. +- **seq** Represents the sequence field used to track absolute order of uploaded events. It is an incrementing identifier for each event added to the upload queue. The Sequence helps track how many events were fired and how many events were uploaded and enables identification of data lost during upload and de-duplication of events on the ingress server. +- **sqmId** The Windows SQM (Software Quality Metrics—a precursor of Windows 10 Diagnostic Data collection) device identifier. +- **stId** Represents the Scenario Entry Point ID. This is a unique GUID for each event in a diagnostic scenario. This used to be Scenario Trigger ID. +- **wcmp** The Windows Shell Composer ID. +- **wPId** The Windows Core OS product ID. +- **wsId** The Windows Core OS session ID. + + +### Common Data Extensions.xbl + +Describes the fields that are related to XBOX Live. + +The following fields are available: + +- **claims** Any additional claims whose short claim name hasn't been added to this structure. +- **did** XBOX device ID +- **dty** XBOX device type +- **dvr** The version of the operating system on the device. +- **eid** A unique ID that represents the developer entity. +- **exp** Expiration time +- **ip** The IP address of the client device. +- **nbf** Not before time +- **pid** A comma separated list of PUIDs listed as base10 numbers. +- **sbx** XBOX sandbox identifier +- **sid** The service instance ID. +- **sty** The service type. +- **tid** The XBOX Live title ID. +- **tvr** The XBOX Live title version. +- **uts** A bit field, with 2 bits being assigned to each user ID listed in xid. This field is omitted if all users are retail accounts. +- **xid** A list of base10-encoded XBOX User IDs. + +## Common data fields + +### Ms.Device.DeviceInventoryChange + +Describes the installation state for all hardware and software components available on a particular device. + +The following fields are available: + +- **action** The change that was invoked on a device inventory object. +- **inventoryId** Device ID used for Compatibility testing +- **objectInstanceId** Object identity which is unique within the device scope. +- **objectType** Indicates the object type that the event applies to. +- **syncId** A string used to group StartSync, EndSync, Add, and Remove operations that belong together. This field is unique by Sync period and is used to disambiguate in situations where multiple agents perform overlapping inventories for the same object. + +## Component-based servicing events + +### CbsServicingProvider.CbsCapabilityEnumeration + +This event reports on the results of scanning for optional Windows content on Windows Update to keep Windows up to date. + +The following fields are available: + +- **architecture** Indicates the scan was limited to the specified architecture. +- **capabilityCount** The number of optional content packages found during the scan. +- **clientId** The name of the application requesting the optional content. +- **duration** The amount of time it took to complete the scan. +- **hrStatus** The HReturn code of the scan. +- **language** Indicates the scan was limited to the specified language. +- **majorVersion** Indicates the scan was limited to the specified major version. +- **minorVersion** Indicates the scan was limited to the specified minor version. +- **namespace** Indicates the scan was limited to packages in the specified namespace. +- **sourceFilter** A bitmask indicating the scan checked for locally available optional content. +- **stackBuild** The build number of the servicing stack. +- **stackMajorVersion** The major version number of the servicing stack. +- **stackMinorVersion** The minor version number of the servicing stack. +- **stackRevision** The revision number of the servicing stack. + + +### CbsServicingProvider.CbsCapabilitySessionFinalize + +This event provides information about the results of installing or uninstalling optional Windows content from Windows Update. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **capabilities** The names of the optional content packages that were installed. +- **clientId** The name of the application requesting the optional content. +- **currentID** The ID of the current install session. +- **downloadSource** The source of the download. +- **highestState** The highest final install state of the optional content. +- **hrLCUReservicingStatus** Indicates whether the optional content was updated to the latest available version. +- **hrStatus** The HReturn code of the install operation. +- **rebootCount** The number of reboots required to complete the install. +- **retryID** The session ID that will be used to retry a failed operation. +- **retryStatus** Indicates whether the install will be retried in the event of failure. +- **stackBuild** The build number of the servicing stack. +- **stackMajorVersion** The major version number of the servicing stack. +- **stackMinorVersion** The minor version number of the servicing stack. +- **stackRevision** The revision number of the servicing stack. + + +### CbsServicingProvider.CbsCapabilitySessionPended + +This event provides information about the results of installing optional Windows content that requires a reboot to keep Windows up to date. + +The following fields are available: + +- **clientId** The name of the application requesting the optional content. +- **pendingDecision** Indicates the cause of reboot, if applicable. + + +### CbsServicingProvider.CbsPackageRemoval + +This event provides information about the results of uninstalling a Windows Cumulative Security Update to help keep Windows up to date. + +The following fields are available: + +- **buildVersion** The build number of the security update being uninstalled. +- **clientId** The name of the application requesting the uninstall. +- **currentStateEnd** The final state of the update after the operation. +- **failureDetails** Information about the cause of a failure, if applicable. +- **failureSourceEnd** The stage during the uninstall where the failure occurred. +- **hrStatusEnd** The overall exit code of the operation. +- **initiatedOffline** Indicates if the uninstall was initiated for a mounted Windows image. +- **majorVersion** The major version number of the security update being uninstalled. +- **minorVersion** The minor version number of the security update being uninstalled. +- **originalState** The starting state of the update before the operation. +- **pendingDecision** Indicates the cause of reboot, if applicable. +- **primitiveExecutionContext** The state during system startup when the uninstall was completed. +- **revisionVersion** The revision number of the security update being uninstalled. +- **transactionCanceled** Indicates whether the uninstall was cancelled. + + +### CbsServicingProvider.CbsQualityUpdateInstall + +This event reports on the performance and reliability results of installing Servicing content from Windows Update to keep Windows up to date. + +The following fields are available: + +- **buildVersion** The build version number of the update package. +- **clientId** The name of the application requesting the optional content. +- **corruptionHistoryFlags** A bitmask of the types of component store corruption that have caused update failures on the device. +- **corruptionType** An enumeration listing the type of data corruption responsible for the current update failure. +- **currentStateEnd** The final state of the package after the operation has completed. +- **doqTimeSeconds** The time in seconds spent updating drivers. +- **executeTimeSeconds** The number of seconds required to execute the install. +- **failureSourceEnd** An enumeration indicating at what phase of the update a failure occurred. +- **hrStatusEnd** The return code of the install operation. +- **initiatedOffline** A true or false value indicating whether the package was installed into an offline Windows Imaging Format (WIM) file. +- **majorVersion** The major version number of the update package. +- **minorVersion** The minor version number of the update package. +- **originalState** The starting state of the package. +- **overallTimeSeconds** The time (in seconds) to perform the overall servicing operation. +- **planTimeSeconds** The time in seconds required to plan the update operations. +- **poqTimeSeconds** The time in seconds processing file and registry operations. +- **postRebootTimeSeconds** The time (in seconds) to do startup processing for the update. +- **preRebootTimeSeconds** The time (in seconds) between execution of the installation and the reboot. +- **primitiveExecutionContext** An enumeration indicating at what phase of shutdown or startup the update was installed. +- **rebootCount** The number of reboots required to install the update. +- **rebootTimeSeconds** The time (in seconds) before startup processing begins for the update. +- **resolveTimeSeconds** The time in seconds required to resolve the packages that are part of the update. +- **revisionVersion** The revision version number of the update package. +- **rptTimeSeconds** The time in seconds spent executing installer plugins. +- **shutdownTimeSeconds** The time (in seconds) required to do shutdown processing for the update. +- **stackRevision** The revision number of the servicing stack. +- **stageTimeSeconds** The time (in seconds) required to stage all files that are part of the update. + + +### CbsServicingProvider.CbsSelectableUpdateChangeV2 + +This event reports the results of enabling or disabling optional Windows Content to keep Windows up to date. + +The following fields are available: + +- **applicableUpdateState** Indicates the highest applicable state of the optional content. +- **buildVersion** The build version of the package being installed. +- **clientId** The name of the application requesting the optional content change. +- **downloadSource** Indicates if optional content was obtained from Windows Update or a locally accessible file. +- **downloadtimeInSeconds** Indicates if optional content was obtained from Windows Update or a locally accessible file. +- **executionID** A unique ID used to identify events associated with a single servicing operation and not reused for future operations. +- **executionSequence** A counter that tracks the number of servicing operations attempted on the device. +- **firstMergedExecutionSequence** The value of a pervious executionSequence counter that is being merged with the current operation, if applicable. +- **firstMergedID** A unique ID of a pervious servicing operation that is being merged with this operation, if applicable. +- **hrDownloadResult** The return code of the download operation. +- **hrStatusUpdate** The return code of the servicing operation. +- **identityHash** A pseudonymized (hashed) identifier for the Windows Package that is being installed or uninstalled. +- **initiatedOffline** Indicates whether the operation was performed against an offline Windows image file or a running instance of Windows. +- **majorVersion** The major version of the package being installed. +- **minorVersion** The minor version of the package being installed. +- **packageArchitecture** The architecture of the package being installed. +- **packageLanguage** The language of the package being installed. +- **packageName** The name of the package being installed. +- **rebootRequired** Indicates whether a reboot is required to complete the operation. +- **revisionVersion** The revision number of the package being installed. +- **stackBuild** The build number of the servicing stack binary performing the installation. +- **stackMajorVersion** The major version number of the servicing stack binary performing the installation. +- **stackMinorVersion** The minor version number of the servicing stack binary performing the installation. +- **stackRevision** The revision number of the servicing stack binary performing the installation. +- **updateName** The name of the optional Windows Operation System feature being enabled or disabled. +- **updateStartState** A value indicating the state of the optional content before the operation started. +- **updateTargetState** A value indicating the desired state of the optional content. + + +### CbsServicingProvider.CbsUpdateDeferred + +This event reports the results of deferring Windows Content to keep Windows up to date. + + + +### Microsoft.Windows.CbsLite.CbsLiteFinalizeCommit + +The event reports basic information about the end of the last phase of updates. The data collected with this event is used to keep windows up to date. + +The following fields are available: + +- **bootAvailable** Indicates if storage pool version supports Oneshot Boot functionality. +- **cbsLiteSessionID** An ID to associate other cbs events related to this update session. +- **duration** The number of milliseconds taken to complete the operation. +- **result** The return code of the operation. + + +### Microsoft.Windows.CbsLite.CbsLiteUpdateReserve + +This event updates the size of the update reserve on WCOS devices. The data collected with this event is used to help keep Windows up to date and secure. + +The following fields are available: + +- **cbsLiteSessionID** The ID of the CBS Lite Session. +- **CurrentReserveCapacityBytes** Indicates the size of the reserve before the change. +- **NewReserveCapacityBytes** Indicates the new size of the reserve. +- **ReserveId** The ID of the reserve changed. +- **Result** The return code for the operation. + + +## Deployment events + +### Microsoft.Windows.Deployment.Imaging.AppExit + +This event is sent on imaging application exit. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **hr** HResult returned from app exit. +- **totalTimeInMs** Total time taken in Ms. + + +### Microsoft.Windows.Deployment.Imaging.AppInvoked + +This event is sent when the app for image creation is invoked. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **branch** Corresponding branch for the image. +- **isInDbg** Whether the app is in debug mode or not. +- **isWSK** Whether the app is building images using WSK or not. + + +### Microsoft.Windows.Deployment.Imaging.Failed + +This failure event is sent when imaging fails. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **cs** Line that failed. +- **ec** Execution status. +- **hr** HResult returned. +- **msg** Message returned. +- **stack** Stack information. + + +### Microsoft.Windows.Deployment.Imaging.ImagingCompleted + +This event is sent when imaging is done. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **appExecTimeInMs** Execution time in milliseconds. +- **buildInfo** Information of the build. +- **compDbPrepTimeInMs** Preparation time in milliseconds for the CompDBs. +- **executeUpdateTimeInMs** Update execution time in milliseconds. +- **fileStageTimeInMs** File staging time in milliseconds. +- **hr** HResult returned from imaging. +- **imgSizeInMB** Image size in MB. +- **mutexWaitTimeInMs** Mutex wait time in milliseconds. +- **prepareUpdateTimeInMs** Update preparation time in milliseconds. +- **totalRunTimeInMs** Total running time in milliseconds. +- **updateOsTimeInMs** Time in milliseconds spent in update OS. + + +### Microsoft.Windows.Deployment.Imaging.ImagingStarted + +This event is sent when an imaging session starts. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **arch** Architecture of the image. +- **device** Device type for which the image is built. +- **imgFormat** Format of the image. +- **imgSkip** Parameter for skipping certain image types when building. +- **imgType** The type of image being built. +- **lang** Language of the image being built. +- **prod** Image product type. + + +## Diagnostic data events + +### TelClientSynthetic.AbnormalShutdown_0 + +This event sends data about boot IDs for which a normal clean shutdown was not observed. The data collected with this event is used to help keep Windows up to date, secure, and performing properly. + +The following fields are available: + +- **AbnormalShutdownBootId** BootId of the abnormal shutdown being reported by this event. +- **AbsCausedbyAutoChk** This flag is set when AutoCheck forces a device restart to indicate that the shutdown was not an abnormal shutdown. +- **AcDcStateAtLastShutdown** Identifies if the device was on battery or plugged in. +- **BatteryLevelAtLastShutdown** The last recorded battery level. +- **BatteryPercentageAtLastShutdown** The battery percentage at the last shutdown. +- **CrashDumpEnabled** Are crash dumps enabled? +- **CumulativeCrashCount** Cumulative count of operating system crashes since the BootId reset. +- **CurrentBootId** BootId at the time the abnormal shutdown event was being reported. +- **Firmwaredata->ResetReasonEmbeddedController** The reset reason that was supplied by the firmware. +- **Firmwaredata->ResetReasonEmbeddedControllerAdditional** Additional data related to reset reason provided by the firmware. +- **Firmwaredata->ResetReasonPch** The reset reason that was supplied by the hardware. +- **Firmwaredata->ResetReasonPchAdditional** Additional data related to the reset reason supplied by the hardware. +- **Firmwaredata->ResetReasonSupplied** Indicates whether the firmware supplied any reset reason or not. +- **FirmwareType** ID of the FirmwareType as enumerated in DimFirmwareType. +- **HardwareWatchdogTimerGeneratedLastReset** Indicates whether the hardware watchdog timer caused the last reset. +- **HardwareWatchdogTimerPresent** Indicates whether hardware watchdog timer was present or not. +- **InvalidBootStat** This is a sanity check flag that ensures the validity of the bootstat file. +- **LastBugCheckBootId** bootId of the last captured crash. +- **LastBugCheckCode** Code that indicates the type of error. +- **LastBugCheckContextFlags** Additional crash dump settings. +- **LastBugCheckOriginalDumpType** The type of crash dump the system intended to save. +- **LastBugCheckOtherSettings** Other crash dump settings. +- **LastBugCheckParameter1** The first parameter with additional info on the type of the error. +- **LastBugCheckProgress** Progress towards writing out the last crash dump. +- **LastBugCheckVersion** The version of the information struct written during the crash. +- **LastSuccessfullyShutdownBootId** BootId of the last fully successful shutdown. +- **LongPowerButtonPressDetected** Identifies if the user was pressing and holding power button. +- **LongPowerButtonPressInstanceGuid** The Instance GUID for the user state of pressing and holding the power button. +- **OOBEInProgress** Identifies if OOBE is running. +- **OSSetupInProgress** Identifies if the operating system setup is running. +- **PowerButtonCumulativePressCount** How many times has the power button been pressed? +- **PowerButtonCumulativeReleaseCount** How many times has the power button been released? +- **PowerButtonErrorCount** Indicates the number of times there was an error attempting to record power button metrics. +- **PowerButtonLastPressBootId** BootId of the last time the power button was pressed. +- **PowerButtonLastPressTime** Date and time of the last time the power button was pressed. +- **PowerButtonLastReleaseBootId** BootId of the last time the power button was released. +- **PowerButtonLastReleaseTime** Date and time of the last time the power button was released. +- **PowerButtonPressCurrentCsPhase** Represents the phase of Connected Standby exit when the power button was pressed. +- **PowerButtonPressIsShutdownInProgress** Indicates whether a system shutdown was in progress at the last time the power button was pressed. +- **PowerButtonPressLastPowerWatchdogStage** Progress while the monitor is being turned on. +- **PowerButtonPressPowerWatchdogArmed** Indicates whether or not the watchdog for the monitor was active at the time of the last power button press. +- **ShutdownDeviceType** Identifies who triggered a shutdown. Is it because of battery, thermal zones, or through a Kernel API. +- **SleepCheckpoint** Provides the last checkpoint when there is a failure during a sleep transition. +- **SleepCheckpointSource** Indicates whether the source is the EFI variable or bootstat file. +- **SleepCheckpointStatus** Indicates whether the checkpoint information is valid. +- **StaleBootStatData** Identifies if the data from bootstat is stale. +- **TransitionInfoBootId** BootId of the captured transition info. +- **TransitionInfoCSCount** l number of times the system transitioned from Connected Standby mode. +- **TransitionInfoCSEntryReason** Indicates the reason the device last entered Connected Standby mode. +- **TransitionInfoCSExitReason** Indicates the reason the device last exited Connected Standby mode. +- **TransitionInfoCSInProgress** At the time the last marker was saved, the system was in or entering Connected Standby mode. +- **TransitionInfoLastReferenceTimeChecksum** The checksum of TransitionInfoLastReferenceTimestamp, +- **TransitionInfoLastReferenceTimestamp** The date and time that the marker was last saved. +- **TransitionInfoLidState** Describes the state of the laptop lid. +- **TransitionInfoPowerButtonTimestamp** The date and time of the last time the power button was pressed. +- **TransitionInfoSleepInProgress** At the time the last marker was saved, the system was in or entering sleep mode. +- **TransitionInfoSleepTranstionsToOn** Total number of times the device transitioned from sleep mode. +- **TransitionInfoSystemRunning** At the time the last marker was saved, the device was running. +- **TransitionInfoSystemShutdownInProgress** Indicates whether a device shutdown was in progress when the power button was pressed. +- **TransitionInfoUserShutdownInProgress** Indicates whether a user shutdown was in progress when the power button was pressed. +- **TransitionLatestCheckpointId** Represents a unique identifier for a checkpoint during the device state transition. +- **TransitionLatestCheckpointSeqNumber** Represents the chronological sequence number of the checkpoint. +- **TransitionLatestCheckpointType** Represents the type of the checkpoint, which can be the start of a phase, end of a phase, or just informational. +- **VirtualMachineId** If the operating system is on a virtual Machine, it gives the virtual Machine ID (GUID) that can be used to correlate events on the host. + + +### TelClientSynthetic.AuthorizationInfo_RuntimeTransition + +This event is fired by UTC at state transitions to signal what data we are allowed to collect. The data collected with this event is used to help keep Windows up to date, secure, and performing properly. + +The following fields are available: + +- **CanAddMsaToMsTelemetry** True if we can add MSA PUID and CID to telemetry, false otherwise. +- **CanCollectAnyTelemetry** True if we are allowed to collect partner telemetry, false otherwise. +- **CanCollectClearUserIds** True if we are allowed to collect clear user IDs, false if we can only collect omitted IDs. +- **CanCollectCoreTelemetry** True if we can collect CORE/Basic telemetry, false otherwise. +- **CanCollectHeartbeats** True if we can collect heartbeat telemetry, false otherwise. +- **CanCollectOsTelemetry** True if we can collect diagnostic data telemetry, false otherwise. +- **CanCollectWindowsAnalyticsEvents** True if we can collect Windows Analytics data, false otherwise. +- **CanIncludeDeviceNameInDiagnosticData** True if we are allowed to add the device name to diagnostic data, false otherwise. +- **CanPerformDiagnosticEscalations** True if we can perform diagnostic escalation collection, false otherwise. +- **CanPerformSiufEscalations** True if we can perform SIUF escalation collection, false otherwise. +- **CanReportScenarios** True if we can report scenario completions, false otherwise. +- **CanReportUifEscalations** True if we can report UIF escalation, false otherwise. +- **CanUseAuthenticatedProxy** True if we can use authenticated proxy, false otherwise. +- **IsProcessorMode** True if it is Processor Mode, false otherwise. +- **PreviousPermissions** Bitmask of previous telemetry state. +- **TransitionFromEverythingOff** True if we are transitioning from all telemetry being disabled, false otherwise. + + +### TelClientSynthetic.AuthorizationInfo_Startup + +This event is fired by UTC at startup to signal what data we are allowed to collect. The data collected with this event is used to help keep Windows up to date, secure, and performing properly. + +The following fields are available: + +- **CanAddMsaToMsTelemetry** True if we can add MSA PUID and CID to telemetry, false otherwise. +- **CanCollectAnyTelemetry** True if we are allowed to collect partner telemetry, false otherwise. +- **CanCollectClearUserIds** True if we are allowed to collect clear user IDs, false if we can only collect omitted IDs. +- **CanCollectCoreTelemetry** True if we can collect CORE/Basic telemetry, false otherwise. +- **CanCollectHeartbeats** True if we can collect heartbeat telemetry, false otherwise. +- **CanCollectOsTelemetry** True if we can collect diagnostic data telemetry, false otherwise. +- **CanCollectWindowsAnalyticsEvents** True if we can collect Windows Analytics data, false otherwise. +- **CanIncludeDeviceNameInDiagnosticData** True if we are allowed to add the device name to diagnostic data, false otherwise. +- **CanPerformDiagnosticEscalations** True if we can perform diagnostic escalation collection, false otherwise. +- **CanPerformSiufEscalations** True if we can perform System Initiated User Feedback escalation collection, false otherwise. +- **CanReportScenarios** True if we can report scenario completions, false otherwise. +- **CanReportUifEscalations** True if we can perform User Initiated Feedback escalation collection, false otherwise. +- **CanUseAuthenticatedProxy** True if we can use an authenticated proxy to send data, false otherwise. +- **IsProcessorMode** True if it is Processor Mode, false otherwise. +- **PreviousPermissions** Bitmask of previous telemetry state. +- **TransitionFromEverythingOff** True if we are transitioning from all telemetry being disabled, false otherwise. + + +### TelClientSynthetic.ConnectivityHeartBeat_0 + +This event sends data about the connectivity status of the Connected User Experience and Telemetry component that uploads telemetry events. If an unrestricted free network (such as Wi-Fi) is available, this event updates the last successful upload time. Otherwise, it checks whether a Connectivity Heartbeat event was fired in the past 24 hours, and if not, it sends an event. A Connectivity Heartbeat event is also sent when a device recovers from costed network to free network. + +The following fields are available: + +- **CensusExitCode** Returns last execution codes from census client run. +- **CensusStartTime** Returns timestamp corresponding to last successful census run. +- **CensusTaskEnabled** Returns Boolean value for the census task (Enable/Disable) on client machine. +- **LastConnectivityLossTime** The FILETIME at which the last free network loss occurred. +- **NetworkState** Retrieves the network state: 0 = No network. 1 = Restricted network. 2 = Free network. +- **NoNetworkTime** Retrieves the time spent with no network (since the last time) in seconds. +- **RestrictedNetworkTime** The total number of seconds with restricted network during this heartbeat period. + + +### TelClientSynthetic.HeartBeat_5 + +This event sends data about the health and quality of the diagnostic data from the given device, to help keep Windows up to date. It also enables data analysts to determine how 'trusted' the data is from a given device. + +The following fields are available: + +- **AgentConnectionErrorsCount** Number of non-timeout errors associated with the host/agent channel. +- **CensusExitCode** The last exit code of the Census task. +- **CensusStartTime** Time of last Census run. +- **CensusTaskEnabled** True if Census is enabled, false otherwise. +- **CompressedBytesUploaded** Number of compressed bytes uploaded. +- **ConsumerDroppedCount** Number of events dropped at consumer layer of telemetry client. +- **CriticalDataDbDroppedCount** Number of critical data sampled events dropped at the database layer. +- **CriticalDataThrottleDroppedCount** The number of critical data sampled events that were dropped because of throttling. +- **CriticalOverflowEntersCounter** Number of times critical overflow mode was entered in event DB. +- **DbCriticalDroppedCount** Total number of dropped critical events in event DB. +- **DbDroppedCount** Number of events dropped due to DB fullness. +- **DbDroppedFailureCount** Number of events dropped due to DB failures. +- **DbDroppedFullCount** Number of events dropped due to DB fullness. +- **DecodingDroppedCount** Number of events dropped due to decoding failures. +- **EnteringCriticalOverflowDroppedCounter** Number of events dropped due to critical overflow mode being initiated. +- **EtwDroppedBufferCount** Number of buffers dropped in the UTC ETW session. +- **EtwDroppedCount** Number of events dropped at ETW layer of telemetry client. +- **EventsPersistedCount** Number of events that reached the PersistEvent stage. +- **EventStoreLifetimeResetCounter** Number of times event DB was reset for the lifetime of UTC. +- **EventStoreResetCounter** Number of times event DB was reset. +- **EventStoreResetSizeSum** Total size of event DB across all resets reports in this instance. +- **EventsUploaded** Number of events uploaded. +- **Flags** Flags indicating device state such as network state, battery state, and opt-in state. +- **FullTriggerBufferDroppedCount** Number of events dropped due to trigger buffer being full. +- **HeartBeatSequenceNumber** The sequence number of this heartbeat. +- **InvalidHttpCodeCount** Number of invalid HTTP codes received from contacting Vortex. +- **LastAgentConnectionError** Last non-timeout error encountered in the host/agent channel. +- **LastEventSizeOffender** Event name of last event which exceeded max event size. +- **LastInvalidHttpCode** Last invalid HTTP code received from Vortex. +- **MaxActiveAgentConnectionCount** The maximum number of active agents during this heartbeat timeframe. +- **MaxInUseScenarioCounter** Soft maximum number of scenarios loaded by UTC. +- **PreviousHeartBeatTime** Time of last heartbeat event (allows chaining of events). +- **PrivacyBlockedCount** The number of events blocked due to privacy settings or tags. +- **RepeatedUploadFailureDropped** Number of events lost due to repeated upload failures for a single buffer. +- **SettingsHttpAttempts** Number of attempts to contact OneSettings service. +- **SettingsHttpFailures** The number of failures from contacting the OneSettings service. +- **ThrottledDroppedCount** Number of events dropped due to throttling of noisy providers. +- **TopUploaderErrors** List of top errors received from the upload endpoint. +- **UploaderDroppedCount** Number of events dropped at the uploader layer of telemetry client. +- **UploaderErrorCount** Number of errors received from the upload endpoint. +- **VortexFailuresTimeout** The number of timeout failures received from Vortex. +- **VortexHttpAttempts** Number of attempts to contact Vortex. +- **VortexHttpFailures4xx** Number of 400-499 error codes received from Vortex. +- **VortexHttpFailures5xx** Number of 500-599 error codes received from Vortex. +- **VortexHttpResponseFailures** Number of Vortex responses that are not 2XX or 400. +- **VortexHttpResponsesWithDroppedEvents** Number of Vortex responses containing at least 1 dropped event. + + +### TelClientSynthetic.PrivacyGuardReport + +Reports that the Connected User Experiences and Telemetry service encountered an event that may contain privacy data. The event contains information needed to identify and study the source event that triggered the report. The data collected with this event is used to help keep Windows up to date, secure, and performing properly. + +The following fields are available: + +- **EventEpoch** The epoch in which the source event that triggered the report was fired. +- **EventName** The name of the source event that triggered the report. +- **EventSeq** The sequence number of the source event that triggered the report. +- **FieldName** The field of interest in the source event that triggered the report. +- **IsAllowedToSend** True if the field of interest was sent unmodified in the source event that triggered the report, false if the field of interest was anonymized. +- **IsDebug** True if the event was logged in a debug build of Windows. +- **TelemetryApi** The application programming interface used to log the source event that triggered the report. Current values for this field can be "etw" or "rpc". +- **TypeAsText** The type of issue detected in the source event that triggered the report. Current values for this field can be "UserName" or "DeviceName". + + +## DISM events + +### Microsoft.Windows.StartRepairCore.DISMLatestInstalledLCU + +The DISM Latest Installed LCU sends information to report result of search for latest installed LCU after last successful boot. The data collected with this event is used to help keep Windows up to date, secure, and performing properly. + +The following fields are available: + +- **dismInstalledLCUPackageName** The name of the latest installed package. + + +### Microsoft.Windows.StartRepairCore.DISMPendingInstall + +The DISM Pending Install event sends information to report pending package installation found. The data collected with this event is used to help keep Windows up to date, secure, and performing properly. + +The following fields are available: + +- **dismPendingInstallPackageName** The name of the pending package. + + +### Microsoft.Windows.StartRepairCore.DISMRevertPendingActions + +The DISM Pending Install event sends information to report pending package installation found. The data collected with this event is used to help keep Windows up to date, secure, and performing properly. + +The following fields are available: + +- **errorCode** The result code returned by the event. + + +### Microsoft.Windows.StartRepairCore.DISMUninstallLCU + +The DISM Uninstall LCU sends information to report result of uninstall attempt for found LCU. The data collected with this event is used to help keep Windows up to date, secure, and performing properly. + +The following fields are available: + +- **errorCode** The result code returned by the event. + + +### Microsoft.Windows.StartRepairCore.SRTRepairActionEnd + +The SRT Repair Action End event sends information to report repair operation ended for given plug-in. The data collected with this event is used to help keep Windows up to date, secure, and performing properly. + +The following fields are available: + +- **errorCode** The result code returned by the event. +- **failedUninstallCount** The number of driver updates that failed to uninstall. +- **failedUninstallFlightIds** The Flight IDs (identifiers of beta releases) of driver updates that failed to uninstall. +- **foundDriverUpdateCount** The number of found driver updates. +- **srtRepairAction** The scenario name for a repair. +- **successfulUninstallCount** The number of successfully uninstalled driver updates. +- **successfulUninstallFlightIds** The Flight IDs (identifiers of beta releases) of successfully uninstalled driver updates. + + +### Microsoft.Windows.StartRepairCore.SRTRepairActionStart + +The SRT Repair Action Start event sends information to report repair operation started for given plug-in. The data collected with this event is used to help keep Windows up to date, secure, and performing properly. + +The following fields are available: + +- **srtRepairAction** The scenario name for a repair. + + +### Microsoft.Windows.StartRepairCore.SRTRootCauseDiagEnd + +The SRT Root Cause Diagnosis End event sends information to report diagnosis operation completed for given plug-in. The data collected with this event is used to help keep Windows up to date, secure, and performing properly. + +The following fields are available: + +- **errorCode** The result code returned by the event. +- **flightIds** The Flight IDs (identifier of the beta release) of found driver updates. +- **foundDriverUpdateCount** The number of found driver updates. +- **srtRootCauseDiag** The scenario name for a diagnosis event. + + +### Microsoft.Windows.StartRepairCore.SRTRootCauseDiagStart + +The SRT Root Cause Diagnosis Start event sends information to report diagnosis operation started for given plug-in. The data collected with this event is used to help keep Windows up to date, secure, and performing properly. + +The following fields are available: + +- **srtRootCauseDiag** The scenario name for a diagnosis event. + + +## Driver installation events + +### Microsoft.Windows.DriverInstall.DeviceInstall + +This critical event sends information about the driver installation that took place. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **ClassGuid** The unique ID for the device class. +- **ClassLowerFilters** The list of lower filter class drivers. +- **ClassUpperFilters** The list of upper filter class drivers. +- **CoInstallers** The list of coinstallers. +- **ConfigFlags** The device configuration flags. +- **DeviceConfigured** Indicates whether this device was configured through the kernel configuration. +- **DeviceInstalled** Indicates whether the legacy install code path was used. +- **DeviceInstanceId** The unique identifier of the device in the system. +- **DeviceStack** The device stack of the driver being installed. +- **DriverDate** The date of the driver. +- **DriverDescription** A description of the driver function. +- **DriverInfName** Name of the INF file (the setup information file) for the driver. +- **DriverInfSectionName** Name of the DDInstall section within the driver INF file. +- **DriverPackageId** The ID of the driver package that is staged to the driver store. +- **DriverProvider** The driver manufacturer or provider. +- **DriverUpdated** Indicates whether the driver is replacing an old driver. +- **DriverVersion** The version of the driver file. +- **EndTime** The time the installation completed. +- **Error** Provides the WIN32 error code for the installation. +- **ExtensionDrivers** List of extension drivers that complement this installation. +- **FinishInstallAction** Indicates whether the co-installer invoked the finish-install action. +- **FinishInstallUI** Indicates whether the installation process shows the user interface. +- **FirmwareDate** The firmware date that will be stored in the EFI System Resource Table (ESRT). +- **FirmwareRevision** The firmware revision that will be stored in the EFI System Resource Table (ESRT). +- **FirmwareVersion** The firmware version that will be stored in the EFI System Resource Table (ESRT). +- **FirstHardwareId** The ID in the hardware ID list that provides the most specific device description. +- **FlightIds** A list of the different Windows Insider builds on the device. +- **GenericDriver** Indicates whether the driver is a generic driver. +- **Inbox** Indicates whether the driver package is included with Windows. +- **InstallDate** The date the driver was installed. +- **LastCompatibleId** The ID in the hardware ID list that provides the least specific device description. +- **LastInstallFunction** The last install function invoked in a co-installer if the install timeout was reached while a co-installer was executing. +- **LegacyInstallReasonError** The error code for the legacy installation. +- **LowerFilters** The list of lower filter drivers. +- **MatchingDeviceId** The hardware ID or compatible ID that Windows used to install the device instance. +- **NeedReboot** Indicates whether the driver requires a reboot. +- **OriginalDriverInfName** The original name of the INF file before it was renamed. +- **ParentDeviceInstanceId** The device instance ID of the parent of the device. +- **PendedUntilReboot** Indicates whether the installation is pending until the device is rebooted. +- **Problem** Error code returned by the device after installation. +- **ProblemStatus** The status of the device after the driver installation. +- **RebootRequiredReason** DWORD (Double Word—32-bit unsigned integer) containing the reason why the device required a reboot during install. +- **SecondaryDevice** Indicates whether the device is a secondary device. +- **ServiceName** The service name of the driver. +- **SessionGuid** GUID (Globally Unique IDentifier) for the update session. +- **SetupMode** Indicates whether the driver installation took place before the Out Of Box Experience (OOBE) was completed. +- **StartTime** The time when the installation started. +- **SubmissionId** The driver submission identifier assigned by the Windows Hardware Development Center. +- **UpperFilters** The list of upper filter drivers. + + +### Microsoft.Windows.DriverInstall.NewDevInstallDeviceEnd + +This event sends data about the driver installation once it is completed. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **DeviceInstanceId** The unique identifier of the device in the system. +- **DriverUpdated** Indicates whether the driver was updated. +- **Error** The Win32 error code of the installation. +- **FlightId** The ID of the Windows Insider build the device received. +- **InstallDate** The date the driver was installed. +- **InstallFlags** The driver installation flags. +- **OptionalData** Metadata specific to WU (Windows Update) associated with the driver (flight IDs, recovery IDs, etc.) +- **RebootRequired** Indicates whether a reboot is required after the installation. +- **RollbackPossible** Indicates whether this driver can be rolled back. + + +### Microsoft.Windows.DriverInstall.NewDevInstallDeviceStart + +This event sends data about the driver that the new driver installation is replacing. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **DeviceInstanceId** The unique identifier of the device in the system. +- **FirstInstallDate** The first time a driver was installed on this device. +- **InstallFlags** Flag indicating how driver setup was called. +- **LastDriverDate** Date of the driver that is being replaced. +- **LastDriverInbox** Indicates whether the previous driver was included with Windows. +- **LastDriverInfName** Name of the INF file (the setup information file) of the driver being replaced. +- **LastDriverPackageId** ID of the driver package installed on the device before the current install operation began. ID contains the name + architecture + hash. +- **LastDriverVersion** The version of the driver that is being replaced. +- **LastFirmwareDate** The date of the last firmware reported from the EFI System Resource Table (ESRT). +- **LastFirmwareRevision** The last firmware revision number reported from EFI System Resource Table (ESRT). +- **LastFirmwareVersion** The last firmware version reported from the EFI System Resource Table (ESRT). +- **LastInstallDate** The date a driver was last installed on this device. +- **LastMatchingDeviceId** The hardware ID or compatible ID that Windows last used to install the device instance. +- **LastProblem** The previous problem code that was set on the device. +- **LastProblemStatus** The previous problem code that was set on the device. +- **LastSubmissionId** The driver submission identifier of the driver that is being replaced. + + +## DxgKernelTelemetry events + +### DxgKrnlTelemetry.GPUAdapterInventoryV2 + +This event sends basic GPU and display driver information to keep Windows and display drivers up-to-date. + +The following fields are available: + +- **AdapterTypeValue** The numeric value indicating the type of Graphics adapter. +- **aiSeqId** The event sequence ID. +- **bootId** The system boot ID. +- **BrightnessVersionViaDDI** The version of the Display Brightness Interface. +- **ComputePreemptionLevel** The maximum preemption level supported by GPU for compute payload. +- **DDIInterfaceVersion** The device driver interface version. +- **DedicatedSystemMemoryB** The amount of system memory dedicated for GPU use (in bytes). +- **DedicatedVideoMemoryB** The amount of dedicated VRAM of the GPU (in bytes). +- **Display1UMDFilePath** The file path to the location of the Display User Mode Driver in the Driver Store. +- **DisplayAdapterLuid** The display adapter LUID. +- **DriverDate** The date of the display driver. +- **DriverRank** The rank of the display driver. +- **DriverVersion** The display driver version. +- **DriverWorkarounds** Numeric value indicating the driver workarounds that are enabled for this device. +- **DX10UMDFilePath** The file path to the location of the DirectX 10 Display User Mode Driver in the Driver Store. +- **DX11UMDFilePath** The file path to the location of the DirectX 11 Display User Mode Driver in the Driver Store. +- **DX12UMDFilePath** The file path to the location of the DirectX 12 Display User Mode Driver in the Driver Store. +- **DX9UMDFilePath** The file path to the location of the DirectX 9 Display User Mode Driver in the Driver Store. +- **GPUDeviceID** The GPU device ID. +- **GPUPreemptionLevel** The maximum preemption level supported by GPU for graphics payload. +- **GPURevisionID** The GPU revision ID. +- **GPUVendorID** The GPU vendor ID. +- **HwFlipQueueSupportState** Numeric value indicating the adapter's support for hardware flip queues. +- **HwSchSupportState** Numeric value indicating the adapter's support for hardware scheduling. +- **IddPairedRenderAdapterLuid** Identifier for the render adapter paired with this display adapter. +- **InterfaceFuncPointersProvided1** Number of device driver interface function pointers provided. +- **InterfaceFuncPointersProvided2** Number of device driver interface function pointers provided. +- **InterfaceFuncPointersProvided3** Number of device driver interface function pointers provided. +- **InterfaceId** The GPU interface ID. +- **IsDisplayDevice** Does the GPU have displaying capabilities? +- **IsHwFlipQueueEnabled** Boolean value indicating whether hardware flip queues are enabled. +- **IsHwSchEnabled** Boolean value indicating whether hardware scheduling is enabled. +- **IsHybridDiscrete** Does the GPU have discrete GPU capabilities in a hybrid device? +- **IsHybridIntegrated** Does the GPU have integrated GPU capabilities in a hybrid device? +- **IsLDA** Is the GPU comprised of Linked Display Adapters? +- **IsMiracastSupported** Does the GPU support Miracast? +- **IsMismatchLDA** Is at least one device in the Linked Display Adapters chain from a different vendor? +- **IsMPOSupported** Does the GPU support Multi-Plane Overlays? +- **IsMsMiracastSupported** Are the GPU Miracast capabilities driven by a Microsoft solution? +- **IsPostAdapter** Is this GPU the POST GPU in the device? +- **IsRemovable** TRUE if the adapter supports being disabled or removed. +- **IsRenderDevice** Does the GPU have rendering capabilities? +- **IsSoftwareDevice** Is this a software implementation of the GPU? +- **IsVirtualRefreshRateSupported** Boolean value indicating whether the adapter supports virtual refresh rates. +- **KMDFilePath** The file path to the location of the Display Kernel Mode Driver in the Driver Store. +- **MeasureEnabled** Is the device listening to MICROSOFT_KEYWORD_MEASURES? +- **NumNonVidPnTargets** Number of display targets. +- **NumVidPnSources** The number of supported display output sources. +- **NumVidPnTargets** The number of supported display output targets. +- **SharedSystemMemoryB** The amount of system memory shared by GPU and CPU (in bytes). +- **SubSystemID** The subsystem ID. +- **SubVendorID** The GPU sub vendor ID. +- **TelemetryEnabled** Is the device listening to MICROSOFT_KEYWORD_TELEMETRY? +- **TelInvEvntTrigger** What triggered this event to be logged? Example: 0 (GPU enumeration) or 1 (DxgKrnlTelemetry provider toggling) +- **version** The event version. +- **WDDMVersion** The Windows Display Driver Model version. + + +## Fault Reporting events + +### Microsoft.Windows.FaultReporting.AppCrashEvent + +This event sends data about crashes for both native and managed applications, to help keep Windows up to date. The data includes information about the crashing process and a summary of its exception record. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the crash to the Watson service, and the WER event will contain the same ReportID (see field 14 of crash event, field 19 of WER event) as the crash event for the crash being reported. AppCrash is emitted once for each crash handled by WER (e.g. from an unhandled exception or FailFast or ReportException). Note that Generic Watson event types (e.g. from PLM) that may be considered crashes\" by a user DO NOT emit this event. + +The following fields are available: + +- **AppName** The name of the app that has crashed. +- **AppSessionGuid** GUID made up of process ID and is used as a correlation vector for process instances in the telemetry backend. +- **AppTimeStamp** The date/time stamp of the app. +- **AppVersion** The version of the app that has crashed. +- **ExceptionCode** The exception code returned by the process that has crashed. +- **ExceptionOffset** The address where the exception had occurred. +- **Flags** Flags indicating how reporting is done. For example, queue the report, do not offer JIT debugging, or do not terminate the process after reporting. +- **FriendlyAppName** The description of the app that has crashed, if different from the AppName. Otherwise, the process name. +- **IsFatal** True/False to indicate whether the crash resulted in process termination. +- **ModName** Exception module name (e.g. bar.dll). +- **ModTimeStamp** The date/time stamp of the module. +- **ModVersion** The version of the module that has crashed. +- **PackageFullName** Store application identity. +- **PackageRelativeAppId** Store application identity. +- **ProcessArchitecture** Architecture of the crashing process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64. +- **ProcessCreateTime** The time of creation of the process that has crashed. +- **ProcessId** The ID of the process that has crashed. +- **ReportId** A GUID used to identify the report. This can used to track the report across Watson. +- **TargetAppId** The kernel reported AppId of the application being reported. +- **TargetAppVer** The specific version of the application being reported +- **TargetAsId** The sequence number for the hanging process. + + +## Feature quality events + +### Microsoft.Windows.FeatureQuality.Heartbeat + +This event indicates the feature status heartbeat. The data collected with this event is used to help keep Windows up to date, secure, and performing properly. + +The following fields are available: + +- **Features** Array of features. + + +### Microsoft.Windows.FeatureQuality.StateChange + +This event indicates the change of feature state. The data collected with this event is used to help keep Windows up to date, secure, and performing properly. + +The following fields are available: + +- **flightId** Flight id. +- **state** New state. + + +### Microsoft.Windows.FeatureQuality.Status + +This event indicates the feature status. The data collected with this event is used to help keep Windows up to date, secure, and performing properly. + +The following fields are available: + +- **featureId** Feature id. +- **flightId** Flight id. +- **time** Time of status change. +- **variantId** Variant id. + + +## Feature update events + +### Microsoft.Windows.Upgrade.Uninstall.UninstallFailed + +This event sends diagnostic data about failures when uninstalling a feature update, to help resolve any issues preventing customers from reverting to a known state. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **failureReason** Provides data about the uninstall initialization operation failure. +- **hr** Provides the Win32 error code for the operation failure. + + +### Microsoft.Windows.Upgrade.Uninstall.UninstallFinalizedAndRebootTriggered + +This event indicates that the uninstall was properly configured and that a system reboot was initiated. The data collected with this event is used to help keep Windows up to date and performing properly. + + + +## Hang Reporting events + +### Microsoft.Windows.HangReporting.AppHangEvent + +This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on PC devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and will not produce AppHang events. + +The following fields are available: + +- **AppName** The name of the app that has hung. +- **AppSessionGuid** GUID made up of process id used as a correlation vector for process instances in the telemetry backend. +- **AppVersion** The version of the app that has hung. +- **IsFatal** True/False based on whether the hung application caused the creation of a Fatal Hang Report. +- **PackageFullName** Store application identity. +- **PackageRelativeAppId** Store application identity. +- **ProcessArchitecture** Architecture of the hung process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64. +- **ProcessCreateTime** The time of creation of the process that has hung. +- **ProcessId** The ID of the process that has hung. +- **ReportId** A GUID used to identify the report. This can used to track the report across Watson. +- **TargetAppId** The kernel reported AppId of the application being reported. +- **TargetAppVer** The specific version of the application being reported. +- **TargetAsId** The sequence number for the hanging process. +- **TypeCode** Bitmap describing the hang type. +- **WaitingOnAppName** If this is a cross process hang waiting for an application, this has the name of the application. +- **WaitingOnAppVersion** If this is a cross process hang, this has the version of the application for which it is waiting. +- **WaitingOnPackageFullName** If this is a cross process hang waiting for a package, this has the full name of the package for which it is waiting. +- **WaitingOnPackageRelativeAppId** If this is a cross process hang waiting for a package, this has the relative application id of the package. + + +## Holographic events + +### Microsoft.Windows.Analog.Spectrum.TelemetryHolographicDeviceAdded + +This event indicates Windows Mixed Reality device state. This event is also used to count WMR device. The data collected with this event is used to keep Windows performing properly. + +The following fields are available: + +- **ClassGuid** Windows Mixed Reality device class GUID. +- **DeviceInterfaceId** Windows Mixed Reality device interface ID. +- **DriverVersion** Windows Mixed Reality device driver version. +- **FirmwareVersion** Windows Mixed Reality firmware version. +- **Manufacturer** Windows Mixed Reality device manufacturer. +- **ModelName** Windows Mixed Reality device model name. +- **SerialNumber** Windows Mixed Reality device serial number. + + +### Microsoft.Windows.Analog.Spectrum.TelemetryHolographicDeviceRemoved + +This event indicates Windows Mixed Reality device state. The data collected with this event is used to keep Windows and Windows Mixed Reality performing properly. + +The following fields are available: + +- **DeviceInterfaceId** Device Interface ID. + + +### Microsoft.Windows.Holographic.Coordinator.HoloShellStateUpdated + +This event indicates Windows Mixed Reality HoloShell State. This event is also used to count WMR device. The data collected with this event is used to keep Windows performing properly. + +The following fields are available: + +- **HmdState** Windows Mixed Reality Headset HMD state. +- **NewHoloShellState** Windows Mixed Reality HoloShell state. +- **PriorHoloShellState** Windows Mixed Reality state prior to entering to HoloShell. +- **SimulationEnabled** Windows Mixed Reality Simulation state. + + +### Microsoft.Windows.Shell.HolographicFirstRun.AppActivated + +This event indicates Windows Mixed Reality Portal app activation state. This event also used to count WMR device. The data collected with this event is used to keep Windows performing properly. + +The following fields are available: + +- **IsDemoMode** Windows Mixed Reality Portal app state of demo mode. +- **IsDeviceSetupComplete** Windows Mixed Reality Portal app state of device setup completion. +- **PackageVersion** Windows Mixed Reality Portal app package version. +- **PreviousExecutionState** Windows Mixed Reality Portal app prior execution state. +- **wilActivity** Windows Mixed Reality Portal app wilActivity ID. See [wilActivity](#wilactivity). + + +### Microsoft.Windows.Shell.HolographicFirstRun.AppLifecycleService_Resuming + +This event indicates Windows Mixed Reality Portal app resuming. This event is also used to count WMR device. The data collected with this event is used to keep Windows performing properly. + + + +### Microsoft.Windows.Shell.HolographicFirstRun.SomethingWentWrong + +This event is emitted when something went wrong error occurs. The data collected with this event is used to keep Windows and Windows Mixed Reality performing properly. + +The following fields are available: + +- **ErrorSource** Source of error, obsoleted always 0. +- **StartupContext** Start up state. +- **StatusCode** Error status code. +- **SubstatusCode** Error sub status code. + + +### TraceLoggingHoloLensSensorsProvider.OnDeviceAdd + +This event provides Windows Mixed Reality device state with new process that hosts the driver. The data collected with this event is used to keep Windows and Windows Mixed Reality performing properly. + +The following fields are available: + +- **Process** Process ID. +- **Thread** Thread ID. + + +### TraceLoggingOasisUsbHostApiProvider.DeviceInformation + +This event provides Windows Mixed Reality device information. This event is also used to count WMR device and device type. The data collected with this event is used to keep Windows performing properly. + +The following fields are available: + +- **BootloaderMajorVer** Windows Mixed Reality device boot loader major version. +- **BootloaderMinorVer** Windows Mixed Reality device boot loader minor version. +- **BootloaderRevisionNumber** Windows Mixed Reality device boot loader revision number. +- **BTHFWMajorVer** Windows Mixed Reality device BTHFW major version. This event also used to count WMR device. +- **BTHFWMinorVer** Windows Mixed Reality device BTHFW minor version. This event also used to count WMR device. +- **BTHFWRevisionNumber** Windows Mixed Reality device BTHFW revision number. +- **CalibrationBlobSize** Windows Mixed Reality device calibration blob size. +- **CalibrationFwMajorVer** Windows Mixed Reality device calibration firmware major version. +- **CalibrationFwMinorVer** Windows Mixed Reality device calibration firmware minor version. +- **CalibrationFwRevNum** Windows Mixed Reality device calibration firmware revision number. +- **DeviceInfoFlags** Windows Mixed Reality device info flags. +- **DeviceName** Windows Mixed Reality device Name. This event is also used to count WMR device. +- **DeviceReleaseNumber** Windows Mixed Reality device release number. +- **FirmwareMajorVer** Windows Mixed Reality device firmware major version. +- **FirmwareMinorVer** Windows Mixed Reality device firmware minor version. +- **FirmwareRevisionNumber** Windows Mixed Reality device calibration firmware revision number. +- **FpgaFwMajorVer** Windows Mixed Reality device FPGA firmware major version. +- **FpgaFwMinorVer** Windows Mixed Reality device FPGA firmware minor version. +- **FpgaFwRevisionNumber** Windows Mixed Reality device FPGA firmware revision number. +- **FriendlyName** Windows Mixed Reality device friendly name. +- **HashedSerialNumber** Windows Mixed Reality device hashed serial number. +- **HeaderSize** Windows Mixed Reality device header size. +- **HeaderVersion** Windows Mixed Reality device header version. +- **LicenseKey** Windows Mixed Reality device header license key. +- **Make** Windows Mixed Reality device make. +- **ManufacturingDate** Windows Mixed Reality device manufacturing date. +- **Model** Windows Mixed Reality device model. +- **PresenceSensorHidVendorPage** Windows Mixed Reality device presence sensor HID vendor page. +- **PresenceSensorHidVendorUsage** Windows Mixed Reality device presence sensor HID vendor usage. +- **PresenceSensorUsbVid** Windows Mixed Reality device presence sensor USB VId. +- **ProductBoardRevision** Windows Mixed Reality device product board revision number. +- **SerialNumber** Windows Mixed Reality device serial number. + + +## Inventory events + +### Microsoft.Windows.Inventory.Core.AmiTelCacheChecksum + +This event captures basic checksum data about the device inventory items stored in the cache for use in validating data completeness for Microsoft.Windows.Inventory.Core events. The fields in this event may change over time, but they will always represent a count of a given object. The data collected with this event is used to keep Windows performing properly. + +The following fields are available: + +- **DriverPackageExtended** A count of driverpackageextended objects in cache. +- **InventoryApplication** A count of application objects in cache. +- **InventoryApplicationDriver** A count of application driver objects in cache +- **InventoryApplicationFramework** A count of application framework objects in cache +- **InventoryDeviceContainer** A count of device container objects in cache. +- **InventoryDeviceInterface** A count of Plug and Play device interface objects in cache. +- **InventoryDeviceMediaClass** A count of device media objects in cache. +- **InventoryDevicePnp** A count of device Plug and Play objects in cache. +- **InventoryDeviceUsbHubClass** A count of device usb objects in cache +- **InventoryDriverBinary** A count of driver binary objects in cache. +- **InventoryDriverPackage** A count of device objects in cache. +- **InventoryMiscellaneousOfficeAddIn** A count of office add-in objects in cache +- **InventoryMiscellaneousOfficeIdentifiers** A count of office identifier objects in cache +- **InventoryMiscellaneousOfficeIESettings** A count of office ie settings objects in cache +- **InventoryMiscellaneousOfficeInsights** A count of office insights objects in cache +- **InventoryMiscellaneousOfficeProducts** A count of office products objects in cache +- **InventoryMiscellaneousOfficeSettings** A count of office settings objects in cache +- **InventoryMiscellaneousOfficeVBA** A count of office vba objects in cache +- **InventoryMiscellaneousOfficeVBARuleViolations** A count of office vba rule violations objects in cache +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryAcpiPhatHealthRecordAdd + +This event sends basic metadata about ACPI PHAT Health Record structure on the machine. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AmHealthy** Indicates if the is device healthy. 0 - Errors found. 1 - No errors. 2 - Unknown. 3 - Advisory. +- **DevicePathSubtype** The device path subtype associated with the record producer. +- **DevicePathType** The device path type associated with the record producer. +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryAcpiPhatHealthRecordStartSync + +This event indicates a new set of InventoryAcpiPhatHealthRecord events will be sent. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryAcpiPhatVersionElementAdd + +This event sends basic metadata for ACPI PHAT Version Element structure. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. +- **ProducerId** The ACPI vendor ID. +- **VersionValue** The 64 bit component version value. + + +### Microsoft.Windows.Inventory.Core.InventoryAcpiPhatVersionElementStartSync + +This event indicates that a new set of InventoryAcpiPhatVersionElement events will be sent. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryApplicationAdd + +This event sends basic metadata about an application on the system. The data collected with this event is used to keep Windows performing properly and up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **HiddenArp** Indicates whether a program hides itself from showing up in ARP. +- **InstallDate** The date the application was installed (a best guess based on folder creation date heuristics). +- **InventoryVersion** The version of the inventory file generating the events. +- **Language** The language code of the program. +- **LattePackageId** The ID of the Latte package. +- **MsiInstallDate** The install date recorded in the program's MSI package. +- **MsiPackageCode** A GUID that describes the MSI Package. Multiple 'Products' (apps) can make up an MsiPackage. +- **MsiProductCode** A GUID that describe the MSI Product. +- **Name** The name of the application. +- **OSVersionAtInstallTime** The four octets from the OS version at the time of the application's install. +- **PackageFullName** The package full name for a Store application. +- **ProgramInstanceId** A hash of the file IDs in an app. +- **Publisher** The Publisher of the application. Location pulled from depends on the 'Source' field. +- **RootDirPath** The path to the root directory where the program was installed. +- **Source** How the program was installed (for example, ARP, MSI, Appx). +- **StoreAppType** A sub-classification for the type of Microsoft Store app, such as UWP or Win8StoreApp. +- **Type** One of ("Application", "Hotfix", "BOE", "Service", "Unknown"). Application indicates Win32 or Appx app, Hotfix indicates app updates (KBs), BOE indicates it's an app with no ARP or MSI entry, Service indicates that it is a service. Application and BOE are the ones most likely seen. +- **Version** The version number of the program. + + +### Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkAdd + +This event provides the basic metadata about the frameworks an application may depend on. The data collected with this event is used to keep Windows performing properly. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **FileId** A hash that uniquely identifies a file. +- **Frameworks** The list of frameworks this file depends on. +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkStartSync + +This event indicates that a new set of InventoryApplicationFrameworkAdd events will be sent. The data collected with this event is used to keep Windows performing properly. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryApplicationRemove + +This event indicates that a new set of InventoryDevicePnpAdd events will be sent. The data collected with this event is used to keep Windows performing properly. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryApplicationStartSync + +This event indicates that a new set of InventoryApplicationAdd events will be sent. The data collected with this event is used to keep Windows performing properly. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerAdd + +This event sends basic metadata about a device container (such as a monitor or printer as opposed to a Plug and Play device). The data collected with this event is used to help keep Windows up to date and to keep Windows performing properly. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **Categories** A comma separated list of functional categories in which the container belongs. +- **DiscoveryMethod** The discovery method for the device container. +- **FriendlyName** The name of the device container. +- **InventoryVersion** The version of the inventory file generating the events. +- **IsActive** Is the device connected, or has it been seen in the last 14 days? +- **IsConnected** For a physically attached device, this value is the same as IsPresent. For wireless a device, this value represents a communication link. +- **IsMachineContainer** Is the container the root device itself? +- **IsNetworked** Is this a networked device? +- **IsPaired** Does the device container require pairing? +- **Manufacturer** The manufacturer name for the device container. +- **ModelId** A unique model ID. +- **ModelName** The model name. +- **ModelNumber** The model number for the device container. +- **PrimaryCategory** The primary category for the device container. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerRemove + +This event indicates that the InventoryDeviceContainer object is no longer present. The data collected with this event is used to keep Windows performing properly. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerStartSync + +This event indicates that a new set of InventoryDeviceContainerAdd events will be sent. The data collected with this event is used to keep Windows performing properly. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceInterfaceAdd + +This event retrieves information about what sensor interfaces are available on the device. The data collected with this event is used to keep Windows performing properly. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **Accelerometer3D** Indicates if an Accelerator3D sensor is found. +- **ActivityDetection** Indicates if an Activity Detection sensor is found. +- **AmbientLight** Indicates if an Ambient Light sensor is found. +- **Barometer** Indicates if a Barometer sensor is found. +- **Custom** Indicates if a Custom sensor is found. +- **EnergyMeter** Indicates if an Energy sensor is found. +- **FloorElevation** Indicates if a Floor Elevation sensor is found. +- **GeomagneticOrientation** Indicates if a Geo Magnetic Orientation sensor is found. +- **GravityVector** Indicates if a Gravity Detector sensor is found. +- **Gyrometer3D** Indicates if a Gyrometer3D sensor is found. +- **Humidity** Indicates if a Humidity sensor is found. +- **InventoryVersion** The version of the inventory file generating the events. +- **LinearAccelerometer** Indicates if a Linear Accelerometer sensor is found. +- **Magnetometer3D** Indicates if a Magnetometer3D sensor is found. +- **Orientation** Indicates if an Orientation sensor is found. +- **Pedometer** Indicates if a Pedometer sensor is found. +- **Proximity** Indicates if a Proximity sensor is found. +- **RelativeOrientation** Indicates if a Relative Orientation sensor is found. +- **SimpleDeviceOrientation** Indicates if a Simple Device Orientation sensor is found. +- **Temperature** Indicates if a Temperature sensor is found. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceInterfaceStartSync + +This event indicates that a new set of InventoryDeviceInterfaceAdd events will be sent. The data collected with this event is used to keep Windows performing properly. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassAdd + +This event sends additional metadata about a Plug and Play device that is specific to a particular class of devices. The data collected with this event is used to help keep Windows up to date and performing properly while reducing overall size of data payload. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **Audio_CaptureDriver** The Audio device capture driver endpoint. +- **Audio_RenderDriver** The Audio device render driver endpoint. +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassRemove + +This event indicates that the InventoryDeviceMediaClass object represented by the objectInstanceId is no longer present. This event is used to understand a PNP device that is specific to a particular class of devices. The data collected with this event is used to help keep Windows up to date and performing properly while reducing overall size of data payload. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassStartSync + +This event indicates that a new set of InventoryDeviceMediaClassSAdd events will be sent. The data collected with this event is used to keep Windows performing properly. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDevicePnpAdd + +This event sends basic metadata about a PNP device and its associated driver to help keep Windows up to date. This information is used to assess if the PNP device and driver will remain compatible when upgrading Windows. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **BusReportedDescription** The description of the device reported by the bux. +- **Class** The device setup class of the driver loaded for the device. +- **ClassGuid** The device class GUID from the driver package +- **COMPID** The device setup class guid of the driver loaded for the device. +- **ContainerId** The list of compat ids for the device. +- **Description** System-supplied GUID that uniquely groups the functional devices associated with a single-function or multifunction device installed in the computer. +- **DeviceInterfaceClasses** The device interfaces that this device implements. +- **DeviceState** The device description. +- **DriverId** DeviceState is a bitmask of the following: DEVICE_IS_CONNECTED 0x0001 (currently only for container). DEVICE_IS_NETWORK_DEVICE 0x0002 (currently only for container). DEVICE_IS_PAIRED 0x0004 (currently only for container). DEVICE_IS_ACTIVE 0x0008 (currently never set). DEVICE_IS_MACHINE 0x0010 (currently only for container). DEVICE_IS_PRESENT 0x0020 (currently always set). DEVICE_IS_HIDDEN 0x0040. DEVICE_IS_PRINTER 0x0080 (currently only for container). DEVICE_IS_WIRELESS 0x0100. DEVICE_IS_WIRELESS_FAT 0x0200. The most common values are therefore: 32 (0x20)= device is present. 96 (0x60)= device is present but hidden. 288 (0x120)= device is a wireless device that is present +- **DriverName** A unique identifier for the driver installed. +- **DriverPackageStrongName** The immediate parent directory name in the Directory field of InventoryDriverPackage +- **DriverVerDate** Name of the .sys image file (or wudfrd.sys if using user mode driver framework). +- **DriverVerVersion** The immediate parent directory name in the Directory field of InventoryDriverPackage. +- **Enumerator** The date of the driver loaded for the device. +- **ExtendedInfs** The extended INF file names. +- **FirstInstallDate** The first time this device was installed on the machine. +- **HWID** The version of the driver loaded for the device. +- **Inf** The bus that enumerated the device. +- **InstallDate** The date of the most recent installation of the device on the machine. +- **InstallState** The device installation state. For a list of values, see [Device Install State](https://msdn.microsoft.com/library/windows/hardware/ff543130.aspx). +- **InventoryVersion** List of hardware ids for the device. +- **LowerClassFilters** Lower filter class drivers IDs installed for the device +- **LowerFilters** The identifiers of the Lower filters installed for the device. +- **Manufacturer** The manufacturer of the device. +- **MatchingID** The Hardware ID or Compatible ID that Windows uses to install a device instance. +- **Model** Identifies the model of the device. +- **ParentId** The Device Instance ID of the parent of the device. +- **ProblemCode** The error code currently returned by the device, if applicable. +- **Provider** Identifies the device provider. +- **Service** The name of the device service. +- **STACKID** The list of hardware IDs for the stack. +- **UpperClassFilters** The identifiers of the Upper Class filters installed for the device. +- **UpperFilters** The identifiers of the Upper filters installed for the device. + + +### Microsoft.Windows.Inventory.Core.InventoryDevicePnpRemove + +This event indicates that the InventoryDevicePnpRemove object is no longer present. The data collected with this event is used to keep Windows performing properly. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDevicePnpStartSync + +This event indicates that a new set of InventoryDevicePnpAdd events will be sent. The data collected with this event is used to keep Windows performing properly. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceSensorAdd + +This event sends basic metadata about sensor devices on a machine. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. +- **Manufacturer** Sensor manufacturer. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceSensorRemove + +This event is used to indicate a sensor has been removed from a machine. The data collected with this event is used to keep Windows performing properly. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceSensorStartSync + +This event indicates that a new set of InventoryDeviceSensor events will be sent. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassAdd + +This event sends basic metadata about the USB hubs on the device. The data collected with this event is used to keep Windows performing properly. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. +- **TotalUserConnectablePorts** Total number of connectable USB ports. +- **TotalUserConnectableTypeCPorts** Total number of connectable USB Type C ports. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassStartSync + +This event indicates that a new set of InventoryDeviceUsbHubClassAdd events will be sent. The data collected with this event is used to keep Windows performing properly. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryAdd + +This event sends basic metadata about driver binaries running on the system. The data collected with this event is used to help keep Windows up to date and performing properly. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **DriverCheckSum** The checksum of the driver file. +- **DriverCompany** The company name that developed the driver. +- **DriverInBox** Is the driver included with the operating system? +- **DriverIsKernelMode** Is it a kernel mode driver? +- **DriverName** The file name of the driver. +- **DriverPackageStrongName** The strong name of the driver package +- **DriverSigned** The strong name of the driver package +- **DriverTimeStamp** The low 32 bits of the time stamp of the driver file. +- **DriverType** A bitfield of driver attributes: 1. define DRIVER_MAP_DRIVER_TYPE_PRINTER 0x0001. 2. define DRIVER_MAP_DRIVER_TYPE_KERNEL 0x0002. 3. define DRIVER_MAP_DRIVER_TYPE_USER 0x0004. 4. define DRIVER_MAP_DRIVER_IS_SIGNED 0x0008. 5. define DRIVER_MAP_DRIVER_IS_INBOX 0x0010. 6. define DRIVER_MAP_DRIVER_IS_WINQUAL 0x0040. 7. define DRIVER_MAP_DRIVER_IS_SELF_SIGNED 0x0020. 8. define DRIVER_MAP_DRIVER_IS_CI_SIGNED 0x0080. 9. define DRIVER_MAP_DRIVER_HAS_BOOT_SERVICE 0x0100. 10. define DRIVER_MAP_DRIVER_TYPE_I386 0x10000. 11. define DRIVER_MAP_DRIVER_TYPE_IA64 0x20000. 12. define DRIVER_MAP_DRIVER_TYPE_AMD64 0x40000. 13. define DRIVER_MAP_DRIVER_TYPE_ARM 0x100000. 14. define DRIVER_MAP_DRIVER_TYPE_THUMB 0x200000. 15. define DRIVER_MAP_DRIVER_TYPE_ARMNT 0x400000. 16. define DRIVER_MAP_DRIVER_IS_TIME_STAMPED 0x800000. +- **DriverVersion** The version of the driver file. +- **ImageSize** The size of the driver file. +- **Inf** The name of the INF file. +- **InventoryVersion** The version of the inventory file generating the events. +- **Product** The product name that is included in the driver file. +- **ProductVersion** The product version that is included in the driver file. +- **Service** The name of the service that is installed for the device. +- **WdfVersion** The Windows Driver Framework version. + + +### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryRemove + +This event indicates that the InventoryDriverBinary object is no longer present. The data collected with this event is used to keep Windows performing properly. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryStartSync + +This event indicates that a new set of InventoryDriverBinaryAdd events will be sent. The data collected with this event is used to keep Windows performing properly. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDriverPackageAdd + +This event sends basic metadata about drive packages installed on the system. The data collected with this event is used to help keep Windows up to date and performing properly. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **Class** The class name for the device driver. +- **ClassGuid** The class GUID for the device driver. +- **Date** The driver package date. +- **Directory** The path to the driver package. +- **DriverInBox** Is the driver included with the operating system? +- **FlightIds** Driver Flight IDs. +- **Inf** The INF name of the driver package. +- **InventoryVersion** The version of the inventory file generating the events. +- **Provider** The provider for the driver package. +- **RecoveryIds** Driver recovery IDs. +- **SubmissionId** The HLK submission ID for the driver package. +- **Version** The version of the driver package. + + +### Microsoft.Windows.Inventory.Core.InventoryDriverPackageRemove + +This event indicates that the InventoryDriverPackageRemove object is no longer present. The data collected with this event is used to keep Windows performing properly. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDriverPackageStartSync + +This event indicates that a new set of InventoryDriverPackageAdd events will be sent. The data collected with this event is used to keep Windows performing properly. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.General.AppHealthStaticAdd + +This event sends details collected for a specific application on the source device. The data collected with this event is used to keep Windows performing properly. + + + +### Microsoft.Windows.Inventory.General.AppHealthStaticStartSync + +This event indicates the beginning of a series of AppHealthStaticAdd events. The data collected with this event is used to keep Windows performing properly. + + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousMemorySlotArrayInfoAdd + +This event provides basic information about active memory slots on the device. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **Capacity** Memory size in bytes +- **Manufacturer** Name of the DRAM manufacturer +- **Model** Model and sub-model of the memory +- **Slot** Slot to which the DRAM is plugged into the motherboard. +- **Speed** The configured memory slot speed in MHz. +- **Type** Reports DDR as an enumeration value as per the DMTF SMBIOS standard version 3.3.0, section 7.18.2. +- **TypeDetails** Reports Non-volatile as a bit flag enumeration per DMTF SMBIOS standard version 3.3.0, section 7.18.3. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousMemorySlotArrayInfoRemove + +This event indicates that this particular data object represented by the objectInstanceId is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousMemorySlotArrayInfoStartSync + +This diagnostic event indicates a new sync is being generated for this object type. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInAdd + +This event provides data on the installed Office add-ins. The data collected with this event is used to keep Windows performing properly. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AddinCLSID** The class identifier key for the Microsoft Office add-in. +- **AddInId** The identifier for the Microsoft Office add-in. +- **AddinType** The type of the Microsoft Office add-in. +- **BinFileTimestamp** The timestamp of the Office add-in. +- **BinFileVersion** The version of the Microsoft Office add-in. +- **Description** Description of the Microsoft Office add-in. +- **FileId** The file identifier of the Microsoft Office add-in. +- **FileSize** The file size of the Microsoft Office add-in. +- **FriendlyName** The friendly name for the Microsoft Office add-in. +- **FullPath** The full path to the Microsoft Office add-in. +- **InventoryVersion** The version of the inventory binary generating the events. +- **LoadBehavior** Integer that describes the load behavior. +- **OfficeApplication** The Microsoft Office application associated with the add-in. +- **OfficeArchitecture** The architecture of the add-in. +- **OfficeVersion** The Microsoft Office version for this add-in. +- **OutlookCrashingAddin** Indicates whether crashes have been found for this add-in. +- **ProductCompany** The name of the company associated with the Office add-in. +- **ProductName** The product name associated with the Microsoft Office add-in. +- **ProductVersion** The version associated with the Office add-in. +- **ProgramId** The unique program identifier of the Microsoft Office add-in. +- **Provider** Name of the provider for this add-in. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInRemove + +This event indicates that the particular data object represented by the objectInstanceId is no longer present. The data collected with this event is used to keep Windows performing properly. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInStartSync + +This event indicates that a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoAdd + +This event provides data on Unified Update Platform (UUP) products and what version they are at. The data collected with this event is used to keep Windows performing properly. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **Identifier** UUP identifier +- **LastActivatedVersion** Last activated version +- **PreviousVersion** Previous version +- **Source** UUP source +- **Version** UUP version + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoRemove + +This event indicates that this particular data object represented by the objectInstanceId is no longer present. The data collected with this event is used to keep Windows performing properly. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoStartSync + +This is a diagnostic event that indicates a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + + + +### Microsoft.Windows.Inventory.Indicators.Checksum + +This event summarizes the counts for the InventoryMiscellaneousUexIndicatorAdd events. The data collected with this event is used to keep Windows performing properly. + +The following fields are available: + +- **ChecksumDictionary** A count of each operating system indicator. +- **PCFP** Equivalent to the InventoryId field that is found in other core events. + + +### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorAdd + +This event represents the basic metadata about the OS indicators installed on the system. The data collected with this event helps ensure the device is up to date and keeps Windows performing properly. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **IndicatorValue** The indicator value. + + +### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorRemove + +This event indicates that this particular data object represented by the objectInstanceId is no longer present. This event is used to understand the OS indicators installed on the system. The data collected with this event helps ensure the device is current and Windows is up to date and performing properly. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + + + +### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorStartSync + +This event indicates that this particular data object represented by the objectInstanceId is no longer present. This event is used to understand the OS indicators installed on the system. The data collected with this event helps ensure the device is current and Windows is up to date and performing properly. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + + + +## Kernel events + +### Microsoft.Windows.Kernel.DeviceConfig.DeviceConfig + +This critical device configuration event provides information about drivers for a driver installation that took place within the kernel. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **ClassGuid** The unique ID for the device class. +- **DeviceInstanceId** The unique ID for the device on the system. +- **DriverDate** The date of the driver. +- **DriverFlightIds** The IDs for the driver flights. +- **DriverInfName** Driver INF file name. +- **DriverProvider** The driver manufacturer or provider. +- **DriverSubmissionId** The driver submission ID assigned by the hardware developer center. +- **DriverVersion** The driver version number. +- **ExtensionDrivers** The list of extension driver INF files, extension IDs, and associated flight IDs. +- **FirstHardwareId** The ID in the hardware ID list that provides the most specific device description. +- **InboxDriver** Indicates whether the driver package is included with Windows. +- **InstallDate** Date the driver was installed. +- **LastCompatibleId** The ID in the hardware ID list that provides the least specific device description. +- **Legacy** Indicates whether the driver is a legacy driver. +- **NeedReboot** Indicates whether the driver requires a reboot. +- **RebootRequiredReason** Provides the reason why a reboot is required. +- **SetupMode** Indicates whether the device configuration occurred during the Out Of Box Experience (OOBE). +- **StatusCode** The NTSTATUS of device configuration operation. + + +### Microsoft.Windows.Kernel.PnP.AggregateClearDevNodeProblem + +This event is sent when a problem code is cleared from a device. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **Count** The total number of events. +- **DeviceInstanceId** The unique identifier of the device on the system. +- **LastProblem** The previous problem that was cleared. +- **LastProblemStatus** The previous NTSTATUS value that was cleared. +- **ServiceName** The name of the driver or service attached to the device. + + +### Microsoft.Windows.Kernel.PnP.AggregateSetDevNodeProblem + +This event is sent when a new problem code is assigned to a device. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **Count** The total number of events. +- **DeviceInstanceId** The unique identifier of the device in the system. +- **LastProblem** The previous problem code that was set on the device. +- **LastProblemStatus** The previous NTSTATUS value that was set on the device. +- **Problem** The new problem code that was set on the device. +- **ProblemStatus** The new NTSTATUS value that was set on the device. +- **ServiceName** The driver or service name that is attached to the device. + + +### Microsoft.Windows.Kernel.Power.ExecutePowerAction + +This event supplies power state transition parameters. This information is used to monitor state transition requests and catch exceptions. The data collected with this event is used to keep Windows performing properly. + +The following fields are available: + +- **Disabled** Supplies whether the LocalAction or alternative action can be performed. +- **LightestState** The lightest state to transmit to. +- **LocalAction** The updated POWER_ACTION to perform. +- **LocalActionEventCode** The updated bitmask of level of user notifications. +- **LocalActionFlags** The updated bitmask of POWER_ACTION_*. +- **PowerAction** The original POWER_ACTION that the requester intents to perform. +- **PowerActionEventCode** The original bitmask of level of user notifcations, supplied by the requester. +- **PowerActionFlags** The original bitmask of level of user notifcations, supplied by requester. +- **RequesterName** Name of the process raises the request. +- **RequesterNameLength** Length of RequesterName. +- **SubstitutionPolicy** The policy to pick substituted states. +- **TriggerFlags** Bitmask of PO_TRG_*. +- **TriggerType** Type of the trigger from POWER_POLICY_DEVICE_TYPE. +- **UserNotify** Bitmask of PO_NOTIFY_EVENT_*. + + +### Microsoft.Windows.Kernel.Power.PreviousShutdownWasThermalShutdown + +This event sends Product and Service Performance data on which area of the device exceeded safe temperature limits and caused the device to shutdown. This information is used to ensure devices are behaving as they are expected to. The data collected with this event is used to keep Windows performing properly. + +The following fields are available: + +- **temperature** Contains the actual temperature measurement, in tenths of degrees Kelvin, for the area that exceeded the limit. +- **thermalZone** Contains an identifier that specifies which area it was that exceeded temperature limits. + + +## Manufacturing events + +### ManufacturingPlatformTel.ManufacturingPlatformActivityEvent + +These is the Activity event coming from the Manufacturing Platform. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **BootOptionDescription** This field describes the boot option that is retrieved using EFI protocols from the DUT side. +- **BootOptionDevicePath** The device path for the boot option. +- **ChunkSizeInBytes** Indicates the chunk size, in bytes, of an FFU image. +- **CurrentDUTTime** Indicates the time on the DUT (or target device), using EFI protocols, when the event was logged. +- **DeviceTargetInfo** Describes general manufacturing and product information about the device and is retrieved via SMBIOS on the DUT (target device). +- **DUTActivityGuid** The activity guid, from TraceLoggingActivity, that is associated with that operation on the DUT (target device). +- **DUTDeviceUniqueId** A GUID that uniquely identifies a target device. +- **DUTSessionGuid** A GUID that uniquely identifies a section on the DUT (target device). +- **EventName** Indicates the specific event from ManufacturingPlatform. A list of all possible events can be found in ufptelemetryevents.h. An example is: "GetFlashingImageData" or "GetFlashingStatus". +- **FFUFilePath** Describes to the name of the FFU file that we are flashing. +- **FFUHeaderSize** Refers to the size of the header in an FFU image. +- **FFUPayloadSize** Refers to the payload size of an FFU image. +- **FieldName** Provides a description of the value field. If relevant, it also includes the unit. Example: "ErrorMessage" or "TimeInSec". +- **HeaderFileOffset** Indicates the header file offset in an FFU image. +- **HostStartTime** Refers to the UTC system time on the host that is recorded when the host starts a telemetry logging session on the DUT (target device). +- **Identifier** Identifies the phase in ManufacturingPlatform we are in. In FlashingPlatform, this field is empty. In FlashingDevice, it includes the DeviceUniqueId, and in an activity, it also includes the operation name. +- **ImageDeviceTargetInfo** Describes the device target information that has been included in the FFU image. These values can be found in the image header. +- **ImageHeaderData** Describes critical data in the image header of an FFU image. +- **OperationName** The name of the operation the host is triggering a logging session on the DUT (target device) for. +- **PayloadFileOffset** Indicates the header file offset in an FFU image. +- **SectorSize** Indicates the sector size of the FFU image. +- **StoreHeaderData** Describes critical data of important fields found in the store header of an FFU image. +- **UFPImplementationVersionMajor** Implementation major version for the UFP binaries on the DUT (target device) side. +- **UFPImplementationVersionMinor** Implementation minor version for the UFP binaries on the DUT (target device) side. +- **UFPProtocolVersionMajor** Protocol major version for the UFP binaries on the DUT (target device) side. +- **UFPProtocolVersionMinor** Protocol minor version for the UFP binaries on the DUT (target device) side. +- **ValueStr** The value to be logged. Described by field name and relevant to the event name. +- **ValueUInt64** The value to be logged. Described by field name and relevant to the event name. +- **ValueWideStr** The value to log. Described by field name and relevant to the event name. + + +### ManufacturingPlatformTel.ManufacturingPlatformActivityEventStart + +This is the Event Start Activity event coming from the Manufacturing Platform. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **DeviceTargetInfo** Describes general manufacturing and product information about the device and is retrieved using SMBIOS on the DUT (target device). +- **m_Identifier** Indicates the phase in ManufacturingPlatform that we are in. In FlashingPlatform, this field is empty. In FlashingDevice, it includes the DeviceUniqueId, and in an activity, it also includes the operation name. + + +### ManufacturingPlatformTel.ManufacturingPlatformActivityEventStop + +This is the Event Stop Activity event coming from the Manufacturing Platform. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **DeviceTargetInfo** Describes general manufacturing and product information about the device, retrieved using SMBIOS on the DUT (target device). +- **m_Identifier** Indicates the phase in ManufacturingPlatform that we are in. In FlashingPlatform, this field is empty. In FlashingDevice, it includes the DeviceUniqueId, and in an activity, it also includes the operation name. + + +### ManufacturingPlatformTel.ManufacturingPlatformEvent + +This is the manufacturing event coming from the Manufacturing Platform. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **CurrentDUTTime** Indicates the time on the DUT (or target device) using EFI protocols when the event was logged. +- **DeviceFriendlyName** Friendly name of the device as retrieved from SMBIOS on the DUT (target device). +- **DeviceTargetInfo** Describes general manufacturing and product information about the device and is retrieved using SMBIOS on the DUT (target device). +- **DUTActivityGuid** The activity GUID that comes from TraceLoggingActivity associated with that operation on the DUT (target device). +- **DUTDeviceUniqueId** A GUID to uniquely describes a target device. +- **DUTSessionGuid** The session GUID given to the DUT (target device) when the host triggers an operation in the DUT. +- **EventName** Refers to the specific event occurring from ManufacturingPlatform. A list of all possible events can be found in ufptelemetryevents.h. An example is: "GetFlashingImageData" or "GetFlashingStatus" +- **FieldName** Describes the value field. If relevant it also includes the unit. Example: "ErrorMessage" or "TimeInSec" +- **HostStartTime** Indicates the UTC system time on the host, recorded when the host starts a telemetry logging session on the DUT (target device) +- **Identifier** Indicates the phase the ManufacturingPlatform is in. In FlashingPlatform, this field is empty. In FlashingDevice, it includes the DeviceUniqueId, and in an activity, it also includes the operation name. +- **MajorVersionUInt64** Refers to the major version of the host UFP binaries. +- **MinorVersionUInt64** Refers to the minor version of the host UFP binaries. +- **OperationName** The name of the operation the host is triggering a logging session on the DUT (target device) for. +- **ValueStr** The value to log. Described by field name and relevant to the event name. +- **ValueUInt64** The value to log. Described by field name and relevant to the event name. +- **ValueWideStr** The value to log. Described by field name and relevant to the event name. + + +## Microsoft Edge events + +### Aria.160f0649efde47b7832f05ed000fc453.Microsoft.WebBrowser.SystemInfo.Config + +This config event sends basic device connectivity and configuration information from Microsoft Edge about the current data collection consent, app version, and installation state to keep Microsoft Edge up to date and secure. + +The following fields are available: + +- **app_sample_rate** A number representing how often the client sends telemetry, expressed as a percentage. Low values indicate that said client sends more events and high values indicate that said client sends fewer events. +- **app_version** The internal Edge build version string, taken from the UMA metrics field system_profile.app_version. +- **appConsentState** Bit flags describing consent for data collection on the machine or zero if the state was not retrieved. The following are true when the associated bit is set: consent was granted (0x1), consent was communicated at install (0x2), diagnostic data consent granted (0x20000), browsing data consent granted (0x40000). +- **brandCode** Contains the 4 character brand code or distribution tag that has been assigned to a partner. Not every Windows install will have a brand code. +- **Channel** An integer indicating the channel of the installation (Canary or Dev). +- **client_id** A unique identifier with which all other diagnostic client data is associated, taken from the UMA metrics provider. This ID is effectively unique per device, per OS user profile, per release channel (e.g. Canary/Dev/Beta/Stable). client_id is not durable, based on user preferences. client_id is initialized on the first application launch under each OS user profile. client_id is linkable, but not unique across devices or OS user profiles. client_id is reset whenever UMA data collection is disabled, or when the application is uninstalled. +- **ConnectionType** The first reported type of network connection currently connected. This can be one of Unknown, Ethernet, WiFi, 2G, 3G, 4G, None, or Bluetooth. +- **container_client_id** The client ID of the container, if in WDAG mode. This will be different from the UMA log client ID, which is the client ID of the host in WDAG mode. +- **container_session_id** The session ID of the container, if in WDAG mode. This will be different from the UMA log session ID, which is the session ID of the host in WDAG mode. +- **Etag** Etag is an identifier representing all service applied configurations and experiments for the current browser session. This field is left empty when Windows diagnostic level is set to Basic or lower or when consent for diagnostic data has been denied. +- **EventInfo.Level** The minimum Windows diagnostic data level required for the event, where 1 is basic, 2 is enhanced, and 3 is full. +- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See [Microsoft Edge - Policies](/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol) for more details on this policy. +- **install_date** The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour. +- **installSource** An enumeration representing the source of this installation: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13). +- **installSourceName** A string representation of the installation source. +- **PayloadClass** The base class used to serialize and deserialize the Protobuf binary payload. +- **PayloadGUID** A random identifier generated for each original monolithic Protobuf payload, before the payload is potentially broken up into manageably-sized chunks for transmission. +- **PayloadLogType** The log type for the event correlating with 0 for unknown, 1 for stability, 2 for on-going, 3 for independent, 4 for UKM, or 5 for instance level. +- **pop_sample** A value indicating how the device's data is being sampled. +- **reactivationBrandCode** Contains the 4 character reactivation brand code or distribution tag that has been assigned to a partner. Not every Windows install will have a brand code. +- **session_id** An identifier that is incremented each time the user launches the application, irrespective of any client_id changes. session_id is seeded during the initial installation of the application. session_id is effectively unique per client_id value. Several other internal identifier values, such as window or tab IDs, are only meaningful within a particular session. The session_id value is forgotten when the application is uninstalled, but not during an upgrade. +- **utc_flags** Event Tracing for Windows (ETW) flags required for the event as part of the data collection process. + + +### Aria.29e24d069f27450385c7acaa2f07e277.Microsoft.WebBrowser.SystemInfo.Config + +This config event sends basic device connectivity and configuration information from Microsoft Edge about the current data collection consent, app version, and installation state to keep Microsoft Edge up to date and secure. + +The following fields are available: + +- **app_sample_rate** A number representing how often the client sends telemetry, expressed as a percentage. Low values indicate that said client sends more events and high values indicate that said client sends fewer events. +- **app_version** The internal Edge build version string, taken from the UMA metrics field system_profile.app_version. +- **appConsentState** Bit flags describing consent for data collection on the machine or zero if the state was not retrieved. The following are true when the associated bit is set: consent was granted (0x1), consent was communicated at install (0x2), diagnostic data consent granted (0x20000), browsing data consent granted (0x40000). +- **brandCode** Contains the 4 character brand code or distribution tag that has been assigned to a partner. Not every Windows install will have a brand code. +- **Channel** An integer indicating the channel of the installation (Canary or Dev). +- **client_id** A unique identifier with which all other diagnostic client data is associated, taken from the UMA metrics provider. This ID is effectively unique per device, per OS user profile, per release channel (e.g. Canary/Dev/Beta/Stable). client_id is not durable, based on user preferences. client_id is initialized on the first application launch under each OS user profile. client_id is linkable, but not unique across devices or OS user profiles. client_id is reset whenever UMA data collection is disabled, or when the application is uninstalled. +- **ConnectionType** The first reported type of network connection currently connected. This can be one of Unknown, Ethernet, WiFi, 2G, 3G, 4G, None, or Bluetooth. +- **container_client_id** The client ID of the container, if in WDAG mode. This will be different from the UMA log client ID, which is the client ID of the host in WDAG mode. +- **container_session_id** The session ID of the container, if in WDAG mode. This will be different from the UMA log session ID, which is the session ID of the host in WDAG mode. +- **Etag** Etag is an identifier representing all service applied configurations and experiments for the current browser session. This field is left empty when Windows diagnostic level is set to Basic or lower or when consent for diagnostic data has been denied. +- **EventInfo.Level** The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full. +- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See [Microsoft Edge - Policies](/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol) for more details on this policy. +- **install_date** The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour. +- **installSource** An enumeration representing the source of this installation: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13). +- **installSourceName** A string representation of the installation source. +- **PayloadClass** The base class used to serialize and deserialize the Protobuf binary payload. +- **PayloadGUID** A random identifier generated for each original monolithic Protobuf payload, before the payload is potentially broken up into manageably-sized chunks for transmission. +- **PayloadLogType** The log type for the event correlating with 0 for unknown, 1 for stability, 2 for on-going, 3 for independent, 4 for UKM, or 5 for instance level. +- **pop_sample** A value indicating how the device's data is being sampled. +- **reactivationBrandCode** Contains the 4 character reactivation brand code or distribution tag that has been assigned to a partner. Not every Windows install will have a brand code. +- **session_id** An identifier that is incremented each time the user launches the application, irrespective of any client_id changes. session_id is seeded during the initial installation of the application. session_id is effectively unique per client_id value. Several other internal identifier values, such as window or tab IDs, are only meaningful within a particular session. The session_id value is forgotten when the application is uninstalled, but not during an upgrade. +- **utc_flags** Event Tracing for Windows (ETW) flags required for the event as part of the data collection process. + + +### Aria.7005b72804a64fa4b2138faab88f877b.Microsoft.WebBrowser.SystemInfo.Config + +This config event sends basic device connectivity and configuration information from Microsoft Edge about the current data collection consent, app version, and installation state to keep Microsoft Edge up to date and secure. + +The following fields are available: + +- **app_sample_rate** A number representing how often the client sends telemetry, expressed as a percentage. Low values indicate that said client sends more events and high values indicate that said client sends fewer events. +- **app_version** The internal Edge build version string, taken from the UMA metrics field system_profile.app_version. +- **appConsentState** Bit flags describing consent for data collection on the machine or zero if the state was not retrieved. The following are true when the associated bit is set: consent was granted (0x1), consent was communicated at install (0x2), diagnostic data consent granted (0x20000), browsing data consent granted (0x40000). +- **brandCode** Contains the 4 character brand code or distribution tag that has been assigned to a partner. Not every Windows install will have a brand code. +- **Channel** An integer indicating the channel of the installation (Canary or Dev). +- **client_id** A unique identifier with which all other diagnostic client data is associated, taken from the UMA metrics provider. This ID is effectively unique per device, per OS user profile, per release channel (e.g. Canary/Dev/Beta/Stable). client_id is not durable, based on user preferences. client_id is initialized on the first application launch under each OS user profile. client_id is linkable, but not unique across devices or OS user profiles. client_id is reset whenever UMA data collection is disabled, or when the application is uninstalled. +- **ConnectionType** The first reported type of network connection currently connected. This can be one of Unknown, Ethernet, WiFi, 2G, 3G, 4G, None, or Bluetooth. +- **container_client_id** The client ID of the container, if in WDAG mode. This will be different from the UMA log client ID, which is the client ID of the host in WDAG mode. +- **container_session_id** The session ID of the container, if in WDAG mode. This will be different from the UMA log session ID, which is the session ID of the host in WDAG mode. +- **Etag** Etag is an identifier representing all service applied configurations and experiments for the current browser session. This field is left empty when Windows diagnostic level is set to Basic or lower or when consent for diagnostic data has been denied. +- **EventInfo.Level** The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full. +- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See [Microsoft Edge - Policies](/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol) for more details on this policy. +- **install_date** The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour. +- **installSource** An enumeration representing the source of this installation: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13). +- **installSourceName** A string representation of the installation source. +- **PayloadClass** The base class used to serialize and deserialize the Protobuf binary payload. +- **PayloadGUID** A random identifier generated for each original monolithic Protobuf payload, before the payload is potentially broken up into manageably-sized chunks for transmission. +- **PayloadLogType** The log type for the event correlating with 0 for unknown, 1 for stability, 2 for on-going, 3 for independent, 4 for UKM, or 5 for instance level. +- **pop_sample** A value indicating how the device's data is being sampled. +- **reactivationBrandCode** Contains the 4 character reactivation brand code or distribution tag that has been assigned to a partner. Not every Windows install will have a brand code. +- **session_id** An identifier that is incremented each time the user launches the application, irrespective of any client_id changes. session_id is seeded during the initial installation of the application. session_id is effectively unique per client_id value. Several other internal identifier values, such as window or tab IDs, are only meaningful within a particular session. The session_id value is forgotten when the application is uninstalled, but not during an upgrade. +- **utc_flags** Event Tracing for Windows (ETW) flags required for the event as part of the data collection process. + + +### Aria.754de735ccd546b28d0bfca8ac52c3de.Microsoft.WebBrowser.SystemInfo.Config + +This config event sends basic device connectivity and configuration information from Microsoft Edge about the current data collection consent, app version, and installation state to keep Microsoft Edge up to date and secure. + +The following fields are available: + +- **app_sample_rate** A number representing how often the client sends telemetry, expressed as a percentage. Low values indicate that said client sends more events and high values indicate that said client sends fewer events. +- **app_version** The internal Edge build version string, taken from the UMA metrics field system_profile.app_version. +- **appConsentState** Bit flags describing consent for data collection on the machine or zero if the state was not retrieved. The following are true when the associated bit is set: consent was granted (0x1), consent was communicated at install (0x2), diagnostic data consent granted (0x20000), browsing data consent granted (0x40000). +- **brandCode** Contains the 4 character brand code or distribution tag that has been assigned to a partner. Not every Windows install will have a brand code. +- **Channel** An integer indicating the channel of the installation (Canary or Dev). +- **client_id** A unique identifier with which all other diagnostic client data is associated, taken from the UMA metrics provider. This ID is effectively unique per device, per OS user profile, per release channel (e.g. Canary/Dev/Beta/Stable). client_id is not durable, based on user preferences. client_id is initialized on the first application launch under each OS user profile. client_id is linkable, but not unique across devices or OS user profiles. client_id is reset whenever UMA data collection is disabled, or when the application is uninstalled. +- **ConnectionType** The first reported type of network connection currently connected. This can be one of Unknown, Ethernet, WiFi, 2G, 3G, 4G, None, or Bluetooth. +- **container_client_id** The client ID of the container, if in WDAG mode. This will be different from the UMA log client ID, which is the client ID of the host in WDAG mode. +- **container_session_id** The session ID of the container, if in WDAG mode. This will be different from the UMA log session ID, which is the session ID of the host in WDAG mode. +- **Etag** Etag is an identifier representing all service applied configurations and experiments for the current browser session. This field is left empty when Windows diagnostic level is set to Basic or lower or when consent for diagnostic data has been denied. +- **EventInfo.Level** The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full. +- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See [Microsoft Edge - Policies](/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol) for more details on this policy. +- **install_date** The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour. +- **installSource** An enumeration representing the source of this installation: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13). +- **installSourceName** A string representation of the installation source. +- **PayloadClass** The base class used to serialize and deserialize the Protobuf binary payload. +- **PayloadGUID** A random identifier generated for each original monolithic Protobuf payload, before the payload is potentially broken up into manageably-sized chunks for transmission. +- **PayloadLogType** The log type for the event correlating with 0 for unknown, 1 for stability, 2 for on-going, 3 for independent, 4 for UKM, or 5 for instance level. +- **pop_sample** A value indicating how the device's data is being sampled. +- **reactivationBrandCode** Contains the 4 character reactivation brand code or distribution tag that has been assigned to a partner. Not every Windows install will have a brand code. +- **session_id** An identifier that is incremented each time the user launches the application, irrespective of any client_id changes. session_id is seeded during the initial installation of the application. session_id is effectively unique per client_id value. Several other internal identifier values, such as window or tab IDs, are only meaningful within a particular session. The session_id value is forgotten when the application is uninstalled, but not during an upgrade. +- **utc_flags** Event Tracing for Windows (ETW) flags required for the event as part of the data collection process. + + +### Aria.af397ef28e484961ba48646a5d38cf54.Microsoft.WebBrowser.Installer.EdgeUpdate.Ping + +This Ping event sends a detailed inventory of software and hardware information about the EdgeUpdate service, Edge applications, and the current system environment including app configuration, update configuration, and hardware capabilities. This event contains Device Connectivity and Configuration, Product and Service Performance, and Software Setup and Inventory data. One or more events is sent each time any installation, update, or uninstallation occurs with the EdgeUpdate service or with Edge applications. This event is used to measure the reliability and performance of the EdgeUpdate service and if Edge applications are up to date. This is an indication that the event is designed to keep Windows secure and up to date. + +The following fields are available: + +- **appAp** Any additional parameters for the specified application. Default: ''. +- **appAppId** The GUID that identifies the product. Compatible clients must transmit this attribute. Please see the wiki for additional information. Default: undefined. +- **appBrandCode** The brand code under which the product was installed, if any. A brand code is a short (4-character) string used to identify installations that took place as a result of partner deals or website promotions. Default: ''. +- **appChannel** An integer indicating the channel of the installation (i.e. Canary or Dev). +- **appClientId** A generalized form of the brand code that can accept a wider range of values and is used for similar purposes. Default: ''. +- **appCohort** A machine-readable string identifying the release cohort (channel) that the app belongs to. Limited to ASCII characters 32 to 127 (inclusive) and a maximum length of 1024 characters. Default: ''. +- **appCohortHint** A machine-readable enum indicating that the client has a desire to switch to a different release cohort. The exact legal values are app-specific and should be shared between the server and app implementations. Limited to ASCII characters 32 to 127 (inclusive) and a maximum length of 1024 characters. Default: ''. +- **appCohortName** A stable non-localized human-readable enum indicating which (if any) set of messages the app should display to the user. For example, an app with a cohort Name of 'beta' might display beta-specific branding to the user. Limited to ASCII characters 32 to 127 (inclusive) and a maximum length of 1024 characters. Default: ''. +- **appConsentState** Bit flags describing the diagnostic data disclosure and response flow where 1 indicates the affirmative and 0 indicates the negative or unspecified data. Bit 1 indicates consent was given, bit 2 indicates data originated from the download page, bit 18 indicates choice for sending data about how the browser is used, and bit 19 indicates choice for sending data about websites visited. +- **appDayOfInstall** The date-based counting equivalent of appInstallTimeDiffSec (the numeric calendar day that the app was installed on). This value is provided by the server in the response to the first request in the installation flow. The client MAY fuzz this value to the week granularity (e.g. send '0' for 0 through 6, '7' for 7 through 13, etc.). The first communication to the server should use a special value of '-1'. A value of '-2' indicates that this value is not known. Please see the wiki for additional information. Default: '-2'. +- **appExperiments** A key/value list of experiment identifiers. Experiment labels are used to track membership in different experimental groups, and may be set at install or update time. The experiments string is formatted as a semicolon-delimited concatenation of experiment label strings. An experiment label string is an experiment Name, followed by the '=' character, followed by an experimental label value. For example: 'crdiff=got_bsdiff;optimized=O3'. The client should not transmit the expiration date of any experiments it has, even if the server previously specified a specific expiration date. Default: ''. +- **appInstallTimeDiffSec** The difference between the current time and the install date in seconds. '0' if unknown. Default: '-1'. +- **appLang** The language of the product install, in IETF BCP 47 representation. Default: ''. +- **appNextVersion** The version of the app that the update flow to which this event belongs attempted to reach, regardless of the success or failure of the update operation. Please see the wiki for additional information. Default: '0.0.0.0'. +- **appPingEventAppSize** The total number of bytes of all downloaded packages. Default: '0'. +- **appPingEventDownloadMetricsCdnCCC** ISO 2 character country code that matches to the country updated binaries are delivered from. E.g.: US. +- **appPingEventDownloadMetricsCdnCID** Numeric value used to internally track the origins of the updated binaries. For example, 2. +- **appPingEventDownloadMetricsDownloadedBytes** For events representing a download, the number of bytes expected to be downloaded. For events representing an entire update flow, the sum of all such expected bytes over the course of the update flow. Default: '0'. +- **appPingEventDownloadMetricsDownloader** A string identifying the download algorithm and/or stack. Example values include: 'bits', 'direct', 'winhttp', 'p2p'. Sent in events that have an event type of '14' only. Default: ''. +- **appPingEventDownloadMetricsDownloadTimeMs** For events representing a download, the time elapsed between the start of the download and the end of the download, in milliseconds. For events representing an entire update flow, the sum of all such download times over the course of the update flow. Sent in events that have an event type of '1', '2', '3', and '14' only. Default: '0'. +- **appPingEventDownloadMetricsError** The error code (if any) of the operation, encoded as a signed base-10 integer. Default: '0'. +- **appPingEventDownloadMetricsServerIpHint** For events representing a download, the CDN Host IP address that corresponds to the update file server. The CDN host is controlled by Microsoft servers and always maps to IP addresses hosting *.delivery.mp.microsoft.com or msedgesetup.azureedge.net. Default: ''. +- **appPingEventDownloadMetricsTotalBytes** For events representing a download, the number of bytes expected to be downloaded. For events representing an entire update flow, the sum of all such expected bytes over the course of the update flow. Default: '0'. +- **appPingEventDownloadMetricsUrl** For events representing a download, the CDN URL provided by the update server for the client to download the update, the URL is controlled by Microsoft servers and always maps back to either *.delivery.mp.microsoft.com or msedgesetup.azureedge.net. Default: ''. +- **appPingEventDownloadTimeMs** For events representing a download, the time elapsed between the start of the download and the end of the download, in milliseconds. For events representing an entire update flow, the sum of all such download times over the course of the update flow. Sent in events that have an event type of '1', '2', '3', and '14' only. Default: '0'. +- **appPingEventErrorCode** The error code (if any) of the operation, encoded as a signed, base-10 integer. Default: '0'. +- **appPingEventEventResult** An enum indicating the result of the event. Please see the wiki for additional information. Default: '0'. +- **appPingEventEventType** An enum indicating the type of the event. Compatible clients MUST transmit this attribute. Please see the wiki for additional information. +- **appPingEventExtraCode1** Additional numeric information about the operation's result, encoded as a signed, base-10 integer. Default: '0'. +- **appPingEventInstallTimeMs** For events representing an install, the time elapsed between the start of the install and the end of the install, in milliseconds. For events representing an entire update flow, the sum of all such durations. Sent in events that have an event type of '2' and '3' only. Default: '0'. +- **appPingEventNumBytesDownloaded** The number of bytes downloaded for the specified application. Default: '0'. +- **appPingEventSequenceId** An id that uniquely identifies particular events within one requestId. Since a request can contain multiple ping events, this field is necessary to uniquely identify each possible event. +- **appPingEventSourceUrlIndex** For events representing a download, the position of the download URL in the list of URLs supplied by the server in a "urls" tag. +- **appPingEventUpdateCheckTimeMs** For events representing an entire update flow, the time elapsed between the start of the update check and the end of the update check, in milliseconds. Sent in events that have an event type of '2' and '3' only. Default: '0'. +- **appUpdateCheckIsUpdateDisabled** The state of whether app updates are restricted by group policy. True if updates have been restricted by group policy or false if they have not. +- **appUpdateCheckTargetVersionPrefix** A component-wise prefix of a version number, or a complete version number suffixed with the $ character. The server should not return an update instruction to a version number that does not match the prefix or complete version number. The prefix is interpreted a dotted-tuple that specifies the exactly-matching elements; it is not a lexical prefix (for example, '1.2.3' must match '1.2.3.4' but must not match '1.2.34'). Default: ''. +- **appUpdateCheckTtToken** An opaque access token that can be used to identify the requesting client as a member of a trusted-tester group. If non-empty, the request should be sent over SSL or another secure protocol. Default: ''. +- **appVersion** The version of the product install. Please see the wiki for additional information. Default: '0.0.0.0'. +- **EventInfo.Level** The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full. +- **eventType** A string indicating the type of the event. Please see the wiki for additional information. +- **hwHasAvx** '1' if the client's hardware supports the AVX instruction set. '0' if the client's hardware does not support the AVX instruction set. '-1' if unknown. Default: '-1'. +- **hwHasSse** '1' if the client's hardware supports the SSE instruction set. '0' if the client's hardware does not support the SSE instruction set. '-1' if unknown. Default: '-1'. +- **hwHasSse2** '1' if the client's hardware supports the SSE2 instruction set. '0' if the client's hardware does not support the SSE2 instruction set. '-1' if unknown. Default: '-1'. +- **hwHasSse3** '1' if the client's hardware supports the SSE3 instruction set. '0' if the client's hardware does not support the SSE3 instruction set. '-1' if unknown. Default: '-1'. +- **hwHasSse41** '1' if the client's hardware supports the SSE4.1 instruction set. '0' if the client's hardware does not support the SSE4.1 instruction set. '-1' if unknown. Default: '-1'. +- **hwHasSse42** '1' if the client's hardware supports the SSE4.2 instruction set. '0' if the client's hardware does not support the SSE4.2 instruction set. '-1' if unknown. Default: '-1'. +- **hwHasSsse3** '1' if the client's hardware supports the SSSE3 instruction set. '0' if the client's hardware does not support the SSSE3 instruction set. '-1' if unknown. Default: '-1'. +- **hwPhysmemory** The physical memory available to the client, truncated down to the nearest gibibyte. '-1' if unknown. This value is intended to reflect the maximum theoretical storage capacity of the client, not including any hard drive or paging to a hard drive or peripheral. Default: '-1'. +- **isMsftDomainJoined** '1' if the client is a member of a Microsoft domain. '0' otherwise. Default: '0'. +- **osArch** The architecture of the operating system (e.g. 'x86', 'x64', 'arm'). '' if unknown. Default: ''. +- **osPlatform** The operating system family that the within which the Omaha client is running (e.g. 'win', 'mac', 'linux', 'ios', 'android'). '' if unknown. The operating system Name should be transmitted in lowercase with minimal formatting. Default: ''. +- **osServicePack** The secondary version of the operating system. '' if unknown. Default: ''. +- **osVersion** The primary version of the operating system. '' if unknown. Default: ''. +- **requestCheckPeriodSec** The update interval in seconds. The value is read from the registry. Default: '-1'. +- **requestDlpref** A comma-separated list of values specifying the preferred download URL behavior. The first value is the highest priority, further values reflect secondary, tertiary, et cetera priorities. Legal values are '' (in which case the entire list must be empty, indicating unknown or no-preference) or 'cacheable' (the server should prioritize sending URLs that are easily cacheable). Default: ''. +- **requestDomainJoined** '1' if the machine is part of a managed enterprise domain. Otherwise '0'. +- **requestInstallSource** A string specifying the cause of the update flow. For example: 'ondemand', or 'scheduledtask'. Default: ''. +- **requestIsMachine** '1' if the client is known to be installed with system-level or administrator privileges. '0' otherwise. Default: '0'. +- **requestOmahaShellVersion** The version of the Omaha installation folder. Default: ''. +- **requestOmahaVersion** The version of the Omaha updater itself (the entity sending this request). Default: '0.0.0.0'. +- **requestProtocolVersion** The version of the Omaha protocol. Compatible clients MUST provide a value of '3.0'. Compatible clients must always transmit this attribute. Default: undefined. +- **requestRequestId** A randomly-generated (uniformly distributed) GUID, corresponding to the Omaha request. Each request attempt should have (with high probability) a unique request id. Default: ''. +- **requestSessionCorrelationVectorBase** A client generated random MS Correlation Vector base code used to correlate the update session with update and CDN servers. Default: ''. +- **requestSessionId** A randomly-generated (uniformly distributed) GUID. Each single update flow (e.g. update check, update application, event ping sequence) should have (with high probability) a single unique session ID. Default: ''. +- **requestTestSource** Either '', 'dev', 'qa', 'prober', 'auto', or 'ossdev'. Any value except '' indicates that the request is a test and should not be counted toward normal metrics. Default: ''. +- **requestUid** A randomly-generated (uniformly distributed) GUID, corresponding to the Omaha user. Each request attempt SHOULD have (with high probability) a unique request id. Default: ''. + + +## Migration events + +### Microsoft.Windows.MigrationCore.MigObjectCountDLUsr + +This event returns data to track the count of the migration objects across various phases during feature update. The data collected with this event is used to help keep Windows secure and to track data loss scenarios. + +The following fields are available: + +- **currentSid** Indicates the user SID for which the migration is being performed. +- **migDiagSession->CString** The phase of the upgrade where migration occurs. (E.g.: Validate tracked content) +- **objectCount** The count for the number of objects that are being transferred. +- **sfInfo.Name** This event identifies the phase of the upgrade where migration happens. + + +### Microsoft.Windows.MigrationCore.MigObjectCountKFSys + +This event returns data about the count of the migration objects across various phases during feature update. The data collected with this event is used to help keep Windows secure and to track data loss scenarios. + +The following fields are available: + +- **migDiagSession->CString** Identifies the phase of the upgrade where migration happens. +- **objectCount** The count of the number of objects that are being transferred. +- **sfInfo.Name** The predefined folder path locations. For example, FOLDERID_PublicDownloads + + +### Microsoft.Windows.MigrationCore.MigObjectCountKFUsr + +This event returns data to track the count of the migration objects across various phases during feature update. The data collected with this event is used to help keep Windows secure and to track data loss scenarios. + +The following fields are available: + +- **currentSid** Indicates the user SID for which the migration is being performed. +- **migDiagSession->CString** The phase of the upgrade where the migration occurs. (For example, Validate tracked content.) +- **objectCount** The number of objects that are being transferred. +- **sfInfo.Name** The predefined folder path locations. For example, FOLDERID_PublicDownloads. + + +## OneSettings events + +### Microsoft.Windows.OneSettingsClient.Heartbeat + +This event indicates the config state heartbeat. The data collected with this event is used to help keep Windows up to date, secure, and performing properly. + +The following fields are available: + +- **Configs** Array of configs. + + +### Microsoft.Windows.OneSettingsClient.StateChange + +This event indicates the change in config state. The data collected with this event is used to help keep Windows up to date, secure, and performing properly. + +The following fields are available: + +- **flightId** Flight id. +- **state** New state. + + +### Microsoft.Windows.OneSettingsClient.Status + +This event indicates the config usage of status update. The data collected with this event is used to help keep Windows up to date, secure, and performing properly. + +The following fields are available: + +- **flightId** Flight id. +- **time** Time. + + +## OOBE events + +### Microsoft.Windows.Shell.Oobe.ExpeditedUpdate.ExpeditedUpdateExpeditionChoiceCommitted + +This event requests a commit work for expedited update. The data collected with this event is used to help keep Windows secure, up to date, and performing properly. + +The following fields are available: + +- **oobeExpeditedUpdateCommitOption** Type of commit work for expedited update. +- **resultCode** HR result of operation. + + +### Microsoft.Windows.Shell.Oobe.ExpeditedUpdate.ExpeditedUpdatePageSkipped + +This event provides information about skipping expedited update page. The data collected with this event is used to help keep Windows secure, up to date, and performing properly. + +The following fields are available: + +- **reason** Reason for skip. +- **skippedReasonFlag** Flag representing reason for skip. + + +### Microsoft.Windows.Shell.Oobe.ExpeditedUpdate.ExpeditedUpdateStartUSOScan + +This event indicates USO Scan API call. The data collected with this event is used to help keep Windows secure, up to date, and performing properly. + +The following fields are available: + +- **oobeExpeditedUpdateCommitOption** Expedited update commit work type. +- **resultCode** HR result of operation. + + +### Microsoft.Windows.Shell.Oobe.ExpeditedUpdate.ExpeditedUpdateStatusResult + +This event provides status of expedited update. The data collected with this event is used to help keep Windows secure, up to date, and performing properly. + +The following fields are available: + +- **oobeExpeditedUpdateStatus** Expedited update status. +- **reason** Reason for the status. +- **resultCode** HR result of operation. + + +## Privacy consent logging events + +### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted + +This event is used to determine whether the user successfully completed the privacy consent experience. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **presentationVersion** Which display version of the privacy consent experience the user completed +- **privacyConsentState** The current state of the privacy consent experience +- **settingsVersion** Which setting version of the privacy consent experience the user completed +- **userOobeExitReason** The exit reason of the privacy consent experience + + +### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentStatus + +This event provides the effectiveness of new privacy experience. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **isAdmin** whether the person who is logging in is an admin +- **isExistingUser** whether the account existed in a downlevel OS +- **isLaunching** Whether or not the privacy consent experience will be launched +- **isSilentElevation** whether the user has most restrictive UAC controls +- **privacyConsentState** whether the user has completed privacy experience +- **userRegionCode** The current user's region setting + + +## Servicing API events + +### Microsoft.Windows.ServicingUAPI.ModifyFeaturesEnd + +This event sends Software Setup and Inventory data regarding the end of an operation to modify a feature. The data collected with this event is used to help keep Windows secure, up to date, and performing properly. + +The following fields are available: + +- **Actions** A numeric flag that indicates whether the operations are Inbox. +- **ClientId** A unique, human-readable identifier for telemetry/diagnostic purposes. +- **Duration** Duration of operation in milliseconds. +- **Flags** A numeric flag indicating the type of operation being requested. +- **NetRequiredBytes** Net space required after operation completes or after reboot if operation requires one. +- **RebootRequired** A true or false value indicating if a reboot is required to complete the operation. +- **RequiredDownloadBytes** Space required to acquire content (compressed). +- **Result** HResult at operation end. +- **TotalMaxRequiredBytes** Total maximum space required during operation. + + +### Microsoft.Windows.ServicingUAPI.ModifyFeaturesResult + +This event sends Software Setup and Inventory data regarding a result that occurred during an operation to modify a feature. The data collected with this event is used to help keep Windows secure, up to date, and performing properly. + +The following fields are available: + +- **ClientId** A unique, human-readable identifier for telemetry/diagnostic purposes. +- **FeatureIntentFlags** A numeric flag indicating the reason that the feature is being modified. +- **FeatureName** Feature name which includes language-specific version if in the Language namespace. +- **FeatureNewIntentFlags** A numeric flag indicating the new reason that the feature is absent or installed. +- **FeatureNewStateFlags** A numeric flag indicating the new state of the feature. +- **FeatureStateFlags** A numeric flag indicating the current state of the feature. +- **Result** HResult from operation to modify a feature. + + +## Setup events + +### Microsoft.Windows.Setup.WinSetupBoot.BootBlockStart + +This event emits the start of the windows setup boot routine during upgrade. This routine determines the state of the upgrade and handles properly moving the upgrade forward or rolling back the device. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **Action** It indicates phase/stage of operation. +- **Detail** It indicates details about the phase/stage of the operation. +- **Rollback** It is blank as this event triggers in success scenario only. +- **Status** It indicates details about the status for getting the disk device object during boot. + + +### Microsoft.Windows.Setup.WinSetupBoot.BootBlockStop + +This event emits the stop of the windows setup boot routine during upgrade. This routine determines the state of the upgrade and handles properly moving the upgrade forward or rolling back the device. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **Action** It indicates phase/stage of operation. +- **Detail** It indicates details about the phase/stage of the operation. +- **Rollback** It is blank as this event triggers in success scenario only. +- **Status** It indicates details about the status for getting the disk device object during boot. + + +### Microsoft.Windows.Setup.WinSetupBoot.Success + +This event sends data indicating that the device has invoked the WinSetupBoot successfully. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **Action** It indicates phase/stage of operation. As success event fires on exiting the operation, this value must be 'Exiting'. +- **Duration(ms)** Duration of filter setup instance operation in milliseconds. +- **Rollback** It is blank as this event triggers in success scenario only. + + +### Microsoft.Windows.Setup.WinSetupBoot.Warning + +This event is used to indicate whether there were any warnings when we were trying to skip a reboot during feature upgrade. The data collected with this event helps keep Windows product and service up to date​. + +The following fields are available: + +- **Action** Action indicates what operation was being performed by the filter driver (Ex: Waiting, Exiting). +- **Detail** Add detail to the operation listed above (Ex: Blocked thread timed out). +- **Rollback** Indicates whether a rollback was triggered (0 or 1). +- **Status** Indicates the status code for the operation (Ex: 0, 258 etc.). + + +### Microsoft.Windows.Setup.WinSetupMon.ProtectionViolation + +This event provides information about move or deletion of a file or a directory which is being monitored for data safety during feature updates. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **Path** Path to the file or the directory which is being moved or deleted. +- **Process** Path to the process which is requesting the move or the deletion. +- **TargetPath** (Optional) If the operation is a move, the target path to which the file or directory is being moved. + + +### SetupPlatformTel.SetupPlatformTelActivityEvent + +This event sends basic metadata about the SetupPlatform update installation process, to help keep Windows up to date. + +The following fields are available: + +- **FieldName** Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc. +- **GroupName** Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc. +- **InstanceID** This is a unique GUID to track individual instances of SetupPlatform that will help us tie events from a single instance together. +- **Value** Value associated with the corresponding event name. For example, time-related events will include the system time + + +### SetupPlatformTel.SetupPlatformTelActivityStarted + +This event sends basic metadata about the update installation process generated by SetupPlatform to help keep Windows up to date. + +The following fields are available: + +- **Name** The name of the dynamic update type. Example: GDR driver + + +### SetupPlatformTel.SetupPlatformTelActivityStopped + +This event sends basic metadata about the update installation process generated by SetupPlatform to help keep Windows up to date. + + + +### SetupPlatformTel.SetupPlatformTelEvent + +This service retrieves events generated by SetupPlatform, the engine that drives the various deployment scenarios, to help keep Windows up to date. + +The following fields are available: + +- **FieldName** Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc. +- **GroupName** Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc. +- **InstanceID** This is a unique GUID to track individual instances of SetupPlatform that will help us tie events from a single instance together. +- **Value** Retrieves the value associated with the corresponding event name (Field Name). For example: For time related events this will include the system time. + + +## SIH events + +### SIHEngineTelemetry.EvalApplicability + +This event is sent when targeting logic is evaluated to determine if a device is eligible for a given action. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **ActionReasons** If an action has been assessed as inapplicable, the additional logic prevented it. +- **AdditionalReasons** If an action has been assessed as inapplicable, the additional logic prevented it. +- **CachedEngineVersion** The engine DLL version that is being used. +- **EventInstanceID** A unique identifier for event instance. +- **EventScenario** Indicates the purpose of sending this event – whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. +- **HandlerReasons** If an action has been assessed as inapplicable, the installer technology-specific logic prevented it. +- **IsExecutingAction** If the action is presently being executed. +- **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Microsoft Store, etc.). +- **SihclientVersion** The client version that is being used. +- **StandardReasons** If an action has been assessed as inapplicable, the standard logic the prevented it. +- **StatusCode** Result code of the event (success, cancellation, failure code HResult). +- **UpdateID** A unique identifier for the action being acted upon. +- **WuapiVersion** The Windows Update API version that is currently installed. +- **WuaucltVersion** The Windows Update client version that is currently installed. +- **WuauengVersion** The Windows Update engine version that is currently installed. +- **WUDeviceID** The unique identifier controlled by the software distribution client. + + +### SIHEngineTelemetry.ExecuteAction + +This event is triggered with SIH attempts to execute (e.g. install) the update or action in question. Includes important information like if the update required a reboot. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **CachedEngineVersion** The engine DLL version that is being used. +- **EventInstanceID** A unique identifier for event instance. +- **EventScenario** Indicates the purpose of sending this event, whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. +- **RebootRequired** Indicates if a reboot was required to complete the action. +- **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Microsoft Store, etc.). +- **SihclientVersion** The SIH version. +- **StatusCode** Result code of the event (success, cancellation, failure code HResult). +- **UpdateID** A unique identifier for the action being acted upon. +- **WuapiVersion** The Windows Update API version. +- **WuaucltVersion** The Windows Update version identifier for SIH. +- **WuauengVersion** The Windows Update engine version identifier. +- **WUDeviceID** The unique identifier controlled by the software distribution client. + + +## Software update events + +### SoftwareUpdateClientTelemetry.CheckForUpdates + +This is a scan process event on Windows Update client. See the EventScenario field for specifics (started/failed/succeeded). The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **ActivityMatchingId** Contains a unique ID identifying a single CheckForUpdates session from initialization to completion. +- **AllowCachedResults** Indicates if the scan allowed using cached results. +- **ApplicableUpdateInfo** Metadata for the updates which were detected as applicable +- **BranchReadinessLevel** The servicing branch configured on the device. +- **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null. +- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. +- **CapabilityDetectoidGuid** The GUID for a hardware applicability detectoid that could not be evaluated. +- **CDNCountryCode** Two letter country abbreviation for the Content Distribution Network (CDN) location. +- **CDNId** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. +- **ClientVersion** The version number of the software distribution client. +- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. No data is currently reported in this field. Expected value for this field is 0. +- **Context** Gives context on where the error has occurred. Example: AutoEnable, GetSLSData, AddService, Misc, or Unknown +- **DeferralPolicySources** Sources for any update deferral policies defined (GPO = 0x10, MDM = 0x100, Flight = 0x1000, UX = 0x10000). +- **DeferredUpdates** Update IDs which are currently being deferred until a later time +- **DriverError** The error code hit during a driver scan. This is 0 if no error was encountered. +- **DriverExclusionPolicy** Indicates if the policy for not including drivers with Windows Update is enabled. +- **DriverSyncPassPerformed** Were drivers scanned this time? +- **EventInstanceID** A globally unique identifier for event instance. +- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. +- **ExtendedMetadataCabUrl** Hostname that is used to download an update. +- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough. +- **FailedUpdateGuids** The GUIDs for the updates that failed to be evaluated during the scan. +- **FailedUpdatesCount** The number of updates that failed to be evaluated during the scan. +- **FeatureUpdateDeferral** The deferral period configured for feature OS updates on the device (in days). +- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. +- **FeatureUpdatePausePeriod** The pause duration configured for feature OS updates on the device (in days). +- **IntentPFNs** Intended application-set metadata for atomic update scenarios. +- **IPVersion** Indicates whether the download took place over IPv4 or IPv6 +- **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device. +- **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device. +- **IsWUfBFederatedScanDisabled** Indicates if Windows Update for Business federated scan is disabled on the device. +- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device. +- **MetadataIntegrityMode** The mode of the update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce +- **MSIError** The last error that was encountered during a scan for updates. +- **NetworkConnectivityDetected** Indicates the type of network connectivity that was detected. 0 - IPv4, 1 - IPv6 +- **NumberOfApplicableUpdates** The number of updates which were ultimately deemed applicable to the system after the detection process is complete +- **NumberOfApplicationsCategoryScanEvaluated** The number of categories (apps) for which an app update scan checked +- **NumberOfLoop** The number of round trips the scan required +- **NumberOfNewUpdatesFromServiceSync** The number of updates which were seen for the first time in this scan +- **NumberOfUpdatesEvaluated** The total number of updates which were evaluated as a part of the scan +- **NumFailedMetadataSignatures** The number of metadata signatures checks which failed for new metadata synced down. +- **Online** Indicates if this was an online scan. +- **PausedUpdates** A list of UpdateIds which that currently being paused. +- **PauseFeatureUpdatesEndTime** If feature OS updates are paused on the device, this is the date and time for the end of the pause time window. +- **PauseFeatureUpdatesStartTime** If feature OS updates are paused on the device, this is the date and time for the beginning of the pause time window. +- **PauseQualityUpdatesEndTime** If quality OS updates are paused on the device, this is the date and time for the end of the pause time window. +- **PauseQualityUpdatesStartTime** If quality OS updates are paused on the device, this is the date and time for the beginning of the pause time window. +- **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided. +- **QualityUpdateDeferral** The deferral period configured for quality OS updates on the device (in days). +- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. +- **QualityUpdatePausePeriod** The pause duration configured for quality OS updates on the device (in days). +- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one +- **ScanDurationInSeconds** The number of seconds a scan took +- **ScanEnqueueTime** The number of seconds it took to initialize a scan +- **ScanProps** This is a 32-bit integer containing Boolean properties for a given Windows Update scan. The following bits are used; all remaining bits are reserved and set to zero. Bit 0 (0x1): IsInteractive - is set to 1 if the scan is requested by a user, or 0 if the scan is requested by Automatic Updates. Bit 1 (0x2): IsSeeker - is set to 1 if the Windows Update client's Seeker functionality is enabled. Seeker functionality is enabled on certain interactive scans, and results in the scans returning certain updates that are in the initial stages of release (not yet released for full adoption via Automatic Updates). +- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Microsoft Store, etc.). +- **ServiceUrl** The environment URL a device is configured to scan with +- **StatusCode** Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult). +- **SyncType** Describes the type of scan the event was +- **TargetMetadataVersion** For self-initiated healing, this is the target version of the SIH engine to download (if needed). If not, the value is null. +- **TargetReleaseVersion** The value selected for the target release version policy. +- **TotalNumMetadataSignatures** The total number of metadata signatures checks done for new metadata that was synced down. +- **WebServiceRetryMethods** Web service method requests that needed to be retried to complete operation. +- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. + + +### SoftwareUpdateClientTelemetry.Commit + +This event sends data on whether the Update Service has been called to execute an upgrade, to help keep Windows up to date. + +The following fields are available: + +- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. +- **BundleRevisionNumber** Identifies the revision number of the content bundle +- **CallerApplicationName** Name provided by the caller who initiated API calls into the software distribution client +- **ClassificationId** Classification identifier of the update content. +- **DeploymentMutexId** Mutex identifier of the deployment operation. +- **DeploymentProviderHostModule** Name of the module which is hosting the Update Deployment Provider for deployment operation. +- **DeploymentProviderMode** The mode of operation of the update deployment provider. +- **EventScenario** Indicates the purpose of the event - whether because scan started, succeded, failed, etc. +- **EventType** Possible values are "Child", "Bundle", "Relase" or "Driver". +- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough. +- **FlightId** The specific id of the flight the device is getting +- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.) +- **RevisionNumber** Identifies the revision number of this specific piece of content +- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Microsoft Store, etc). +- **StatusCode** Result code of the event (success, cancellation, failure code HResult). +- **UpdateId** Identifier associated with the specific piece of content + + +### SoftwareUpdateClientTelemetry.Download + +This event sends tracking data about the software distribution client download of the content for that update, to help keep Windows up to date. + +The following fields are available: + +- **ActiveDownloadTime** Number of seconds the update was actively being downloaded. +- **AppXBlockHashFailures** Indicates the number of blocks that failed hash validation during download. +- **AppXScope** Indicates the scope of the app download. +- **BundleBytesDownloaded** Number of bytes downloaded for the specific content bundle. +- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. +- **BundleRepeatFailCount** Indicates whether this particular update bundle previously failed. +- **BundleRevisionNumber** Identifies the revision number of the content bundle. +- **BytesDownloaded** Number of bytes that were downloaded for an individual piece of content (not the entire bundle). +- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. +- **CbsMethod** The method used for downloading the update content related to the Component Based Servicing (CBS) technology. +- **CDNCountryCode** Two letter country abbreviation for the Content Distribution Network (CDN) location. +- **CDNId** ID which defines which CDN the software distribution client downloaded the content from. +- **ClientVersion** The version number of the software distribution client. +- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. +- **ConnectTime** Indicates the cumulative amount of time (in seconds) it took to establish the connection for all updates in an update bundle. +- **DownloadPriority** Indicates whether a download happened at background, normal, or foreground priority. +- **DownloadProps** Information about the download operation properties in the form of a bitmask. +- **EventInstanceID** A globally unique identifier for event instance. +- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started downloading content, or whether it was cancelled, succeeded, or failed. +- **EventType** Possible values are Child, Bundle, or Driver. +- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough. +- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. +- **FlightBuildNumber** If this download was for a flight (pre-release build), this indicates the build number of that flight. +- **FlightId** The specific ID of the flight (pre-release build) the device is getting. +- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device. +- **HostName** The hostname URL the content is downloading from. +- **IPVersion** Indicates whether the download took place over IPv4 or IPv6. +- **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device. +- **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device. +- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device. +- **NetworkCost** A flag indicating the cost of the network (congested, fixed, variable, over data limit, roaming, etc.) used for downloading the update content. +- **NetworkRestrictionStatus** More general version of NetworkCostBitMask, specifying whether Windows considered the current network to be "metered." +- **PackageFullName** The package name of the content. +- **PostDnldTime** Time taken (in seconds) to signal download completion after the last job has completed downloading payload. +- **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided. +- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. +- **Reason** A 32-bit integer representing the reason the update is blocked from being downloaded in the background. +- **RegulationResult** The result code (HResult) of the last attempt to contact the regulation web service for download regulation of update content. +- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one. +- **RepeatFailCount** Indicates whether this specific content has previously failed. +- **RevisionNumber** The revision number of the specified piece of content. +- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Microsoft Store, etc). +- **SizeCalcTime** Time taken (in seconds) to calculate the total download size of the payload. +- **StatusCode** Indicates the result of a Download event (success, cancellation, failure code HResult). +- **TotalExpectedBytes** The total count of bytes that the download is expected to be. +- **UpdateId** An identifier associated with the specific piece of content. +- **UpdateImportance** Indicates whether a piece of content was marked as Important, Recommended, or Optional. +- **UsedDO** Whether the download used the delivery optimization service. +- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. + + +### SoftwareUpdateClientTelemetry.DownloadCheckpoint + +This event provides a checkpoint between each of the Windows Update download phases for UUP content. The data collected with this event is used to help keep Windows up to date, secure, and performing properly. + +The following fields are available: + +- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client +- **ClientVersion** The version number of the software distribution client +- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed +- **EventType** Possible values are "Child", "Bundle", "Relase" or "Driver" +- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough +- **FileId** A hash that uniquely identifies a file +- **FileName** Name of the downloaded file +- **FlightId** The unique identifier for each flight +- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one +- **RevisionNumber** Unique revision number of Update +- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Microsoft Store, etc.) +- **StatusCode** Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult) +- **UpdateId** Unique Update ID +- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue + + +### SoftwareUpdateClientTelemetry.DownloadHeartbeat + +This event allows tracking of ongoing downloads and contains data to explain the current state of the download. The data collected with this event is used to help keep Windows up to date, secure, and performing properly. + +The following fields are available: + +- **BytesTotal** Total bytes to transfer for this content +- **BytesTransferred** Total bytes transferred for this content at the time of heartbeat +- **CallerApplicationName** Name provided by the caller who initiated API calls into the software distribution client +- **ClientVersion** The version number of the software distribution client +- **ConnectionStatus** Indicates the connectivity state of the device at the time of heartbeat +- **CurrentError** Last (transient) error encountered by the active download +- **DownloadFlags** Flags indicating if power state is ignored +- **DownloadState** Current state of the active download for this content (queued, suspended, or progressing) +- **EventType** Possible values are "Child", "Bundle", or "Driver" +- **FlightId** The unique identifier for each flight +- **IsNetworkMetered** Indicates whether Windows considered the current network to be ?metered" +- **MOAppDownloadLimit** Mobile operator cap on size of application downloads, if any +- **MOUpdateDownloadLimit** Mobile operator cap on size of operating system update downloads, if any +- **PowerState** Indicates the power state of the device at the time of heartbeart (DC, AC, Battery Saver, or Connected Standby) +- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one +- **ResumeCount** Number of times this active download has resumed from a suspended state +- **RevisionNumber** Identifies the revision number of this specific piece of content +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc) +- **SuspendCount** Number of times this active download has entered a suspended state +- **SuspendReason** Last reason for why this active download entered a suspended state +- **UpdateId** Identifier associated with the specific piece of content +- **WUDeviceID** Unique device id controlled by the software distribution client + + +### SoftwareUpdateClientTelemetry.Install + +This event sends tracking data about the software distribution client installation of the content for that update, to help keep Windows up to date. + +The following fields are available: + +- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. +- **BundleRepeatFailCount** Indicates whether this particular update bundle has previously failed. +- **BundleRevisionNumber** Identifies the revision number of the content bundle. +- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. +- **ClassificationId** Classification identifier of the update content. +- **ClientVersion** The version number of the software distribution client. +- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. No value is currently reported in this field. Expected value for this field is 0. +- **CSIErrorType** The stage of CBS installation where it failed. +- **DeploymentMutexId** Mutex identifier of the deployment operation. +- **DeploymentProviderHostModule** Name of the module which is hosting the Update Deployment Provider for deployment operation. +- **DeploymentProviderMode** The mode of operation of the update deployment provider. +- **DriverPingBack** Contains information about the previous driver and system state. +- **DriverRecoveryIds** The list of identifiers that could be used for uninstalling the drivers if a recovery is required. +- **EventInstanceID** A globally unique identifier for event instance. +- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed. +- **EventType** Possible values are Child, Bundle, or Driver. +- **ExtendedErrorCode** The extended error code. +- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode is not specific enough. +- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. +- **FlightBuildNumber** If this installation was for a Windows Insider build, this is the build number of that build. +- **FlightId** The specific ID of the Windows Insider build the device is getting. +- **HandlerType** Indicates what kind of content is being installed (for example, app, driver, Windows update). +- **HardwareId** If this install was for a driver targeted to a particular device model, this ID indicates the model of the device. +- **InstallProps** A bitmask for future flags associated with the install operation. No value is currently reported in this field. Expected value for this field is 0. +- **IntentPFNs** Intended application-set metadata for atomic update scenarios. +- **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process. +- **IsFirmware** Indicates whether this update is a firmware update. +- **IsSuccessFailurePostReboot** Indicates whether the update succeeded and then failed after a restart. +- **IsWUfBDualScanEnabled** Indicates whether Windows Update for Business dual scan is enabled on the device. +- **IsWUfBEnabled** Indicates whether Windows Update for Business is enabled on the device. +- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device. +- **MergedUpdate** Indicates whether the OS update and a BSP update merged for installation. +- **MsiAction** The stage of MSI installation where it failed. +- **MsiProductCode** The unique identifier of the MSI installer. +- **PackageFullName** The package name of the content being installed. +- **ProcessName** The process name of the caller who initiated API calls, in the event that CallerApplicationName was not provided. +- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. +- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one +- **RepeatFailCount** Indicates whether this specific piece of content has previously failed. +- **RevisionNumber** The revision number of this specific piece of content. +- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Microsoft Store, etc.). +- **StatusCode** Indicates the result of an installation event (success, cancellation, failure code HResult). +- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. +- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. +- **TransactionCode** The ID that represents a given MSI installation. +- **UpdateId** Unique update ID. +- **UpdateImportance** Indicates whether a piece of content was marked as Important, Recommended, or Optional. +- **UsedSystemVolume** Indicates whether the content was downloaded and then installed from the device's main system storage drive, or an alternate storage drive. +- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. + + +### SoftwareUpdateClientTelemetry.Revert + +This is a revert event for target update on Windows Update Client. See EventScenario field for specifics (for example, Started/Failed/Succeeded). The data collected with this event is used to help keep Windows up to date, secure, and performing properly. + +The following fields are available: + +- **BundleId** Identifier associated with the specific content bundle. Should not be all zeros if the BundleId was found. +- **BundleRepeatFailCount** Indicates whether this particular update bundle has previously failed. +- **BundleRevisionNumber** Identifies the revision number of the content bundle. +- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. +- **ClassificationId** Classification identifier of the update content. +- **ClientVersion** Version number of the software distribution client. +- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0. +- **CSIErrorType** Stage of CBS installation that failed. +- **DeploymentMutexId** Mutex identifier of the deployment operation. +- **DeploymentProviderHostModule** Name of the module which is hosting the Update Deployment Provider for deployment operation. +- **DeploymentProviderMode** The mode of operation of the update deployment provider. +- **DriverPingBack** Contains information about the previous driver and system state. +- **DriverRecoveryIds** The list of identifiers that could be used for uninstalling the drivers if a recovery is required. +- **EventInstanceID** A globally unique identifier for event instance. +- **EventScenario** Indicates the purpose of the event (scan started, succeeded, failed, etc.). +- **EventType** Event type (Child, Bundle, Release, or Driver). +- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode is not specific enough. +- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. +- **FlightBuildNumber** Indicates the build number of the flight. +- **FlightId** The specific ID of the flight the device is getting. +- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.). +- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device. +- **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process. +- **IsFirmware** Indicates whether an update was a firmware update. +- **IsSuccessFailurePostReboot** Indicates whether an initial success was a failure after a reboot. +- **IsWUfBDualScanEnabled** Flag indicating whether WU-for-Business dual scan is enabled on the device. +- **IsWUfBEnabled** Flag indicating whether WU-for-Business is enabled on the device. +- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device. +- **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install. +- **ProcessName** Process name of the caller who initiated API calls into the software distribution client. +- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. +- **RelatedCV** The previous correlation vector that was used by the client before swapping with a new one. +- **RepeatFailCount** Indicates whether this specific piece of content has previously failed. +- **RevisionNumber** Identifies the revision number of this specific piece of content. +- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Microsoft Store, etc). +- **StatusCode** Result code of the event (success, cancellation, failure code HResult). +- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. +- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. +- **UpdateId** The identifier associated with the specific piece of content. +- **UpdateImportance** Indicates the importance of a driver, and why it received that importance level (0-Unknown, 1-Optional, 2-Important-DNF, 3-Important-Generic, 4-Important-Other, 5-Recommended). +- **UsedSystemVolume** Indicates whether the device's main system storage drive or an alternate storage drive was used. +- **WUDeviceID** Unique device ID controlled by the software distribution client. + + +### SoftwareUpdateClientTelemetry.TaskRun + +This is a start event for Server Initiated Healing client. See EventScenario field for specifics (for example, started/completed). The data collected with this event is used to help keep Windows up to date, secure, and performing properly. + +The following fields are available: + +- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. +- **ClientVersion** Version number of the software distribution client. +- **CmdLineArgs** Command line arguments passed in by the caller. +- **EventInstanceID** A globally unique identifier for the event instance. +- **EventScenario** Indicates the purpose of the event (scan started, succeeded, failed, etc.). +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc.). +- **StatusCode** Result code of the event (success, cancellation, failure code HResult). +- **WUDeviceID** Unique device ID controlled by the software distribution client. + + +### SoftwareUpdateClientTelemetry.Uninstall + +This is an uninstall event for target update on Windows Update Client. See EventScenario field for specifics (for example, Started/Failed/Succeeded). The data collected with this event is used to help keep Windows up to date, secure, and performing properly. + +The following fields are available: + +- **BundleId** The identifier associated with the specific content bundle. This should not be all zeros if the bundleID was found. +- **BundleRepeatFailCount** Indicates whether this particular update bundle previously failed. +- **BundleRevisionNumber** Identifies the revision number of the content bundle. +- **CallerApplicationName** Name of the application making the Windows Update request. Used to identify context of request. +- **ClassificationId** Classification identifier of the update content. +- **ClientVersion** Version number of the software distribution client. +- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0. +- **DeploymentMutexId** Mutex identifier of the deployment operation. +- **DeploymentProviderHostModule** Name of the module which is hosting the Update Deployment Provider for deployment operation. +- **DeploymentProviderMode** The mode of operation of the Update Deployment Provider. +- **DriverPingBack** Contains information about the previous driver and system state. +- **DriverRecoveryIds** The list of identifiers that could be used for uninstalling the drivers when a recovery is required. +- **EventInstanceID** A globally unique identifier for event instance. +- **EventScenario** Indicates the purpose of the event (a scan started, succeded, failed, etc.). +- **EventType** Indicates the event type. Possible values are "Child", "Bundle", "Release" or "Driver". +- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode is not specific enough. +- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. +- **FlightBuildNumber** Indicates the build number of the flight. +- **FlightId** The specific ID of the flight the device is getting. +- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.). +- **HardwareId** If the download was for a driver targeted to a particular device model, this ID indicates the model of the device. +- **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process. +- **IsFirmware** Indicates whether an update was a firmware update. +- **IsSuccessFailurePostReboot** Indicates whether an initial success was then a failure after a reboot. +- **IsWUfBDualScanEnabled** Flag indicating whether WU-for-Business dual scan is enabled on the device. +- **IsWUfBEnabled** Flag indicating whether WU-for-Business is enabled on the device. +- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device. +- **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install. +- **ProcessName** Process name of the caller who initiated API calls into the software distribution client. +- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. +- **RelatedCV** The previous correlation vector that was used by the client before swapping with a new one. +- **RepeatFailCount** Indicates whether this specific piece of content previously failed. +- **RevisionNumber** Identifies the revision number of this specific piece of content. +- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Microsoft Store, etc). +- **StatusCode** Result code of the event (success, cancellation, failure code HResult). +- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. +- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. +- **UpdateId** Identifier associated with the specific piece of content. +- **UpdateImportance** Indicates the importance of a driver and why it received that importance level (0-Unknown, 1-Optional, 2-Important-DNF, 3-Important-Generic, 4-Important-Other, 5-Recommended). +- **UsedSystemVolume** Indicates whether the device’s main system storage drive or an alternate storage drive was used. +- **WUDeviceID** Unique device ID controlled by the software distribution client. + + +### SoftwareUpdateClientTelemetry.UpdateDetected + +This event sends data about an AppX app that has been updated from the Microsoft Store, including what app needs an update and what version/architecture is required, in order to understand and address problems with apps getting required updates. The data collected with this event is used to help keep Windows up to date, secure, and performing properly. + +The following fields are available: + +- **ApplicableUpdateInfo** Metadata for the updates which were detected as applicable. +- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. +- **IntentPFNs** Intended application-set metadata for atomic update scenarios. +- **NumberOfApplicableUpdates** The number of updates ultimately deemed applicable to the system after the detection process is complete. +- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one. +- **ServiceGuid** An ID that represents which service the software distribution client is connecting to (Windows Update, Microsoft Store, etc.). +- **WUDeviceID** The unique device ID controlled by the software distribution client. + + +### SoftwareUpdateClientTelemetry.UpdateMetadataIntegrity + +This event helps to identify whether update content has been tampered with and protects against man-in-the-middle attack. The data collected with this event is used to help keep Windows up to date, secure, and performing properly. + +The following fields are available: + +- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. +- **EndpointUrl** The endpoint URL where the device obtains update metadata. This is used to distinguish between test, staging, and production environments. +- **EventScenario** The purpose of this event, such as scan started, scan succeeded, or scan failed. +- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough. +- **LeafCertId** The integral ID from the FragmentSigning data for the certificate that failed. +- **MetadataIntegrityMode** The mode of the transport metadata integrity check. 0 = unknown; 1 = ignore; 2 = audit; 3 = enforce +- **MetadataSignature** A base64-encoded string of the signature associated with the update metadata (specified by revision ID). +- **RawMode** The raw unparsed mode string from the SLS response. This field is null if not applicable. +- **RevisionId** The revision ID for a specific piece of content. +- **RevisionNumber** The revision number for a specific piece of content. +- **ServiceGuid** Identifies the service to which the software distribution client is connected. Example: Windows Update or Microsoft Store +- **SHA256OfLeafCertPublicKey** A base64 encoding of the hash of the Base64CertData in the FragmentSigning data of the leaf certificate. +- **SHA256OfTimestampToken** An encoded string of the timestamp token. +- **SignatureAlgorithm** The hash algorithm for the metadata signature. +- **SLSPrograms** A test program to which a device may have opted in. Example: Insider Fast +- **StatusCode** Result code of the event (success, cancellation, failure code HResult). +- **TimestampTokenId** The time this was created. It is encoded in a timestamp blob and will be zero if the token is malformed. +- **UpdateId** The update ID for a specific piece of content. + + +## Surface events + +### Microsoft.Surface.Battery.Prod.BatteryInfoEvent + +This event includes the hardware level data about battery performance. The data collected with this event is used to help keep Windows products and services performing properly. + +The following fields are available: + +- **pszBatteryDataXml** Battery performance data. + + +### Microsoft.Surface.Battery.Prod.BatteryInfoEventV2_BPM + +This event includes the hardware level data about battery performance. The data collected with this event is used to keep Windows performing properly. + +The following fields are available: + +- **BPMCurrentlyEngaged** Instantaneous snapshot if BPM is engaged on device. +- **BPMExitCriteria** What is the BPM exit criteria - 20%SOC or 50%SOC? +- **BPMHvtCountA** Current HVT count for BPM counter A. +- **BPMHvtCountB** Current HVT count for BPM counter B. +- **bpmOptOutLifetimeCount** BPM OptOut Lifetime Count. +- **BPMRsocBucketsHighTemp_Values** Time in temperature range 46°C -60°C and in the following true RSOC ranges: 0%-49%; 50%-79%; 80%-89%; 90%-94%; 95%-100%. +- **BPMRsocBucketsLowTemp_Values** Time in temperature range 0°C -20°C and in the following true RSOC ranges: 0%-49%; 50%-79%; 80%-89%; 90%-94%; 95%-100%. +- **BPMRsocBucketsMediumHighTemp_Values** Time in temperature range 36°C -45°C and in the following true RSOC ranges: 0%-49%; 50%-79%; 80%-89%; 90%-94%; 95%-100%. +- **BPMRsocBucketsMediumLowTemp_Values** Time in temperature range 21°C-35°C and in the following true RSOC ranges: 0%-49%; 50%-79%; 80%-89%; 90%-94%; 95%-100%. +- **BPMTotalEngagedMinutes** Total time that BPM was engaged. +- **BPMTotalEntryEvents** Total number of times entering BPM. +- **ComponentId** Component ID. +- **FwVersion** FW version that created this log. +- **LogClass** Log Class. +- **LogInstance** Log instance within class (1..n). +- **LogVersion** Log MGR version. +- **MCUInstance** Instance id used to identify multiple MCU's in a product. +- **ProductId** Product ID. +- **SeqNum** Sequence Number. +- **TimeStamp** UTC seconds when log was created. +- **Ver** Schema version. + + +### Microsoft.Surface.Battery.Prod.BatteryInfoEventV2_CTT + +This event includes the hardware level data about battery performance. The data collected with this event is used to keep Windows performing properly. + +The following fields are available: + +- **BPMKioskModeStartDateInSeconds** First time Battery Limit was turned on +- **BPMKioskModeTotalEngagedMinutes** Total time Battery Limit was on (SOC value at 50%) +- **ComponentId** Component ID. +- **CTTEqvTimeat35C** Poll time every minute. Add to lifetime counter based on temperature. Only count time above 80% SOC. +- **CTTEqvTimeat35CinBPM** Poll time every minute. Add to lifetime counter based on temperature. Only count time above 55% SOC and when device is in BPM. Round up. +- **CTTMinSOC1day** Rolling 1 day minimum SOC. Value set to 0 initially. +- **CTTMinSOC28day** Rolling 28 day minimum SOC. Value set to 0 initially +- **CTTMinSOC3day** Rolling 3 day minimum SOC. Value set to 0 initially +- **CTTMinSOC7day** Rolling 7 day minimum SOC. Value set to 0 initially +- **CTTStartDateInSeconds** Indicates the start date of when device starting being used. +- **currentAuthenticationState** Current Authentication State. +- **FwVersion** FW version that created this log. +- **LogClass** LOG CLASS. +- **LogInstance** Log instance within class (1..n). +- **LogVersion** LOG MGR VERSION. +- **MCUInstance** Instance id used to identify multiple MCU's in a product. +- **newSnFruUpdateCount** New Sn FRU Update Count. +- **newSnUpdateCount** New Sn Update Count. +- **ProductId** Product ID. +- **ProtectionPolicy** Battery limit engaged. True (0 False) +- **SeqNum** Represents the sequence number. +- **TimeStamp** UTC seconds when log was created. +- **Ver** The schema version used. +- **VoltageOptimization** Current CTT reduction in mV + + +### Microsoft.Surface.Battery.Prod.BatteryInfoEventV2_GG + +This event includes the hardware level data about battery performance. The data collected with this event is used to keep Windows performing properly. + +The following fields are available: + +- **cbTimeCell_Values** cb time for different cells. +- **ComponentId** Component ID. +- **cycleCount** Cycle Count. +- **deltaVoltage** Delta voltage. +- **eocChargeVoltage_Values** EOC Charge voltage values. +- **fullChargeCapacity** Full Charge Capacity. +- **FwVersion** FW version that created this log. +- **lastCovEvent** Last Cov event. +- **lastCuvEvent** Last Cuv event. +- **LogClass** LOG_CLASS. +- **LogInstance** Log instance within class (1..n). +- **LogVersion** LOG_MGR_VERSION. +- **manufacturerName** Manufacturer name. +- **maxChargeCurrent** Max charge current. +- **maxDeltaCellVoltage** Max delta cell voltage. +- **maxDischargeCurrent** Max discharge current. +- **maxTempCell** Max temp cell. +- **maxVoltage_Values** Max voltage values. +- **MCUInstance** Instance id used to identify multiple MCU's in a product. +- **minTempCell** Min temp cell. +- **minVoltage_Values** Min voltage values. +- **numberOfCovEvents** Number of Cov events. +- **numberOfCuvEvents** Number of Cuv events. +- **numberOfOCD1Events** Number of OCD1 events. +- **numberOfOCD2Events** Number of OCD2 events. +- **numberOfQmaxUpdates** Number of Qmax updates. +- **numberOfRaUpdates** Number of Ra updates. +- **numberOfShutdowns** Number of shutdowns. +- **pfStatus_Values** pf status values. +- **ProductId** Product ID. +- **qmax_Values** Qmax values for different cells. +- **SeqNum** Sequence Number. +- **TimeStamp** UTC seconds when log was created. +- **Ver** Schema version. + + +### Microsoft.Surface.Battery.Prod.BatteryInfoEventV2_GGExt + +This event includes the hardware level data about battery performance. The data collected with this event is used to keep Windows performing properly. + +The following fields are available: + +- **avgCurrLastRun** Average current last run. +- **avgPowLastRun** Average power last run. +- **batteryMSPN** BatteryMSPN +- **batteryMSSN** BatteryMSSN. +- **cell0Ra3** Cell0Ra3. +- **cell1Ra3** Cell1Ra3. +- **cell2Ra3** Cell2Ra3. +- **cell3Ra3** Cell3Ra3. +- **ComponentId** Component ID. +- **currentAtEoc** Current at Eoc. +- **firstPFstatusA** First PF status-A. +- **firstPFstatusB** First PF status-B. +- **firstPFstatusC** First PF status-C. +- **firstPFstatusD** First PF status-D. +- **FwVersion** FW version that created this log. +- **lastQmaxUpdate** Last Qmax update. +- **lastRaDisable** Last Ra disable. +- **lastRaUpdate** Last Ra update. +- **lastValidChargeTerm** Last valid charge term. +- **LogClass** LOG CLASS. +- **LogInstance** Log instance within class (1..n). +- **LogVersion** LOG MGR VERSION. +- **maxAvgCurrLastRun** Max average current last run. +- **maxAvgPowLastRun** Max average power last run. +- **MCUInstance** Instance id used to identify multiple MCU's in a product. +- **mfgInfoBlockB01** MFG info Block B01. +- **mfgInfoBlockB02** MFG info Block B02. +- **mfgInfoBlockB03** MFG info Block B03. +- **mfgInfoBlockB04** MFG info Block B04. +- **numOfRaDisable** Number of Ra disable. +- **numOfValidChargeTerm** Number of valid charge term. +- **ProductId** Product ID. +- **qmaxCycleCount** Qmax cycle count. +- **SeqNum** Sequence Number. +- **stateOfHealthEnergy** State of health energy. +- **stateOfHealthFcc** State of health Fcc. +- **stateOfHealthPercent** State of health percent. +- **TimeStamp** UTC seconds when log was created. +- **totalFwRuntime** Total FW runtime. +- **updateStatus** Update status. +- **Ver** Schema version. + + +### Microsoft.Surface.Health.Binary.Prod.McuHealthLog + +This event collects information to keep track of health indicator of the built-in micro controller. For example, the number of abnormal shutdowns due to power issues during boot sequence, type of display panel attached to base, thermal indicator, throttling data in hardware etc. The data collected with this event is used to help keep Windows secure and performing properly. + +The following fields are available: + +- **CUtility::GetTargetNameA(Target)** Sub component name. +- **HealthLog** Health indicator log. +- **healthLogSize** 4KB. +- **productId** Identifier for product model. + + +### Microsoft.Surface.SystemReset.Prod.ResetCauseEventV2 + +This event sends reason for SAM, PCH and SoC reset. The data collected with this event is used to keep Windows performing properly. + +The following fields are available: + +- **HostResetCause** Host reset cause. +- **PchResetCause** PCH reset cause. +- **SamResetCause** SAM reset cause. + + +## UEFI events + +### Microsoft.Windows.UEFI.ESRT + +This event sends basic data during boot about the firmware loaded or recently installed on the machine. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **DriverFirmwareFilename** The firmware file name reported by the device hardware key. +- **DriverFirmwareIntegrityFilename** Filename of the integrity package that is supplied in the firmware package. +- **DriverFirmwarePolicy** The optional version update policy value. +- **DriverFirmwareStatus** The firmware status reported by the device hardware key. +- **DriverFirmwareVersion** The firmware version reported by the device hardware key. +- **FirmwareId** The UEFI (Unified Extensible Firmware Interface) identifier. +- **FirmwareLastAttemptStatus** The reported status of the most recent firmware installation attempt, as reported by the EFI System Resource Table (ESRT). +- **FirmwareLastAttemptVersion** The version of the most recent attempted firmware installation, as reported by the EFI System Resource Table (ESRT). +- **FirmwareType** The UEFI (Unified Extensible Firmware Interface) type. +- **FirmwareVersion** The UEFI (Unified Extensible Firmware Interface) version as reported by the EFI System Resource Table (ESRT). +- **InitiateUpdate** Indicates whether the system is ready to initiate an update. +- **LastAttemptDate** The date of the most recent attempted firmware installation. +- **LastAttemptStatus** The result of the most recent attempted firmware installation. +- **LastAttemptVersion** The version of the most recent attempted firmware installation. +- **LowestSupportedFirmwareVersion** The oldest (lowest) version of firmware supported. +- **MaxRetryCount** The maximum number of retries, defined by the firmware class key. +- **RetryCount** The number of attempted installations (retries), reported by the driver software key. +- **Status** The status returned to the PnP (Plug-and-Play) manager. +- **UpdateAttempted** Indicates if installation of the current update has been attempted before. + + +## Update Assistant events + +### Microsoft.Windows.RecommendedTroubleshootingService.MitigationFailed + +This event is raised after an executable delivered by Mitigation Service has run and failed. Data from this event is used to measure the health of mitigations used by engineers to solve in-market problems on internal, insider, and retail devices. Failure data will also be used for root-cause investigation by feature teams, as signal to halt mitigation rollout and, possible follow-up action on specific devices still impacted by the problem because the mitigation failed (i.e. reoffer it to impacted devices). The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **activeProcesses** Number of active processes. +- **atleastOneMitigationSucceeded** Bool flag indicating if at least one mitigation succeeded. +- **callerId** Identifier (GUID) of the caller requesting a system initiated troubleshooter. +- **contactTSServiceAttempts** Number of attempts made by TroubleshootingSvc in a single Scanner session to get Troubleshooter metadata from the Troubleshooting cloud service. +- **countDownloadedPayload** Count instances of payload downloaded. +- **description** Description of failure. +- **devicePreference** Recommended Troubleshooting Setting on the device. +- **downloadBinaryAttempts** Number of attempts made by TroubleshootingSvc in a single Scanner session to download Troubleshooter Exe. +- **downloadCabAttempts** Number of attempts made by TroubleshootingSvc in a single Scanner session to download PrivilegedActions Cab. +- **executionHR** HR code of the execution of the mitigation. +- **executionPreference** Current Execution level Preference. This may not be same as devicePreference, eg when executing Critical troubleshooters, the executionPreference is set to the Silent option. +- **exitCode** Exit code of the execution of the mitigation. +- **experimentFeatureId** Experiment feature ID. +- **experimentFeatureState** Config state of the experiment. +- **hr** HRESULT for error code. +- **isActiveSessionPresent** If an active user session is present on the device. +- **isCriticalMitigationAvailable** If a critical mitigation is available to this device. +- **isFilteringSuccessful** If the filtering operation was successful. +- **isReApply** reApply status for the mitigation. +- **mitigationId** ID value of the mitigation. +- **mitigationProcessCycleTime** Process cycle time used by the mitigation. +- **mitigationRequestWithCompressionFailed** Boolean flag indicating if HTTP request with compression failed for this device. +- **mitigationServiceResultFetched** Boolean flag indicating if mitigation details were fetched from the admin service. +- **mitigationVersion** String indicating version of the mitigation. +- **oneSettingsMetadataParsed** If OneSettings metadata was parsed successfully. +- **oneSettingsSchemaVersion** Schema version used by the OneSettings parser. +- **onlyNoOptMitigationsPresent** Checks if all mitigations were no opt. +- **parsedOneSettingsFile** Indicates if OneSettings parsing was successful. +- **sessionAttempts** Number of Scanner sessions attempted so far by TroubleshootingSvc for this troubleshooter. +- **SessionId** Random GUID used for grouping events in a session. +- **subType** Error type. +- **totalKernelTime** Total kernel time used by the mitigation. +- **totalNumberOfApplicableMitigations** Total number of applicable mitigations. +- **totalProcesses** Total number of processes assigned to the job object. +- **totalTerminatedProcesses** Total number of processes in terminated state assigned to the job object. +- **totalUserTime** Total user mode time used by the job object. + + +### Microsoft.Windows.RecommendedTroubleshootingService.MitigationSucceeded + +This event is raised after an executable delivered by Mitigation Service has successfully run. Data from this event is used to measure the health of mitigations used by engineers to solve in-market problems on internal, insider, and retail devices. The data collected with this event is used to keep Windows performing properly. + +The following fields are available: + +- **activeProcesses** Number of active processes. +- **callerId** Identifier (GUID) of the caller requesting a system initiated troubleshooter. +- **contactTSServiceAttempts** Number of attempts made by TroubleshootingSvc in a single Scanner session to get Troubleshooter metadata from the Troubleshooting cloud service. +- **devicePreference** Recommended troubleshooting setting on the device. +- **downloadBinaryAttempts** Number of attempts made by TroubleshootingSvc in a single Scanner session to download Troubleshooter Exe. +- **downloadCabAttempts** Number of attempts made by TroubleshootingSvc in a single Scanner session to download PrivilegedActions Cab. +- **executionPreference** Current Execution level Preference. This may not be same as devicePreference, for example, when executing Critical troubleshooters, the executionPreference is set to the Silent option. +- **exitCode** Exit code of the execution of the mitigation. +- **exitCodeDefinition** String describing the meaning of the exit code returned by the mitigation (i.e. ProblemNotFound). +- **experimentFeatureId** Experiment feature ID. +- **experimentFeatureState** Feature state for the experiment. +- **mitigationId** ID value of the mitigation. +- **mitigationProcessCycleTime** Process cycle time used by the mitigation. +- **mitigationVersion** String indicating version of the mitigation. +- **sessionAttempts** Number of Scanner sessions attempted so far by TroubleshootingSvc for this troubleshooter. +- **SessionId** Random GUID used for grouping events in a session. +- **totalKernelTime** Total kernel time used by the mitigation. +- **totalProcesses** Total number of processes assigned to the job object. +- **totalTerminatedProcesses** Total number of processes in terminated state assigned to the job object. +- **totalUserTime** Total user mode time used by the job object. + + +### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsDeviceInformationUploaded + +This event is received when the UpdateHealthTools service uploads device information. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** Correlation vector. +- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. +- **PackageVersion** Current package version of remediation. +- **UpdateHealthToolsDeviceUbrChanged** 1 if the Ubr just changed, 0 otherwise. +- **UpdateHealthToolsDeviceUri** The URI to be used for push notifications on this device. + + +### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsServiceIsDSSJoin + +This event is sent when a device has been detected as DSS device. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** A correlation vector. +- **GlobalEventCounter** This is a client side counter which indicates ordering of events sent by this user. +- **PackageVersion** The package version of the label. + + + +## Update events + +### Update360Telemetry.DriverUpdateSummaryReport + +This event collects information regarding the state of devices and drivers on the system, following a reboot, after the install phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **AnalysisErrorCount** The number of driver packages that could not be analyzed because errors occurred during the analysis. +- **AppendError** A Boolean indicating if there was an error appending more information to the summary string. +- **DevicePopulateErrorCount** The number of errors that occurred during the population of the list of all devices on the system, includes information such as, hardware ID, compatible ID. +- **ErrorCode** The error code returned. +- **FlightId** The flight ID for the driver manifest update. +- **ObjectId** The unique value for each diagnostics session. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **Result** Indicates the result of the update. +- **ScenarioId** Indicates the update scenario. +- **SessionId** The unique value for each update session. +- **Summary** A summary string that contains basic information about driver packages that are part of the device manifest and any devices on the system that those driver packages match. +- **TruncatedDeviceCount** The number of devices missing from the summary string due to there not being enough room in the string. +- **TruncatedDriverCount** The number of devices missing from the summary string due to there not being enough room in the string. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.Revert + +This event sends data relating to the Revert phase of updating Windows. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **ErrorCode** The error code returned for the Revert phase. +- **FlightId** Unique ID for the flight (test instance version). +- **ObjectId** The unique value for each Update Agent mode. +- **RebootRequired** Indicates reboot is required. +- **RevertResult** The result code returned for the Revert operation. +- **ScenarioId** The ID of the update scenario. +- **SessionId** The ID of the update attempt. +- **UpdateId** The ID of the update. + + +### Update360Telemetry.UpdateAgentCommit + +This event collects information regarding the commit phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CancelRequested** Boolean that indicates whether cancel was requested. +- **ErrorCode** The error code returned for the current install phase. +- **FlightId** Unique ID for each flight. +- **ObjectId** Unique value for each Update Agent mode. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **Result** Outcome of the install phase of the update. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentDownloadRequest + +This event sends data for the download request phase of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to PC and Mobile. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CancelRequested** Boolean indicating whether a cancel was requested. +- **ContainsSafeOSDUPackage** Boolean indicating whether Safe DU packages are part of the payload. +- **DeletedCorruptFiles** Boolean indicating whether corrupt payload was deleted. +- **DownloadComplete** Indicates if the download is complete. +- **DownloadedSizeBundle** Cumulative size (in bytes) of the downloaded bundle content. +- **DownloadedSizeCanonical** Cumulative size (in bytes) of downloaded canonical content. +- **DownloadedSizeDiff** Cumulative size (in bytes) of downloaded diff content. +- **DownloadedSizeExpress** Cumulative size (in bytes) of downloaded express content. +- **DownloadedSizePSFX** Cumulative size (in bytes) of downloaded PSFX content. +- **DownloadRequests** Number of times a download was retried. +- **ErrorCode** The error code returned for the current download request phase. +- **ExtensionName** Indicates whether the payload is related to Operating System content or a plugin. +- **FlightId** Unique ID for each flight. +- **InternalFailureResult** Indicates a non-fatal error from a plugin. +- **NumberOfHops** Number of intermediate packages used to reach target version. +- **ObjectId** Unique value for each Update Agent mode (same concept as InstanceId for Setup360). +- **PackageCategoriesSkipped** Indicates package categories that were skipped, if applicable. +- **PackageCountOptional** Number of optional packages requested. +- **PackageCountRequired** Number of required packages requested. +- **PackageCountTotal** Total number of packages needed. +- **PackageCountTotalBundle** Total number of bundle packages. +- **PackageCountTotalCanonical** Total number of canonical packages. +- **PackageCountTotalDiff** Total number of diff packages. +- **PackageCountTotalExpress** Total number of express packages. +- **PackageCountTotalPSFX** The total number of PSFX packages. +- **PackageExpressType** Type of express package. +- **PackageSizeCanonical** Size of canonical packages in bytes. +- **PackageSizeDiff** Size of diff packages in bytes. +- **PackageSizeExpress** Size of express packages in bytes. +- **PackageSizePSFX** The size of PSFX packages, in bytes. +- **RangeRequestState** Indicates the range request type used. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **Result** Outcome of the download request phase of update. +- **SandboxTaggedForReserves** The sandbox for reserves. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each attempt (same value for initialize, download, install commit phases). +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentExpand + +This event collects information regarding the expansion phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CancelRequested** Boolean that indicates whether a cancel was requested. +- **CanonicalRequestedOnError** Indicates if an error caused a reversion to a different type of compressed update (TRUE or FALSE). +- **ElapsedTickCount** Time taken for expand phase. +- **EndFreeSpace** Free space after expand phase. +- **EndSandboxSize** Sandbox size after expand phase. +- **ErrorCode** The error code returned for the current install phase. +- **FlightId** Unique ID for each flight. +- **ObjectId** Unique value for each Update Agent mode. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each update attempt. +- **StartFreeSpace** Free space before expand phase. +- **StartSandboxSize** Sandbox size after expand phase. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentInitialize + +This event sends data for the initialize phase of updating Windows via the new Unified Update Platform (UUP) scenario, which is applicable to both PCs and Mobile. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **ErrorCode** The error code returned for the current install phase. +- **FlightId** Unique ID for each flight. +- **FlightMetadata** Contains the FlightId and the build being flighted. +- **ObjectId** Unique value for each Update Agent mode. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **Result** Outcome of the install phase of the update. +- **ScenarioId** Indicates the update scenario. +- **SessionData** String containing instructions to update agent for processing FODs and DUICs (Null for other scenarios). +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentInstall + +This event sends data for the install phase of updating Windows. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CancelRequested** Boolean to indicate whether a cancel was requested. +- **ErrorCode** The error code returned for the current install phase. +- **ExtensionName** Indicates whether the payload is related to Operating System content or a plugin. +- **FlightId** Unique value for each Update Agent mode (same concept as InstanceId for Setup360). +- **InternalFailureResult** Indicates a non-fatal error from a plugin. +- **ObjectId** Correlation vector value generated from the latest USO scan. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **Result** The result for the current install phase. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentMitigationResult + +This event sends data indicating the result of each update agent mitigation. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **Applicable** Indicates whether the mitigation is applicable for the current update. +- **CommandCount** The number of command operations in the mitigation entry. +- **CustomCount** The number of custom operations in the mitigation entry. +- **FileCount** The number of file operations in the mitigation entry. +- **FlightId** Unique identifier for each flight. +- **Index** The mitigation index of this particular mitigation. +- **MitigationScenario** The update scenario in which the mitigation was executed. +- **Name** The friendly name of the mitigation. +- **ObjectId** Unique value for each Update Agent mode. +- **OperationIndex** The mitigation operation index (in the event of a failure). +- **OperationName** The friendly name of the mitigation operation (in the event of failure). +- **RegistryCount** The number of registry operations in the mitigation entry. +- **RelatedCV** The correlation vector value generated from the latest USO scan. +- **Result** The HResult of this operation. +- **ScenarioId** The update agent scenario ID. +- **SessionId** Unique value for each update attempt. +- **TimeDiff** The amount of time spent performing the mitigation (in 100-nanosecond increments). +- **UpdateId** Unique ID for each Update. + + +### Update360Telemetry.UpdateAgentMitigationSummary + +This event sends a summary of all the update agent mitigations available for an this update. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **Applicable** The count of mitigations that were applicable to the system and scenario. +- **Failed** The count of mitigations that failed. +- **FlightId** Unique identifier for each flight. +- **MitigationScenario** The update scenario in which the mitigations were attempted. +- **ObjectId** The unique value for each Update Agent mode. +- **RelatedCV** The correlation vector value generated from the latest USO scan. +- **Result** The HResult of this operation. +- **ScenarioId** The update agent scenario ID. +- **SessionId** Unique value for each update attempt. +- **TimeDiff** The amount of time spent performing all mitigations (in 100-nanosecond increments). +- **Total** Total number of mitigations that were available. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentModeStart + +This event sends data for the start of each mode during the process of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to both PCs and Mobile. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **FlightId** Unique ID for each flight. +- **Mode** Indicates the mode that has started. +- **ObjectId** Unique value for each Update Agent mode. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each update. +- **Version** Version of update + + +### Update360Telemetry.UpdateAgentOneSettings + +This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **Count** The count of applicable OneSettings for the device. +- **FlightId** Unique ID for the flight (test instance version). +- **ObjectId** The unique value for each Update Agent mode. +- **Parameters** The set of name value pair parameters sent to OneSettings to determine if there are any applicable OneSettings. +- **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan. +- **Result** The HResult of the event. +- **ScenarioId** The ID of the update scenario. +- **SessionId** The ID of the update attempt. +- **UpdateId** The ID of the update. +- **Values** The values sent back to the device, if applicable. + + +### Update360Telemetry.UpdateAgentPostRebootResult + +This event collects information for both Mobile and Desktop regarding the post reboot phase of the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **ErrorCode** The error code returned for the current post reboot phase. +- **FlightId** The specific ID of the Windows Insider build the device is getting. +- **ObjectId** Unique value for each Update Agent mode. +- **PostRebootResult** Indicates the Hresult. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **RollbackFailureReason** Indicates the cause of the rollback. +- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate. +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each update. +- **UpdateOutputState** A numeric value indicating the state of the update at the time of reboot. + + +### Update360Telemetry.UpdateAgentReboot + +This event sends information indicating that a request has been sent to suspend an update. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **ErrorCode** The error code returned for the current reboot. +- **FlightId** Unique ID for the flight (test instance version). +- **IsSuspendable** Indicates whether the update has the ability to be suspended and resumed at the time of reboot. When the machine is rebooted and the update is in middle of Predownload or Install and Setup.exe is running, this field is TRUE, if not its FALSE. +- **ObjectId** The unique value for each Update Agent mode. +- **Reason** Indicates the HResult why the machine could not be suspended. If it is successfully suspended, the result is 0. +- **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan. +- **ScenarioId** The ID of the update scenario. +- **SessionId** The ID of the update attempt. +- **UpdateId** The ID of the update. +- **UpdateState** Indicates the state of the machine when Suspend is called. For example, Install, Download, Commit. + + +### Update360Telemetry.UpdateAgentSetupBoxLaunch + +The UpdateAgent_SetupBoxLaunch event sends data for the launching of the setup box when updating Windows via the new Unified Update Platform (UUP) scenario. This event is only applicable to PCs. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **ContainsExpressPackage** Indicates whether the download package is express. +- **FlightId** Unique ID for each flight. +- **FreeSpace** Free space on OS partition. +- **InstallCount** Number of install attempts using the same sandbox. +- **ObjectId** Unique value for each Update Agent mode. +- **Quiet** Indicates whether setup is running in quiet mode. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **SandboxSize** Size of the sandbox. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each update attempt. +- **SetupLaunchAttemptCount** Indicates the count of attempts to launch setup for the current Update Agent instance. +- **SetupMode** Mode of setup to be launched. +- **UpdateId** Unique ID for each Update. +- **UserSession** Indicates whether install was invoked by user actions. + + +## Upgrade events + +### FacilitatorTelemetry.DCATDownload + +This event indicates whether devices received additional or critical supplemental content during an OS Upgrade, to help keep Windows up to date and secure. + +The following fields are available: + +- **DownloadSize** Download size of payload. +- **ElapsedTime** Time taken to download payload. +- **MediaFallbackUsed** Used to determine if we used Media CompDBs to figure out package requirements for the upgrade. +- **ResultCode** Result returned by the Facilitator DCAT call. +- **Scenario** Dynamic update scenario (Image DU, or Setup DU). +- **Type** Type of package that was downloaded. +- **UpdateId** The ID of the update that was downloaded. + + +### FacilitatorTelemetry.DUDownload + +This event returns data about the download of supplemental packages critical to upgrading a device to the next version of Windows. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **PackageCategoriesFailed** Lists the categories of packages that failed to download. +- **PackageCategoriesSkipped** Lists the categories of package downloads that were skipped. + + +### FacilitatorTelemetry.InitializeDU + +This event determines whether devices received additional or critical supplemental content during an OS upgrade. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **DownloadRequestAttributes** The attributes we send to DCAT. +- **ResultCode** The result returned from the initiation of Facilitator with the URL/attributes. +- **Scenario** Dynamic Update scenario (Image DU, or Setup DU). +- **Url** The Delivery Catalog (DCAT) URL we send the request to. +- **Version** Version of Facilitator. + + +### Setup360Telemetry.Downlevel + +This event sends data indicating that the device has started the downlevel phase of the upgrade, to help keep Windows up to date and secure. + +The following fields are available: + +- **ClientId** If using Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, the default value is Media360, but it can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. +- **HostOSBuildNumber** The build number of the downlevel OS. +- **HostOsSkuName** The operating system edition which is running Setup360 instance (downlevel OS). +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. +- **ReportId** In the Windows Update scenario, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. +- **Setup360Extended** More detailed information about phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360 (for example, Predownload, Install, Finalize, Rollback). +- **Setup360Result** The result of Setup360 (HRESULT used to diagnose errors). +- **Setup360Scenario** The Setup360 flow type (for example, Boot, Media, Update, MCT). +- **SetupVersionBuildNumber** The build number of Setup360 (build number of the target OS). +- **State** Exit state of given Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **TestId** An ID that uniquely identifies a group of events. +- **WuId** This is the Windows Update Client ID. In the Windows Update scenario, this is the same as the clientId. + + +### Setup360Telemetry.Finalize + +This event sends data indicating that the device has started the phase of finalizing the upgrade, to help keep Windows up-to-date and secure. + +The following fields are available: + +- **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. +- **HostOSBuildNumber** The build number of the previous OS. +- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS). +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe +- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. +- **Setup360Extended** More detailed information about the phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. +- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. +- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **TestId** ID that uniquely identifies a group of events. +- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId. + + +### Setup360Telemetry.OsUninstall + +This event sends data regarding OS updates and upgrades from Windows 7, Windows 8, Windows 10, and Windows 11. Specifically, it indicates the outcome of an OS uninstall. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. +- **HostOSBuildNumber** The build number of the previous OS. +- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous OS). +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. +- **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim. +- **Setup360Extended** Detailed information about the phase or action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. +- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT +- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). +- **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **TestId** ID that uniquely identifies a group of events. +- **WuId** Windows Update client ID. + + +### Setup360Telemetry.PostRebootInstall + +This event sends data indicating that the device has invoked the post reboot install phase of the upgrade, to help keep Windows up-to-date. + +The following fields are available: + +- **ClientId** With Windows Update, this is the Windows Update client ID that is passed to Setup. In Media setup, the default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. +- **HostOSBuildNumber** The build number of the previous OS. +- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS). +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. +- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. +- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback +- **Setup360Result** The result of Setup360. This is an HRESULT error code that's used to diagnose errors. +- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT +- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled +- **TestId** A string to uniquely identify a group of events. +- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as ClientId. + + +### Setup360Telemetry.PreDownloadQuiet + +This event sends data indicating that the device has invoked the predownload quiet phase of the upgrade, to help keep Windows up to date. + +The following fields are available: + +- **ClientId** Using Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. +- **HostOSBuildNumber** The build number of the previous OS. +- **HostOsSkuName** The OS edition which is running Setup360 instance (previous operating system). +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. +- **ReportId** Using Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. +- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. +- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. +- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled. +- **TestId** ID that uniquely identifies a group of events. +- **WuId** This is the Windows Update Client ID. Using Windows Update, this is the same as the clientId. + + +### Setup360Telemetry.PreDownloadUX + +This event sends data regarding OS Updates and Upgrades from Windows 7.X, Windows 8.X, Windows 10, Windows 11 and RS, to help keep Windows up-to-date and secure. Specifically, it indicates the outcome of the PredownloadUX portion of the update process. + +The following fields are available: + +- **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **HostOSBuildNumber** The build number of the previous operating system. +- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous operating system). +- **InstanceId** Unique GUID that identifies each instance of setuphost.exe. +- **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim. +- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors. +- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. +- **SetupVersionBuildNumber** The build number of Setup360 (build number of the target OS). +- **State** The exit state of the Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **TestId** ID that uniquely identifies a group of events. +- **WuId** Windows Update client ID. + + +### Setup360Telemetry.PreInstallQuiet + +This event sends data indicating that the device has invoked the preinstall quiet phase of the upgrade, to help keep Windows up-to-date. + +The following fields are available: + +- **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. +- **HostOSBuildNumber** The build number of the previous OS. +- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS). +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe +- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. +- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors. +- **Setup360Scenario** Setup360 flow type (Boot, Media, Update, MCT). +- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **TestId** A string to uniquely identify a group of events. +- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId. + + +### Setup360Telemetry.PreInstallUX + +This event sends data regarding OS updates and upgrades from Windows 7, Windows 8, Windows 10, and Windows 11, to help keep Windows up-to-date. Specifically, it indicates the outcome of the PreinstallUX portion of the update process. + +The following fields are available: + +- **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. +- **HostOSBuildNumber** The build number of the previous OS. +- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous OS). +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. +- **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim. +- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. +- **Setup360Scenario** The Setup360 flow type, Example: Boot, Media, Update, MCT. +- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **TestId** A string to uniquely identify a group of events. +- **WuId** Windows Update client ID. + + +### Setup360Telemetry.Setup360 + +This event sends data about OS deployment scenarios, to help keep Windows up-to-date. + +The following fields are available: + +- **ClientId** Retrieves the upgrade ID. In the Windows Update scenario, this will be the Windows Update client ID. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FieldName** Retrieves the data point. +- **FlightData** Specifies a unique identifier for each group of Windows Insider builds. +- **InstanceId** Retrieves a unique identifier for each instance of a setup session. +- **ReportId** Retrieves the report ID. +- **ScenarioId** Retrieves the deployment scenario. +- **Value** Retrieves the value associated with the corresponding FieldName. + + +### Setup360Telemetry.Setup360DynamicUpdate + +This event helps determine whether the device received supplemental content during an operating system upgrade, to help keep Windows up-to-date. + +The following fields are available: + +- **FlightData** Specifies a unique identifier for each group of Windows Insider builds. +- **InstanceId** Retrieves a unique identifier for each instance of a setup session. +- **Operation** Facilitator's last known operation (scan, download, etc.). +- **ReportId** ID for tying together events stream side. +- **ResultCode** Result returned for the entire setup operation. +- **Scenario** Dynamic Update scenario (Image DU, or Setup DU). +- **ScenarioId** Identifies the update scenario. +- **TargetBranch** Branch of the target OS. +- **TargetBuild** Build of the target OS. + + +### Setup360Telemetry.Setup360MitigationResult + +This event sends data indicating the result of each setup mitigation. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **Applicable** TRUE if the mitigation is applicable for the current update. +- **ClientId** In the Windows Update scenario, this is the client ID passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **CommandCount** The number of command operations in the mitigation entry. +- **CustomCount** The number of custom operations in the mitigation entry. +- **FileCount** The number of file operations in the mitigation entry. +- **FlightData** The unique identifier for each flight (test release). +- **Index** The mitigation index of this particular mitigation. +- **InstanceId** The GUID (Globally Unique ID) that identifies each instance of SetupHost.EXE. +- **MitigationScenario** The update scenario in which the mitigation was executed. +- **Name** The friendly (descriptive) name of the mitigation. +- **OperationIndex** The mitigation operation index (in the event of a failure). +- **OperationName** The friendly (descriptive) name of the mitigation operation (in the event of failure). +- **RegistryCount** The number of registry operations in the mitigation entry. +- **ReportId** In the Windows Update scenario, the Update ID that is passed to Setup. In media setup, this is the GUID for the INSTALL.WIM. +- **Result** HResult of this operation. +- **ScenarioId** Setup360 flow type. +- **TimeDiff** The amount of time spent performing the mitigation (in 100-nanosecond increments). + + +### Setup360Telemetry.Setup360MitigationSummary + +This event sends a summary of all the setup mitigations available for this update. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **Applicable** The count of mitigations that were applicable to the system and scenario. +- **ClientId** The Windows Update client ID passed to Setup. +- **Failed** The count of mitigations that failed. +- **FlightData** The unique identifier for each flight (test release). +- **InstanceId** The GUID (Globally Unique ID) that identifies each instance of SetupHost.EXE. +- **MitigationScenario** The update scenario in which the mitigations were attempted. +- **ReportId** In the Windows Update scenario, the Update ID that is passed to Setup. In media setup, this is the GUID for the INSTALL.WIM. +- **Result** HResult of this operation. +- **ScenarioId** Setup360 flow type. +- **TimeDiff** The amount of time spent performing the mitigation (in 100-nanosecond increments). +- **Total** The total number of mitigations that were available. + + +### Setup360Telemetry.Setup360OneSettings + +This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **ClientId** The Windows Update client ID passed to Setup. +- **Count** The count of applicable OneSettings for the device. +- **FlightData** The ID for the flight (test instance version). +- **InstanceId** The GUID (Globally-Unique ID) that identifies each instance of setuphost.exe. +- **Parameters** The set of name value pair parameters sent to OneSettings to determine if there are any applicable OneSettings. +- **ReportId** The Update ID passed to Setup. +- **Result** The HResult of the event error. +- **ScenarioId** The update scenario ID. +- **Values** Values sent back to the device, if applicable. + + +### Setup360Telemetry.UnexpectedEvent + +This event sends data indicating that the device has invoked the unexpected event phase of the upgrade, to help keep Windows up to date. + +The following fields are available: + +- **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. +- **HostOSBuildNumber** The build number of the previous OS. +- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS). +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe +- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. +- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used used to diagnose errors. +- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. +- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **TestId** A string to uniquely identify a group of events. +- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId. + + +## Windows as a Service diagnostic events + +### Microsoft.Windows.WaaSMedic.StackDataResetPerformAction + +This event removes the datastore and allows corrupt devices to reattempt the update. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **DatastoreSizeInMB** Size of Datastore.edb file. Default: -1 if not set/unknown. +- **FreeSpaceInGB** Free space on the device before deleting the datastore. Default: -1 if not set/unknown. +- **HrLastFailure** Error code from the failed removal. +- **HrResetDatastore** Result of the attempted removal. +- **HrStopGroupOfServices** Result of stopping the services. +- **MaskServicesStopped** Bit field to indicate which services were stopped succesfully. Bit on means success. List of services: usosvc(1<<0), dosvc(1<<1), wuauserv(1<<2), bits(1<<3). +- **NumberServicesToStop** The number of services that require manual stopping. + + +### Microsoft.Windows.WaaSMedic.SummaryEvent + +This event provides the result of the WaaSMedic operation. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **callerApplication** The name of the calling application. +- **capsuleCount** The number of Sediment Pack capsules. +- **capsuleFailureCount** The number of capsule failures. +- **detectionSummary** Result of each applicable detection that was run. +- **featureAssessmentImpact** WaaS Assessment impact for feature updates. +- **hrEngineBlockReason** Indicates the reason for stopping WaaSMedic. +- **hrEngineResult** Error code from the engine operation. +- **hrLastSandboxError** The last error sent by the WaaSMedic sandbox. +- **initSummary** Summary data of the initialization method. +- **isInteractiveMode** The user started a run of WaaSMedic. +- **isManaged** Device is managed for updates. +- **isWUConnected** Device is connected to Windows Update. +- **noMoreActions** No more applicable diagnostics. +- **pluginFailureCount** The number of plugins that have failed. +- **pluginsCount** The number of plugins. +- **qualityAssessmentImpact** WaaS Assessment impact for quality updates. +- **remediationSummary** Result of each operation performed on a device to fix an invalid state or configuration that's preventing the device from getting updates. For example, if Windows Update service is turned off, the fix is to turn the it back on. +- **usingBackupFeatureAssessment** Relying on backup feature assessment. +- **usingBackupQualityAssessment** Relying on backup quality assessment. +- **usingCachedFeatureAssessment** WaaS Medic run did not get OS build age from the network on the previous run. +- **usingCachedQualityAssessment** WaaS Medic run did not get OS revision age from the network on the previous run. +- **versionString** Version of the WaaSMedic engine. +- **waasMedicRunMode** Indicates whether this was a background regular run of the medic or whether it was triggered by a user launching Windows Update Troubleshooter. + + +## Windows Error Reporting events + +### Microsoft.Windows.WERVertical.OSCrash + +This event sends binary data from the collected dump file wheneveer a bug check occurs, to help keep Windows up to date. The is the OneCore version of this event. + +The following fields are available: + +- **BootId** Uint32 identifying the boot number for this device. +- **BugCheckCode** Uint64 "bugcheck code" that identifies a proximate cause of the bug check. +- **BugCheckParameter1** Uint64 parameter providing additional information. +- **BugCheckParameter2** Uint64 parameter providing additional information. +- **BugCheckParameter3** Uint64 parameter providing additional information. +- **BugCheckParameter4** Uint64 parameter providing additional information. +- **DumpFileAttributes** Codes that identify the type of data contained in the dump file +- **DumpFileSize** Size of the dump file +- **IsValidDumpFile** True if the dump file is valid for the debugger, false otherwise +- **ReportId** WER Report Id associated with this bug check (used for finding the corresponding report archive in Watson). + + +## Windows Hardware Error Architecture events + +### WheaProvider.WheaDriverErrorExternal + +This event is sent when a common platform hardware error is recorded by an external WHEA error source driver. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **creatorId** A GUID that identifies the entity that created the error record. +- **errorFlags** Flags set on the error record. +- **notifyType** A GUID that identifies the notification mechanism by which an error condition is reported to the operating system. +- **partitionId** A GUID that identifies the partition on which the hardware error occurred. +- **platformId** A GUID that identifies the platform on which the hardware error occurred. +- **record** A binary blob containing the full error record. Due to the nature of common platform error records we have no way of fully parsing this blob for any given record. +- **recordId** The identifier of the error record. This identifier is unique only on the system that created the error record. +- **sectionFlags** The flags for each section recorded in the error record. +- **sectionTypes** A GUID that represents the type of sections contained in the error record. +- **severityCount** The severity of each individual section. +- **timeStamp** Error time stamp as recorded in the error record. + + +### WheaProvider.WheaDriverExternalLogginLimitReached + +This event indicates that WHEA has reached the logging limit for critical events from external drivers. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **timeStamp** Time at which the logging limit was reached. + + +### WheaProvider.WheaErrorRecord + +This event collects data about common platform hardware error recorded by the Windows Hardware Error Architecture (WHEA) mechanism. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **creatorId** The unique identifier for the entity that created the error record. +- **errorFlags** Any flags set on the error record. +- **notifyType** The unique identifier for the notification mechanism which reported the error to the operating system. +- **partitionId** The unique identifier for the partition on which the hardware error occurred. +- **platformId** The unique identifier for the platform on which the hardware error occurred. +- **record** A collection of binary data containing the full error record. +- **recordId** The identifier of the error record. +- **sectionFlags** The flags for each section recorded in the error record. +- **sectionTypes** The unique identifier that represents the type of sections contained in the error record. +- **severityCount** The severity of each individual section. +- **timeStamp** The error time stamp as recorded in the error record. + + +## Windows Update CSP events + +### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureFailed + +This event sends basic telemetry on the failure of the Feature Rollback. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **current** Result of currency check. +- **dismOperationSucceeded** Dism uninstall operation status. +- **hResult** Failure error code. +- **oSVersion** Build number of the device. +- **paused** Indicates whether the device is paused. +- **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status. +- **sacDevice** This is the device info. +- **wUfBConnected** Result of WUfB connection check. + + +### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureNotApplicable + +This event sends basic telemetry on whether Feature Rollback (rolling back features updates) is applicable to a device. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **current** Result of currency check. +- **dismOperationSucceeded** Dism uninstall operation status. +- **oSVersion** Build number of the device. +- **paused** Indicates whether the device is paused. +- **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status. +- **sacDevice** Represents the device info. +- **wUfBConnected** Result of WUfB connection check. + + +### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureStarted + +This event sends basic information indicating that Feature Rollback has started. The data collected with this event is used to help keep Windows secure and up to date. + + + +### Microsoft.Windows.UpdateCsp.ExecuteRollBackQualityFailed + +This event sends basic telemetry on the failure of the rollback of the Quality/LCU builds. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **current** Result of currency check. +- **dismOperationSucceeded** Dism uninstall operation status. +- **hResult** Failure Error code. +- **oSVersion** Build number of the device. +- **paused** Indicates whether the device is paused. +- **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status. +- **sacDevice** Release Channel. +- **wUfBConnected** Result of Windows Update for Business connection check. + + +### Microsoft.Windows.UpdateCsp.ExecuteRollBackQualityNotApplicable + +This event informs you whether a rollback of Quality updates is applicable to the devices that you are attempting to rollback. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **current** Result of currency check. +- **dismOperationSucceeded** Dism uninstall operation status. +- **oSVersion** Build number of the device. +- **paused** Indicates whether the device is paused. +- **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status. +- **sacDevice** Device in the semi-annual channel. +- **wUfBConnected** Result of WUfB connection check. + + +### Microsoft.Windows.UpdateCsp.ExecuteRollBackQualityStarted + +This event indicates that the Quality Rollback process has started. The data collected with this event is used to help keep Windows secure and up to date. + + + +## Windows Update Delivery Optimization events + +### Microsoft.OSG.DU.DeliveryOptClient.DownloadCanceled + +This event describes when a download was canceled with Delivery Optimization. It's used to understand and address problems regarding downloads. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **background** Is the download being done in the background? +- **bytesFromCacheServer** Bytes received from a cache host. +- **bytesFromCDN** The number of bytes received from a CDN source. +- **bytesFromGroupPeers** The number of bytes received from a peer in the same group. +- **bytesFromIntPeers** The number of bytes received from peers not in the same LAN or in the same group. +- **bytesFromLedbat** The number of bytes received from a source using an Ledbat enabled connection. +- **bytesFromLinkLocalPeers** The number of bytes received from local peers. +- **bytesFromLocalCache** Bytes copied over from local (on disk) cache. +- **bytesFromPeers** The number of bytes received from a peer in the same LAN. +- **cdnErrorCodes** A list of CDN connection errors since the last FailureCDNCommunication event. +- **cdnErrorCounts** The number of times each error in cdnErrorCodes was encountered. +- **cdnIp** The IP Address of the source CDN (Content Delivery Network). +- **cdnUrl** The URL of the source CDN (Content Delivery Network). +- **dataSourcesTotal** Bytes received per source type, accumulated for the whole session. +- **errorCode** The error code that was returned. +- **experimentId** When running a test, this is used to correlate events that are part of the same test. +- **fileID** The ID of the file being downloaded. +- **isVpn** Is the device connected to a Virtual Private Network? +- **jobID** Identifier for the Windows Update job. +- **predefinedCallerName** The name of the API Caller. +- **reasonCode** Reason the action or event occurred. +- **routeToCacheServer** The cache server setting, source, and value. +- **sessionID** The ID of the file download session. +- **sessionTimeMs** The duration of the download session, spanning multiple jobs, in milliseconds. +- **totalTimeMs** The duration of the download, in milliseconds. +- **updateID** The ID of the update being downloaded. + + +### Microsoft.OSG.DU.DeliveryOptClient.DownloadCompleted + +This event describes when a download has completed with Delivery Optimization. It's used to understand and address problems regarding downloads. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **background** Is the download a background download? +- **bytesFromCacheServer** Bytes received from a cache host. +- **bytesFromCDN** The number of bytes received from a CDN source. +- **bytesFromGroupPeers** The number of bytes received from a peer in the same domain group. +- **bytesFromIntPeers** The number of bytes received from peers not in the same LAN or in the same domain group. +- **bytesFromLedbat** The number of bytes received from source using an Ledbat enabled connection. +- **bytesFromLinkLocalPeers** The number of bytes received from local peers. +- **bytesFromLocalCache** Bytes copied over from local (on disk) cache. +- **bytesFromPeers** The number of bytes received from a peer in the same LAN. +- **bytesRequested** The total number of bytes requested for download. +- **cacheServerConnectionCount** Number of connections made to cache hosts. +- **cdnConnectionCount** The total number of connections made to the CDN. +- **cdnErrorCodes** A list of CDN connection errors since the last FailureCDNCommunication event. +- **cdnErrorCounts** The number of times each error in cdnErrorCodes was encountered. +- **cdnIp** The IP address of the source CDN. +- **cdnUrl** Url of the source Content Distribution Network (CDN). +- **congestionPrevention** Indicates a download may have been suspended to prevent network congestion. +- **dataSourcesTotal** Bytes received per source type, accumulated for the whole session. +- **downlinkBps** The maximum measured available download bandwidth (in bytes per second). +- **downlinkUsageBps** The download speed (in bytes per second). +- **downloadMode** The download mode used for this file download session. +- **downloadModeReason** Reason for the download. +- **downloadModeSrc** Source of the DownloadMode setting. +- **experimentId** When running a test, this is used to correlate with other events that are part of the same test. +- **expiresAt** The time when the content will expire from the Delivery Optimization Cache. +- **fileID** The ID of the file being downloaded. +- **fileSize** The size of the file being downloaded. +- **groupConnectionCount** The total number of connections made to peers in the same group. +- **groupID** A GUID representing a custom group of devices. +- **internetConnectionCount** The total number of connections made to peers not in the same LAN or the same group. +- **isEncrypted** TRUE if the file is encrypted and will be decrypted after download. +- **isThrottled** Event Rate throttled (event represents aggregated data). +- **isVpn** Is the device connected to a Virtual Private Network? +- **jobID** Identifier for the Windows Update job. +- **lanConnectionCount** The total number of connections made to peers in the same LAN. +- **linkLocalConnectionCount** The number of connections made to peers in the same Link-local network. +- **numPeers** The total number of peers used for this download. +- **numPeersLocal** The total number of local peers used for this download. +- **predefinedCallerName** The name of the API Caller. +- **restrictedUpload** Is the upload restricted? +- **routeToCacheServer** The cache server setting, source, and value. +- **sessionID** The ID of the download session. +- **sessionTimeMs** The duration of the session, in milliseconds. +- **totalTimeMs** Duration of the download (in seconds). +- **updateID** The ID of the update being downloaded. +- **uplinkBps** The maximum measured available upload bandwidth (in bytes per second). +- **uplinkUsageBps** The upload speed (in bytes per second). + + +### Microsoft.OSG.DU.DeliveryOptClient.DownloadPaused + +This event represents a temporary suspension of a download with Delivery Optimization. It's used to understand and address problems regarding downloads. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **background** Is the download a background download? +- **cdnUrl** The URL of the source CDN (Content Delivery Network). +- **errorCode** The error code that was returned. +- **experimentId** When running a test, this is used to correlate with other events that are part of the same test. +- **fileID** The ID of the file being paused. +- **isVpn** Is the device connected to a Virtual Private Network? +- **jobID** Identifier for the Windows Update job. +- **predefinedCallerName** The name of the API Caller object. +- **reasonCode** The reason for pausing the download. +- **routeToCacheServer** The cache server setting, source, and value. +- **sessionID** The ID of the download session. +- **sessionTimeMs** The duration of the download session, spanning multiple jobs, in milliseconds. +- **totalTimeMs** The duration of the download, in milliseconds. +- **updateID** The ID of the update being paused. + + +### Microsoft.OSG.DU.DeliveryOptClient.DownloadStarted + +This event sends data describing the start of a new download to enable Delivery Optimization. It's used to understand and address problems regarding downloads. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **background** Indicates whether the download is happening in the background. +- **bytesRequested** Number of bytes requested for the download. +- **cdnUrl** The URL of the source Content Distribution Network (CDN). +- **costFlags** A set of flags representing network cost. +- **deviceProfile** Identifies the usage or form factor (such as Desktop, Xbox, or VM). +- **diceRoll** Random number used for determining if a client will use peering. +- **doClientVersion** The version of the Delivery Optimization client. +- **downloadMode** The download mode used for this file download session (CdnOnly = 0, Lan = 1, Group = 2, Internet = 3, Simple = 99, Bypass = 100). +- **downloadModeReason** Reason for the download. +- **downloadModeSrc** Source of the DownloadMode setting (KvsProvider = 0, GeoProvider = 1, GeoVerProvider = 2, CpProvider = 3, DiscoveryProvider = 4, RegistryProvider = 5, GroupPolicyProvider = 6, MdmProvider = 7, SettingsProvider = 8, InvalidProviderType = 9). +- **errorCode** The error code that was returned. +- **experimentId** ID used to correlate client/services calls that are part of the same test during A/B testing. +- **fileID** The ID of the file being downloaded. +- **filePath** The path to where the downloaded file will be written. +- **fileSize** Total file size of the file that was downloaded. +- **fileSizeCaller** Value for total file size provided by our caller. +- **groupID** ID for the group. +- **isEncrypted** Indicates whether the download is encrypted. +- **isThrottled** Indicates the Event Rate was throttled (event represent aggregated data). +- **isVpn** Indicates whether the device is connected to a Virtual Private Network. +- **jobID** The ID of the Windows Update job. +- **peerID** The ID for this delivery optimization client. +- **predefinedCallerName** Name of the API caller. +- **routeToCacheServer** Cache server setting, source, and value. +- **sessionID** The ID for the file download session. +- **setConfigs** A JSON representation of the configurations that have been set, and their sources. +- **updateID** The ID of the update being downloaded. + + +### Microsoft.OSG.DU.DeliveryOptClient.FailureCdnCommunication + +This event represents a failure to download from a CDN with Delivery Optimization. It's used to understand and address problems regarding downloads. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **cdnHeaders** The HTTP headers returned by the CDN. +- **cdnIp** The IP address of the CDN. +- **cdnUrl** The URL of the CDN. +- **errorCode** The error code that was returned. +- **errorCount** The total number of times this error code was seen since the last FailureCdnCommunication event was encountered. +- **experimentId** When running a test, this is used to correlate with other events that are part of the same test. +- **fileID** The ID of the file being downloaded. +- **httpStatusCode** The HTTP status code returned by the CDN. +- **isHeadRequest** The type of HTTP request that was sent to the CDN. Example: HEAD or GET +- **peerType** The type of peer (LAN, Group, Internet, CDN, Cache Host, etc.). +- **requestOffset** The byte offset within the file in the sent request. +- **requestSize** The size of the range requested from the CDN. +- **responseSize** The size of the range response received from the CDN. +- **sessionID** The ID of the download session. + + +## Windows Update events + +### Microsoft.Windows.Update.DataMigrationFramework.DmfMigrationCompleted + +This event sends data collected at the end of the Data Migration Framework (DMF) and parameters involved in its invocation, to help keep Windows up to date. + +The following fields are available: + +- **CorrelationVectors** The correlation vectors associated with migration. +- **MigrationDurationInMilliseconds** How long the DMF migration took (in milliseconds) +- **MigrationEndTime** A system timestamp of when the DMF migration completed. +- **WuClientId** The GUID of the Windows Update client responsible for triggering the DMF migration + + +### Microsoft.Windows.Update.DataMigrationFramework.DmfMigrationStarted + +This event sends data collected at the beginning of the Data Migration Framework (DMF) and parameters involved in its invocation, to help keep Windows up to date. + +The following fields are available: + +- **CorrelationVectors** CVs associated with each phase. +- **MigrationMicrosoftPhases** The number of Microsoft-authored migrators scheduled to be ran by DMF for this upgrade +- **MigrationOEMPhases** The number of OEM-authored migrators scheduled to be ran by DMF for this upgrade +- **MigrationStartTime** The timestamp representing the beginning of the DMF migration +- **WuClientId** The GUID of the Windows Update client invoking DMF + + +### Microsoft.Windows.Update.DataMigrationFramework.MigratorResult + +This event sends DMF migrator data to help keep Windows up to date. + +The following fields are available: + +- **CurrentStep** This is the last step the migrator reported before returning a result. This tells us how far through the individual migrator the device was before failure. +- **ErrorCode** The result (as an HRESULT) of the migrator that just completed. +- **MigratorId** A GUID identifying the migrator that just completed. +- **MigratorName** The name of the migrator that just completed. +- **RunDurationInSeconds** The time it took for the migrator to complete. +- **TotalSteps** Migrators report progress in number of completed steps against the total steps. This is the total number of steps. + + +### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentAnalysisSummary + +This event collects information regarding the state of devices and drivers on the system following a reboot after the install phase of the new device manifest UUP (Unified Update Platform) update scenario which is used to install a device manifest describing a set of driver packages. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **activated** Whether the entire device manifest update is considered activated and in use. +- **analysisErrorCount** The number of driver packages that could not be analyzed because errors occurred during analysis. +- **flightId** Unique ID for each flight. +- **missingDriverCount** The number of driver packages delivered by the device manifest that are missing from the system. +- **missingUpdateCount** The number of updates in the device manifest that are missing from the system. +- **objectId** Unique value for each diagnostics session. +- **publishedCount** The number of drivers packages delivered by the device manifest that are published and available to be used on devices. +- **relatedCV** Correlation vector value generated from the latest USO scan. +- **scenarioId** Indicates the update scenario. +- **sessionId** Unique value for each update session. +- **summary** A summary string that contains basic information about driver packages that are part of the device manifest and any devices on the system that those driver packages match. +- **summaryAppendError** A Boolean indicating if there was an error appending more information to the summary string. +- **truncatedDeviceCount** The number of devices missing from the summary string because there is not enough room in the string. +- **truncatedDriverCount** The number of driver packages missing from the summary string because there is not enough room in the string. +- **unpublishedCount** How many drivers packages that were delivered by the device manifest that are still unpublished and unavailable to be used on devices. +- **updateId** The unique ID for each update. + + +### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentDownloadRequest + +This event collects information regarding the download request phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **deletedCorruptFiles** Indicates if UpdateAgent found any corrupt payload files and whether the payload was deleted. +- **errorCode** The error code returned for the current session initialization. +- **flightId** The unique identifier for each flight. +- **objectId** Unique value for each Update Agent mode. +- **packageCountOptional** Number of optional packages requested. +- **packageCountRequired** Number of required packages requested. +- **packageCountTotal** Total number of packages needed. +- **packageCountTotalCanonical** Total number of canonical packages. +- **packageCountTotalDiff** Total number of diff packages. +- **packageCountTotalExpress** Total number of express packages. +- **packageSizeCanonical** Size of canonical packages in bytes. +- **packageSizeDiff** Size of diff packages in bytes. +- **packageSizeExpress** Size of express packages in bytes. +- **rangeRequestState** Represents the state of the download range request. +- **relatedCV** Correlation vector value generated from the latest USO scan. +- **result** Result of the download request phase of update. +- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate. +- **sessionId** Unique value for each Update Agent mode attempt. +- **updateId** Unique ID for each update. + + +### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentInitialize + +This event sends data for initializing a new update session for the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **errorCode** The error code returned for the current session initialization. +- **flightId** The unique identifier for each flight. +- **flightMetadata** Contains the FlightId and the build being flighted. +- **objectId** Unique value for each Update Agent mode. +- **relatedCV** Correlation vector value generated from the latest USO scan. +- **result** Result of the initialize phase of the update. 0 = Succeeded, 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled. +- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate. +- **sessionData** Contains instructions to update agent for processing FODs and DUICs (Null for other scenarios). +- **sessionId** Unique value for each Update Agent mode attempt. +- **updateId** Unique ID for each update. + + +### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentInstall + +This event collects information regarding the install phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **errorCode** The error code returned for the current install phase. +- **flightId** The unique identifier for each flight. +- **objectId** The unique identifier for each diagnostics session. +- **relatedCV** Correlation vector value generated from the latest USO scan. +- **result** Outcome of the install phase of the update. +- **scenarioId** The unique identifier for the update scenario. +- **sessionId** The unique identifier for each update session. +- **updateId** The unique identifier for each update. + + +### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentModeStart + +This event sends data for the start of each mode during the process of updating device manifest assets via the UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **flightId** The unique identifier for each flight. +- **mode** The mode that is starting. +- **objectId** The unique value for each diagnostics session. +- **relatedCV** Correlation vector value generated from the latest USO scan. +- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate. +- **sessionId** Unique value for each Update Agent mode attempt. +- **updateId** Unique identifier for each update. + + +### Microsoft.Windows.Update.Orchestrator.Client.BizCriticalStoreAppInstallResult + +This event returns the result after installing a business critical store application. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **AppInstallState** The application installation state. +- **HRESULT** The result code (HResult) of the install. +- **PFN** The package family name of the package being installed. + + +### Microsoft.Windows.Update.Orchestrator.Client.EdgeUpdateResult + +The event returns data on the result of invoking the edge updater. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **ExitCode** The exit code that was returned. +- **HRESULT** The result code (HResult) of the operation. +- **VelocityEnabled** A flag that indicates if velocity is enabled. +- **WorkCompleted** A flag that indicates if work is completed. + + +### Microsoft.Windows.Update.Orchestrator.Client.MACUpdateInstallResult + +This event reports the installation result details of the MACUpdate expedited application. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **Completed** Indicates whether the installation is complete. +- **InstallFailureReason** Indicates the reason an install failed. +- **IsRetriableError** Indications whether the error is retriable. +- **OperationStatus** Returns the operation status result reported by the installation attempt. +- **Succeeded** Indicates whether the installation succeeded. +- **VelocityEnabled** Indicates whether the velocity tag for MACUpdate is enabled. + + +### Microsoft.Windows.Update.Orchestrator.UX.InitiatingReboot + +This event indicates that a restart was initiated in to enable the update process. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **correlationVector.c_str()** Represents the correlation vector. +- **isInteractive** Indicates whether the reboot initiation stage of the update process was entered as a result of user action or not. +- **isOnAC** Indicates whether the device was on AC power when the restart was initiated. +- **isRebootOutsideOfActiveHours** is reboot outside active hours. +- **isRebootScheduledByUser** is reboot scheduled by user. +- **reduceDisruptionFlagSet** Indicates whether the disruptless overnight reboot behavior is enabled. +- **updateIdList** list of Update ID. +- **wokeToRestart** whether the device woke to perform the restart. + + +### Microsoft.Windows.Update.Orchestrator.UX.RebootFailed + +This event indicates that the reboot failed and the update process failed to determine next steps. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **batteryLevel** Battery level percentage. +- **correlationVector.c_str()** correlation vector. +- **error** error for reboot failed. +- **isRebootOutsideOfActiveHours** Indicates the timing that the failed reboot was to occur to ensure the correct update process and experience is provided to keep Windows up to date. +- **updateIdList** List of update ids. + + +### Microsoft.Windows.Update.Orchestrator.Worker.OobeUpdateApproved + +This event signifies an update being approved around the OOBE time period. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **approved** Flag to determine if it is approved or not. +- **provider** The provider related to which the update is approved. +- **publisherIntent** The publisher intent of the Update. +- **update** Additional information about the Update. + + +### Microsoft.Windows.Update.Orchestrator.Worker.UpdateActionCritical + +This event informs the update related action being performed around the OOBE timeframe. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **action** The type of action being performed (Install or download etc.). +- **connectivity** Informs if the device is connected to network while this action is performed. +- **freeDiskSpaceInMB** Amount of free disk space. +- **interactive** Informs if this action is caused due to user interaction. +- **priority** The CPU and IO priority this action is being performed on. +- **provider** The provider that is being invoked to perform this action (WU, Legacy UO Provider etc.). +- **update** Update related metadata including UpdateId. +- **uptimeMinutes** Duration USO for up for in the current boot session. +- **wilActivity** Wil Activity related information. + + +### Microsoft.Windows.Update.WUClient.CheckForUpdatesCanceled + +This event checks for updates canceled on the Windows Update client. The data collected with this event is used to help keep Windows up to date and secure. + +The following fields are available: + +- **ActivityMatchingId** Unique identifier for a single CheckForUpdates session from initialization to completion. +- **AllowCachedResults** Indicates if the scan allowed using cached results. +- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. +- **ClientVersion** Version number of the software distribution client. +- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0. +- **DriverSyncPassPerformed** A flag indicating whether the driver sync is performed in a update scan. +- **EventInstanceID** A globally unique identifier for event instance. +- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough. +- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. +- **IPVersion** Indicates whether download took place on IPv4 or IPv6 (0-Unknown, 1-IPv4, 2-IPv6). +- **IsWUfBDualScanEnabled** Flag indicated is WU-for-Business dual scan is enabled on the device. +- **IsWUfBEnabled** Flag indicated is WU-for-Business is enabled on the device. +- **IsWUfBTargetVersionEnabled** Flag indicated is WU-For-Business target version is enabled on the device. +- **MetadataIntegrityMode** Mode of update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce. +- **NumberOfApplicationsCategoryScanEvaluated** Number of categories (apps) for which an app update scan checked. +- **NumberOfLoop** Number of roundtrips the scan required. +- **NumberOfNewUpdatesFromServiceSync** Number of updates which were seen for the first time in this scan. +- **NumberOfUpdatesEvaluated** Number of updates evaluated by the scan. +- **NumFailedMetadataSignatures** Number of metadata signatures checks which failed for new metadata synced down. +- **Online** Indicates if this was an online scan. +- **ProcessName** Process name of the caller who initiated API calls into the software distribution client. +- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. +- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one. +- **ScanDurationInSeconds** Number of seconds the scan took to complete. +- **ScanEnqueueTime** Number of seconds it took to initialize the scan. +- **ScanProps** This will be a 32-bit integer containing Boolean properties for a given Windows Update scan. The following bits will be used; all remaining bits will be reserved and set to zero. Bit 0 (0x1): IsInteractive -- will be set to 1 if the scan is requested by a user, or to 0 if the scan is requested by Automatic Updates. Bit 1 (0x2): IsSeeker -- will be set to 1 if the Windows Update client's Seeker functionality is enabled. Seeker functionality is enabled on certain interactive scans, and results in the scans returning certain updates that are in the initial stages of release (not yet released for full adoption via Automatic Updates). +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.). +- **ServiceUrl** Environment URL for which a device is configured to scan. +- **StatusCode** Result code of the event (success, cancellation, failure code HResult). +- **SyncType** Describes the type of scan for this event (1-Full Sync, 2-Delta Sync, 3-Full CatScan Sync, 4-Delta CatScan Sync). +- **TotalNumMetadataSignatures** The detected version of the self healing engine that is currently downloading or downloaded. +- **WUDeviceID** The detected version of the self healing engine that is currently downloading or downloaded. + + +### Microsoft.Windows.Update.WUClient.CheckForUpdatesFailed + +This event checks for failed updates on the Windows Update client. The data collected with this event is used to help keep Windows up to date and secure. + +The following fields are available: + +- **ActivityMatchingId** Unique identifier for a single CheckForUpdates session from initialization to completion. +- **AllowCachedResults** Indicates if the scan allowed using cached results. +- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. +- **CapabilityDetectoidGuid** GUID for a hardware applicability detectoid that could not be evaluated. +- **CDNCountryCode** Two letter country abbreviation for the CDN's location. +- **CDNId** ID which defines which CDN the software distribution client downloaded the content from. +- **ClientVersion** Version number of the software distribution client. +- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0. +- **DriverError** The error code hit during a driver scan, or 0 if no error was hit. +- **DriverSyncPassPerformed** A flag indicating whether the driver sync is performed in a update scan. +- **EventInstanceID** A globally unique identifier for event instance. +- **ExtendedMetadataCabUrl** URL for the extended metadata cab. +- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough. +- **FailedUpdateGuids** GUIDs for the updates that failed to be evaluated during the scan. +- **FailedUpdatesCount** Number of updates that failed to be evaluated during the scan. +- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. +- **IntentPFNs** Intended application-set metadata for atomic update scenarios. +- **IPVersion** Indicates whether download took place on IPv4 or IPv6 (0-Unknown, 1-IPv4, 2-IPv6). +- **IsWUfBDualScanEnabled** Flag indicated is WU-for-Business dual scan is enabled on the device. +- **IsWUfBEnabled** Flag indicated is WU-for-Business is enabled on the device. +- **IsWUfBTargetVersionEnabled** Flag indicated is WU-For-Business target version is enabled on the device. +- **MetadataIntegrityMode** Mode of update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce. +- **MSIError** The last error encountered during a scan for updates. +- **NetworkConnectivityDetected** 0 when IPv4 is detected, 1 when IPv6 is detected. +- **NumberOfApplicationsCategoryScanEvaluated** Number of categories (apps) for which an app update scan checked. +- **NumberOfLoop** Number of roundtrips the scan required. +- **NumberOfNewUpdatesFromServiceSync** Number of updates which were seen for the first time in this scan. +- **NumberOfUpdatesEvaluated** Number of updates evaluated by the scan. +- **NumFailedMetadataSignatures** Number of metadata signatures checks which failed for new metadata synced down. +- **Online** Indicates if this was an online scan. +- **ProcessName** Process name of the caller who initiated API calls into the software distribution client. +- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. +- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one. +- **ScanDurationInSeconds** Number of seconds the scan took to complete. +- **ScanEnqueueTime** Number of seconds it took to initialize the scan. +- **ScanProps** This will be a 32-bit integer containing Boolean properties for a given Windows Update scan. The following bits will be used; all remaining bits will be reserved and set to zero. Bit 0 (0x1): IsInteractive -- will be set to 1 if the scan is requested by a user, or to 0 if the scan is requested by Automatic Updates. Bit 1 (0x2): IsSeeker -- will be set to 1 if the Windows Update client's Seeker functionality is enabled. Seeker functionality is enabled on certain interactive scans, and results in the scans returning certain updates that are in the initial stages of release (not yet released for full adoption via Automatic Updates). +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.). +- **ServiceUrl** Environment URL for which a device is configured to scan. +- **StatusCode** Result code of the event (success, cancellation, failure code HResult.). +- **SyncType** Describes the type of scan for this event (1-Full Sync, 2-Delta Sync, 3-Full CatScan Sync, 4-Delta CatScan Sync). +- **TotalNumMetadataSignatures** The detected version of the self healing engine that is currently downloading or downloaded. +- **WUDeviceID** Unique device id controlled by the software distribution client. + + +### Microsoft.Windows.Update.WUClient.CheckForUpdatesRetry + +This event checks for update retries on the Windows Update client. The data collected with this event is used to help keep Windows up to date and secure. + +The following fields are available: + +- **ActivityMatchingId** Unique identifier for a single CheckForUpdates session from initialization to completion. +- **AllowCachedResults** Indicates if the scan allowed using cached results. +- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. +- **ClientVersion** Version number of the software distribution client. +- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0. +- **DriverSyncPassPerformed** The list of identifiers which could be used for uninstalling the drivers when a recovery is required. +- **EventInstanceID** A globally unique identifier for event instance. +- **ExtendedStatusCode** Indicates the purpose of the event - whether because scan started, succeeded, failed, etc. +- **FeatureUpdatePause** Failed Parse actions. +- **IPVersion** Indicates whether download took place on IPv4 or IPv6 (0-Unknown, 1-IPv4, 2-IPv6). +- **IsWUfBDualScanEnabled** Flag indicated is WU-for-Business dual scan is enabled on the device. +- **IsWUfBEnabled** Flag indicated is WU-for-Business is enabled on the device. +- **IsWUfBTargetVersionEnabled** Flag indicated is WU-for-Business targeted version is enabled on the device. +- **MetadataIntegrityMode** Mode of update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce. +- **NumberOfApplicationsCategoryScanEvaluated** Number of categories (apps) for which an app update scan checked. +- **NumberOfLoop** Number of roundtrips the scan required. +- **NumberOfNewUpdatesFromServiceSync** Number of updates which were seen for the first time in this scan. +- **NumberOfUpdatesEvaluated** Number of updates evaluated by the scan. +- **NumFailedMetadataSignatures** Number of metadata signatures checks which failed for new metadata synced down. +- **Online** Indicates if this was an online scan. +- **ProcessName** Process name of the caller who initiated API calls into the software distribution client. +- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. +- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one. +- **ScanDurationInSeconds** Number of seconds the scan took to complete. +- **ScanEnqueueTime** Number of seconds it took to initialize the scan. +- **ScanProps** This will be a 32-bit integer containing Boolean properties for a given Windows Update scan. The following bits will be used; all remaining bits will be reserved and set to zero. Bit 0 (0x1): IsInteractive -- will be set to 1 if the scan is requested by a user, or to 0 if the scan is requested by Automatic Updates. Bit 1 (0x2): IsSeeker -- will be set to 1 if the Windows Update client's Seeker functionality is enabled. Seeker functionality is enabled on certain interactive scans, and results in the scans returning certain updates that are in the initial stages of release (not yet released for full adoption via Automatic Updates). +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.). +- **ServiceUrl** Environment URL for which a device is configured to scan. +- **StatusCode** Result code of the event (success, cancellation, failure code HResult). +- **SyncType** Describes the type of scan for this event (1-Full Sync, 2-Delta Sync, 3-Full CatScan Sync, 4-Delta CatScan Sync). +- **TotalNumMetadataSignatures** Total number of metadata signatures checks done for new metadata synced down. +- **WUDeviceID** Unique device id controlled by the software distribution client. + + +### Microsoft.Windows.Update.WUClient.CheckForUpdatesScanInitFailed + +This event checks for failed update initializations on the Windows Update client. The data collected with this event is used to help keep Windows up to date and secure. + +The following fields are available: + +- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.). +- **StatusCode** Result code of the event (success, cancellation, failure code HResult). +- **WUDeviceID** Unique device id controlled by the software distribution client. + + +### Microsoft.Windows.Update.WUClient.CheckForUpdatesServiceRegistrationFailed + +This event checks for updates for failed service registrations the Windows Update client. The data collected with this event is used to help keep Windows up to date and secure. + +The following fields are available: + +- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. +- **Context** Context of failure. +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.). +- **StatusCode** Result code of the event (success, cancellation, failure code HResult). +- **WUDeviceID** Unique device id controlled by the software distribution client. + + +### Microsoft.Windows.Update.WUClient.CheckForUpdatesStarted + +This event checks for updates started on the Windows Update client. The data collected with this event is used to help keep Windows up to date and secure. + +The following fields are available: + +- **ActivityMatchingId** Unique identifier for a single CheckForUpdates session from initialization to completion. +- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. +- **ClientVersion** Version number of the software distribution client. +- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0. +- **EventInstanceID** A globally unique identifier for event instance. +- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. +- **IsWUfBDualScanEnabled** Flag indicated is WU-for-Business dual scan is enabled on the device. +- **IsWUfBEnabled** Flag indicated is WU-for-Business is enabled on the device. +- **IsWUfBFederatedScanDisabled** Flag indicated is WU-for-Business FederatedScan is disabled on the device. +- **IsWUfBTargetVersionEnabled** Flag indicated is WU-for-Business targeted version is enabled on the device. +- **ProcessName** Process name of the caller who initiated API calls into the software distribution client. +- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. +- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one. +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.). +- **WUDeviceID** Unique device id controlled by the software distribution client. + + +### Microsoft.Windows.Update.WUClient.CheckForUpdatesSucceeded + +This event checks for successful updates on the Windows Update client. The data collected with this event is used to help keep Windows up to date and secure. + +The following fields are available: + +- **ActivityMatchingId** Unique identifier for a single CheckForUpdates session from initialization to completion. +- **AllowCachedResults** Indicates if the scan allowed using cached results. +- **ApplicableUpdateInfo** Metadata for the updates which were detected as applicable. +- **BranchReadinessLevel** Servicing branch train configured on the device (CB, CBB, none). +- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. +- **ClientVersion** Version number of the software distribution client. +- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0. +- **DeferralPolicySources** Sources for any update deferral policies defined (GPO = 0x10, MDM = 0x100, Flight = 0x1000, UX = 0x10000). +- **DeferredUpdates** UpdateIds which are currently being deferred until a later time. +- **DriverExclusionPolicy** Indicates if policy for not including drivers with WU updates is enabled. +- **DriverSyncPassPerformed** A flag indicating whether the driver sync is performed in a update scan. +- **EventInstanceID** A globally unique identifier for event instance. +- **ExcludedUpdateClasses** Update classifications being excluded via policy. +- **ExcludedUpdates** UpdateIds which are currently being excluded via policy. +- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough. +- **FeatureUpdateDeferral** Deferral period configured for feature OS updates on the device, in days. +- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. +- **FeatureUpdatePausePeriod** Pause duration configured for feature OS updates on the device, in days. +- **IntentPFNs** Intended application-set metadata for atomic update scenarios. +- **IPVersion** Indicates whether download took place on IPv4 or IPv6 (0-Unknown, 1-IPv4, 2-IPv6). +- **IsWUfBDualScanEnabled** Flag indicated is WU-for-Business dual scan is enabled on the device. +- **IsWUfBEnabled** Flag indicated is WU-for-Business is enabled on the device. +- **IsWUfBTargetVersionEnabled** Flag indicated is WU-for-Business targeted version is enabled on the device. +- **MetadataIntegrityMode** Mode of update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce. +- **NumberOfApplicableUpdates** Number of updates which were ultimately deemed applicable to the system after detection process is complete. +- **NumberOfApplicationsCategoryScanEvaluated** Number of categories (apps) for which an app update scan checked. +- **NumberOfLoop** Number of roundtrips the scan required. +- **NumberOfNewUpdatesFromServiceSync** Number of updates which were seen for the first time in this scan. +- **NumberOfUpdatesEvaluated** Number of updates evaluated by the scan. +- **NumFailedMetadataSignatures** Number of metadata signatures checks which failed for new metadata synced down. +- **Online** Indicates if this was an online scan. +- **PausedUpdates** UpdateIds which are currently being paused. +- **PauseFeatureUpdatesEndTime** If feature OS updates are paused on the device, datetime for the end of the pause time window. +- **PauseFeatureUpdatesStartTime** If feature OS updates are paused on the device, datetime for the beginning of the pause time window. +- **PauseQualityUpdatesEndTime** If quality OS updates are paused on the device, datetime for the end of the pause time window. +- **PauseQualityUpdatesStartTime** If quality OS updates are paused on the device, datetime for the beginning of the pause time window. +- **ProcessName** Process name of the caller who initiated API calls into the software distribution client. +- **QualityUpdateDeferral** Deferral period configured for quality OS updates on the device, in days. +- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. +- **QualityUpdatePausePeriod** Pause duration configured for quality OS updates on the device, in days. +- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one. +- **ScanDurationInSeconds** Number of seconds the scan took to complete. +- **ScanEnqueueTime** Number of seconds it took to initialize the scan. +- **ScanProps** This will be a 32-bit integer containing Boolean properties for a given Windows Update scan. The following bits will be used; all remaining bits will be reserved and set to zero. Bit 0 (0x1): IsInteractive -- will be set to 1 if the scan is requested by a user, or to 0 if the scan is requested by Automatic Updates. Bit 1 (0x2): IsSeeker -- will be set to 1 if the Windows Update client's Seeker functionality is enabled. Seeker functionality is enabled on certain interactive scans, and results in the scans returning certain updates that are in the initial stages of release (not yet released for full adoption via Automatic Updates). +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.). +- **ServiceUrl** Environment URL for which a device is configured to scan. +- **StatusCode** Result code of the event (success, cancellation, failure code HResult). +- **SyncType** Describes the type of scan for this event (1-Full Sync, 2-Delta Sync, 3-Full CatScan Sync, 4-Delta CatScan Sync). +- **TargetReleaseVersion** For drivers targeted to a specific device model, this is the version release of the drivers being distributed to the device. +- **TotalNumMetadataSignatures** Total number of metadata signatures checks done for new metadata synced down. +- **WebServiceRetryMethods** Web service method requests that needed to be retried to complete the operation. +- **WUDeviceID** Unique device id controlled by the software distribution client. + + +### Microsoft.Windows.Update.WUClient.CommitFailed + +This event checks for failed commits on the Windows Update client. The data collected with this event is used to help keep Windows up to date and secure. + +The following fields are available: + +- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. +- **BundleRevisionNumber** Identifies the revision number of the content bundle. +- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. +- **ClassificationId** Classification identifier of the update content. +- **DeploymentMutexId** Mutex identifier of the deployment operation. +- **DeploymentProviderHostModule** Name of the module which is hosting the Update Deployment Provider for deployment operation. +- **DeploymentProviderMode** Mode of operation of the Update Deployment Provider. +- **EventType** Indicates the purpose of the event - whether because scan started, succeeded, failed, etc. +- **ExtendedStatusCode** Possible values are "Child", "Bundle", "Release" or "Driver". +- **FlightId** Secondary status code for certain scenarios where StatusCode was not specific enough. +- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.). +- **RevisionNumber** Identifies the revision number of this specific piece of content. +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.). +- **StatusCode** Result code of the event (success, cancellation, failure code HResult). +- **UpdateId** Identifier associated with the specific piece of content. + + +### Microsoft.Windows.Update.WUClient.CommitStarted + +This event tracks the commit started event on the Windows Update client. The data collected with this event is used to help keep Windows up to date and secure. + +The following fields are available: + +- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. +- **BundleRevisionNumber** Identifies the revision number of the content bundle. +- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. +- **ClassificationId** Classification identifier of the update content. +- **DeploymentMutexId** Mutex identifier of the deployment operation. +- **DeploymentProviderHostModule** Name of the module which is hosting the Update Deployment Provider for deployment operation. +- **DeploymentProviderMode** Mode of operation of the Update Deployment Provider. +- **EventType** Possible values are "Child", "Bundle", "Release" or "Driver". +- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough. +- **FlightId** The specific id of the flight the device is getting. +- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.). +- **RevisionNumber** Identifies the revision number of this specific piece of content. +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.). +- **StatusCode** Result code of the event (success, cancellation, failure code HResult). +- **UpdateId** Identifier associated with the specific piece of content. + + +### Microsoft.Windows.Update.WUClient.CommitSucceeded + +This event is used to track the commit succeeded process, after the update installation, when the software update client is trying to update the device. The data collected with this event is used to help keep Windows up to date and secure. + +The following fields are available: + +- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. +- **BundleRevisionNumber** Identifies the revision number of the content bundle. +- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. +- **ClassificationId** Classification identifier of the update content. +- **DeploymentMutexId** Mutex identifier of the deployment operation. +- **DeploymentProviderHostModule** Name of the module which is hosting the Update Deployment Provider for deployment operation. +- **DeploymentProviderMode** Mode of operation of the Update Deployment Provider. +- **EventType** Indicates the purpose of the event - whether scan started, succeeded, failed, etc. +- **ExtendedStatusCode** Possible values are "Child", "Bundle", "Release" or "Driver". +- **FlightId** Secondary status code for certain scenarios where StatusCode was not specific enough. +- **HandlerType** The specific id of the flight the device is getting. +- **RevisionNumber** Indicates the kind of content (app, driver, windows patch, etc.). +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.). +- **StatusCode** Result code of the event (success, cancellation, failure code HResult). +- **UpdateId** Identifier associated with the specific piece of content. + + +### Microsoft.Windows.Update.WUClient.DownloadCanceled + +This event tracks the download canceled event when the update client is trying to update the device. The data collected with this event is used to help keep Windows up to date and secure. + +The following fields are available: + +- **ActiveDownloadTime** Identifies the active total transferring time in seconds. +- **AppXBlockHashFailures** Number of block hash failures. +- **AppXScope** Indicates the scope of the app download. The values can be one of the following: "RequiredContentOnly" - Only the content required to launch the app is being downloaded "AutomaticContentOnly" - Only the optional [automatic] content for the app, i.e. the ones that can downloaded after the app has been launched, is being downloaded "AllContent" - All content for the app, including the optional [automatic] content, is being downloaded. +- **BundleBytesDownloaded** Number of bytes downloaded for bundle. +- **BundleId** Name of application making the Windows Update request. Used to identify context of request. +- **BundleRepeatFailCount** Identifies the number of repeated download failures. +- **BundleRevisionNumber** Identifies the revision number of the content bundle. +- **BytesDownloaded** Identifies the number of bytes downloaded. +- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. +- **CancelReason** Reason why download is canceled. +- **CbsMethod** Identifies the CBS SelfContained method. +- **CDNCountryCode** CDN country identifier. +- **CDNId** CDN Identifier. +- **ClientVersion** Version number of the software distribution client. +- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0. +- **ConnectTime** Identifies the total connection time in milliseconds. +- **DownloadPriority** Indicates the priority of the download activity. +- **DownloadProps** Indicates a bitmask for download operations indicating 1. If an update was downloaded to a system volume (least significant bit i.e. bit 0) 2. If the update was from a channel other than the installed channel (bit 1) 3. If the update was for a product pinned by policy (bit 2) 4. If the deployment action for the update is uninstall (bit 3). +- **DownloadStartTime** Identifies the download start time. +- **EventInstanceID** A globally unique identifier for event instance. +- **EventType** Possible values are "Child", "Bundle", "Release" or "Driver". +- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough. +- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. +- **FlightBuildNumber** Indicates the build number of that flight. +- **FlightId** The specific id of the flight the device is getting. +- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device. +- **HostName** Identifies the hostname. +- **IPVersion** Identifies the IP Connection Type version. +- **IsWUfBDualScanEnabled** Flag indicated is WU-for-Business dual scan is enabled on the device. +- **IsWUfBEnabled** Flag indicated is WU-for-Business is enabled on the device. +- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device. +- **NetworkCost** Identifies the network cost. +- **NetworkRestrictionStatus** When download is done, identifies whether network switch happened to restricted. +- **PackageFullName** Package name of the content. +- **PostDnldTime** Identifies the delay after last job in seconds. +- **ProcessName** Process name of the caller who initiated API calls into the software distribution client. +- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. +- **RegulationResult** The result code (HResult) of the last attempt to contact the regulation web service for download regulation of update content. +- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one. +- **RepeatFailCount** Identifies repeated download failure count. +- **RevisionNumber** Identifies the revision number of this specific piece of content. +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.). +- **SizeCalcTime** Identifies time taken for payload size calculation. +- **StatusCode** Result code of the event (success, cancellation, failure code HResult). +- **TotalExpectedBytes** Identifies the total expected download bytes. +- **UpdateId** Identifier associated with the specific piece of content. +- **UpdateImportance** Indicates the importance of a driver, and why it received that importance level (0-Unknown, 1-Optional, 2-Important-DNF, 3-Important-Generic, 4-Important-Other, 5-Recommended). +- **UsedDO** Identifies if used DO. +- **WUDeviceID** Unique device id controlled by the software distribution client. + + +### Microsoft.Windows.Update.WUClient.DownloadFailed + +This event tracks the download failed event when the update client is trying to update the device. The data collected with this event is used to help keep Windows up to date and secure. + +The following fields are available: + +- **ActiveDownloadTime** Identifies the active total transferring time in seconds. +- **AppXBlockHashFailures** Number of block hash failures. +- **AppXScope** Identifies streaming app phase. +- **BundleBytesDownloaded** Number of bytes downloaded for bundle. +- **BundleId** Name of application making the Windows Update request. Used to identify context of request. +- **BundleRepeatFailCount** Identifies the number of repeated download failures. +- **BundleRevisionNumber** Identifies the revision number of the content bundle. +- **BytesDownloaded** Identifies the number of bytes downloaded. +- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. +- **CbsMethod** Identifies the CBS SelfContained method. +- **CDNCountryCode** Identifies the source CDN country code. +- **CDNId** CDN Identifier. +- **ClientVersion** Version number of the software distribution client. +- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0. +- **ConnectTime** Identifies the total connection time in milliseconds. +- **DownloadPriority** Indicates the priority of the download activity. +- **DownloadProps** Indicates a bitmask for download operations indicating 1. If an update was downloaded to a system volume (least significant bit i.e. bit 0) 2. If the update was from a channel other than the installed channel (bit 1) 3. If the update was for a product pinned by policy (bit 2) 4. If the deployment action for the update is uninstall (bit 3). +- **DownloadStartTime** Identifies the download start time. +- **EventInstanceID** A globally unique identifier for event instance. +- **EventType** Possible values are "Child", "Bundle", "Release" or "Driver". +- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough. +- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. +- **FlightBuildNumber** Indicates the build number of that flight. +- **FlightId** The specific id of the flight the device is getting. +- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device. +- **HostName** Identifies the hostname. +- **IPVersion** Identifies the IP Connection Type version. +- **IsWUfBDualScanEnabled** Flag indicated is WU-for-Business dual scan is enabled on the device. +- **IsWUfBEnabled** Flag indicated is WU-for-Business is enabled on the device. +- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device. +- **NetworkCost** Identifies the network cost. +- **NetworkRestrictionStatus** When download is done, identifies whether network switch happened to restricted. +- **PackageFullName** The package name of the content. +- **PostDnldTime** Identifies the delay after last job in seconds. +- **ProcessName** Process name of the caller who initiated API calls into the software distribution client. +- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. +- **RegulationResult** The result code (HResult) of the last attempt to contact the regulation web service for download regulation of update content. +- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one. +- **RepeatFailCount** Identifies repeated download failure count. +- **RevisionNumber** Identifies the revision number of this specific piece of content. +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.). +- **SizeCalcTime** Identifies time taken for payload size calculation. +- **StatusCode** Result code of the event (success, cancellation, failure code HResult). +- **TotalExpectedBytes** Identifies the total expected download bytes. +- **UpdateId** Identifier associated with the specific piece of content. +- **UpdateImportance** Indicates the importance of a driver, and why it received that importance level (0-Unknown, 1-Optional, 2-Important-DNF, 3-Important-Generic, 4-Important-Other, 5-Recommended). +- **UsedDO** Identifies if used DO. +- **WUDeviceID** Unique device id controlled by the software distribution client. + + +### Microsoft.Windows.Update.WUClient.DownloadQueued + +This event tracks the download queued event when the update client is trying to update the device. The data collected with this event is used to help keep Windows up to date and secure. + +The following fields are available: + +- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. +- **BundleRevisionNumber** Identifies the revision number of the content bundle. +- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. +- **ClientVersion** Version number of the software distribution client. +- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0. +- **DownloadPriority** Indicates the priority of the download activity. +- **DownloadProps** Indicates a bitmask for download operations indicating 1. If an update was downloaded to a system volume (least significant bit i.e. bit 0) 2. If the update was from a channel other than the installed channel (bit 1) 3. If the update was for a product pinned by policy (bit 2) 4. If the deployment action for the update is uninstall (bit 3). +- **EventInstanceID** A globally unique identifier for event instance. +- **EventType** Possible values are "Child", "Bundle", "Release" or "Driver". +- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. +- **FlightBuildNumber** Indicates the build number of that flight. +- **FlightId** The specific id of the flight the device is getting. +- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device. +- **IsWUfBDualScanEnabled** Flag indicated is WU-for-Business dual scan is enabled on the device. +- **IsWUfBEnabled** Flag indicated is WU-for-Business is enabled on the device. +- **IsWUfBTargetVersionEnabled** Flag indicated is WU-for-Business targeted version is enabled on the device. +- **PackageFullName** The package name of the content. +- **ProcessName** Process name of the caller who initiated API calls into the software distribution client. +- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. +- **Reason** Regulation reason of why queued. +- **RegulationResult** The result code (HResult) of the last attempt to contact the regulation web service for download regulation of update content. +- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one. +- **RevisionNumber** Identifies the revision number of this specific piece of content. +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.). +- **UpdateId** Identifier associated with the specific piece of content. +- **UpdateImportance** Indicates the importance of a driver, and why it received that importance level (0-Unknown, 1-Optional, 2-Important-DNF, 3-Important-Generic, 4-Important-Other, 5-Recommended). +- **WUDeviceID** Unique device id controlled by the software distribution client. + + +### Microsoft.Windows.Update.WUClient.DownloadStarted + +This event tracks the download started event when the update client is trying to update the device. The data collected with this event is used to help keep Windows up to date and secure. + +The following fields are available: + +- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. +- **BundleRevisionNumber** Identifies the revision number of the content bundle. +- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. +- **ClientVersion** Version number of the software distribution client. +- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0. +- **DownloadPriority** Indicates the priority of the download activity. +- **DownloadProps** Indicates a bitmask for download operations indicating 1. If an update was downloaded to a system volume (least significant bit i.e. bit 0) 2. If the update was from a channel other than the installed channel (bit 1) 3. If the update was for a product pinned by policy (bit 2) 4. If the deployment action for the update is uninstall (bit 3). +- **EventInstanceID** A globally unique identifier for event instance. +- **EventType** Possible values are "Child", "Bundle", "Release" or "Driver". +- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. +- **FlightBuildNumber** Indicates the build number of that flight. +- **FlightId** The specific id of the flight the device is getting. +- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device. +- **IsWUfBDualScanEnabled** Flag indicated is WU-for-Business dual scan is enabled on the device. +- **IsWUfBEnabled** Flag indicated is WU-for-Business is enabled on the device. +- **IsWUfBTargetVersionEnabled** Flag indicated is WU-for-Business targeted version is enabled on the device. +- **PackageFullName** The package name of the content. +- **ProcessName** Process name of the caller who initiated API calls into the software distribution client. +- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. +- **RegulationResult** The result code (HResult) of the last attempt to contact the regulation web service for download regulation of update content. +- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one. +- **RevisionNumber** Identifies the revision number of this specific piece of content. +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.). +- **UpdateId** Identifier associated with the specific piece of content. +- **UpdateImportance** Indicates the importance of a driver, and why it received that importance level (0-Unknown, 1-Optional, 2-Important-DNF, 3-Important-Generic, 4-Important-Other, 5-Recommended). +- **WUDeviceID** Unique device id controlled by the software distribution client. + + +### Microsoft.Windows.Update.WUClient.DownloadSucceeded + +This event tracks the successful download event when the update client is trying to update the device. The data collected with this event is used to help keep Windows up to date and secure. + +The following fields are available: + +- **ActiveDownloadTime** How long the download took, in seconds, excluding time where the update wasn’t actively being downloaded. +- **AppXBlockHashFailures** Indicates the number of blocks that failed hash validation during download of the app payload. +- **AppXScope** Indicates the scope of the app download. The values can be one of the following: "RequiredContentOnly" - Only the content required to launch the app is being downloaded "AutomaticContentOnly" - Only the optional [automatic] content for the app, i.e. the ones that can downloaded after the app has been launched, is being downloaded "AllContent" - All content for the app, including the optional [automatic] content, is being downloaded. +- **BundleBytesDownloaded** Indicates the bytes downloaded for bundle. +- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. +- **BundleRepeatFailCount** Identifies the number of repeated download failures. +- **BundleRevisionNumber** Identifies the revision number of the content bundle. +- **BytesDownloaded** How many bytes were downloaded for an individual piece of content (not the entire bundle). +- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. +- **CbsMethod** The method used for downloading the update content related to the Component Based Servicing (CBS) technology. This value can be one of the following: 1. Express download method was used for download. 2. SelfContained download method was used for download indicating the update had no express content. 3. SelfContained download method was used indicating that the update has an express payload, but the server is not hosting it. 4. SelfContained download method was used indicating that range requests are not supported. 5. SelfContained download method was used indicating that the system does not support express download (dpx.dll is not present). 6. SelfContained download method was used indicating that self-contained download method was selected previously. 7. SelfContained download method was used indicating a fall back to self-contained if the number of requests made by DPX exceeds a certain threshold. +- **CDNCountryCode** Two letter country abbreviation for the CDN's location. +- **CDNId** ID which defines which CDN the software distribution client downloaded the content from. +- **ClientVersion** Version number of the software distribution client. +- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0. +- **ConnectTime** Indicates the cumulative sum (in seconds) of how long it took to establish the connection for all updates in an update bundle. +- **DownloadPriority** Indicates the priority of the download activity. +- **DownloadProps** Indicates a bitmask for download operations indicating 1. If an update was downloaded to a system volume (least significant bit i.e. bit 0) 2. If the update was from a channel other than the installed channel (bit 1) 3. If the update was for a product pinned by policy (bit 2) 4. If the deployment action for the update is uninstall (bit 3). +- **DownloadStartTime** Start time in FILETIME for the download. +- **EventInstanceID** A globally unique identifier for event instance. +- **EventType** Possible values are "Child", "Bundle", "Release" or "Driver". +- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough. +- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. +- **FlightBuildNumber** Indicates the build number of that flight. +- **FlightId** The specific id of the flight the device is getting. +- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device. +- **HostName** The hostname URL the content is downloading from. +- **IPVersion** Indicates whether download took place on IPv4 or IPv6 (0-Unknown, 1-IPv4, 2-IPv6) +- **IsWUfBDualScanEnabled** Flag indicated is WU-for-Business dual scan is enabled on the device. +- **IsWUfBEnabled** Flag indicated is WU-for-Business is enabled on the device. +- **IsWUfBTargetVersionEnabled** Flag indicated is WU-for-Business targeted version is enabled on the device. +- **NetworkCost** A flag indicating the cost of the network being used for downloading the update content. That could be one of the following values0x0 : Unkown0x1 : Network cost is unrestricted0x2 : Network cost is fixed0x4 : Network cost is variable0x10000 : Network cost over data limit0x20000 : Network cost congested0x40000 : Network cost roaming0x80000 : Network cost approaching data limit. +- **NetworkRestrictionStatus** More general version of NetworkCostBitMask, specifying whether Windows considered the current network to be “metered”. +- **PackageFullName** The package name of the content. +- **PostDnldTime** Time taken, in seconds, to signal download completion after the last job has completed downloading payload. +- **ProcessName** Process name of the caller who initiated API calls into the software distribution client. +- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. +- **RegulationResult** The result code (HResult) of the last attempt to contact the regulation web service for download regulation of update content. +- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one. +- **RepeatFailCount** Indicates whether this specific piece of content had previously failed. +- **RevisionNumber** Identifies the revision number of this specific piece of content. +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.). +- **SizeCalcTime** Time taken, in seconds, to calculate the total download size of the payload. +- **StatusCode** Result code of the event (success, cancellation, failure code HResult). +- **TotalExpectedBytes** Total count of bytes that the download is expected (total size of the download.). +- **UpdateId** Identifier associated with the specific piece of content. +- **UpdateImportance** Indicates the importance of a driver, and why it received that importance level (0-Unknown, 1-Optional, 2-Important-DNF, 3-Important-Generic, 4-Important-Other, 5-Recommended). +- **UsedDO** Indicates whether the download used the delivery optimization service. +- **WUDeviceID** Unique device id controlled by the software distribution client. + + +### Microsoft.Windows.Update.WUClient.DownloadSwitchingToBITS + +This event tracks the download switching to BITS event when the update client is trying to update the device. The data collected with this event is used to help keep Windows up to date and secure. + +The following fields are available: + +- **BundleId** Name of application making the Windows Update request. Used to identify context of request. +- **BundleRevisionNumber** Identifies the number of repeated download failures. +- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. +- **ClientVersion** Version number of the software distribution client. +- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0. +- **DownloadPriority** Indicates the priority of the download activity. +- **DownloadProps** Indicates a bitmask for download operations indicating 1. If an update was downloaded to a system volume (least significant bit i.e. bit 0) 2. If the update was from a channel other than the installed channel (bit 1) 3. If the update was for a product pinned by policy (bit 2) 4. If the deployment action for the update is uninstall (bit 3). +- **EventInstanceID** A globally unique identifier for event instance. +- **EventType** Possible values are "Child", "Bundle", "Release" or "Driver". +- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough. +- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. +- **FlightBuildNumber** Indicates the build number of that flight. +- **FlightId** The specific id of the flight the device is getting. +- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device. +- **IsWUfBDualScanEnabled** Flag indicated is WU-for-Business dual scan is enabled on the device. +- **IsWUfBEnabled** Flag indicated is WU-for-Business is enabled on the device. +- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device. +- **PackageFullName** The package name of the content. +- **ProcessName** Process name of the caller who initiated API calls into the software distribution client. +- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. +- **RegulationResult** The result code (HResult) of the last attempt to contact the regulation web service for download regulation of update content. +- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one. +- **RevisionNumber** Identifies the revision number of this specific piece of content. +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.). +- **StatusCode** Result code of the event (success, cancellation, failure code HResult). +- **UpdateId** Identifier associated with the specific piece of content. +- **UpdateImportance** Indicates the importance of a driver, and why it received that importance level (0-Unknown, 1-Optional, 2-Important-DNF, 3-Important-Generic, 4-Important-Other, 5-Recommended). +- **WUDeviceID** Unique device id controlled by the software distribution client. + + +### Microsoft.Windows.Update.WUClient.InstallCanceled + +This event tracks the install canceled event when the update client is trying to update the device. The data collected with this event is used to help keep Windows up to date and secure. + +The following fields are available: + +- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. +- **BundleRepeatFailCount** Indicates whether this particular update bundle had previously failed. +- **BundleRevisionNumber** Identifies the revision number of the content bundle. +- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. +- **ClassificationId** Classification identifier of the update content. +- **ClientVersion** Version number of the software distribution client. +- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0. +- **CSIErrorType** Stage of CBS installation where it failed. +- **DeploymentMutexId** Mutex identifier of the deployment operation. +- **DeploymentProviderHostModule** Name of the module which is hosting the Update Deployment Provider for deployment operation. +- **DeploymentProviderMode** Name of the module which is hosting the Update Deployment Provider for deployment operation. +- **DriverPingBack** Contains information about the previous driver and system state. +- **DriverRecoveryIds** The list of identifiers which could be used for uninstalling the drivers when a recovery is required. +- **EventInstanceID** A globally unique identifier for event instance. +- **EventType** Possible values are "Child", "Bundle", "Release" or "Driver". +- **ExtendedErrorCode** The extended error code. +- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough. +- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. +- **FlightBuildNumber** Indicates the build number of that flight. +- **FlightId** The specific id of the flight the device is getting. +- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.). +- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device. +- **InstallProps** A bitmask for future flags associated with the install operation. There is no value being reported in this field right now. Expected value for this field is 0. +- **IntentPFNs** Intended application-set metadata for atomic update scenarios. +- **IsFinalOutcomeEvent** Indicates if this event signal the end of the update/upgrade process. +- **IsFirmware** Indicates whether an update was a firmware update. +- **IsSuccessFailurePostReboot** Indicates whether an initial success was then a failure after a reboot. +- **IsWUfBDualScanEnabled** Flag indicated is WU-for-Business dual scan is enabled on the device. +- **IsWUfBEnabled** Flag indicated is WU-for-Business is enabled on the device. +- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device. +- **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install. +- **MsiAction** Stage of MSI installation where it failed. +- **MsiProductCode** Unique identifier of the MSI installer. +- **PackageFullName** The package name of the content. +- **ProcessName** Process name of the caller who initiated API calls into the software distribution client. +- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. +- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one. +- **RepeatFailCount** Indicates whether this specific piece of content had previously failed. +- **RevisionNumber** Identifies the revision number of this specific piece of content. +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.). +- **StatusCode** Result code of the event (success, cancellation, failure code HResult). +- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. +- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. +- **TransactionCode** ID which represents a given MSI installation. +- **UpdateId** Identifier associated with the specific piece of content. +- **UpdateImportance** Indicates the importance of a driver, and why it received that importance level (0-Unknown, 1-Optional, 2-Important-DNF, 3-Important-Generic, 4-Important-Other, 5-Recommended). +- **UsedSystemVolume** Indicates whether the device’s main system storage drive or an alternate storage drive was used. +- **WUDeviceID** Unique device id controlled by the software distribution client. + + +### Microsoft.Windows.Update.WUClient.InstallFailed + +This event tracks the install failed event when the update client is trying to update the device. The data collected with this event is used to help keep Windows up to date and secure. + +The following fields are available: + +- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. +- **BundleRepeatFailCount** Indicates whether this particular update bundle had previously failed. +- **BundleRevisionNumber** Identifies the revision number of the content bundle. +- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. +- **ClassificationId** Classification identifier of the update content. +- **ClientVersion** Version number of the software distribution client. +- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0. +- **CSIErrorType** Stage of CBS installation where it failed. +- **DeploymentMutexId** Mutex identifier of the deployment operation. +- **DeploymentProviderHostModule** Name of the module which is hosting the Update Deployment Provider for deployment operation. +- **DeploymentProviderMode** Mode of operation of the Update Deployment Provider. +- **DriverPingBack** Contains information about the previous driver and system state. +- **DriverRecoveryIds** The list of identifiers which could be used for uninstalling the drivers when a recovery is required. +- **EventInstanceID** A globally unique identifier for event instance. +- **EventType** Possible values are "Child", "Bundle", "Release" or "Driver". +- **ExtendedErrorCode** The extended error code. +- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough. +- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. +- **FlightBuildNumber** Indicates the build number of that flight. +- **FlightId** The specific id of the flight the device is getting. +- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.). +- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device. +- **InstallProps** A bitmask for future flags associated with the install operation. There is no value being reported in this field right now. Expected value for this field is 0. +- **IntentPFNs** Intended application-set metadata for atomic update scenarios. +- **IsFinalOutcomeEvent** Indicates if this event signal the end of the update/upgrade process. +- **IsFirmware** Indicates whether an update was a firmware update. +- **IsSuccessFailurePostReboot** Indicates whether an initial success was then a failure after a reboot. +- **IsWUfBDualScanEnabled** Flag indicated is WU-for-Business dual scan is enabled on the device. +- **IsWUfBEnabled** Flag indicated is WU-for-Business is enabled on the device. +- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device. +- **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install. +- **MsiAction** Stage of MSI installation where it failed. +- **MsiProductCode** Unique identifier of the MSI installer. +- **PackageFullName** The package name of the content. +- **ProcessName** Process name of the caller who initiated API calls into the software distribution client. +- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. +- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one. +- **RepeatFailCount** Indicates whether this specific piece of content had previously failed. +- **RevisionNumber** Identifies the revision number of this specific piece of content. +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.). +- **StatusCode** Result code of the event (success, cancellation, failure code HResult). +- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. +- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. +- **TransactionCode** ID which represents a given MSI installation. +- **UpdateId** Identifier associated with the specific piece of content. +- **UpdateImportance** Indicates the importance of a driver, and why it received that importance level (0-Unknown, 1-Optional, 2-Important-DNF, 3-Important-Generic, 4-Important-Other, 5-Recommended). +- **UsedSystemVolume** Indicates whether the device’s main system storage drive or an alternate storage drive was used. +- **WUDeviceID** Unique device id controlled by the software distribution client. + + +### Microsoft.Windows.Update.WUClient.InstallRebootPending + +This event tracks the install reboot pending event when the update client is trying to update the device. The data collected with this event is used to help keep Windows up to date and secure. + +The following fields are available: + +- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. +- **BundleRepeatFailCount** Indicates whether this particular update bundle had previously failed. +- **BundleRevisionNumber** Identifies the revision number of the content bundle. +- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. +- **ClassificationId** Classification identifier of the update content. +- **ClientVersion** Version number of the software distribution client. +- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0. +- **CSIErrorType** Stage of CBS installation where it failed. +- **DeploymentMutexId** Mutex identifier of the deployment operation. +- **DeploymentProviderHostModule** Name of the module which is hosting the Update Deployment Provider for deployment operation. +- **DeploymentProviderMode** Mode of operation of the Update Deployment Provider. +- **DriverPingBack** Contains information about the previous driver and system state. +- **DriverRecoveryIds** The list of identifiers which could be used for uninstalling the drivers when a recovery is required. +- **EventInstanceID** A globally unique identifier for event instance. +- **EventType** Possible values are "Child", "Bundle", "Release" or "Driver". +- **ExtendedErrorCode** The extended error code. +- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough. +- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. +- **FlightBuildNumber** Indicates the build number of that flight. +- **FlightId** The specific id of the flight the device is getting. +- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.). +- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device. +- **InstallProps** A bitmask for future flags associated with the install operation. There is no value being reported in this field right now. Expected value for this field is 0. +- **IntentPFNs** Intended application-set metadata for atomic update scenarios. +- **IsFinalOutcomeEvent** Indicates if this event signal the end of the update/upgrade process. +- **IsFirmware** Indicates whether an update was a firmware update. +- **IsSuccessFailurePostReboot** Indicates whether an initial success was then a failure after a reboot. +- **IsWUfBDualScanEnabled** Flag indicated is WU-for-Business dual scan is enabled on the device. +- **IsWUfBEnabled** Flag indicated is WU-for-Business is enabled on the device. +- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device. +- **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install. +- **MsiAction** Stage of MSI installation where it failed. +- **MsiProductCode** Unique identifier of the MSI installer. +- **PackageFullName** The package name of the content. +- **ProcessName** Process name of the caller who initiated API calls into the software distribution client. +- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. +- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one. +- **RepeatFailCount** Indicates whether this specific piece of content had previously failed. +- **RevisionNumber** Identifies the revision number of this specific piece of content. +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc). +- **StatusCode** Result code of the event (success, cancellation, failure code HResult). +- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. +- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. +- **TransactionCode** ID which represents a given MSI installation. +- **UpdateId** Identifier associated with the specific piece of content. +- **UpdateImportance** Indicates the importance of a driver, and why it received that importance level (0-Unknown, 1-Optional, 2-Important-DNF, 3-Important-Generic, 4-Important-Other, 5-Recommended). +- **UsedSystemVolume** Indicates whether the device’s main system storage drive or an alternate storage drive was used. +- **WUDeviceID** Unique device id controlled by the software distribution client. + + +### Microsoft.Windows.Update.WUClient.InstallStarted + +The event tracks the install started event when the update client is trying to update the device. The data collected with this event is used to help keep Windows up to date and secure. + +The following fields are available: + +- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. +- **BundleRepeatFailCount** Indicates whether this particular update bundle had previously failed. +- **BundleRevisionNumber** Identifies the revision number of the content bundle. +- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. +- **ClassificationId** Classification identifier of the update content. +- **ClientVersion** Version number of the software distribution client. +- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0. +- **CSIErrorType** Stage of CBS installation where it failed. +- **DeploymentMutexId** Mutex identifier of the deployment operation. +- **DeploymentProviderHostModule** Name of the module which is hosting the Update Deployment Provider for deployment operation. +- **DeploymentProviderMode** Mode of operation of the Update Deployment Provider. +- **DriverPingBack** Contains information about the previous driver and system state. +- **DriverRecoveryIds** The list of identifiers which could be used for uninstalling the drivers when a recovery is required. +- **EventInstanceID** A globally unique identifier for event instance. +- **EventType** Possible values are "Child", "Bundle", "Release" or "Driver". +- **ExtendedErrorCode** The extended error code. +- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough. +- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. +- **FlightBuildNumber** Indicates the build number of that flight. +- **FlightId** The specific id of the flight the device is getting. +- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.). +- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device. +- **InstallProps** A bitmask for future flags associated with the install operation. There is no value being reported in this field right now. Expected value for this field is 0. +- **IntentPFNs** Intended application-set metadata for atomic update scenarios. +- **IsFinalOutcomeEvent** Indicates if this event signal the end of the update/upgrade process. +- **IsFirmware** Indicates whether an update was a firmware update. +- **IsSuccessFailurePostReboot** Indicates whether an initial success was then a failure after a reboot. +- **IsWUfBDualScanEnabled** Flag indicated is WU-for-Business dual scan is enabled on the device. +- **IsWUfBEnabled** Flag indicated is WU-for-Business is enabled on the device. +- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device. +- **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install. +- **MsiAction** Stage of MSI installation where it failed. +- **MsiProductCode** Unique identifier of the MSI installer. +- **PackageFullName** The package name of the content. +- **ProcessName** Process name of the caller who initiated API calls into the software distribution client. +- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. +- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one. +- **RepeatFailCount** Indicates whether this specific piece of content had previously failed. +- **RevisionNumber** Identifies the revision number of this specific piece of content. +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.). +- **StatusCode** Result code of the event (success, cancellation, failure code HResult). +- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. +- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. +- **TransactionCode** ID which represents a given MSI installation. +- **UpdateId** Identifier associated with the specific piece of content. +- **UpdateImportance** Indicates the importance of a driver, and why it received that importance level (0-Unknown, 1-Optional, 2-Important-DNF, 3-Important-Generic, 4-Important-Other, 5-Recommended). +- **UsedSystemVolume** Indicates whether the device’s main system storage drive or an alternate storage drive was used. +- **WUDeviceID** Unique device id controlled by the software distribution client. + + +### Microsoft.Windows.Update.WUClient.InstallSucceeded + +The event tracks the successful install event when the update client is trying to update the device. The data collected with this event is used to help keep Windows up to date and secure. + +The following fields are available: + +- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. +- **BundleRepeatFailCount** Indicates whether this particular update bundle had previously failed. +- **BundleRevisionNumber** Identifies the revision number of the content bundle. +- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. +- **ClassificationId** Classification identifier of the update content. +- **ClientVersion** Version number of the software distribution client. +- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0. +- **CSIErrorType** Stage of CBS installation where it failed. +- **DeploymentMutexId** Mutex identifier of the deployment operation. +- **DeploymentProviderHostModule** Name of the module which is hosting the Update Deployment Provider for deployment operation. +- **DeploymentProviderMode** Mode of operation of the Update Deployment Provider. +- **DriverPingBack** Contains information about the previous driver and system state. +- **DriverRecoveryIds** The list of identifiers which could be used for uninstalling the drivers when a recovery is required. +- **EventInstanceID** A globally unique identifier for event instance. +- **EventType** Possible values are "Child", "Bundle", "Release" or "Driver". +- **ExtendedErrorCode** The extended error code. +- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough. +- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. +- **FlightBuildNumber** Indicates the build number of that flight. +- **FlightId** The specific id of the flight the device is getting. +- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.). +- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device. +- **InstallProps** A bitmask for future flags associated with the install operation. There is no value being reported in this field right now. Expected value for this field is 0. +- **IntentPFNs** Intended application-set metadata for atomic update scenarios. +- **IsFinalOutcomeEvent** Indicates if this event signal the end of the update/upgrade process. +- **IsFirmware** Indicates whether an update was a firmware update. +- **IsSuccessFailurePostReboot** Indicates whether an initial success was then a failure after a reboot. +- **IsWUfBDualScanEnabled** Flag indicated is WU-for-Business dual scan is enabled on the device. +- **IsWUfBEnabled** Flag indicated is WU-for-Business is enabled on the device. +- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device. +- **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install. +- **MsiAction** Stage of MSI installation where it failed. +- **MsiProductCode** Unique identifier of the MSI installer. +- **PackageFullName** The package name of the content. +- **ProcessName** Process name of the caller who initiated API calls into the software distribution client. +- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. +- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one. +- **RepeatFailCount** Indicates whether this specific piece of content had previously failed. +- **RevisionNumber** Identifies the revision number of this specific piece of content. +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.). +- **StatusCode** Result code of the event (success, cancellation, failure code HResult). +- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. +- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. +- **TransactionCode** ID which represents a given MSI installation. +- **UpdateId** Identifier associated with the specific piece of content. +- **UpdateImportance** Indicates the importance of a driver, and why it received that importance level (0-Unknown, 1-Optional, 2-Important-DNF, 3-Important-Generic, 4-Important-Other, 5-Recommended). +- **UsedSystemVolume** Indicates whether the device’s main system storage drive or an alternate storage drive was used. +- **WUDeviceID** Unique device id controlled by the software distribution client. + + +### Microsoft.Windows.Update.WUClient.RevertFailed + +This event tracks the revert failed event when the update client is trying to update the device. The data collected with this event is used to help keep Windows up to date and secure. + +The following fields are available: + +- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. +- **BundleRepeatFailCount** Indicates whether this particular update bundle had previously failed. +- **BundleRevisionNumber** Identifies the revision number of the content bundle. +- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. +- **ClassificationId** Classification identifier of the update content. +- **ClientVersion** Version number of the software distribution client. +- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0. +- **CSIErrorType** Stage of CBS installation where it failed. +- **DeploymentMutexId** Mutex identifier of the deployment operation. +- **DeploymentProviderHostModule** Name of the module which is hosting the Update Deployment Provider for deployment operation. +- **DeploymentProviderMode** Mode of operation of the Update Deployment Provider. +- **DriverPingBack** Contains information about the previous driver and system state. +- **DriverRecoveryIds** The list of identifiers which could be used for uninstalling the drivers when a recovery is required. +- **EventInstanceID** A globally unique identifier for event instance. +- **EventType** Possible values are "Child", "Bundle", "Release" or "Driver". +- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough. +- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. +- **FlightBuildNumber** Indicates the build number of that flight. +- **FlightId** The specific id of the flight the device is getting. +- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.). +- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device. +- **IsFinalOutcomeEvent** Indicates if this event signal the end of the update/upgrade process. +- **IsFirmware** Indicates whether an update was a firmware update. +- **IsSuccessFailurePostReboot** Indicates whether an initial success was then a failure after a reboot. +- **IsWUfBDualScanEnabled** Flag indicated is WU-for-Business dual scan is enabled on the device. +- **IsWUfBEnabled** Flag indicated is WU-for-Business dual scan is enabled on the device. +- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device. +- **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install. +- **ProcessName** Process name of the caller who initiated API calls into the software distribution client. +- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. +- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one. +- **RepeatFailCount** Indicates whether this specific piece of content had previously failed. +- **RevisionNumber** Identifies the revision number of this specific piece of content. +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.). +- **StatusCode** Result code of the event (success, cancellation, failure code HResult). +- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. +- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. +- **UpdateId** Identifier associated with the specific piece of content. +- **UpdateImportance** Indicates the importance of a driver, and why it received that importance level (0-Unknown, 1-Optional, 2-Important-DNF, 3-Important-Generic, 4-Important-Other, 5-Recommended). +- **UsedSystemVolume** Indicates whether the device’s main system storage drive or an alternate storage drive was used. +- **WUDeviceID** Unique device id controlled by the software distribution client. + + +### Microsoft.Windows.Update.WUClient.RevertStarted + +This event tracks the revert started event when the update client is trying to update the device. The data collected with this event is used to help keep Windows up to date and secure. + +The following fields are available: + +- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. +- **BundleRepeatFailCount** Indicates whether this particular update bundle had previously failed. +- **BundleRevisionNumber** Identifies the revision number of the content bundle. +- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. +- **ClassificationId** Classification identifier of the update content. +- **ClientVersion** Version number of the software distribution client. +- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0. +- **CSIErrorType** Stage of CBS installation where it failed. +- **DeploymentMutexId** Mutex identifier of the deployment operation. +- **DeploymentProviderHostModule** Name of the module which is hosting the Update Deployment Provider for deployment operation. +- **DeploymentProviderMode** Mode of operation of the Update Deployment Provider. +- **DriverPingBack** Contains information about the previous driver and system state. +- **DriverRecoveryIds** The list of identifiers which could be used for uninstalling the drivers when a recovery is required. +- **EventInstanceID** A globally unique identifier for event instance. +- **EventType** Possible values are "Child", "Bundle", "Release" or "Driver". +- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough. +- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. +- **FlightBuildNumber** Indicates the build number of that flight. +- **FlightId** The specific id of the flight the device is getting. +- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.). +- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device. +- **IsFinalOutcomeEvent** Indicates if this event signal the end of the update/upgrade process. +- **IsFirmware** Indicates whether an update was a firmware update. +- **IsSuccessFailurePostReboot** Indicates whether an initial success was then a failure after a reboot. +- **IsWUfBDualScanEnabled** Flag indicated is WU-for-Business dual scan is enabled on the device. +- **IsWUfBEnabled** Flag indicated is WU-for-Business is enabled on the device. +- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device. +- **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install. +- **ProcessName** Process name of the caller who initiated API calls into the software distribution client. +- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. +- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one. +- **RepeatFailCount** Indicates whether this specific piece of content had previously failed. +- **RevisionNumber** Identifies the revision number of this specific piece of content. +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.). +- **StatusCode** Result code of the event (success, cancellation, failure code HResult). +- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. +- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. +- **UpdateId** Identifier associated with the specific piece of content. +- **UpdateImportance** Indicates the importance of a driver, and why it received that importance level (0-Unknown, 1-Optional, 2-Important-DNF, 3-Important-Generic, 4-Important-Other, 5-Recommended). +- **UsedSystemVolume** Indicates whether the device’s main system storage drive or an alternate storage drive was used. +- **WUDeviceID** Unique device id controlled by the software distribution client. + + +### Microsoft.Windows.Update.WUClient.RevertSucceeded + +The event tracks the successful revert event when the update client is trying to update the device. The data collected with this event is used to help keep Windows up to date and secure. + +The following fields are available: + +- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. +- **BundleRepeatFailCount** Indicates whether this particular update bundle had previously failed. +- **BundleRevisionNumber** Identifies the revision number of the content bundle. +- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. +- **ClassificationId** Classification identifier of the update content. +- **ClientVersion** Version number of the software distribution client. +- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0. +- **CSIErrorType** Stage of CBS installation where it failed. +- **DeploymentMutexId** Mutex identifier of the deployment operation. +- **DeploymentProviderHostModule** Name of the module which is hosting the Update Deployment Provider for deployment operation. +- **DeploymentProviderMode** Mode of operation of the Update Deployment Provider. +- **DriverPingBack** Contains information about the previous driver and system state. +- **DriverRecoveryIds** The list of identifiers which could be used for uninstalling the drivers when a recovery is required. +- **EventInstanceID** A globally unique identifier for event instance. +- **EventType** Possible values are "Child", "Bundle", "Release" or "Driver". +- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough. +- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. +- **FlightBuildNumber** Indicates the build number of that flight. +- **FlightId** The specific id of the flight the device is getting. +- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.). +- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device. +- **IsFinalOutcomeEvent** Indicates if this event signal the end of the update/upgrade process. +- **IsFirmware** Indicates whether an update was a firmware update. +- **IsSuccessFailurePostReboot** Indicates whether an initial success was then a failure after a reboot. +- **IsWUfBDualScanEnabled** Flag indicated is WU-for-Business dual scan is enabled on the device. +- **IsWUfBEnabled** Flag indicated is WU-for-Business is enabled on the device. +- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device. +- **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install. +- **ProcessName** Process name of the caller who initiated API calls into the software distribution client. +- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. +- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one. +- **RepeatFailCount** Indicates whether this specific piece of content had previously failed. +- **RevisionNumber** Identifies the revision number of this specific piece of content. +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.). +- **StatusCode** Result code of the event (success, cancellation, failure code HResult). +- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. +- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. +- **UpdateId** Identifier associated with the specific piece of content. +- **UpdateImportance** Indicates the importance of a driver, and why it received that importance level (0-Unknown, 1-Optional, 2-Important-DNF, 3-Important-Generic, 4-Important-Other, 5-Recommended). +- **UsedSystemVolume** Indicates whether the device’s main system storage drive or an alternate storage drive was used. +- **WUDeviceID** Unique device id controlled by the software distribution client. + + +### Microsoft.Windows.Update.WUClient.UpdateDetected + +This event tracks the update detected event when the software update client is trying to update the device. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **ApplicableUpdateInfo** Metadata for the updates which were detected as applicable. +- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. +- **IntentPFNs** Intended application-set metadata for atomic update scenarios. +- **NumberOfApplicableUpdates** Number of updates which were ultimately deemed applicable to the system after detection process is complete. +- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one. +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.). +- **WUDeviceID** Unique device id controlled by the software distribution client. + + +### Microsoft.Windows.Update.WUClientExt.DataStoreHealth + +This event tracks the health of the data store. The data store stores updated metadata synced from the update services, service endpoint information synced from SLS services, and in-progress update data so the update client can continue to serve after reboot. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **EventScenario** Indicates the purpose of the event, for example, whether the scan started, succeeded or failed. +- **StatusCode** The result code of the event (success, cancellation, failure code HResult). + + +### Microsoft.Windows.Update.WUClientExt.DownloadCheckpoint + +This is a checkpoint event between the Windows Update download phases for UUP content. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. +- **ClientVersion** Version number of the software distribution client. +- **EventScenario** Indicates the purpose of the event - whether because scan started, succeeded, failed, etc. +- **EventType** Possible values are "Child", "Bundle", "Release" or "Driver". +- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough. +- **FileId** Unique identifier for the downloaded file. +- **FileName** Name of the downloaded file. +- **FlightId** The specific id of the flight the device is getting. +- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one. +- **RevisionNumber** Identifies the revision number of this specific piece of content. +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.). +- **StatusCode** Result code of the event (success, cancellation, failure code HResult). +- **UpdateId** Identifier associated with the specific piece of content. +- **WUDeviceID** Unique device id controlled by the software distribution client. + + +### Microsoft.Windows.Update.WUClientExt.DownloadHeartbeat + +This event allows tracking of ongoing downloads and contains data to explain the current state of the download. The data collected with this event is used to help keep Windows up to date and secure. + +The following fields are available: + +- **BytesTotal** Total bytes to transfer for this content. +- **BytesTransferred** Total bytes transferred for this content at the time of heartbeat. +- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. +- **ClientVersion** Version number of the software distribution client. +- **ConnectionStatus** Indicates the connectivity state of the device at the time of heartbeat. +- **CurrentError** Last (transient) error encountered by the active download. +- **DownloadFlags** Flags indicating if power state is ignored. +- **DownloadState** Current state of the active download for this content (queued, suspended, progressing). +- **EventType** Possible values are "Child", "Bundle", "Relase" or "Driver". +- **FlightId** The specific id of the flight the device is getting. +- **IsNetworkMetered** Indicates whether Windows considered the current network to be “metered”. +- **MOAppDownloadLimit** Mobile operator cap on size of application downloads, if any. +- **MOUpdateDownloadLimit** Mobile operator cap on size of OS update downloads, if any. +- **PowerState** Indicates the power state of the device at the time of heartbeart (DC, AC, Battery Saver, Connected Standby). +- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one. +- **ResumeCount** Number of times this active download has resumed from a suspended state. +- **RevisionNumber** Identifies the revision number of this specific piece of content. +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.). +- **SuspendCount** Number of times this active download has entered a suspended state. +- **SuspendReason** Last reason for which this active download has entered suspended state. +- **UpdateId** Identifier associated with the specific piece of content. +- **WUDeviceID** Unique device id controlled by the software distribution client. + + +### Microsoft.Windows.Update.WUClientExt.UpdateMetadataIntegrity + +This event helps to identify whether update content has been tampered with and protects against man-in-the-middle attack. The data collected with this event is used to help keep Windows up to date and secure. + +The following fields are available: + +- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. +- **EndpointUrl** Endpoint where client obtains update metadata. Used to identify test vs staging vs production environments. +- **EventScenario** Indicates the purpose of the event - whether because scan started, succeeded, failed, etc. +- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough. +- **LeafCertId** Integral id from the FragmentSigning data for certificate which failed. +- **ListOfSHA256OfIntermediateCerData** Mode of update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce. +- **MetadataIntegrityMode** Base64 string of the signature associated with the update metadata (specified by revision id). +- **MetadataSignature** Mode of update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce. +- **RawMode** Raw unparsed mode string from the SLS response. Null if not applicable. +- **RawValidityWindowInDays** Raw unparsed mode string from the SLS response. May be null if not applicable. +- **RevisionId** Identifies the revision of this specific piece of content. +- **RevisionNumber** Identifies the revision number of this specific piece of content. +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.). +- **SHA256OfLeafCerData** Base64 encoding of hash of the Base64CertData in the FragmentSigning data of leaf certificate. +- **SHA256OfLeafCertPublicKey** Base64 string of hash of the leaf cert public key. +- **SHA256OfTimestampToken** Base64 string of hash of the timestamp token blob. +- **SignatureAlgorithm** Hash algorithm for the metadata signature. +- **SLSPrograms** A test program a machine may be opted in. Examples include "Canary" and "Insider Fast". +- **StatusCode** Result code of the event (success, cancellation, failure code HResult). +- **TimestampTokenId** Created time encoded in the timestamp blob. This will be zeroed if the token is itself malformed and decoding failed. +- **UpdateId** Identifier associated with the specific piece of content. +- **ValidityWindowInDays** Validity window in days. + + +### Microsoft.Windows.Update.WUClientExt.UpdateMetadataIntegrityFragmentSigning + +This event helps to identify whether update content has been tampered with and protects against man-in-the-middle attack. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. +- **EndpointUrl** URL of the endpoint where client obtains update metadata. Used to identify test vs staging vs production environments. +- **EventScenario** Field indicating the sub-phase event scenario. +- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough. +- **LeafCertId** Integral id from the FragmentSigning data for certificate which failed. +- **ListOfSHA256OfIntermediateCerData** List of Base64 string of hash of intermediate cert data. +- **MetadataIntegrityMode** Base64 string of the signature associated with the update metadata (specified by revision id). +- **RawMode** Raw unparsed mode string from the SLS response. Null if not applicable. +- **RawValidityWindowInDays** Raw unparsed string of validity window in effect when verifying the timestamp. +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.). +- **SHA256OfLeafCerData** Base64 string of hash of the leaf cert data. +- **SLSPrograms** A test program a machine may be opted in. Examples include "Canary" and "Insider Fast". +- **StatusCode** Result code of the event (success, cancellation, failure code HResult). + + +### Microsoft.Windows.Update.WUClientExt.UpdateMetadataIntegritySignature + +This event helps to identify whether update content has been tampered with and protects against man-in-the-middle attack. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. +- **EndpointUrl** URL of the endpoint where client obtains update metadata. Used to identify test vs staging vs production environments. +- **EventScenario** Field indicating the sub-phase event scenario. +- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough. +- **LeafCertId** Integral id from the FragmentSigning data for certificate which failed. +- **MetadataIntegrityMode** Mode of update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce. +- **MetadataSignature** Base64 string of the signature associated with the update metadata (specified by revision id). +- **RawMode** Raw unparsed mode string from the SLS response. Null if not applicable. +- **RevisionId** Identifies the revision of this specific piece of content. +- **RevisionNumber** Identifies the revision number of this specific piece of content. +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.). +- **SHA256OfLeafCertPublicKey** Base64 string of hash of the leaf cert public key. +- **SHA256OfTimestampToken** Base64 string of hash of the timestamp token blob. +- **SignatureAlgorithm** Hash algorithm for the metadata signature. +- **SLSPrograms** A test program a machine may be opted in. Examples include "Canary" and "Insider Fast". +- **StatusCode** Result code of the event (success, cancellation, failure code HResult). +- **TimestampTokenId** Created time encoded in the timestamp blob. This will be zeroed if the token is malformed and decoding failed. +- **UpdateId** Identifier associated with the specific piece of content. + + +### Microsoft.Windows.Update.WUClientExt.UpdateMetadataIntegrityTimestamp + +This event helps to identify whether update content has been tampered with and protects against man-in-the-middle attack. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. +- **EndpointUrl** URL of the endpoint where client obtains update metadata. Used to identify test vs staging vs production environments. +- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough. +- **MetadataIntegrityMode** Mode of update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce +- **RawMode** Raw unparsed mode string from the SLS response. Null if not applicable. +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.). +- **SHA256OfTimestampToken** Base64 string of hash of the timestamp token blob. +- **SLSPrograms** A test program a machine may be opted in. Examples include "Canary" and "Insider Fast". +- **StatusCode** Result code of the event (success, cancellation, failure code HResult). +- **TimestampTokenId** Created time encoded in the timestamp blob. This will be zeroed if the token is itself malformed and decoding failed. +- **ValidityWindowInDays** Validity window in effect when verifying the timestamp. + + +### Microsoft.Windows.Update.WUClientExt.UUSLoadModuleFailed + +This is the UUSLoadModule failed event and is used to track the failure of loading an undocked component. The data collected with this event is used to help keep Windows up to date and secure. + +The following fields are available: + +- **LoadProps** A bitmask for flags associated with loading the undocked module. +- **ModulePath** Path of the undocked module. +- **ModuleVersion** Version of the undocked module. +- **PinkyFlags** PinkyFlags used to create the UUS session. +- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one. +- **StatusCode** Result of the undocked module loading operation. +- **UusSessionID** Unique ID used to create the UUS session. +- **UusVersion** Active UUS version. + + +### Microsoft.Windows.WindowsUpdate.RUXIM.ICSEvaluateInteractionCampaign + +This event is generated when the RUXIM Interaction Campaign Scheduler (RUXIMICS.EXE) finishes processing an interaction campaign. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **ControlId** String identifying the control (if any) that was selected by the user during presentation. +- **hrInteractionHandler** The error (if any) reported by the RUXIM Interaction Handler while processing the interaction campaign. +- **hrScheduler** The error (if any) encountered by RUXIM Interaction Campaign Scheduler itself while processing the interaction campaign. +- **InteractionCampaignID** The ID of the interaction campaign that was processed. +- **ResultId** The result of the evaluation/presentation. +- **WasCompleted** True if the interaction campaign is complete. +- **WasPresented** True if the Interaction Handler displayed the interaction campaign to the user. + + +### Microsoft.Windows.WindowsUpdate.RUXIM.ICSExit + +This event is generated when the RUXIM Interaction Campaign Scheduler (RUXIMICS) exits. The data collected with this event is used to help keep Windows up to date and performing properly. + + + +### Microsoft.Windows.WindowsUpdate.RUXIM.ICSLaunch + +This event is generated when the RUXIM Interaction Campaign Scheduler (RUXIMICS.EXE) is launched. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **CommandLine** The command line used to launch RUXIMICS. + + +### Microsoft.Windows.WindowsUpdate.RUXIM.IHEvaluateAndPresent + +This event is generated when the RUXIM Interaction Handler finishes evaluating, and possibly presenting an interaction campaign. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **hrLocal** The error (if any) encountered by RUXIM Interaction Handler during evaluation and presentation. +- **hrPresentation** The error (if any) reported by RUXIM Presentation Handler during presentation. +- **InteractionCampaignID** GUID; the user interaction campaign processed by RUXIM Interaction Handler. +- **ResultId** The result generated by the evaluation and presentation. +- **WasCompleted** True if the user interaction campaign is complete. +- **WasPresented** True if the user interaction campaign is displayed to the user. + + +### Microsoft.Windows.WindowsUpdate.RUXIM.IHExit + +This event is generated when the RUXIM Interaction Handler (RUXIMIH.EXE) exits. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **InteractionCampaignID** GUID identifying the interaction campaign that RUXIMIH processed. + + +### Microsoft.Windows.WindowsUpdate.RUXIM.IHLaunch + +This event is generated when the RUXIM Interaction Handler (RUXIMIH.EXE) is launched. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **CommandLine** The command line used to launch RUXIMIH. +- **InteractionCampaignID** GUID identifying the user interaction campaign that the Interaction Handler will process. + +### wilActivity + +This event provides a Windows Internal Library context used for Product and Service diagnostics. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **callContext** The function where the failure occurred. +- **currentContextId** The ID of the current call context where the failure occurred. +- **currentContextMessage** The message of the current call context where the failure occurred. +- **currentContextName** The name of the current call context where the failure occurred. +- **failureCount** The number of failures for this failure ID. +- **failureId** The ID of the failure that occurred. +- **failureType** The type of the failure that occurred. +- **fileName** The file name where the failure occurred. +- **function** The function where the failure occurred. +- **hresult** The HResult of the overall activity. +- **lineNumber** The line number where the failure occurred. +- **message** The message of the failure that occurred. +- **module** The module where the failure occurred. +- **originatingContextId** The ID of the originating call context that resulted in the failure. +- **originatingContextMessage** The message of the originating call context that resulted in the failure. +- **originatingContextName** The name of the originating call context that resulted in the failure. +- **threadId** The ID of the thread on which the activity is executing. + +## Windows Update mitigation events + +### Microsoft.Windows.Mitigations.AllowInPlaceUpgrade.ActivityError + +This event provides information for error encountered when enabling In-Place Upgrade. The data collected with this event is used to help keep Windows secure. + +The following fields are available: + +- **wilActivity** Result of the attempt to enable In-Place Upgrade. See [wilActivity](#wilactivity). + + +### Microsoft.Windows.Mitigations.AllowInPlaceUpgrade.ApplyTroubleshooting + +This event provides information for the operation of enabling In-Place Upgrade. The data collected with this event is used to help keep Windows secure. + +The following fields are available: + +- **wilActivity** Result of the attempt to enable In-Place Upgrade. See [wilActivity](#wilactivity). + + +### Microsoft.Windows.Mitigations.AllowInPlaceUpgrade.ApplyTroubleshootingComplete + +This event provides summary information after attempting to enable In-Place Upgrade. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **applicable** The operations that were needed to be attempted. +- **failed** Result of the individual operations that were attempted. +- **hr** Result of the overall operation to evaluate and enable In-Place Upgrade. + + +### Mitigation360Telemetry.MitigationCustom.CleanupSafeOsImages + +This event sends data specific to the CleanupSafeOsImages mitigation used for OS Updates. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **ClientId** The client ID used by Windows Update. +- **FlightId** The ID of each Windows Insider build the device received. +- **InstanceId** A unique device ID that identifies each update instance. +- **MitigationScenario** The update scenario in which the mitigation was executed. +- **MountedImageCount** The number of mounted images. +- **MountedImageMatches** The number of mounted image matches. +- **MountedImagesFailed** The number of mounted images that could not be removed. +- **MountedImagesRemoved** The number of mounted images that were successfully removed. +- **MountedImagesSkipped** The number of mounted images that were not found. +- **RelatedCV** The correlation vector value generated from the latest USO scan. +- **Result** HResult of this operation. +- **ScenarioId** ID indicating the mitigation scenario. +- **ScenarioSupported** Indicates whether the scenario was supported. +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each Windows Update. +- **WuId** Unique ID for the Windows Update client. + + +### Mitigation360Telemetry.MitigationCustom.FixAppXReparsePoints + +This event sends data specific to the FixAppXReparsePoints mitigation used for OS updates. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **ClientId** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightId** Unique identifier for each flight. +- **InstanceId** Unique GUID that identifies each instances of setuphost.exe. +- **MitigationScenario** The update scenario in which the mitigation was executed. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **ReparsePointsFailed** Number of reparse points that are corrupted but we failed to fix them. +- **ReparsePointsFixed** Number of reparse points that were corrupted and were fixed by this mitigation. +- **ReparsePointsSkipped** Number of reparse points that are not corrupted and no action is required. +- **Result** HResult of this operation. +- **ScenarioId** ID indicating the mitigation scenario. +- **ScenarioSupported** Indicates whether the scenario was supported. +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each Update. +- **WuId** Unique ID for the Windows Update client. + + +### Mitigation360Telemetry.MitigationCustom.FixupWimmountSysPath + +This event sends data specific to the FixupWimmountSysPath mitigation used for OS Updates. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **ClientId** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightId** Unique identifier for each flight. +- **ImagePathDefault** Default path to wimmount.sys driver defined in the system registry. +- **ImagePathFixedup** Boolean indicating whether the wimmount.sys driver path was fixed by this mitigation. +- **InstanceId** Unique GUID that identifies each instances of setuphost.exe. +- **MitigationScenario** The update scenario in which the mitigations were attempted. +- **RelatedCV** Correlation vector value. +- **Result** HResult of this operation. +- **ScenarioId** Setup360 flow type. +- **ScenarioSupported** Whether the updated scenario that was passed in was supported. +- **SessionId** The UpdateAgent “SessionId” value. +- **UpdateId** Unique identifier for the Update. +- **WuId** Unique identifier for the Windows Update client. + + +## Windows Update Reserve Manager events + +### Microsoft.Windows.UpdateReserveManager.BeginScenario + +This event is sent when the Update Reserve Manager is called to begin a scenario. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **Flags** The flags that are passed to the begin scenario function. +- **HardReserveSize** The size of the hard reserve. +- **HardReserveUsedSpace** The used space in the hard reserve. +- **OwningScenarioId** The scenario ID the client that called the begin scenario function. +- **ReturnCode** The return code for the begin scenario operation. +- **ScenarioId** The scenario ID that is internal to the reserve manager. +- **SoftReserveSize** The size of the soft reserve. +- **SoftReserveUsedSpace** The amount of soft reserve space that was used. + + +### Microsoft.Windows.UpdateReserveManager.ClearReserve + +This event is sent when the Update Reserve Manager clears one of the reserves. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **FinalReserveUsedSpace** The amount of used space for the reserve after it was cleared. +- **InitialReserveUsedSpace** The amount of used space for the reserve before it was cleared. +- **ReserveId** The ID of the reserve that needs to be cleared. + + +### Microsoft.Windows.UpdateReserveManager.CommitPendingHardReserveAdjustment + +This event is sent when the Update Reserve Manager commits a hard reserve adjustment that was pending. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **FinalAdjustment** Final adjustment for the hard reserve following the addition or removal of optional content. +- **InitialAdjustment** Initial intended adjustment for the hard reserve following the addition or removal of optional content. + + +### Microsoft.Windows.UpdateReserveManager.EndScenario + +This event is sent when the Update Reserve Manager ends an active scenario. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **ActiveScenario** The current active scenario. +- **Flags** The flags passed to the end scenario call. +- **HardReserveSize** The size of the hard reserve when the end scenario is called. +- **HardReserveUsedSpace** The used space in the hard reserve when the end scenario is called. +- **ReturnCode** The return code of this operation. +- **ScenarioId** The ID of the internal reserve manager scenario. +- **SoftReserveSize** The size of the soft reserve when end scenario is called. +- **SoftReserveUsedSpace** The amount of the soft reserve used when end scenario is called. + + +### Microsoft.Windows.UpdateReserveManager.FunctionReturnedError + +This event is sent when the Update Reserve Manager returns an error from one of its internal functions. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **FailedFile** The binary file that contained the failed function. +- **FailedFunction** The name of the function that originated the failure. +- **FailedLine** The line number of the failure. +- **ReturnCode** The return code of the function. + + +### Microsoft.Windows.UpdateReserveManager.InitializeReserves + +This event is sent when reserves are initialized on the device. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **FallbackInitUsed** Indicates whether fallback initialization is used. +- **FinalUserFreeSpace** The amount of user free space after initialization. +- **Flags** The flags used in the initialization of Update Reserve Manager. +- **FreeSpaceToLeaveInUpdateScratch** The amount of space that should be left free after using the reserves. +- **HardReserveFinalSize** The final size of the hard reserve. +- **HardReserveFinalUsedSpace** The used space in the hard reserve. +- **HardReserveInitialSize** The size of the hard reserve after initialization. +- **HardReserveInitialUsedSpace** The utilization of the hard reserve after initialization. +- **HardReserveTargetSize** The target size that was set for the hard reserve. +- **InitialUserFreeSpace** The user free space during initialization. +- **PostUpgradeFreeSpace** The free space value passed into the Update Reserve Manager to determine reserve sizing post upgrade. +- **SoftReserveFinalSize** The final size of the soft reserve. +- **SoftReserveFinalUsedSpace** The used space in the soft reserve. +- **SoftReserveInitialSize** The soft reserve size after initialization. +- **SoftReserveInitialUsedSpace** The utilization of the soft reserve after initialization. +- **SoftReserveTargetSize** The target size that was set for the soft reserve. +- **TargetUserFreeSpace** The target user free space that was passed into the reserve manager to determine reserve sizing post upgrade. +- **UpdateScratchFinalUsedSpace** The used space in the scratch reserve. +- **UpdateScratchInitialUsedSpace** The utilization of the scratch reserve after initialization. +- **UpdateScratchReserveFinalSize** The utilization of the scratch reserve after initialization. +- **UpdateScratchReserveInitialSize** The size of the scratch reserve after initialization. + + +### Microsoft.Windows.UpdateReserveManager.InitializeUpdateReserveManager + +This event returns data about the Update Reserve Manager, including whether it’s been initialized. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **ClientId** The ID of the caller application. +- **Flags** The enumerated flags used to initialize the manager. +- **Offline** Indicates whether or the reserve manager is called during offline operations. +- **PolicyPassed** Indicates whether the machine is able to use reserves. +- **ReturnCode** Return code of the operation. +- **Version** The version of the Update Reserve Manager. + + +### Microsoft.Windows.UpdateReserveManager.PrepareTIForReserveInitialization + +This event is sent when the Update Reserve Manager prepares the Trusted Installer to initialize reserves on the next boot. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **FallbackLogicUsed** Indicates whether fallback logic was used for initialization. +- **Flags** The flags that are passed to the function to prepare the Trusted Installer for reserve initialization. + + +### Microsoft.Windows.UpdateReserveManager.ReevaluatePolicy + +This event is sent when the Update Reserve Manager reevaluates policy to determine reserve usage. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **PolicyChanged** Indicates whether the policy has changed. +- **PolicyFailedEnum** The reason why the policy failed. +- **PolicyPassed** Indicates whether the policy passed. + + +### Microsoft.Windows.UpdateReserveManager.RemovePendingHardReserveAdjustment + +This event is sent when the Update Reserve Manager removes a pending hard reserve adjustment. The data collected with this event is used to help keep Windows secure and up to date. + + + +### Microsoft.Windows.UpdateReserveManager.TurnOffReserves + +This event is sent when the Update Reserve Manager turns off reserve functionality for certain operations. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **Flags** Flags used in the turn off reserves function. +- **HardReserveSize** The size of the hard reserve when Turn Off is called. +- **HardReserveUsedSpace** The amount of space used by the hard reserve when Turn Off is called +- **ScratchReserveSize** The size of the scratch reserve when Turn Off is called. +- **ScratchReserveUsedSpace** The amount of space used by the scratch reserve when Turn Off is called. +- **SoftReserveSize** The size of the soft reserve when Turn Off is called. +- **SoftReserveUsedSpace** The amount of the soft reserve used when Turn Off is called. + + +### Microsoft.Windows.UpdateReserveManager.UpdatePendingHardReserveAdjustment + +This event is sent when the Update Reserve Manager needs to adjust the size of the hard reserve after the option content is installed. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **ChangeSize** The change in the hard reserve size based on the addition or removal of optional content. +- **Disposition** The parameter for the hard reserve adjustment function. +- **Flags** The flags passed to the hard reserve adjustment function. +- **PendingHardReserveAdjustment** The final change to the hard reserve size. +- **UpdateType** Indicates whether the change is an increase or decrease in the size of the hard reserve. \ No newline at end of file diff --git a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md index fdaf967827..535d41535f 100644 --- a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md +++ b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md @@ -1,5 +1,5 @@ --- -description: Learn what required Windows diagnostic data is gathered. +description: Use this article to learn more about what required Windows diagnostic data is gathered. title: Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 required diagnostic events and fields (Windows 10) keywords: privacy, telemetry ms.prod: w10 @@ -13,11 +13,11 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 04/28/2021 +ms.date: 10/04/2021 --- -# Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 required Windows diagnostic events and fields +# Windows 10, version 20H2 and Windows 10, version 2004 required Windows diagnostic events and fields > [!IMPORTANT] @@ -30,7 +30,6 @@ ms.date: 04/28/2021 - Windows 10, version 20H2 - Windows 10, version 2004 - Required diagnostic data gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Microsoft Store. Required diagnostic data helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. This helps Microsoft fix operating system or app problems. @@ -39,6 +38,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th You can learn more about Windows functional and diagnostic data through these articles: +- [Required Windows 11 diagnostic events and fields](required-windows-11-diagnostic-events-and-fields.md) - [Windows 10, version 1903 and Windows 10, version 1909 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md) - [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md) - [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md) @@ -49,7 +49,6 @@ You can learn more about Windows functional and diagnostic data through these ar - ## Appraiser events ### Microsoft.Windows.Appraiser.General.ChecksumTotalPictureCount @@ -250,6 +249,18 @@ The following fields are available: - **DecisionMediaCenter_RS5** The total number of objects of this type present on this device. - **DecisionMediaCenter_TH1** The total number of objects of this type present on this device. - **DecisionMediaCenter_TH2** The total number of objects of this type present on this device. +- **DecisionSModeState_19H1** The total number of objects of this type present on this device. +- **DecisionSModeState_20H1** The total number of objects of this type present on this device. +- **DecisionSModeState_20H1Setup** The total number of objects of this type present on this device. +- **DecisionSModeState_21H1** The total number of objects of this type present on this device. +- **DecisionSModeState_21H1Setup** The total number of objects of this type present on this device. +- **DecisionSModeState_RS1** The total number of objects of this type present on this device. +- **DecisionSModeState_RS2** The total number of objects of this type present on this device. +- **DecisionSModeState_RS3** The total number of objects of this type present on this device. +- **DecisionSModeState_RS4** The total number of objects of this type present on this device. +- **DecisionSModeState_RS5** The total number of objects of this type present on this device. +- **DecisionSModeState_TH1** The total number of objects of this type present on this device. +- **DecisionSModeState_TH2** The total number of objects of this type present on this device. - **DecisionSystemBios_19H1** The total number of objects of this type present on this device. - **DecisionSystemBios_19H1Setup** The total number of objects of this type present on this device. - **DecisionSystemBios_20H1** The total number of objects of this type present on this device. @@ -265,6 +276,66 @@ The following fields are available: - **DecisionSystemBios_RS5Setup** The total number of objects of this type present on this device. - **DecisionSystemBios_TH1** The total number of objects of this type present on this device. - **DecisionSystemBios_TH2** The total number of objects of this type present on this device. +- **DecisionSystemDiskSize_19H1** The total number of objects of this type present on this device. +- **DecisionSystemDiskSize_20H1** The total number of objects of this type present on this device. +- **DecisionSystemDiskSize_20H1Setup** The total number of objects of this type present on this device. +- **DecisionSystemDiskSize_21H1** The total number of objects of this type present on this device. +- **DecisionSystemDiskSize_21H1Setup** The total number of objects of this type present on this device. +- **DecisionSystemDiskSize_RS1** The total number of objects of this type present on this device. +- **DecisionSystemDiskSize_RS2** The total number of objects of this type present on this device. +- **DecisionSystemDiskSize_RS3** The total number of objects of this type present on this device. +- **DecisionSystemDiskSize_RS4** The total number of objects of this type present on this device. +- **DecisionSystemDiskSize_RS5** The total number of objects of this type present on this device. +- **DecisionSystemDiskSize_TH1** The total number of objects of this type present on this device. +- **DecisionSystemDiskSize_TH2** The total number of objects of this type present on this device. +- **DecisionSystemMemory_19H1** The total number of objects of this type present on this device. +- **DecisionSystemMemory_20H1** The total number of objects of this type present on this device. +- **DecisionSystemMemory_20H1Setup** The total number of objects of this type present on this device. +- **DecisionSystemMemory_21H1** The total number of objects of this type present on this device. +- **DecisionSystemMemory_21H1Setup** The total number of objects of this type present on this device. +- **DecisionSystemMemory_RS1** The total number of objects of this type present on this device. +- **DecisionSystemMemory_RS2** The total number of objects of this type present on this device. +- **DecisionSystemMemory_RS3** The total number of objects of this type present on this device. +- **DecisionSystemMemory_RS4** The total number of objects of this type present on this device. +- **DecisionSystemMemory_RS5** The total number of objects of this type present on this device. +- **DecisionSystemMemory_TH1** The total number of objects of this type present on this device. +- **DecisionSystemMemory_TH2** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuCores_19H1** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuCores_20H1** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuCores_20H1Setup** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuCores_21H1** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuCores_21H1Setup** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuCores_RS1** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuCores_RS2** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuCores_RS3** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuCores_RS4** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuCores_RS5** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuCores_TH1** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuCores_TH2** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuModel_19H1** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuModel_20H1** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuModel_20H1Setup** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuModel_21H1** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuModel_21H1Setup** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuModel_RS1** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuModel_RS2** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuModel_RS3** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuModel_RS4** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuModel_RS5** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuModel_TH1** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuModel_TH2** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuSpeed_19H1** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuSpeed_20H1** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuSpeed_20H1Setup** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuSpeed_21H1** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuSpeed_21H1Setup** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuSpeed_RS1** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuSpeed_RS2** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuSpeed_RS3** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuSpeed_RS4** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuSpeed_RS5** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuSpeed_TH1** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuSpeed_TH2** The total number of objects of this type present on this device. - **DecisionTest_19H1** The total number of objects of this type present on this device. - **DecisionTest_20H1** The total number of objects of this type present on this device. - **DecisionTest_20H1Setup** The total number of objects of this type present on this device. @@ -277,6 +348,30 @@ The following fields are available: - **DecisionTest_RS5** The total number of objects of this type present on this device. - **DecisionTest_TH1** The total number of objects of this type present on this device. - **DecisionTest_TH2** The total number of objects of this type present on this device. +- **DecisionTpmVersion_19H1** The total number of objects of this type present on this device. +- **DecisionTpmVersion_20H1** The total number of objects of this type present on this device. +- **DecisionTpmVersion_20H1Setup** The total number of objects of this type present on this device. +- **DecisionTpmVersion_21H1** The total number of objects of this type present on this device. +- **DecisionTpmVersion_21H1Setup** The total number of objects of this type present on this device. +- **DecisionTpmVersion_RS1** The total number of objects of this type present on this device. +- **DecisionTpmVersion_RS2** The total number of objects of this type present on this device. +- **DecisionTpmVersion_RS3** The total number of objects of this type present on this device. +- **DecisionTpmVersion_RS4** The total number of objects of this type present on this device. +- **DecisionTpmVersion_RS5** The total number of objects of this type present on this device. +- **DecisionTpmVersion_TH1** The total number of objects of this type present on this device. +- **DecisionTpmVersion_TH2** The total number of objects of this type present on this device. +- **DecisionUefiSecureBoot_19H1** The total number of objects of this type present on this device. +- **DecisionUefiSecureBoot_20H1** The total number of objects of this type present on this device. +- **DecisionUefiSecureBoot_20H1Setup** The total number of objects of this type present on this device. +- **DecisionUefiSecureBoot_21H1** The total number of objects of this type present on this device. +- **DecisionUefiSecureBoot_21H1Setup** The total number of objects of this type present on this device. +- **DecisionUefiSecureBoot_RS1** The total number of objects of this type present on this device. +- **DecisionUefiSecureBoot_RS2** The total number of objects of this type present on this device. +- **DecisionUefiSecureBoot_RS3** The total number of objects of this type present on this device. +- **DecisionUefiSecureBoot_RS4** The total number of objects of this type present on this device. +- **DecisionUefiSecureBoot_RS5** The total number of objects of this type present on this device. +- **DecisionUefiSecureBoot_TH1** The total number of objects of this type present on this device. +- **DecisionUefiSecureBoot_TH2** The total number of objects of this type present on this device. - **InventoryApplicationFile** The total number of objects of this type present on this device. - **InventoryLanguagePack** The total number of objects of this type present on this device. - **InventoryMediaCenter** The total number of objects of this type present on this device. @@ -962,6 +1057,8 @@ The following fields are available: - **CpuModel** Cpu model. - **CpuStepping** Cpu stepping. - **CpuVendor** Cpu vendor. +- **PlatformId** CPU platform identifier. +- **SysReqOverride** Appraiser decision about system requirements override. ### Microsoft.Windows.Appraiser.General.DecisionSystemProcessorCpuModelStartSync @@ -1009,6 +1106,7 @@ The following fields are available: - **AppraiserVersion** The version of the appraiser file generating the events. - **Blocking** Appraiser upgradeability decision based on the device's TPM support. +- **SysReqOverride** Appraiser decision about system requirements override. - **TpmVersionInfo** The version of Trusted Platform Module (TPM) technology in the device. @@ -1830,6 +1928,7 @@ This event sends data about the mobile and cellular network used by the device ( The following fields are available: +- **CellularModemHWInstanceId0** HardwareInstanceId of the embedded Mobile broadband modem, as reported and used by PnP system to identify the WWAN modem device in Windows system. Empty string (null string) indicates that this property is unknown for telemetry. - **IMEI0** Represents the International Mobile Station Equipment Identity. This number is usually unique and used by the mobile operator to distinguish different phone hardware. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. The two fields represent phone with dual sim coverage. - **IMEI1** Represents the International Mobile Station Equipment Identity. This number is usually unique and used by the mobile operator to distinguish different phone hardware. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. The two fields represent phone with dual sim coverage. - **MCC0** Represents the Mobile Country Code (MCC). It used with the Mobile Network Code (MNC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage. @@ -1841,9 +1940,12 @@ The following fields are available: - **MobileOperatorCommercialized** Represents which reseller and geography the phone is commercialized for. This is the set of values on the phone for who and where it was intended to be used. For example, the commercialized mobile operator code AT&T in the US would be ATT-US. - **MobileOperatorNetwork0** Represents the operator of the current mobile network that the device is used on. (AT&T, T-Mobile, Vodafone). The two fields represent phone with dual sim coverage. - **MobileOperatorNetwork1** Represents the operator of the current mobile network that the device is used on. (AT&T, T-Mobile, Vodafone). The two fields represent phone with dual sim coverage. +- **ModemOptionalCapabilityBitMap0** A bit map of optional capabilities in modem, such as eSIM support. - **NetworkAdapterGUID** The GUID of the primary network adapter. - **SPN0** Retrieves the Service Provider Name (SPN). For example, these might be AT&T, Sprint, T-Mobile, or Verizon. The two fields represent phone with dual sim coverage. - **SPN1** Retrieves the Service Provider Name (SPN). For example, these might be AT&T, Sprint, T-Mobile, or Verizon. The two fields represent phone with dual sim coverage. +- **SupportedDataClassBitMap0** A bit map of the supported data classes (i.g, 5g 4g...) that the modem is capable of. +- **SupportedDataSubClassBitMap0** A bit map of data subclasses that the modem is capable of. ### Census.OS @@ -1949,6 +2051,7 @@ The following fields are available: - **ProcessorManufacturer** Name of the processor manufacturer. - **ProcessorModel** Name of the processor model. - **ProcessorPhysicalCores** Number of physical cores in the processor. +- **ProcessorPlatformSpecificField1** Registry value HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0, @Platform Specific Field 1. Platform Specific Field 1 of the Processor. Each vendor (e.g. Intel) defines the meaning differently. On Intel this is used to differentiate processors of the same generation, (e.g. Kaby Lake, KBL-G, KBL-H, KBL-R). - **ProcessorUpdateRevision** The microcode revision. - **ProcessorUpdateStatus** Enum value that represents the processor microcode load status - **SocketCount** Count of CPU sockets. @@ -1968,6 +2071,7 @@ The following fields are available: - **IsSawGuest** Indicates whether the device is running as a Secure Admin Workstation Guest. - **IsSawHost** Indicates whether the device is running as a Secure Admin Workstation Host. - **IsWdagFeatureEnabled** Indicates whether Windows Defender Application Guard is enabled. +- **NGCSecurityProperties** String representation of NGC security information. - **RequiredSecurityProperties** Describes the required security properties to enable virtualization-based security. - **SecureBootCapable** Systems that support Secure Boot can have the feature turned off via BIOS. This field tells if the system is capable of running Secure Boot, regardless of the BIOS setting. - **ShadowStack** The bit fields of SYSTEM_SHADOW_STACK_INFORMATION representing the state of the Intel CET (Control Enforcement Technology) hardware security feature. @@ -2342,7 +2446,6 @@ The following fields are available: - **objectType** Indicates the object type that the event applies to. - **syncId** A string used to group StartSync, EndSync, Add, and Remove operations that belong together. This field is unique by Sync period and is used to disambiguate in situations where multiple agents perform overlapping inventories for the same object. - ## Component-based servicing events ### CbsServicingProvider.CbsCapabilityEnumeration @@ -3346,6 +3449,7 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic The following fields are available: +- **AndroidPackageId** A unique identifier for an Android app. - **HiddenArp** Indicates whether a program hides itself from showing up in ARP. - **InstallDate** The date the application was installed (a best guess based on folder creation date heuristics). - **InstallDateArpLastModified** The date of the registry ARP key for a given application. Hints at install date but not always accurate. Passed as an array. Example: 4/11/2015 00:00:00 @@ -3592,7 +3696,7 @@ The following fields are available: - **HWID** The version of the driver loaded for the device. - **Inf** The bus that enumerated the device. - **InstallDate** The date of the most recent installation of the device on the machine. -- **InstallState** The device installation state. For a list of values, see: [Device Install State](https://msdn.microsoft.com/library/windows/hardware/ff543130.aspx) +- **InstallState** The device installation state. For a list of values, see: [Device Install State](https://msdn.microsoft.com/library/windows/hardware/ff543130.aspx). - **InventoryVersion** List of hardware ids for the device. - **LowerClassFilters** Lower filter class drivers IDs installed for the device - **LowerFilters** Lower filter drivers IDs installed for the device @@ -3846,6 +3950,7 @@ The following fields are available: - **ProductVersion** The version associated with the Office add-in. - **ProgramId** The unique program identifier of the Microsoft Office add-in. - **Provider** Name of the provider for this add-in. +- **Usage** Data about usage for the add-in. ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInRemove @@ -3870,6 +3975,14 @@ The following fields are available: - **InventoryVersion** The version of the inventory binary generating the events. +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUexIndicatorStartSync + +Diagnostic event to indicate a new sync is being generated for this object type. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + + + ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoAdd This event provides data on Unified Update Platform (UUP) products and what version they are at. The data collected with this event is used to keep Windows performing properly. @@ -4037,9 +4150,10 @@ The following fields are available: - **container_client_id** The client ID of the container, if in WDAG mode. This will be different from the UMA log client ID, which is the client ID of the host in WDAG mode. - **container_localId** If the device is using Windows Defender Application Guard, this is the Software Quality Metrics (SQM) ID of the container. - **container_session_id** The session ID of the container, if in WDAG mode. This will be different from the UMA log session ID, which is the session ID of the host in WDAG mode. +- **device_sample_rate** A number representing how often the device sends telemetry, expressed as a percentage. Low values indicate that device sends more events and high values indicate that device sends fewer events. The value is rounded to 5 significant figures for privacy reasons and if an error is hit in getting the device sample number value from the registry then this will be -1; and if client is not on a UTC-enabled platform, then this value will not be set. - **Etag** Etag is an identifier representing all service applied configurations and experiments for the current browser session. This field is left empty when Windows diagnostic level is set to Basic or lower or when consent for diagnostic data has been denied. - **EventInfo.Level** The minimum Windows diagnostic data level required for the event, where 1 is basic, 2 is enhanced, and 3 is full. -- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See [experimentationandconfigurationservicecontrol](/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol) for more details on this policy. +- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See [Microsoft Edge - Policies](/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol) for more details on this policy. - **install_date** The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour. - **installSource** An enumeration representing the source of this installation: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13). - **installSourceName** A string representation of the installation source. @@ -4062,6 +4176,7 @@ The following fields are available: - **app_sample_rate** A number representing how often the client sends telemetry, expressed as a percentage. Low values indicate that said client sends more events and high values indicate that said client sends fewer events. - **app_version** The internal Edge build version string, taken from the UMA metrics field system_profile.app_version. - **appConsentState** Bit flags describing consent for data collection on the machine or zero if the state was not retrieved. The following are true when the associated bit is set: consent was granted (0x1), consent was communicated at install (0x2), diagnostic data consent granted (0x20000), browsing data consent granted (0x40000). +- **AppSessionGuid** An identifier of a particular application session starting at process creation time and persisting until process end. - **brandCode** Contains the 4 character brand code or distribution tag that has been assigned to a partner. Not every Windows install will have a brand code. - **Channel** An integer indicating the channel of the installation (Canary or Dev). - **client_id** A unique identifier with which all other diagnostic client data is associated, taken from the UMA metrics provider. This ID is effectively unique per device, per OS user profile, per release channel (e.g. Canary/Dev/Beta/Stable). client_id is not durable, based on user preferences. client_id is initialized on the first application launch under each OS user profile. client_id is linkable, but not unique across devices or OS user profiles. client_id is reset whenever UMA data collection is disabled, or when the application is uninstalled. @@ -4069,9 +4184,10 @@ The following fields are available: - **container_client_id** The client ID of the container, if in WDAG mode. This will be different from the UMA log client ID, which is the client ID of the host in WDAG mode. - **container_localId** If the device is using Windows Defender Application Guard, this is the Software Quality Metrics (SQM) ID of the container. - **container_session_id** The session ID of the container, if in WDAG mode. This will be different from the UMA log session ID, which is the session ID of the host in WDAG mode. +- **device_sample_rate** A number representing how often the device sends telemetry, expressed as a percentage. Low values indicate that device sends more events and high values indicate that device sends fewer events. The value is rounded to 5 significant figures for privacy reasons and if an error is hit in getting the device sample number value from the registry then this will be -1; and if client is not on a UTC-enabled platform, then this value will not be set. - **Etag** Etag is an identifier representing all service applied configurations and experiments for the current browser session. This field is left empty when Windows diagnostic level is set to Basic or lower or when consent for diagnostic data has been denied. - **EventInfo.Level** The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full. -- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See [experimentationandconfigurationservicecontrol](/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol) for more details on this policy. +- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See [Microsoft Edge - Policies](/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol) for more details on this policy. - **install_date** The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour. - **installSource** An enumeration representing the source of this installation: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13). - **installSourceName** A string representation of the installation source. @@ -4102,9 +4218,10 @@ The following fields are available: - **container_client_id** The client ID of the container, if in WDAG mode. This will be different from the UMA log client ID, which is the client ID of the host in WDAG mode. - **container_localId** If the device is using Windows Defender Application Guard, this is the Software Quality Metrics (SQM) ID of the container. - **container_session_id** The session ID of the container, if in WDAG mode. This will be different from the UMA log session ID, which is the session ID of the host in WDAG mode. +- **device_sample_rate** A number representing how often the device sends telemetry, expressed as a percentage. Low values indicate that device sends more events and high values indicate that device sends fewer events. The value is rounded to 5 significant figures for privacy reasons and if an error is hit in getting the device sample number value from the registry then this will be -1; and if client is not on a UTC-enabled platform, then this value will not be set. - **Etag** Etag is an identifier representing all service applied configurations and experiments for the current browser session. This field is left empty when Windows diagnostic level is set to Basic or lower or when consent for diagnostic data has been denied. - **EventInfo.Level** The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full. -- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See (experimentationandconfigurationservicecontrol)[/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol] for more details on this policy. +- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See [Microsoft Edge - Policies](/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol) for more details on this policy. - **install_date** The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour. - **installSource** An enumeration representing the source of this installation: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13). - **installSourceName** A string representation of the installation source. @@ -4135,9 +4252,10 @@ The following fields are available: - **container_client_id** The client ID of the container, if in WDAG mode. This will be different from the UMA log client ID, which is the client ID of the host in WDAG mode. - **container_localId** If the device is using Windows Defender Application Guard, this is the Software Quality Metrics (SQM) ID of the container. - **container_session_id** The session ID of the container, if in WDAG mode. This will be different from the UMA log session ID, which is the session ID of the host in WDAG mode. +- **device_sample_rate** A number representing how often the device sends telemetry, expressed as a percentage. Low values indicate that device sends more events and high values indicate that device sends fewer events. The value is rounded to 5 significant figures for privacy reasons and if an error is hit in getting the device sample number value from the registry then this will be -1; and if client is not on a UTC-enabled platform, then this value will not be set. - **Etag** Etag is an identifier representing all service applied configurations and experiments for the current browser session. This field is left empty when Windows diagnostic level is set to Basic or lower or when consent for diagnostic data has been denied. - **EventInfo.Level** The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full. -- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See [#experimentationandconfigurationservicecontrol](/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol) for more details on this policy. +- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See [Microsoft Edge - Policies](/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol) for more details on this policy. - **install_date** The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour. - **installSource** An enumeration representing the source of this installation: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13). - **installSourceName** A string representation of the installation source. @@ -4167,10 +4285,13 @@ The following fields are available: - **appConsentState** Bit flags describing the diagnostic data disclosure and response flow where 1 indicates the affirmative and 0 indicates the negative or unspecified data. Bit 1 indicates consent was given, bit 2 indicates data originated from the download page, bit 18 indicates choice for sending data about how the browser is used, and bit 19 indicates choice for sending data about websites visited. - **appDayOfInstall** The date-based counting equivalent of appInstallTimeDiffSec (the numeric calendar day that the app was installed on). This value is provided by the server in the response to the first request in the installation flow. The client MAY fuzz this value to the week granularity (e.g. send '0' for 0 through 6, '7' for 7 through 13, etc.). The first communication to the server should use a special value of '-1'. A value of '-2' indicates that this value is not known. Please see the wiki for additional information. Default: '-2'. - **appExperiments** A key/value list of experiment identifiers. Experiment labels are used to track membership in different experimental groups, and may be set at install or update time. The experiments string is formatted as a semicolon-delimited concatenation of experiment label strings. An experiment label string is an experiment Name, followed by the '=' character, followed by an experimental label value. For example: 'crdiff=got_bsdiff;optimized=O3'. The client should not transmit the expiration date of any experiments it has, even if the server previously specified a specific expiration date. Default: ''. +- **appInstallTime** The product install time in seconds. '0' if unknown. Default: '-1'. - **appInstallTimeDiffSec** The difference between the current time and the install date in seconds. '0' if unknown. Default: '-1'. - **appLang** The language of the product install, in IETF BCP 47 representation. Default: ''. +- **appLastLaunchTime** The time when browser was last launched. - **appNextVersion** The version of the app that the update flow to which this event belongs attempted to reach, regardless of the success or failure of the update operation. Please see the wiki for additional information. Default: '0.0.0.0'. - **appPingEventAppSize** The total number of bytes of all downloaded packages. Default: '0'. +- **appPingEventDoneBeforeOOBEComplete** Indicates whether the install or update was completed before Windows Out of the Box Experience ends. 1 means event completed before OOBE finishes; 0 means event was not completed before OOBE finishes; -1 means the field does not apply. - **appPingEventDownloadMetricsCdnCCC** ISO 2 character country code that matches to the country updated binaries are delivered from. E.g.: US. - **appPingEventDownloadMetricsCdnCID** Numeric value used to internally track the origins of the updated binaries. For example, 2. - **appPingEventDownloadMetricsDownloadedBytes** For events representing a download, the number of bytes expected to be downloaded. For events representing an entire update flow, the sum of all such expected bytes over the course of the update flow. Default: '0'. @@ -4187,9 +4308,11 @@ The following fields are available: - **appPingEventExtraCode1** Additional numeric information about the operation's result, encoded as a signed, base-10 integer. Default: '0'. - **appPingEventInstallTimeMs** For events representing an install, the time elapsed between the start of the install and the end of the install, in milliseconds. For events representing an entire update flow, the sum of all such durations. Sent in events that have an event type of '2' and '3' only. Default: '0'. - **appPingEventNumBytesDownloaded** The number of bytes downloaded for the specified application. Default: '0'. +- **appPingEventPackageCacheResult** Whether there is an existing package cached in the system to update or install. 1 means that there's a cache hit under the expected key, 2 means there's a cache hit under a different key, 0 means that there's a cache miss. -1 means the field does not apply. - **appPingEventSequenceId** An id that uniquely identifies particular events within one requestId. Since a request can contain multiple ping events, this field is necessary to uniquely identify each possible event. - **appPingEventSourceUrlIndex** For events representing a download, the position of the download URL in the list of URLs supplied by the server in a "urls" tag. - **appPingEventUpdateCheckTimeMs** For events representing an entire update flow, the time elapsed between the start of the update check and the end of the update check, in milliseconds. Sent in events that have an event type of '2' and '3' only. Default: '0'. +- **appReferralHash** The hash of the referral code used to install the product. '0' if unknown. Default: '0'. - **appUpdateCheckIsUpdateDisabled** The state of whether app updates are restricted by group policy. True if updates have been restricted by group policy or false if they have not. - **appUpdateCheckTargetVersionPrefix** A component-wise prefix of a version number, or a complete version number suffixed with the $ character. The server should not return an update instruction to a version number that does not match the prefix or complete version number. The prefix is interpreted a dotted-tuple that specifies the exactly-matching elements; it is not a lexical prefix (for example, '1.2.3' must match '1.2.3.4' but must not match '1.2.34'). Default: ''. - **appUpdateCheckTtToken** An opaque access token that can be used to identify the requesting client as a member of a trusted-tester group. If non-empty, the request should be sent over SSL or another secure protocol. Default: ''. @@ -4249,9 +4372,10 @@ The following fields are available: - **ConnectionType** The first reported type of network connection currently connected. This can be one of Unknown, Ethernet, WiFi, 2G, 3G, 4G, None, or Bluetooth. - **container_client_id** The client ID of the container, if in WDAG mode. This will be different from the UMA log client ID, which is the client ID of the host in WDAG mode. - **container_session_id** The session ID of the container, if in WDAG mode. This will be different from the UMA log session ID, which is the session ID of the host in WDAG mode. +- **device_sample_rate** A number representing how often the device sends telemetry, expressed as a percentage. Low values indicate that device sends more events and high values indicate that device sends fewer events. The value is rounded to 5 significant figures for privacy reasons and if an error is hit in getting the device sample number value from the registry then this will be -1; and if client is not on a UTC-enabled platform, then this value will not be set. - **Etag** Etag is an identifier representing all service applied configurations and experiments for the current browser session. This field is left empty when Windows diagnostic level is set to Basic or lower or when consent for diagnostic data has been denied. - **EventInfo.Level** The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full. -- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See [experimentationandconfigurationservicecontrol](/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol) for more details on this policy. +- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See [Microsoft Edge - Policies](/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol) for more details on this policy. - **install_date** The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour. - **installSource** An enumeration representing the source of this installation: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13). - **installSourceName** A string representation of the installation source. @@ -4495,6 +4619,196 @@ The following fields are available: - **totalRuns** Total number of running/evaluation from last time. +## Other events + +### Microsoft.Surface.Battery.Prod.BatteryInfoEvent + +This event includes the hardware level data about battery performance. The data collected with this event is used to help keep Windows products and services performing properly. + +The following fields are available: + +- **batteryData** Battery Performance data. +- **batteryData.data()** Battery performance data. +- **BatteryDataSize:** Size of the battery performance data. +- **batteryInfo.data()** Battery performance data. +- **BatteryInfoSize:** Size of the battery performance data. +- **pszBatteryDataXml** Battery performance data. +- **szBatteryInfo** Battery performance data. + + +### Microsoft.Surface.Battery.Prod.BatteryInfoEventV2_BPM + +This event includes the hardware level data about battery performance. The data The data collected with this event is used to keep Windows performing properly. + +The following fields are available: + +- **BPMCurrentlyEngaged** Instantaneous snapshot if BPM is engaged on device. +- **BPMExitCriteria** What is the BPM exit criteria - 20%SOC or 50%SOC? +- **BPMHvtCountA** Current HVT count for BPM counter A. +- **BPMHvtCountB** Current HVT count for BPM counter B. +- **bpmOptOutLifetimeCount** BPM OptOut Lifetime Count. +- **BPMRsocBucketsHighTemp_Values** Time in temperature range 46°C -60°C and in the following true RSOC ranges: 0%-49%; 50%-79%; 80%-89%; 90%-94%; 95%-100%. +- **BPMRsocBucketsLowTemp_Values** Time in temperature range 0°C -20°C and in the following true RSOC ranges: 0%-49%; 50%-79%; 80%-89%; 90%-94%; 95%-100%. +- **BPMRsocBucketsMediumHighTemp_Values** Time in temperature range 36°C -45°C and in the following true RSOC ranges: 0%-49%; 50%-79%; 80%-89%; 90%-94%; 95%-100%. +- **BPMRsocBucketsMediumLowTemp_Values** Time in temperature range 21°C-35°C and in the following true RSOC ranges: 0%-49%; 50%-79%; 80%-89%; 90%-94%; 95%-100%. +- **BPMTotalEngagedMinutes** Total time that BPM was engaged. +- **BPMTotalEntryEvents** Total number of times entering BPM. +- **ComponentId** Component ID. +- **FwVersion** FW version that created this log. +- **LogClass** Log Class. +- **LogInstance** Log instance within class (1..n). +- **LogVersion** Log MGR version. +- **MCUInstance** Instance id used to identify multiple MCU's in a product. +- **ProductId** Product ID. +- **SeqNum** Sequence Number. +- **TimeStamp** UTC seconds when log was created. +- **Ver** Schema version. + + +### Microsoft.Surface.Battery.Prod.BatteryInfoEventV2_GG + +This event includes the hardware level data about battery performance. The data The data collected with this event is used to keep Windows performing properly. + +The following fields are available: + +- **cbTimeCell_Values** cb time for different cells. +- **ComponentId** Component ID. +- **cycleCount** Cycle Count. +- **deltaVoltage** Delta voltage. +- **eocChargeVoltage_Values** EOC Charge voltage values. +- **fullChargeCapacity** Full Charge Capacity. +- **FwVersion** FW version that created this log. +- **lastCovEvent** Last Cov event. +- **lastCuvEvent** Last Cuv event. +- **LogClass** LOG_CLASS. +- **LogInstance** Log instance within class (1..n). +- **LogVersion** LOG_MGR_VERSION. +- **manufacturerName** Manufacturer name. +- **maxChargeCurrent** Max charge current. +- **maxDeltaCellVoltage** Max delta cell voltage. +- **maxDischargeCurrent** Max discharge current. +- **maxTempCell** Max temp cell. +- **maxVoltage_Values** Max voltage values. +- **MCUInstance** Instance id used to identify multiple MCU's in a product. +- **minTempCell** Min temp cell. +- **minVoltage_Values** Min voltage values. +- **numberOfCovEvents** Number of Cov events. +- **numberOfCuvEvents** Number of Cuv events. +- **numberOfOCD1Events** Number of OCD1 events. +- **numberOfOCD2Events** Number of OCD2 events. +- **numberOfQmaxUpdates** Number of Qmax updates. +- **numberOfRaUpdates** Number of Ra updates. +- **numberOfShutdowns** Number of shutdowns. +- **pfStatus_Values** pf status values. +- **ProductId** Product ID. +- **qmax_Values** Qmax values for different cells. +- **SeqNum** Sequence Number. +- **TimeStamp** UTC seconds when log was created. +- **Ver** Schema version. + + +### Microsoft.Surface.Battery.Prod.BatteryInfoEventV2_GGExt + +This event includes the hardware level data about battery performance. The data The data collected with this event is used to keep Windows performing properly. + +The following fields are available: + +- **avgCurrLastRun** Average current last run. +- **avgPowLastRun** Average power last run. +- **batteryMSPN** BatteryMSPN +- **batteryMSSN** BatteryMSSN. +- **cell0Ra3** Cell0Ra3. +- **cell1Ra3** Cell1Ra3. +- **cell2Ra3** Cell2Ra3. +- **cell3Ra3** Cell3Ra3. +- **ComponentId** Component ID. +- **currentAtEoc** Current at Eoc. +- **firstPFstatusA** First PF status-A. +- **firstPFstatusB** First PF status-B. +- **firstPFstatusC** First PF status-C. +- **firstPFstatusD** First PF status-D. +- **FwVersion** FW version that created this log. +- **lastQmaxUpdate** Last Qmax update. +- **lastRaDisable** Last Ra disable. +- **lastRaUpdate** Last Ra update. +- **lastValidChargeTerm** Last valid charge term. +- **LogClass** LOG CLASS. +- **LogInstance** Log instance within class (1..n). +- **LogVersion** LOG MGR VERSION. +- **maxAvgCurrLastRun** Max average current last run. +- **maxAvgPowLastRun** Max average power last run. +- **MCUInstance** Instance id used to identify multiple MCU's in a product. +- **mfgInfoBlockB01** MFG info Block B01. +- **mfgInfoBlockB02** MFG info Block B02. +- **mfgInfoBlockB03** MFG info Block B03. +- **mfgInfoBlockB04** MFG info Block B04. +- **numOfRaDisable** Number of Ra disable. +- **numOfValidChargeTerm** Number of valid charge term. +- **ProductId** Product ID. +- **qmaxCycleCount** Qmax cycle count. +- **SeqNum** Sequence Number. +- **stateOfHealthEnergy** State of health energy. +- **stateOfHealthFcc** State of health Fcc. +- **stateOfHealthPercent** State of health percent. +- **TimeStamp** UTC seconds when log was created. +- **totalFwRuntime** Total FW runtime. +- **updateStatus** Update status. +- **Ver** Schema version. + + +### Microsoft.Surface.SystemReset.Prod.ResetCauseEventV2 + +This event sends reason for SAM, PCH and SoC reset. The data collected with this event is used to keep Windows performing properly. + +The following fields are available: + +- **HostResetCause** Host reset cause. +- **PchResetCause** PCH reset cause. +- **SamResetCause** SAM reset cause. + + +### Microsoft.Windows.UpdateAssistantApp.UpdateAssistantDeviceInformation + +This event provides basic information about the device where update assistant was run. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **CV** The correlation vector. +- **GlobalEventCounter** The global event counter for all telemetry on the device. +- **UpdateAssistantAppFilePath** Path to Update Assistant app. +- **UpdateAssistantDeviceId** Device Id of the Update Assistant Candidate Device. +- **UpdateAssistantExeName** Exe name running as Update Assistant. +- **UpdateAssistantExternalId** External Id of the Update Assistant Candidate Device. +- **UpdateAssistantIsDeviceCloverTrail** True/False is the device clovertrail. +- **UpdateAssistantIsPushing** True if the update is pushing to the device. +- **UpdateAssistantMachineId** Machine Id of the Update Assistant Candidate Device. +- **UpdateAssistantOsVersion** Update Assistant OS Version. +- **UpdateAssistantPartnerId** Partner Id for Assistant application. +- **UpdateAssistantReportPath** Path to report for Update Assistant. +- **UpdateAssistantStartTime** Start time for UpdateAssistant. +- **UpdateAssistantUiType** The type of UI whether default or OOBE. +- **UpdateAssistantVersion** Current package version of UpdateAssistant. +- **UpdateAssistantVersionInfo** Information about Update Assistant application. + + +### Microsoft.Windows.UpdateAssistantApp.UpdateAssistantStartState + +This event marks the start of an Update Assistant State. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **CV** The correlation vector. +- **GlobalEventCounter** The global event counter for all telemetry on the device. +- **UpdateAssistantStateAcceptEULA** True at the start of AcceptEULA. +- **UpdateAssistantStateCheckingCompat** True at the start of Checking Compat +- **UpdateAssistantStateCheckingUpgrade** True at the start of CheckingUpgrade. +- **UpdateAssistantStateDownloading** True at the start Downloading. +- **UpdateAssistantStateInitializingApplication** True at the start of the state InitializingApplication. +- **UpdateAssistantStateInitializingStates** True at the start of InitializingStates. +- **UpdateAssistantStateInstalling** True at the start of Installing. +- **UpdateAssistantVersion** Current package version of UpdateAssistant. + + ## Privacy consent logging events ### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted @@ -4549,6 +4863,29 @@ The following fields are available: - **Status** It indicates details about the status for getting the disk device object during boot. +### Microsoft.Windows.Setup.WinSetupBoot.Success + +This event sends data indicating that the device has invoked the WinSetupBoot successfully. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **Action** It indicates phase/stage of operation. As success event fires on exiting the operation, this value must be 'Exiting'. +- **Duration(ms)** Duration of filter setup instance operation in milliseconds. +- **Rollback** It is blank as this event triggers in success scenario only. + + +### Microsoft.Windows.Setup.WinSetupBoot.Warning + +This event is used to indicate whether there were any warnings when we were trying to skip a reboot during feature upgrade. The data collected with this event helps keep Windows product and service up to date​. + +The following fields are available: + +- **Action** Action indicates what operation was being performed by the filter driver (Ex: Waiting, Exiting). +- **Detail** Add detail to the operation listed above (Ex: Blocked thread timed out). +- **Rollback** Indicates whether a rollback was triggered (0 or 1). +- **Status** Indicates the status code for the operation (Ex: 0, 258 etc.). + + ### SetupPlatformTel.SetupPlatformTelActivityEvent This event sends basic metadata about the SetupPlatform update installation process, to help keep Windows up to date. @@ -4617,12 +4954,14 @@ The following fields are available: - **CurrentMobileOperator** The mobile operator the device is currently connected to. - **DeferralPolicySources** Sources for any update deferral policies defined (GPO = 0x10, MDM = 0x100, Flight = 0x1000, UX = 0x10000). - **DeferredUpdates** Update IDs which are currently being deferred until a later time -- **DeviceModel** The device model. +- **DeviceModel** What is the device model. - **DriverError** The error code hit during a driver scan. This is 0 if no error was encountered. - **DriverExclusionPolicy** Indicates if the policy for not including drivers with Windows Update is enabled. - **DriverSyncPassPerformed** Were drivers scanned this time? - **EventInstanceID** A globally unique identifier for event instance. - **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. +- **ExcludedUpdateClasses** Update classifications being excluded via policy. +- **ExcludedUpdates** UpdateIds which are currently being excluded via policy. - **ExtendedMetadataCabUrl** Hostname that is used to download an update. - **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough. - **FailedUpdateGuids** The GUIDs for the updates that failed to be evaluated during the scan. @@ -4671,6 +5010,7 @@ The following fields are available: - **SystemBIOSMajorRelease** Major version of the BIOS. - **SystemBIOSMinorRelease** Minor version of the BIOS. - **TargetMetadataVersion** For self-initiated healing, this is the target version of the SIH engine to download (if needed). If not, the value is null. +- **TargetProductVersion** Indicates the Product version selected to move to or stay on. - **TargetReleaseVersion** The value selected for the target release version policy. - **TotalNumMetadataSignatures** The total number of metadata signatures checks done for new metadata that was synced down. - **WebServiceRetryMethods** Web service method requests that needed to be retried to complete operation. @@ -4709,37 +5049,57 @@ The following fields are available: - **ActiveDownloadTime** Number of seconds the update was actively being downloaded. - **AppXBlockHashFailures** Indicates the number of blocks that failed hash validation during download. +- **AppXBlockHashValidationFailureCount** A count of the number of blocks that have failed validation after being downloaded. +- **AppXDownloadScope** Indicates the scope of the download for application content. - **AppXScope** Indicates the scope of the app download. +- **BiosFamily** The family of the BIOS (Basic Input Output System). +- **BiosName** The name of the device BIOS. +- **BiosReleaseDate** The release date of the device BIOS. +- **BiosSKUNumber** The sku number of the device BIOS. +- **BIOSVendor** The vendor of the BIOS. +- **BiosVersion** The version of the BIOS. - **BundleBytesDownloaded** Number of bytes downloaded for the specific content bundle. - **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. - **BundleRepeatFailCount** Indicates whether this particular update bundle previously failed. +- **BundleRepeatFailFlag** Indicates whether this particular update bundle previously failed to download. - **BundleRevisionNumber** Identifies the revision number of the content bundle. - **BytesDownloaded** Number of bytes that were downloaded for an individual piece of content (not the entire bundle). - **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. +- **CbsDownloadMethod** Indicates whether the download was a full- or a partial-file download. - **CbsMethod** The method used for downloading the update content related to the Component Based Servicing (CBS) technology. - **CDNCountryCode** Two letter country abbreviation for the Content Distribution Network (CDN) location. - **CDNId** ID which defines which CDN the software distribution client downloaded the content from. - **ClientVersion** The version number of the software distribution client. - **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. - **ConnectTime** Indicates the cumulative amount of time (in seconds) it took to establish the connection for all updates in an update bundle. +- **CurrentMobileOperator** The mobile operator the device is currently connected to. +- **DeviceModel** The model of the device. - **DownloadPriority** Indicates whether a download happened at background, normal, or foreground priority. - **DownloadProps** Information about the download operation properties in the form of a bitmask. +- **DownloadScenarioId** A unique ID for a given download, used to tie together Windows Update and Delivery Optimizer events. - **EventInstanceID** A globally unique identifier for event instance. - **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started downloading content, or whether it was cancelled, succeeded, or failed. - **EventType** Possible values are Child, Bundle, or Driver. - **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough. - **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. +- **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds). - **FlightBuildNumber** If this download was for a flight (pre-release build), this indicates the build number of that flight. - **FlightId** The specific ID of the flight (pre-release build) the device is getting. +- **FlightRing** The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds). +- **HandlerType** Indicates what kind of content is being downloaded (app, driver, windows patch, etc.). - **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device. +- **HomeMobileOperator** The mobile operator that the device was originally intended to work with. - **HostName** The hostname URL the content is downloading from. - **IPVersion** Indicates whether the download took place over IPv4 or IPv6. +- **IsDependentSet** Indicates whether a driver is a part of a larger System Hardware/Firmware Update - **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device. - **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device. - **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device. - **NetworkCost** A flag indicating the cost of the network (congested, fixed, variable, over data limit, roaming, etc.) used for downloading the update content. +- **NetworkCostBitMask** Indicates what kind of network the device is connected to (roaming, metered, over data cap, etc.) - **NetworkRestrictionStatus** More general version of NetworkCostBitMask, specifying whether Windows considered the current network to be "metered." - **PackageFullName** The package name of the content. +- **PhonePreviewEnabled** Indicates whether a phone was opted-in to getting preview builds, prior to flighting (pre-release builds) being introduced. - **PostDnldTime** Time taken (in seconds) to signal download completion after the last job has completed downloading payload. - **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided. - **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. @@ -4747,14 +5107,24 @@ The following fields are available: - **RegulationResult** The result code (HResult) of the last attempt to contact the regulation web service for download regulation of update content. - **RelatedCV** The previous Correlation Vector that was used before swapping with a new one. - **RepeatFailCount** Indicates whether this specific content has previously failed. +- **RepeatFailFlag** Indicates whether this specific content previously failed to download. - **RevisionNumber** The revision number of the specified piece of content. - **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Microsoft Store, etc). +- **Setup360Phase** Identifies the active phase of the upgrade download if the current download is for an Operating System upgrade. +- **ShippingMobileOperator** The mobile operator linked to the device when the device shipped. - **SizeCalcTime** Time taken (in seconds) to calculate the total download size of the payload. - **StatusCode** Indicates the result of a Download event (success, cancellation, failure code HResult). +- **SystemBIOSMajorRelease** Major version of the BIOS. +- **SystemBIOSMinorRelease** Minor version of the BIOS. +- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. +- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. +- **ThrottlingServiceHResult** Result code (success/failure) while contacting a web service to determine whether this device should download content yet. +- **TimeToEstablishConnection** Time (in milliseconds) it took to establish the connection prior to beginning downloaded. - **TotalExpectedBytes** The total count of bytes that the download is expected to be. - **UpdateId** An identifier associated with the specific piece of content. - **UpdateImportance** Indicates whether a piece of content was marked as Important, Recommended, or Optional. - **UsedDO** Whether the download used the delivery optimization service. +- **UsedSystemVolume** Indicates whether the content was downloaded to the device's main system storage drive, or an alternate storage drive. - **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. @@ -5022,6 +5392,7 @@ The following fields are available: - **SignatureAlgorithm** The hash algorithm for the metadata signature. - **SLSPrograms** A test program to which a device may have opted in. Example: Insider Fast - **StatusCode** Result code of the event (success, cancellation, failure code HResult). +- **TimestampTokenCertThumbprint** The thumbprint of the encoded timestamp token. - **TimestampTokenId** The time this was created. It is encoded in a timestamp blob and will be zero if the token is malformed. - **UpdateId** The update ID for a specific piece of content. - **ValidityWindowInDays** The validity window that's in effect when verifying the timestamp. @@ -5029,21 +5400,6 @@ The following fields are available: ## Surface events -### Microsoft.Surface.Battery.Prod.BatteryInfoEvent - -This event includes the hardware level data about battery performance. The data collected with this event is used to help keep Windows products and services performing properly. - -The following fields are available: - -- **batteryData** Battery Performance data. -- **batteryData.data()** Battery performance data. -- **BatteryDataSize:** Size of the battery performance data. -- **batteryInfo.data()** Battery performance data. -- **BatteryInfoSize:** Size of the battery performance data. -- **pszBatteryDataXml** Battery performance data. -- **szBatteryInfo** Battery performance data. - - ### Microsoft.Surface.Health.Binary.Prod.McuHealthLog This event collects information to keep track of health indicator of the built-in micro controller. For example, the number of abnormal shutdowns due to power issues during boot sequence, type of display panel attached to base, thermal indicator, throttling data in hardware etc. The data collected with this event is used to help keep Windows secure and performing properly. @@ -5086,6 +5442,7 @@ The following fields are available: - **CV** Correlation vector. - **dayspendingrebootafterfu** Number of days that have elapsed since the device reached ready to reboot for a Feature Update that is still actively pending reboot. +- **ExecutionRequestId** Identifier of the Execution Request that launched the QualityUpdateAssistant process. - **GlobalEventCounter** Client side counter which indicates ordering of events sent by this device. - **KBNumber** KBNumber of the update being installed. - **PackageVersion** Current package version of quality update assistant. @@ -5101,6 +5458,7 @@ The following fields are available: - **activeProcesses** Number of active processes. - **atleastOneMitigationSucceeded** Bool flag indicating if at least one mitigation succeeded. +- **callerId** Identifier (GUID) of the caller requesting a system initiated troubleshooter. - **contactTSServiceAttempts** Number of attempts made by TroubleshootingSvc in a single Scanner session to get Troubleshooter metadata from the Troubleshooting cloud service. - **countDownloadedPayload** Count instances of payload downloaded. - **description** Description of failure. @@ -5142,6 +5500,7 @@ This event is raised when a targeted mitigation is rejected by the device based The following fields are available: +- **callerId** It is a GUID to identify the component that is calling into Mitigation Client APIs. It can be: Task Scheduler, Settings App, or GetHelp App. - **description** String describing why a mitigation was rejected. - **mitigationId** GUID identifier for a mitigation. - **mitigationVersion** Version of the mitigation. @@ -5156,11 +5515,14 @@ This event is raised after an executable delivered by Mitigation Service has suc The following fields are available: - **activeProcesses** Number of active processes. +- **callerId** Identifier (GUID) of the caller requesting a system initiated troubleshooter. - **contactTSServiceAttempts** Number of attempts made by TroubleshootingSvc in a single Scanner session to get Troubleshooter metadata from the Troubleshooting cloud service. - **devicePreference** Recommended troubleshooting setting on the device. - **downloadBinaryAttempts** Number of attempts made by TroubleshootingSvc in a single Scanner session to download Troubleshooter Exe. - **downloadCabAttempts** Number of attempts made by TroubleshootingSvc in a single Scanner session to download PrivilegedActions Cab. - **executionPreference** Current Execution level Preference. This may not be same as devicePreference, for example, when executing Critical troubleshooters, the executionPreference is set to the Silent option. +- **exitCode** Exit code of the execution of the mitigation. +- **exitCodeDefinition** String describing the meaning of the exit code returned by the mitigation (i.e. ProblemNotFound). - **experimentFeatureId** Experiment feature ID. - **experimentFeatureState** Feature state for the experiment. - **mitigationId** ID value of the mitigation. @@ -5189,6 +5551,21 @@ The following fields are available: - **PackageVersion** The package version label. +### Microsoft.Windows.UpdateHealthTools.ExpediteDownloadStarted + +This event indicates that the download phase of USO has started. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** A correlation vector. +- **ExpeditePolicyId** The policy Id of the expedite request. +- **ExpediteUpdaterOfferedUpdateId** Update Id of the LCU expected to be expedited. +- **ExpediteUpdatesInProgress** A list of update IDs in progress. +- **ExpediteUsoLastError** The last error returned by USO. +- **GlobalEventCounter** Counts the number of events for this provider. +- **PackageVersion** The package version label. + + ### Microsoft.Windows.UpdateHealthTools.ExpediteInstallStarted This event indicates that the install phase of USO has started. The data collected with this event is used to help keep Windows secure and up to date. @@ -5487,6 +5864,7 @@ The following fields are available: - **CV** Correlation vector. - **GlobalEventCounter** The global event counter for counting total events for the provider. - **PackageVersion** The version for the current package. +- **UpdateHealthToolsServiceBlockedByNoDSSJoinHr** The result code returned when checking for WUFB cloud membership. ### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsServiceIsDSSJoin @@ -5510,29 +5888,6 @@ The following fields are available: - **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. - **PackageVersion** Current package version of remediation. -### wilActivity - -This event provides a Windows Internal Library context used for Product and Service diagnostics. The data collected with this event is used to help keep Windows up to date. - -The following fields are available: - -- **callContext** The function where the failure occurred. -- **currentContextId** The ID of the current call context where the failure occurred. -- **currentContextMessage** The message of the current call context where the failure occurred. -- **currentContextName** The name of the current call context where the failure occurred. -- **failureCount** The number of failures for this failure ID. -- **failureId** The ID of the failure that occurred. -- **failureType** The type of the failure that occurred. -- **fileName** The file name where the failure occurred. -- **function** The function where the failure occurred. -- **hresult** The HResult of the overall activity. -- **lineNumber** The line number where the failure occurred. -- **message** The message of the failure that occurred. -- **module** The module where the failure occurred. -- **originatingContextId** The ID of the originating call context that resulted in the failure. -- **originatingContextMessage** The message of the originating call context that resulted in the failure. -- **originatingContextName** The name of the originating call context that resulted in the failure. -- **threadId** The ID of the thread on which the activity is executing. ## Update events @@ -6264,7 +6619,7 @@ The following fields are available: ### Microsoft.Windows.WERVertical.OSCrash -This event sends binary data from the collected dump file whenever a bug check occurs, to help keep Windows up to date. This is the OneCore version of this event. +This event sends binary data from the collected dump file wheneveer a bug check occurs, to help keep Windows up to date. The is the OneCore version of this event. The following fields are available: @@ -6995,80 +7350,6 @@ The following fields are available: ## Windows Update events -### Microsoft.Windows.WindowsUpdate.RUXIM.ICSEvaluateInteractionCampaign - -This event is generated when the RUXIM Interaction Campaign Scheduler (RUXIMICS.EXE) finishes processing an interaction campaign. The data collected with this event is used to help keep Windows up to date and performing properly. - -The following fields are available: - -- **ControlId** String identifying the control (if any) that was selected by the user during presentation. -- **hrInteractionHandler** The error (if any) reported by the RUXIM Interaction Handler while processing the interaction campaign. -- **hrScheduler** The error (if any) encountered by RUXIM Interaction Campaign Scheduler itself while processing the interaction campaign. -- **InteractionCampaignID** The ID of the interaction campaign that was processed. -- **ResultId** The result of the evaluation/presentation. -- **WasCompleted** True if the interaction campaign is complete. -- **WasPresented** True if the Interaction Handler displayed the interaction campaign to the user. - - -### Microsoft.Windows.WindowsUpdate.RUXIM.ICSExit - -This event is generated when the RUXIM Interaction Campaign Scheduler (RUXIMICS) exits. The data collected with this event is used to help keep Windows up to date and performing properly. - - - -### Microsoft.Windows.WindowsUpdate.RUXIM.ICSLaunch - -This event is generated when the RUXIM Interaction Campaign Scheduler (RUXIMICS.EXE) is launched. The data collected with this event is used to help keep Windows up to date and performing properly. - -The following fields are available: - -- **CommandLine** The command line used to launch RUXIMICS. - - -### Microsoft.Windows.WindowsUpdate.RUXIM.IHEvaluateAndPresent - -This event is generated when the RUXIM Interaction Handler finishes evaluating, and possibly presenting an interaction campaign. The data collected with this event is used to help keep Windows up to date and performing properly. - -The following fields are available: - -- **hrLocal** The error (if any) encountered by RUXIM Interaction Handler during evaluation and presentation. -- **hrPresentation** The error (if any) reported by RUXIM Presentation Handler during presentation. -- **InteractionCampaignID** GUID; the user interaction campaign processed by RUXIM Interaction Handler. -- **ResultId** The result generated by the evaluation and presentation. -- **WasCompleted** True if the user interaction campaign is complete. -- **WasPresented** True if the user interaction campaign is displayed to the user. - - -### Microsoft.Windows.WindowsUpdate.RUXIM.IHExit - -This event is generated when the RUXIM Interaction Handler (RUXIMIH.EXE) exits. The data collected with this event is used to help keep Windows up to date and performing properly. - -The following fields are available: - -- **InteractionCampaignID** GUID identifying the interaction campaign that RUXIMIH processed. - - -### Microsoft.Windows.WindowsUpdate.RUXIM.IHLaunch - -This event is generated when the RUXIM Interaction Handler (RUXIMIH.EXE) is launched. The data collected with this event is used to help keep Windows up to date and performing properly. - -The following fields are available: - -- **CommandLine** The command line used to launch RUXIMIH. -- **InteractionCampaignID** GUID identifying the user interaction campaign that the Interaction Handler will process. - - -### Microsoft.Windows.WindowsUpdate.RUXIM.SystemEvaluator.Evaluation - -This event is generated whenever the RUXIM Evaluator DLL performs an evaluation. The data collected with this event is used to help keep Windows up to date and performing properly. - -The following fields are available: - -- **HRESULT** Error, if any, that occurred during evaluation. (Note that if errors encountered during individual checks do not affect the overall result of the evaluation, those errors will be reported in NodeEvaluationData, but this HRESULT will still be zero.) -- **Id** GUID passed in by the caller to identify the evaluation. -- **NodeEvaluationData** Structure showing the results of individual checks that occurred during the overall evaluation. -- **Result** Overall result generated by the evaluation. - ### Microsoft.Windows.Update.DataMigrationFramework.DmfMigrationStarted This event sends data collected at the beginning of the Data Migration Framework (DMF) and parameters involved in its invocation, to help keep Windows up to date. @@ -7625,6 +7906,21 @@ The following fields are available: - **wuDeviceid** Unique device ID used by Windows Update. +### Microsoft.Windows.Update.Orchestrator.UpdateRebootRequired + +This event sends data about whether an update required a reboot to help keep Windows secure and up to date. + +The following fields are available: + +- **flightID** The specific ID of the Windows Insider build the device is getting. +- **interactive** Indicates whether the reboot initiation stage of the update process was entered as a result of user action. +- **revisionNumber** Update revision number. +- **updateId** Update ID. +- **updateScenarioType** The update session type. +- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date. +- **wuDeviceid** Unique device ID used by Windows Update. + + ### Microsoft.Windows.Update.Orchestrator.UpdaterMalformedData This event is sent when a registered updater has missing or corrupted information, to help keep Windows up to date. @@ -7727,6 +8023,105 @@ The following fields are available: - **wuDeviceid** Represents device ID. +### Microsoft.Windows.WindowsUpdate.RUXIM.ICSEvaluateInteractionCampaign + +This event is generated when the RUXIM Interaction Campaign Scheduler (RUXIMICS.EXE) finishes processing an interaction campaign. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **ControlId** String identifying the control (if any) that was selected by the user during presentation. +- **hrInteractionHandler** The error (if any) reported by the RUXIM Interaction Handler while processing the interaction campaign. +- **hrScheduler** The error (if any) encountered by RUXIM Interaction Campaign Scheduler itself while processing the interaction campaign. +- **InteractionCampaignID** The ID of the interaction campaign that was processed. +- **ResultId** The result of the evaluation/presentation. +- **WasCompleted** True if the interaction campaign is complete. +- **WasPresented** True if the Interaction Handler displayed the interaction campaign to the user. + + +### Microsoft.Windows.WindowsUpdate.RUXIM.ICSExit + +This event is generated when the RUXIM Interaction Campaign Scheduler (RUXIMICS) exits. The data collected with this event is used to help keep Windows up to date and performing properly. + + + +### Microsoft.Windows.WindowsUpdate.RUXIM.ICSLaunch + +This event is generated when the RUXIM Interaction Campaign Scheduler (RUXIMICS.EXE) is launched. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **CommandLine** The command line used to launch RUXIMICS. + + +### Microsoft.Windows.WindowsUpdate.RUXIM.IHEvaluateAndPresent + +This event is generated when the RUXIM Interaction Handler finishes evaluating, and possibly presenting an interaction campaign. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **hrLocal** The error (if any) encountered by RUXIM Interaction Handler during evaluation and presentation. +- **hrPresentation** The error (if any) reported by RUXIM Presentation Handler during presentation. +- **InteractionCampaignID** GUID; the user interaction campaign processed by RUXIM Interaction Handler. +- **ResultId** The result generated by the evaluation and presentation. +- **WasCompleted** True if the user interaction campaign is complete. +- **WasPresented** True if the user interaction campaign is displayed to the user. + + +### Microsoft.Windows.WindowsUpdate.RUXIM.IHExit + +This event is generated when the RUXIM Interaction Handler (RUXIMIH.EXE) exits. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **InteractionCampaignID** GUID identifying the interaction campaign that RUXIMIH processed. + + +### Microsoft.Windows.WindowsUpdate.RUXIM.IHLaunch + +This event is generated when the RUXIM Interaction Handler (RUXIMIH.EXE) is launched. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **CommandLine** The command line used to launch RUXIMIH. +- **InteractionCampaignID** GUID identifying the user interaction campaign that the Interaction Handler will process. + + +### Microsoft.Windows.WindowsUpdate.RUXIM.SystemEvaluator.Evaluation + +This event is generated whenever the RUXIM Evaluator DLL performs an evaluation. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **HRESULT** Error, if any, that occurred during evaluation. (Note that if errors encountered during individual checks do not affect the overall result of the evaluation, those errors will be reported in NodeEvaluationData, but this HRESULT will still be zero.) +- **Id** GUID passed in by the caller to identify the evaluation. +- **NodeEvaluationData** Structure showing the results of individual checks that occurred during the overall evaluation. +- **Result** Overall result generated by the evaluation. + +### wilActivity + +This event provides a Windows Internal Library context used for Product and Service diagnostics. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **callContext** The function where the failure occurred. +- **currentContextId** The ID of the current call context where the failure occurred. +- **currentContextMessage** The message of the current call context where the failure occurred. +- **currentContextName** The name of the current call context where the failure occurred. +- **failureCount** The number of failures for this failure ID. +- **failureId** The ID of the failure that occurred. +- **failureType** The type of the failure that occurred. +- **fileName** The file name where the failure occurred. +- **function** The function where the failure occurred. +- **hresult** The HResult of the overall activity. +- **lineNumber** The line number where the failure occurred. +- **message** The message of the failure that occurred. +- **module** The module where the failure occurred. +- **originatingContextId** The ID of the originating call context that resulted in the failure. +- **originatingContextMessage** The message of the originating call context that resulted in the failure. +- **originatingContextName** The name of the originating call context that resulted in the failure. +- **threadId** The ID of the thread on which the activity is executing. + + ## Windows Update mitigation events ### Microsoft.Windows.Mitigations.AllowInPlaceUpgrade.ApplyTroubleshootingComplete @@ -7832,6 +8227,7 @@ This event is sent when the Update Reserve Manager clears one of the reserves. T The following fields are available: - **FinalReserveUsedSpace** The amount of used space for the reserve after it was cleared. +- **Flags** The context of clearing the reserves. - **InitialReserveUsedSpace** The amount of used space for the reserve before it was cleared. - **ReserveId** The ID of the reserve that needs to be cleared. diff --git a/windows/privacy/toc.yml b/windows/privacy/toc.yml index b631e434ef..25fc676681 100644 --- a/windows/privacy/toc.yml +++ b/windows/privacy/toc.yml @@ -1,7 +1,7 @@ - name: Privacy href: index.yml items: - - name: "Windows 10 & Privacy Compliance: A Guide for IT and Compliance Professionals" + - name: "Windows Privacy Compliance: A Guide for IT and Compliance Professionals" href: windows-10-and-privacy-compliance.md - name: Configure Windows diagnostic data in your organization href: configure-windows-diagnostic-data-in-your-organization.md @@ -15,6 +15,8 @@ href: Microsoft-DiagnosticDataViewer.md - name: Required Windows diagnostic data events and fields items: + - name: Required Windows 11 diagnostic data events and fields + href: required-windows-11-diagnostic-events-and-fields.md - name: Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 required Windows diagnostic data events and fields href: required-windows-diagnostic-data-events-and-fields-2004.md - name: Windows 10, version 1909 and Windows 10, version 1903 required level Windows diagnostic events and fields @@ -29,18 +31,24 @@ href: basic-level-windows-diagnostic-events-and-fields-1703.md - name: Optional Windows diagnostic data events and fields items: - - name: Windows 10, version 1709 and newer optional diagnostic data + - name: Windows 10, version 1709 and later and Windows 11 optional diagnostic data href: windows-diagnostic-data.md - name: Windows 10, version 1703 optional diagnostic data href: windows-diagnostic-data-1703.md - name: Windows 10 diagnostic data events and fields collected through the limit enhanced diagnostic data policy href: enhanced-diagnostic-data-windows-analytics-events-and-fields.md - - name: Manage Windows 10 connection endpoints + - name: Manage Windows connected experiences items: - name: Manage connections from Windows operating system components to Microsoft services href: manage-connections-from-windows-operating-system-components-to-microsoft-services.md - name: Manage connections from Windows operating system components to Microsoft services using MDM href: manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md + - name: Essential services and connected experiences for Windows + href: essential-services-and-connected-experiences.md + - name: Connection endpoints for Windows 11 + href: manage-windows-11-endpoints.md + - name: Connection endpoints for Windows 10, version 21H1 + href: manage-windows-21H1-endpoints.md - name: Connection endpoints for Windows 10, version 20H2 href: manage-windows-20H2-endpoints.md - name: Connection endpoints for Windows 10, version 2004 @@ -55,6 +63,10 @@ href: manage-windows-1803-endpoints.md - name: Connection endpoints for Windows 10, version 1709 href: manage-windows-1709-endpoints.md + - name: Connection endpoints for non-Enterprise editions of Windows 11 + href: windows-11-endpoints-non-enterprise-editions.md + - name: Connection endpoints for non-Enterprise editions of Windows 10, version 21H1 + href: windows-endpoints-21H1-non-enterprise-editions.md - name: Connection endpoints for non-Enterprise editions of Windows 10, version 20H2 href: windows-endpoints-20H2-non-enterprise-editions.md - name: Connection endpoints for non-Enterprise editions of Windows 10, version 2004 diff --git a/windows/privacy/windows-10-and-privacy-compliance.md b/windows/privacy/windows-10-and-privacy-compliance.md index cfe581ed04..0930e7356b 100644 --- a/windows/privacy/windows-10-and-privacy-compliance.md +++ b/windows/privacy/windows-10-and-privacy-compliance.md @@ -1,6 +1,6 @@ --- -title: Windows 10 & Privacy Compliance Guide -description: This article provides information to help IT and compliance professionals understand the personal data policies as related to Windows 10. +title: Windows Privacy Compliance Guide +description: This article provides information to help IT and compliance professionals understand the personal data policies as related to Windows. keywords: privacy, GDPR, compliance ms.prod: w10 ms.mktglfcycl: manage @@ -13,67 +13,65 @@ ms.author: brianlic manager: dansimp ms.collection: M365-security-compliance ms.topic: article -ms.date: 07/21/2020 +ms.date: 10/04/2021 --- -# Windows 10 & Privacy Compliance:
      A Guide for IT and Compliance Professionals +# Windows Privacy Compliance:
      A Guide for IT and Compliance Professionals Applies to: -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Professional -- Windows Server 2016 and newer +- Windows 10 and 11 Enterprise +- Windows 10 and 11 Education +- Windows 10 and 11 Professional +- Windows Server 2016 and later ## Overview -At Microsoft, we are committed to data privacy across all our products and services. With this guide, we provide administrators and compliance professionals with data privacy considerations for Windows 10. +At Microsoft, we are committed to data privacy across all our products and services. With this guide, we provide administrators and compliance professionals with data privacy considerations for Windows. -Microsoft collects data through multiple interactions with users of Windows 10 devices. This information can contain personal data that may be used to provide, secure, and improve Windows 10 services. To help users and organizations control the collection of personal data, Windows 10 provides comprehensive transparency features, settings choices, controls, and support for data subject requests, all of which are detailed in this article. +Microsoft collects data through multiple interactions with users of Windows devices. This information can contain personal data that may be used to provide, secure and improve Windows, and to provide connected experiences. To help users and organizations control the collection of personal data, Windows provides comprehensive transparency features, settings choices, controls, and support for data subject requests, all of which are detailed in this article. -This information allows administrators and compliance professionals to work together to better manage personal data privacy considerations and related regulations, such as the General Data Protection Regulation (GDPR) +This information allows administrators and compliance professionals to work together to better manage personal data privacy considerations and related regulations, such as the General Data Protection Regulation (GDPR). -## 1. Windows 10 data collection transparency +## 1. Windows data collection transparency -Transparency is an important part of the data collection process in Windows 10. Comprehensive information about the features and processes used to collect data is available to users and administrators directly within Windows, both during and after device set up. +Transparency is an important part of the data collection process in Windows. Comprehensive information about the features and processes used to collect data is available to users and administrators directly within Windows, both during and after device setup. ### 1.1 Device set up experience and support for layered transparency When setting up a device, a user can configure their privacy settings. Those privacy settings are key in determining the amount of personal data collected. For each privacy setting, the user is provided information about the setting along with the links to supporting information. This information explains what data is collected, how the data is used, and how to manage the setting after the device setup is complete. When connected to the network during this portion of setup, the user can also review the privacy statement. A brief overview of the set up experience for privacy settings is described in [Windows Insiders get first look at new privacy screen settings layout coming to Windows 10](https://blogs.windows.com/windowsexperience/2018/03/06/windows-insiders-get-first-look-new-privacy-screen-settings-layout-coming-windows-10/#uCC2bKYP8M5BqrDP.97), a blog entry on Windows Blogs. -The following table provides an overview of the Windows 10 privacy settings presented during the device setup experience that involve processing personal data and where to find additional information. +The following table provides an overview of the Windows 10 and Windows 11 privacy settings presented during the device setup experience that involve processing personal data and where to find additional information. > [!NOTE] -> This table is limited to the privacy settings that are available as part of setting up a Windows 10 device (Windows 10, version 1809 and newer). For the full list of settings that involve data collection, see [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md). +> This table is limited to the privacy settings that are most commonly available when setting up a current version of Windows 10 or newer. For the full list of settings that involve data collection, see [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md). -| Feature/Setting | Description | Supporting Content | Privacy Statement | +| Feature/Setting | Description | Supporting content | Privacy statement | | --- | --- | --- | --- | -| Diagnostic Data |

      Microsoft uses diagnostic data to keep Windows secure, up to date, troubleshoot problems, and make product improvements. Regardless of what choices you make for diagnostic data collection, the device will be just as secure and will operate normally. This data is collected by Microsoft and stored with one or more unique identifiers that can help us recognize an individual user on an individual device and understand the device's service issues and use patterns.

      Diagnostic data is categorized into the following:

      • **Required diagnostic data**
        Required diagnostic data includes information about your device, its settings, capabilities, and whether it is performing properly, whether a device is ready for an update, and whether there are factors that may impede the ability to receive updates, such as low battery, limited disk space, or connectivity through a paid network. You can find out what is collected with required diagnostic data [here](./required-windows-diagnostic-data-events-and-fields-2004.md).
      • **Optional diagnostic data**
        Optional diagnostic data includes more detailed information about your device and its settings, capabilities, and device health. When you choose to send optional diagnostic data, required diagnostic data will always be included. You can find out the types of optional diagnostic data collected [here](./windows-diagnostic-data.md).

      | [Learn more](https://support.microsoft.com/help/4468236/diagnostics-feedback-and-privacy-in-windows-10-microsoft-privacy)

      [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md) | [Privacy Statement](https://privacy.microsoft.com/privacystatement#maindiagnosticsmodule) | -| Inking and typing diagnostics | Microsoft collects optional inking and typing diagnostic data to improve the language recognition and suggestion capabilities of apps and services running on Windows. | [Learn more](https://support.microsoft.com/help/4468236/diagnostics-feedback-and-privacy-in-windows-10-microsoft-privacy) | [Privacy Statement](https://privacy.microsoft.com/privacystatement#maindiagnosticsmodule) | -| Speech | Use your voice for dictation and to talk to Cortana and other apps that use Windows cloud-based speech recognition. Microsoft collects voice data to help improve speech services. | [Learn more](https://support.microsoft.com/help/4468250/windows-10-speech-voice-activation-inking-typing-privacy) | [Privacy Statement](https://privacy.microsoft.com/privacystatement#mainspeechinkingtypingmodule) | +| Diagnostic Data |

      Microsoft uses diagnostic data to keep Windows secure, up to date, troubleshoot problems, and make product improvements. Regardless of what choices you make for diagnostic data collection, the device will be just as secure and will operate normally. This data is collected by Microsoft to quickly identify and address issues affecting its customers.

      Diagnostic data is categorized into the following:

      • **Required diagnostic data**
        Required diagnostic data includes information about your device, its settings, capabilities, and whether it is performing properly, whether a device is ready for an update, and whether there are factors that may impede the ability to receive updates, such as low battery, limited disk space, or connectivity through a paid network. You can find out what is collected with required diagnostic data [here](./required-windows-diagnostic-data-events-and-fields-2004.md).
      • **Optional diagnostic data**
        Optional diagnostic data includes more detailed information about your device and its settings, capabilities, and device health. When you choose to send optional diagnostic data, required diagnostic data will always be included. You can find out the types of optional diagnostic data collected [here](./windows-diagnostic-data.md).

      | [Learn more](https://support.microsoft.com/help/4468236/diagnostics-feedback-and-privacy-in-windows-10-microsoft-privacy)

      [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md) | [Privacy Statement](https://privacy.microsoft.com/privacystatement#maindiagnosticsmodule) | +| Inking & typing | Microsoft collects optional inking and typing diagnostic data to improve the language recognition and suggestion capabilities of apps and services running on Windows. | [Learn more](https://support.microsoft.com/help/4468236/diagnostics-feedback-and-privacy-in-windows-10-microsoft-privacy) | [Privacy Statement](https://privacy.microsoft.com/privacystatement#maindiagnosticsmodule) | | Location | Get location-based experiences like directions and weather. Let Windows and apps request your location and allow Microsoft to use your location data to improve location services. | [Learn more](https://support.microsoft.com/help/4468240/windows-10-location-service-and-privacy) |[Privacy Statement](https://privacy.microsoft.com/privacystatement#mainlocationservicesmotionsensingmodule) | | Find my device | Use your device’s location data to help you find your device if you lose it. | [Learn more](https://support.microsoft.com/help/11579/microsoft-account-find-and-lock-lost-windows-device) | [Privacy Statement](https://privacy.microsoft.com/privacystatement#mainlocationservicesmotionsensingmodule) | | Tailored Experiences | Let Microsoft offer you tailored experiences based on the diagnostic data you choose to send. Tailored experiences include personalized tips, ads, and recommendations to enhance Microsoft products and services for your needs. | [Learn more](https://support.microsoft.com/help/4468236/diagnostics-feedback-and-privacy-in-windows-10-microsoft-privacy) | [Privacy Statement](https://privacy.microsoft.com/privacystatement#maindiagnosticsmodule) | | Advertising Id | Apps can use advertising ID to provide more personalized advertising in accordance with the privacy policy of the app provider. | [Learn more](https://support.microsoft.com/help/4459081/windows-10-general-privacy-settings) | [Privacy statement](https://support.microsoft.com/help/4459081/windows-10-general-privacy-settings) | -| Activity History/Timeline – Cloud Sync | If you want Windows Timeline and other Windows features to help you continue what you were doing, even when you switch devices, send Microsoft your activity history, which includes info about websites you browse and how you use apps and services. | [Learn more](https://support.microsoft.com/help/4468227/windows-10-activity-history-and-your-privacy-microsoft-privacy) | [Privacy statement](https://privacy.microsoft.com/privacystatement#mainactivityhistorymodule) | -| Cortana |

      Cortana is Microsoft’s personal digital assistant, which helps busy people get things done, even while they’re at work. Cortana on Windows is available in [certain regions and languages](https://support.microsoft.com/help/4026948/cortanas-regions-and-languages). Cortana learns from certain data about the user, such as location, searches, calendar, contacts, voice input, speech patterns, email, content, and communication history from text messages. In Microsoft Edge, Cortana uses browsing history. The user is in control of how much data is shared.

      Cortana has powerful configuration options, specifically optimized for a business. By signing in with an Azure Active Directory (Azure AD) account, enterprise users can give Cortana access to their enterprise/work identity, while getting all the functionality Cortana provides to them outside of work.

      | [Learn more](https://support.microsoft.com/help/4468233/cortana-and-privacy-microsoft-privacy)

      [Cortana integration in your business or enterprise](/windows/configuration/cortana-at-work/cortana-at-work-overview) | [Privacy statement](https://privacy.microsoft.com/privacystatement#maincortanamodule) | + ### 1.2 Data collection monitoring -[Diagnostic Data Viewer (DDV)](diagnostic-data-viewer-overview.md) is a Microsoft Store app (available in Windows 10, version 1803 and newer) that lets a user review the Windows diagnostic data that is being collected on their Windows 10 device and sent to Microsoft in real-time. DDV groups the information into simple categories that describe the data that’s being collected. +[Diagnostic Data Viewer (DDV)](diagnostic-data-viewer-overview.md) is a Microsoft Store app (available in Windows 10, version 1803 and later and Windows 11) that lets a user review the Windows diagnostic data that is being collected on their Windows device and sent to Microsoft in real-time. DDV groups the information into simple categories that describe the data that’s being collected. An administrator can also use the Diagnostic Data Viewer for PowerShell module to view the diagnostic data collected from the device instead of using the Diagnostic Data Viewer UI. The [Diagnostic Data Viewer for PowerShell Overview](microsoft-diagnosticdataviewer.md) provides further information. > [!Note] > If the Windows diagnostic data processor configuration is enabled, IT administrators should use the admin portal to fulfill data subject requests to access or export Windows diagnostic data associated with a particular user’s device usage. See [The process for exercising data subject rights](#3-the-process-for-exercising-data-subject-rights). -## 2. Windows 10 data collection management +## 2. Windows data collection management -Windows 10 provides the ability to manage privacy settings through several different methods. Users can change their privacy settings using the Windows 10 settings (**Start > Settings > Privacy**). The organization can also manage the privacy settings using Group Policy or Mobile Device Management (MDM). The following sections provide an overview on how to manage the privacy settings previously discussed in this article. +Windows provides the ability to manage privacy settings through several different methods. Users can change their privacy settings by opening the Settings app in Windows, or the organization can also manage the privacy settings using Group Policy or Mobile Device Management (MDM). The following sections provide an overview on how to manage the privacy settings previously discussed in this article. ### 2.1 Privacy setting options for users -Once a Windows 10 device is set up, a user can manage data collection settings by navigating to **Start > Settings > Privacy**. Administrators can control privacy settings via setting policy on the device (see Section 2.2 below). If this is the case, the user will see an alert that says **Some settings are hidden or managed by your organization** when they navigate to **Start > Settings > Privacy**. In this case, the user can only change settings in accordance with the policies that the administrator has applied to the device. +Once a Windows device is set up, a user can manage data collection settings by opening the Settings app in Windows. Administrators can control privacy settings via setting policy on the device (see Section 2.2 below). If this is the case, the user will see an alert that says **Some settings are hidden or managed by your organization** when they navigate to the settings page. In this case, the user can only change settings in accordance with the policies that the administrator has applied to the device. ### 2.2 Privacy setting controls for administrators @@ -82,15 +80,15 @@ Administrators can configure and control privacy settings across their organizat The following table provides an overview of the privacy settings discussed earlier in this document with details on how to configure these policies. The table also provides information on what the default value would be for each of these privacy settings if you do not manage the setting by using policy and suppress the Out-of-box Experience (OOBE) during device setup. If you’re interested in minimizing data collection, we also provide the recommended value to set. > [!NOTE] -> This is not a complete list of settings that involve connecting to Microsoft services. For a more detailed list, see [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md). +> This is not a complete list of settings that involve managing data collection or connecting to connected experiences in Windows. For a more detailed list, see [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md). -| Feature/Setting | GP/MDM Documentation | Default State if the Setup experience is suppressed | State to stop/minimize data collection | +| Connected experience /setting | GP/MDM documentation | Default state if the setup experience is suppressed | State to stop/minimize data collection | |---|---|---|---| | [Speech](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-speech) | Group Policy:
      **Computer Configuration** > **Control Panel** > **Regional and Language Options** > **Allow users to enable online speech recognition services**

      MDM: [Privacy/AllowInputPersonalization](/windows/client-management/mdm/policy-csp-privacy#privacy-allowinputpersonalization) | Off | Off | -| [Location](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-location) | Group Policy:
      **Computer Configuration** > **Windows Components** > **App Privacy** > **Let Windows apps access location**

      MDM: [Privacy/LetAppsAccessLocation](/windows/client-management/mdm/policy-csp-privacy#privacy-allowinputpersonalization) | Off (Windows 10, version 1903 and later) | Off | +| [Location](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-location) | Group Policy:
      **Computer Configuration** > **Windows Components** > **App Privacy** > **Let Windows apps access location**

      MDM: [Privacy/LetAppsAccessLocation](/windows/client-management/mdm/policy-csp-privacy#privacy-allowinputpersonalization) | Off (Windows 10, version 1903 and later and Windows 11) | Off | | [Find my device](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#find-my-device) | Group Policy:
      **Computer Configuration** > **Windows Components** > **Find My Device** > **Turn On/Off Find My Device**

      MDM: [Experience/AllFindMyDevice](/windows/client-management/mdm/policy-csp-experience#experience-allowfindmydevice) | Off | Off | -| [Diagnostic Data](configure-windows-diagnostic-data-in-your-organization.md#manage-enterprise-diagnostic-data) | Group Policy:
      **Computer Configuration** > **Windows Components** > **Data Collection and Preview Builds** > **Allow Telemetry**

      MDM: [System/AllowTelemetry](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry)

      **Note**: If you are planning to configure devices, using the Windows diagnostic data processor configuration option, the state to minimize data collection is not recommended. See [Enabling the Windows diagnostic data processor configuration](#238-diagnostic-data-enabling-the-windows-diagnostic-data-processor-configuration) below for more information. | Required diagnostic data (Windows 10, version 1903 and later)

      Server editions:
      Enhanced diagnostic data | Security (Off) and block endpoints | -| [Inking and typing diagnostics](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-ink) | Group Policy:
      **Computer Configuration** > **Windows Components** > **Text Input** > **Improve inking and typing recognition**

      MDM: [TextInput/AllowLinguisticDataCollection](/windows/client-management/mdm/policy-csp-textinput#textinput-allowlinguisticdatacollection) | Off (Windows 10, version 1809 and later) | Off | +| [Diagnostic Data](configure-windows-diagnostic-data-in-your-organization.md) | Group Policy:
      **Computer Configuration** > **Windows Components** > **Data Collection and Preview Builds** > **Allow Telemetry** (or **Allow diagnostic data** in Windows 11 or Windows Server 2022)

      MDM: [System/AllowTelemetry](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry)

      **Note**: If you are planning to configure devices, using the Windows diagnostic data processor configuration option, the state to minimize data collection is not recommended. For more information, see [Enabling the Windows diagnostic data processor configuration](#237-diagnostic-data-enabling-the-windows-diagnostic-data-processor-configuration). | Required diagnostic data (Windows 10, version 1903 and later and Windows 11)

      Server editions:
      Enhanced diagnostic data | Security (Off) and block endpoints | +| [Inking and typing diagnostics](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-ink) | Group Policy:
      **Computer Configuration** > **Windows Components** > **Text Input** > **Improve inking and typing recognition**

      MDM: [TextInput/AllowLinguisticDataCollection](/windows/client-management/mdm/policy-csp-textinput#textinput-allowlinguisticdatacollection) | Off (Windows 10, version 1809 and later and Windows 11) | Off | | Tailored Experiences | Group Policy:
      **User Configuration** > **Windows Components** > **Cloud Content** > **Do not use diagnostic data for tailored experiences**

      MDM: [Experience/AllowTailoredExperiencesWithDiagnosticData](/windows/client-management/mdm/policy-csp-experience#experience-allowtailoredexperienceswithdiagnosticdata) | Off | Off | | Advertising ID | Group Policy:
      **Computer Configuration** > **System** > **User Profile** > **Turn off the advertising Id**

      MDM: [Privacy/DisableAdvertisingId](/windows/client-management/mdm/policy-csp-privacy#privacy-disableadvertisingid) | Off | Off | | Activity History/Timeline – Cloud Sync | Group Policy:
      **Computer Configuration** > **System** > **OS Policies** > **Allow upload of User Activities**

      MDM: [Privacy/EnableActivityFeed](/windows/client-management/mdm/policy-csp-privacy#privacy-enableactivityfeed) | Off | Off | @@ -108,55 +106,56 @@ If you want the ability to fully control and apply restrictions on data being se Alternatively, your administrators can also choose to use Windows Autopilot. Autopilot lessens the overall burden of deployment while allowing administrators to fully customize the out-of-box experience. However, since Windows Autopilot is a cloud-based solution, administrators should be aware that a minimal set of device identifiers are sent back to Microsoft during initial device boot up. This device-specific information is used to identify the device so that it can receive the administrator-configured Autopilot profile and policies. -You can use the following articles to learn more about Autopilot and how to use Autopilot to deploy Windows 10: +You can use the following articles to learn more about Autopilot and how to use Autopilot to deploy Windows: - [Overview of Windows Autopilot](/windows/deployment/windows-Autopilot/windows-Autopilot) - [Windows Autopilot deployment process](/windows/deployment/windows-Autopilot/deployment-process) -#### _2.3.2 Managing connections from Windows components to Microsoft services_ +#### _2.3.2 Managing Windows connected experiences and essential services_ -Administrators can manage the data sent from their organization to Microsoft by configuring settings associated with the functionality provided by Windows components. +Windows includes features that connect to the internet to provide enhanced experiences and additional service-based capabilities. These features are called connected experiences. For example, Microsoft Defender Antivirus is a connected experience that delivers updated protection to keep the devices in your organization secure. -For more details, see [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md). This topic includes the different methods available on how to configure each setting, the impact to functionality, and which versions of Windows that are applicable. +Essential services are services in the product that connect to Microsoft to keep the product secure, up to date and performing as expected, or are integral to how the product works. For example, the licensing service that confirms that you’re properly licensed to use Windows. -#### _2.3.3 Managing Windows 10 connections_ +[Windows essential services and connected experiences](essential-services-and-connected-experiences.md) provides a list of the most common Windows essential services and connected experiences. -Some Windows components, apps, and related services transfer data to Microsoft network endpoints. An administrator may want to block these endpoints for their organization to meet their specific compliance objectives. +When a connected experience is used, data is sent to and processed by Microsoft to provide that connected experience. Administrators can manage the data sent from their organization to Microsoft by configuring settings that are associated with the functionality provided by Windows connected experiences and essential services. For more information, see [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md). This article includes the different methods available to configure each setting, the impact to functionality, and the versions of Windows that are applicable. -[Manage connection endpoints for Windows 10, version 1903](manage-windows-1903-endpoints.md) provides a list of endpoints for the latest Windows 10 release, along with descriptions of any functionality that would be impacted by restricting data collection. Details for additional Windows versions can be found on the Windows Privacy site under the **Manage Windows 10 connection endpoints** section of the left-hand navigation menu. +The article [Manage connection endpoints for Windows 11 Enterprise](manage-windows-11-endpoints.md) provides a list of endpoints to which data is transferred by Windows connected experiences for the latest Windows release, along with descriptions of any functionality that would be impacted by restricting data collection. -#### _2.3.4 Limited functionality baseline_ +#### _2.3.3 Limited functionality baseline_ An organization may want to minimize the amount of data sent back to Microsoft or shared with Microsoft apps by managing the connections and configuring additional settings on their devices. Similar to [Windows security baselines](/windows/security/threat-protection/windows-security-baselines), Microsoft has released a limited functionality baseline focused on configuring settings to minimize the data sent back to Microsoft. However, the functionality of the device could be impacted by applying these settings. The [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) article provides details on how to apply the baseline, along with the full list of settings covered in the baseline and the functionality that would be impacted. Administrators that don’t want to apply the baseline can still find details on how to configure each setting individually to find the right balance between data sharing and impact to functionality for their organization. >[!IMPORTANT] > - We recommend that you fully test any modifications to these settings before deploying them in your organization. -> - We also recommend that if you plan to enable the Windows diagnostic data processor configuration, adjust the limited configuration baseline before deploying to ensure the Windows diagnostic setting is not turned off. +> - We also recommend that if you plan to enable the Windows diagnostic data processor configuration, adjust the limited configuration baseline before deploying it to ensure the Windows diagnostic setting is not turned off. -#### _2.3.5 Diagnostic data: Managing notifications for change of level at logon_ +#### _2.3.4 Diagnostic data: Managing notifications for change of level at logon_ -Starting with Windows 10, version 1803, if an administrator modifies the diagnostic data collection setting, users are notified of this change during the initial device sign in. For example, if you configure the device to send optional diagnostic data, users will be notified the next time they sign into the device. You can disable these notifications by using the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Configure telemetry opt-in change notifications** or the MDM policy `ConfigureTelemetryOptInChangeNotification`. +Starting with Windows 10, version 1803 and Windows 11, if an administrator modifies the diagnostic data collection setting, users are notified of this change during the initial device sign in. For example, if you configure the device to send optional diagnostic data, users will be notified the next time they sign into the device. You can disable these notifications by using the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Configure telemetry opt-in change notifications** or the MDM policy `ConfigureTelemetryOptInChangeNotification`. -#### _2.3.6 Diagnostic data: Managing end user choice for changing the setting_ +#### _2.3.5 Diagnostic data: Managing end user choice for changing the setting_ -Windows 10, version 1803 and newer allows users to change their diagnostic data level to a lower setting than what their administrator has set. For example, if you have configured the device to send optional diagnostic data, a user can change the setting so that only required diagnostic data is sent by going into **Settings** > **Privacy** > **Diagnostics & feedback**. Administrators can restrict a user’s ability to change the setting using **Setting** > **Privacy** by setting the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Configure telemetry opt-in setting user interface** or the MDM policy `ConfigureTelemetryOptInSettingsUx`. +Windows 10, version 1803 and later and Windows 11 allows users to change their diagnostic data level to a lower setting than what their administrator has set. For example, if you have configured the device to send optional diagnostic data, a user can change the setting so that only required diagnostic data is sent by opening the Settings app in Windows and navigating to **Diagnostic & feedback**. Administrators can restrict a user’s ability to change the setting by enabling the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Configure telemetry opt-in setting user interface** or the MDM policy `ConfigureTelemetryOptInSettingsUx`. -#### _2.3.7 Diagnostic data: Managing device-based data delete_ +#### _2.3.6 Diagnostic data: Managing device-based data delete_ -Windows 10, version 1809 and newer allows a user to delete diagnostic data collected from their device by using **Settings** > **Privacy** > **Diagnostic & feedback** and clicking the **Delete** button under the **Delete diagnostic data** heading. An administrator can also delete diagnostic data for a device using the [Clear-WindowsDiagnosticData](/powershell/module/windowsdiagnosticdata/Clear-WindowsDiagnosticData) PowerShell cmdlet. +Windows 10, version 1809 and later and Windows 11 allow a user to delete diagnostic data collected from their device by opening the Settings app in Windows and navigating to **Diagnostic & feedback** and clicking the **Delete** button under the **Delete diagnostic data** heading. An administrator can also delete diagnostic data for a device using the [Clear-WindowsDiagnosticData](/powershell/module/windowsdiagnosticdata/Clear-WindowsDiagnosticData) PowerShell cmdlet. An administrator can disable a user’s ability to delete their device’s diagnostic data by setting the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Disable deleting diagnostic data** or the MDM policy `DisableDeviceDelete`. >[!Note] >If the Windows diagnostic data processor configuration is enabled, the Delete diagnostic data button will be disabled and the powershell cmdlet will not delete data collected under this configuration. IT administrators can instead delete diagnostic data collected by invoking a delete request from the admin portal. -#### _2.3.8 Diagnostic data: Enabling the Windows diagnostic data processor configuration_ +#### _2.3.7 Diagnostic data: Enabling the Windows diagnostic data processor configuration_ **Applies to:** -- Windows 10 Enterprise, Pro, Education editions, version 1809 with July 2021 update and newer +- Windows 11 Enterprise, Professional, and Education editions +- Windows 10 Enterprise, Professional, and Education, version 1809 with July 2021 update and newer -The Windows diagnostic data processor configuration enables IT administrators to be the controller, as defined by the European Union General Data Protection Regulation (GDPR), for the Windows diagnostic data collected from Windows 10 devices that are Azure Active Directory (AAD) joined and meet the configuration requirements. For more information, see [Enable Windows diagnostic data processor configuration](configure-windows-diagnostic-data-in-your-organization.md#enable-windows-diagnostic-data-processor-configuration) in [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md). Windows diagnostic data does not include data processed by Microsoft in connection with providing service-based capabilities. +The Windows diagnostic data processor configuration enables IT administrators to be the controller, as defined by the European Union General Data Protection Regulation (GDPR), for the Windows diagnostic data collected from Windows devices that are Azure Active Directory (AAD) joined and meet the configuration requirements. For more information, see [Enable Windows diagnostic data processor configuration](configure-windows-diagnostic-data-in-your-organization.md#enable-windows-diagnostic-data-processor-configuration) in [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md). Windows diagnostic data does not include data processed by Microsoft in connection with providing service-based capabilities. The Windows diagnostic data collected from devices enabled with the Windows diagnostic data processor configuration may be associated with a specific AAD User ID or device ID. The Windows diagnostic data processor configuration provides you with controls that help respond to data subject requests (DSRs) to delete diagnostic data, at user account closure, for a specific AAD User ID. Additionally, you’re able to execute an export DSR for diagnostic data related to a specific AAD User ID. For more information, see [The process for exercising data subject rights](#3-the-process-for-exercising-data-subject-rights). Microsoft also will accommodate a tenant account closure, either because you decide to close your Azure or Azure AD tenant account, or because you decide you no longer wish to be the data controller for Windows diagnostic data, but still wish to remain an Azure customer. @@ -174,20 +173,20 @@ For more information on how Microsoft can help you honor rights and fulfill obli ## 3. The process for exercising data subject rights -This section discusses the different methods Microsoft provides for users and administrators to exercise data subject rights for data collected from a Windows 10 device. +This section discusses the different methods Microsoft provides for users and administrators to exercise data subject rights for data collected from a Windows device. For IT administrators who have devices using the Windows diagnostic data processor configuration, refer to the [Data Subject Requests for the GDPR and CCPA](/compliance/regulatory/gdpr-dsr-windows). Otherwise proceed to the sections below. ### 3.1 Delete -Users can delete their device-based data by going to **Settings** > **Privacy** > **Diagnostic & feedback** and clicking the **Delete** button under the **Delete diagnostic data** heading. Administrators can also use the [Clear-WindowsDiagnosticData](/powershell/module/windowsdiagnosticdata/Clear-WindowsDiagnosticData) PowerShell cmdlet. +Users can delete their device-based data by opening the Windows settings app and navigating to **Diagnostic & feedback** and clicking the **Delete** button under the **Delete diagnostic data** heading. Administrators can also use the [Clear-WindowsDiagnosticData](/powershell/module/windowsdiagnosticdata/Clear-WindowsDiagnosticData) PowerShell cmdlet. >[!Note] >If the Windows diagnostic data processor configuration is being used, the Delete diagnostic data functionality will be disabled. IT administrators can delete diagnostic data associated with a user from the admin portal. ### 3.2 View -The [Diagnostic Data Viewer (DDV)](diagnostic-data-viewer-overview.md) provides a view into the diagnostic data being collected from a Windows 10 device. Administrators can also use the [Get-DiagnosticData](microsoft-diagnosticdataviewer.md#install-and-use-the-diagnostic-data-viewer-for-powershell) PowerShell cmdlet. +The [Diagnostic Data Viewer (DDV)](diagnostic-data-viewer-overview.md) provides a view into the diagnostic data being collected from a Windows device. Administrators can also use the [Get-DiagnosticData](microsoft-diagnosticdataviewer.md#install-and-use-the-diagnostic-data-viewer-for-powershell) PowerShell cmdlet. >[!Note] >If the Windows diagnostic data processor configuration is enabled, IT administrators can view the diagnostic data that is associated with a user from the admin portal. @@ -216,7 +215,7 @@ The following sections provide details about how privacy data is collected and m ### 5.1 Windows Server 2016 and newer -Windows Server follows the same mechanisms as Windows 10 for handling of personal data. +Windows Server follows the same mechanisms as Windows 10 (and newer versions) for handling of personal data. >[!Note] >The Windows diagnostic data processor configuration is not available for Windows Server. @@ -235,15 +234,15 @@ An administrator can configure privacy-related settings, such as choosing to onl ### 5.3 Desktop Analytics -[Desktop Analytics](/mem/configmgr/desktop-analytics/overview) is a set of solutions for Azure portal that provide you with extensive data about the state of devices in your deployment. Desktop Analytics is a separate offering from Windows 10 and is dependent on enabling a minimum set of data collection on the device to function. +[Desktop Analytics](/mem/configmgr/desktop-analytics/overview) is a set of solutions for Azure portal that provide you with extensive data about the state of devices in your deployment. Desktop Analytics is a separate offering from Windows and is dependent on enabling a minimum set of data collection on the device to function. ### 5.4 Microsoft Managed Desktop -[Microsoft Managed Desktop (MMD)](/microsoft-365/managed-desktop/service-description/) is a service that provides your users with a secure modern experience and always keeps devices up to date with the latest versions of Windows 10 Enterprise edition, Office 365 ProPlus, and Microsoft security services. +[Microsoft Managed Desktop (MMD)](/microsoft-365/managed-desktop/service-description/) is a service that provides your users with a secure modern experience and always keeps devices up to date with the latest versions of Windows Enterprise edition, Office 365 ProPlus, and Microsoft security services. ### 5.5 Update Compliance -[Update Compliance](/windows/deployment/update/update-compliance-monitor) is a service that enables organizations to monitor security, quality and feature updates for Windows 10 Professional, Education, and Enterprise editions, and view a report of device and update issues related to compliance that need attention. Update Compliance uses Windows 10 diagnostic data for all its reporting. +[Update Compliance](/windows/deployment/update/update-compliance-monitor) is a service that enables organizations to monitor security, quality and feature updates for Windows Professional, Education, and Enterprise editions, and view a report of device and update issues related to compliance that need attention. Update Compliance uses Windows diagnostic data for all its reporting. ## Additional Resources diff --git a/windows/privacy/windows-11-endpoints-non-enterprise-editions.md b/windows/privacy/windows-11-endpoints-non-enterprise-editions.md new file mode 100644 index 0000000000..1e8dc3c6e9 --- /dev/null +++ b/windows/privacy/windows-11-endpoints-non-enterprise-editions.md @@ -0,0 +1,246 @@ +--- +title: Windows 11 connection endpoints for non-Enterprise editions +description: Explains what Windows 11 endpoints are used in non-Enterprise editions. Specific to Windows 11. +keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016 +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.localizationpriority: high +audience: ITPro +author: gental-giant +ms.author: v-hakima +manager: robsize +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 10/04/2021 +--- +# Windows 11 connection endpoints for non-Enterprise editions + + **Applies to** + +- Windows 11 + +In addition to the endpoints listed for [Windows 11 Enterprise](manage-windows-11-endpoints.md), the following endpoints are available on other non-Enterprise editions of Windows 11. + +The following methodology was used to derive the network endpoints: + +1. Set up the latest version of Windows 11 on a test virtual machine using the default settings. +2. Leave the device(s) running idle for a week ("idle" means a user is not interacting with the system/device). +3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. +4. Compile reports on traffic going to public IP addresses. +5. The test virtual machine(s) was logged into using a local account, and was not joined to a domain or Azure Active Directory. +6. All traffic was captured in our lab using a IPV4 network. Therefore, no IPV6 traffic is reported here. +7. These tests were conducted in an approved Microsoft lab. It's possible your results may be different. +8. These tests were conducted for one week. If you capture traffic for longer, you may have different results. + +> [!NOTE] +> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. + +## Windows 11 Family + +| **Area** | **Description** | **Protocol** | **Destination** | +|-----------|--------------- |------------- |-----------------| +| Activity Feed Service |The following endpoints are used by Activity Feed Service, which enables multiple cross-device data roaming scenarios on Windows|TLSv1.2/HTTPS/HTTP|activity.windows.com| +|Apps|The following endpoints are used for the Weather app.|TLSv1.2/HTTPS/HTTP|tile-service.weather.microsoft.com| +||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser.|TLSv1.2/HTTPS/HTTP|evoke-windowsservices-tas.msedge.net| +||The following endpoint is used for OneNote Live Tile.|HTTPS/HTTP|cdn.onenote.net| +||Used for Spotify Live Tile|HTTPS/HTTP|spclient.wg.spotify.com| +|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available.|TLSv1.2/HTTPS/HTTP|ctldl.windowsupdate.com/*| +|Cortana and Live Tiles|The following endpoints are related to Cortana and Live Tiles|TLSv1.2/HTTPS/HTTP|www.bing.com*| +|||HTTPS/HTTP|fp.msedge.net| +|||HTTPS/HTTP|k-ring.msedge.net| +|||TLSv1.2|b-ring.msedge.net| +|Device authentication|The following endpoint is used to authenticate a device.|HTTPS|login.live.com*| +|Device Directory Service|Used by Device Directory Service to keep track of user-device associations and storing metadata about the devices.|HTTPS/HTTP|cs.dds.microsoft.com| +|Device metadata|The following endpoint is used to retrieve device metadata.|TLSv1.2/HTTP|dmd.metaservices.microsoft.com| +|Diagnostic data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.
      If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.|TLSv1.2/HTTP|v10.events.data.microsoft.com| +||The following endpoints are used by Windows Error Reporting.|TLSv1.2/HTTPS/HTTP|watson.telemetry.microsoft.com| +|Font Streaming|The following endpoints are used to download fonts on demand.|TLSv1.2/HTTPS|fs.microsoft.com*| +|Licensing|The following endpoint is used for online activation and some app licensing.|HTTPS/HTTP|*licensing.mp.microsoft.com| +|||HTTPS|licensing.mp.microsoft.com/v7.0/licenses/content| +|Location|The following endpoints are used for location data.|TLSV1.2|inference.location.live.net| +|Maps|The following endpoints are used to check for updates to maps that have been downloaded for offline use.|HTTPS/HTTP|maps.windows.com| +|||HTTPS/HTTP|*.ssl.ak.dynamic.tiles.virtualearth.net| +|||HTTPS/HTTP|*.ssl.ak.tiles.virtualearth.net| +|||HTTPS/HTTP|dev.virtualearth.net| +|||HTTPS/HTTP|ecn.dev.virtualearth.net| +|||HTTPS/HTTP|ssl.bing.com| +|Microsoft Account|The following endpoints are used for Microsoft accounts to sign in|TLSv1.2/HTTPS/HTTP|*login.live.com| +|Microsoft Edge| This network traffic is related to the Microsoft Edge browser. The Microsoft Edge browser requires these endpoint to contact external websites.|HTTPS/HTTP|edge.activity.windows.com
      edge.microsoft.com| +|Microsoft Edge|The following endpoint is used by Microsoft Edge Update service to check for new updates. If you disable this endpoint, Microsoft Edge won’t be able to check for and apply new edge updates.|HTTPS/HTTP|msedge.api.cdp.microsoft.com| +|Microsoft Store|The following endpoint is used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps)|TLSv1.2/HTTPS/HTTP|img-prod-cms-rt-microsoft-com.akamaized.net| +||The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way.|TLSv1.2/HTTPS|*.wns.windows.com| +||The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store.|TLSv1.2/HTTPS/HTTP|storecatalogrevocation.storequality.microsoft.com| +||The following endpoints are used to communicate with Microsoft Store.|TLSv1.2/HTTPS/HTTP|*displaycatalog.mp.microsoft.com| +|||HTTPS|pti.store.microsoft.com| +|||HTTPS|storesdk.dsx.mp.microsoft.com| +||The following endpoint is used to get Microsoft Store analytics.|TLSv1.2/HTTPS/HTTP|manage.devcenter.microsoft.com| +||The following endpoints are used get images that are used for Microsoft Store suggestions|TLSv1.2|store-images.s-microsoft.com| +|Network Connection Status Indicator (NCSI)|Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet.|TLSv1.2/HTTP|www.msftconnecttest.com*| +|Office|The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office in a browser.|TLSv1.2/HTTPS/HTTP|outlook.office365.com| +|||TLSv1.2/HTTPS|office.com| +|||TLSv1.2/HTTPS|blobs.officehome.msocdn.com| +|||HTTPS/HTTP|officehomeblobs.blob.core.windows.net| +|||HTTP/HTTPS|*.blob.core.windows.net| +|||TLSv1.2|self.events.data.microsoft.com| +|||HTTPS/HTTP|outlookmobile-office365-tas.msedge.net| +|||HTTP|roaming.officeapps.live.com| +|||HTTPS/HTTP|substrate.office.com| +|OneDrive|The following endpoints are related to OneDrive.|HTTPS|g.live.com| +|||TLSv1.2/HTTPS|oneclient.sfx.ms| +|||HTTPS/TLSv1.2|logincdn.msauth.net| +|||HTTPS/HTTP|windows.policies.live.net| +|||HTTPS/HTTP|api.onedrive.com| +|||HTTPS/HTTP|skydrivesync.policies.live.net| +|||HTTPS/HTTP|*storage.live.com| +|||HTTPS/HTTP|*settings.live.net| +|Settings|The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it.|TLSv1.2/HTTPS/HTTP|settings.data.microsoft.com*| +|||TLSv1.2/HTTPS/HTTP|settings-win.data.microsoft.com*| +|Skype|The following endpoint is used to retrieve Skype configuration values.|TLSv1.2/HTTPS/HTTP|*.pipe.aria.microsoft.com| +|||TLSv1.2/HTTPS/HTTP|config.edge.skype.com| +|Teams|The following endpoint is used for Microsoft Teams application.|TLSv1.2/HTTPS/HTTP|config.teams.microsoft.com| +|Microsoft Defender Antivirus|The following endpoints are used for Windows Defender when Cloud-based Protection is enabled|TLSv1.2/HTTPS|wdcp.microsoft.com
      wdcpalt.microsoft.com| +|||HTTPS/HTTP|*.smartscreen-prod.microsoft.com| +|||TLSv1.2|definitionupdates.microsoft.com| +||The following endpoints are used for Windows Defender SmartScreen reporting and notifications.|TLSv1.2|*.smartscreen.microsoft.com| +|||TLSv1.2/HTTP|checkappexec.microsoft.com| +|Windows Spotlight|The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips.|TLSv1.2/HTTPS/HTTP|arc.msn.com*
      ris.api.iris.microsoft.com| +|||HTTPS|mucp.api.account.microsoft.com| +|Windows Update|The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers.|TLSv1.2/HTTPS/HTTP|*.prod.do.dsp.mp.microsoft.com| +|||TLSv1.2/HTTP|emdl.ws.microsoft.com| +|||TLSv1.2/HTTPS/HTTP|*.dl.delivery.mp.microsoft.com| +||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store.|TLSv1.2/HTTP|*.windowsupdate.com| +|||TLSv1.2/HTTPS/HTTP|*.delivery.mp.microsoft.com| +||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store to help keep the device secure.|TLSv1.2/HTTPS/HTTP|*.update.microsoft.com| +||The following endpoint is used for compatibility database updates for Windows.|HTTP/HTTPS|adl.windows.com| +||The following endpoint is used for content regulation.|TLSv1.2/HTTPS/HTTP|tsfe.trafficshaping.dsp.mp.microsoft.com| +|Xbox Live|The following endpoints are used for Xbox Live.|TLSv1.2/HTTPS/HTTP|dlassets-ssl.xboxlive.com| +|||TLSv1.2/HTTPS|da.xboxservices.com| +|||HTTPS|www.xboxab.com| + + +## Windows 11 Pro + +| **Area** | **Description** | **Protocol** | **Destination** | +| --- | --- | --- | ---| +| Activity Feed Service |The following endpoints are used by Activity Feed Service, which enables multiple cross-device data roaming scenarios on Windows|TLSv1.2/HTTPS/HTTP|activity.windows.com| +|Apps|The following endpoints are used for the Weather app.|TLSv1.2/HTTPS/HTTP|tile-service.weather.microsoft.com| +||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser.|TLSv1.2/HTTPS/HTTP|evoke-windowsservices-tas.msedge.net| +||The following endpoint is used for OneNote Live Tile.|HTTPS/HTTP|cdn.onenote.net| +||Used for Spotify Live Tile|HTTPS/HTTP|spclient.wg.spotify.com| +|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available.|TLSv1.2/HTTPS/HTTP|ctldl.windowsupdate.com/*| +|Cortana and Live Tiles|The following endpoints are related to Cortana and Live Tiles|TLSv1.2/HTTPS/HTTP|www.bing.com*| +|Device authentication|The following endpoint is used to authenticate a device.|HTTPS|login.live.com*| +|Device metadata|The following endpoint is used to retrieve device metadata.|TLSv1.2/HTTP|dmd.metaservices.microsoft.com| +|Diagnostic data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.
      If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft. |TLSv1.2/HTTP|v10.events.data.microsoft.com| +||The following endpoints are used by Windows Error Reporting.|TLSv1.2/HTTPS/HTTP|watson.telemetry.microsoft.com| +|Font Streaming|The following endpoints are used to download fonts on demand.|TLSv1.2/HTTPS|fs.microsoft.com*| +|Licensing|The following endpoint is used for online activation and some app licensing.|HTTPS/HTTP|*licensing.mp.microsoft.com| +|Maps|The following endpoints are used to check for updates to maps that have been downloaded for offline use.|HTTPS/HTTP|maps.windows.com| +|Microsoft Account|The following endpoints are used for Microsoft accounts to sign in. |TLSv1.2/HTTPS/HTTP|*login.live.com| +|Microsoft Edge|The following endpoint is used by Microsoft Edge Update service to check for new updates. If you disable this endpoint, Microsoft Edge won’t be able to check for and apply new edge updates. |HTTPS/HTTP|msedge.api.cdp.microsoft.com| +|Microsoft Store|The following endpoint is used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps)|TLSv1.2/HTTPS/HTTP|img-prod-cms-rt-microsoft-com.akamaized.net| +||The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way.|TLSv1.2/HTTPS|*.wns.windows.com| +||The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store.|TLSv1.2/HTTPS/HTTP|storecatalogrevocation.storequality.microsoft.com| +||The following endpoints are used to communicate with Microsoft Store.|TLSv1.2/HTTPS/HTTP|*displaycatalog.mp.microsoft.com| +|||HTTPS|pti.store.microsoft.com| +|||HTTPS|storesdk.dsx.mp.microsoft.com| +||The following endpoint is used to get Microsoft Store analytics.|TLSv1.2/HTTPS/HTTP|manage.devcenter.microsoft.com| +|Network Connection Status Indicator (NCSI)|Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet.|TLSv1.2/HTTP|www.msftconnecttest.com*| +|Office|The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office in a browser.|TLSv1.2/HTTPS/HTTP|outlook.office365.com| +|||TLSv1.2/HTTPS|office.com| +|||TLSv1.2/HTTPS|blobs.officehome.msocdn.com| +|||HTTPS/HTTP|officehomeblobs.blob.core.windows.net| +|||HTTP/HTTPS|*.blob.core.windows.net| +|||TLSv1.2|self.events.data.microsoft.com| +|||HTTPS/HTTP|outlookmobile-office365-tas.msedge.net| +|||TLSv1.2/HTTPS/HTTP|officeclient.microsoft.com| +|||HTTPS/HTTP|substrate.office.com| +|OneDrive|The following endpoints are related to OneDrive.|HTTPS|g.live.com| +|||TLSv1.2/HTTPS|oneclient.sfx.ms| +|||HTTPS/TLSv1.2|logincdn.msauth.net| +|||HTTPS/HTTP|windows.policies.live.net| +|||HTTPS/HTTP|*storage.live.com| +|||HTTPS/HTTP|*settings.live.net| +|Settings|The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it.|TLSv1.2/HTTPS/HTTP|settings.data.microsoft.com*| +|||TLSv1.2/HTTPS/HTTP|settings-win.data.microsoft.com*| +|Skype|The following endpoint is used to retrieve Skype configuration values.|TLSv1.2/HTTPS/HTTP|*.pipe.aria.microsoft.com| +|||TLSv1.2/HTTPS/HTTP|config.edge.skype.com| +|Teams|The following endpoint is used for Microsoft Teams application.|TLSv1.2/HTTPS/HTTP|config.teams.microsoft.com| +|Microsoft Defender Antivirus|The following endpoints are used for Windows Defender when Cloud-based Protection is enabled|TLSv1.2/HTTPS|wdcp.microsoft.com
      wdcpalt.microsoft.com| +|||HTTPS/HTTP|*.smartscreen-prod.microsoft.com| +||The following endpoints are used for Windows Defender SmartScreen reporting and notifications.|TLSv1.2|*.smartscreen.microsoft.com| +|||TLSv1.2/HTTP|checkappexec.microsoft.com| +|Windows Spotlight|The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips.|TLSv1.2/HTTPS/HTTP|arc.msn.com*
      ris.api.iris.microsoft.com| +|Windows Update|The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers.|TLSv1.2/HTTPS/HTTP|*.prod.do.dsp.mp.microsoft.com| +|||TLSv1.2/HTTP|emdl.ws.microsoft.com| +|||TLSv1.2/HTTPS/HTTP|*.dl.delivery.mp.microsoft.com| +||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store.|TLSv1.2/HTTP|*.windowsupdate.com| +|||TLSv1.2/HTTPS/HTTP|*.delivery.mp.microsoft.com| +||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store to help keep the device secure.|TLSv1.2/HTTPS/HTTP|*.update.microsoft.com| +||The following endpoint is used for compatibility database updates for Windows.|HTTP/HTTPS|adl.windows.com| +||The following endpoint is used for content regulation.|TLSv1.2/HTTPS/HTTP|tsfe.trafficshaping.dsp.mp.microsoft.com| +|Xbox Live|The following endpoints are used for Xbox Live.|TLSv1.2/HTTPS/HTTP|dlassets-ssl.xboxlive.com| +|||TLSv1.2/HTTPS|da.xboxservices.com| + + + + +## Windows 11 Education + +| **Area** | **Description** | **Protocol** | **Destination** | +| --- | --- | --- | ---| +| Activity Feed Service |The following endpoints are used by Activity Feed Service, which enables multiple cross-device data roaming scenarios on Windows|TLSv1.2/HTTPS/HTTP|activity.windows.com| +|Apps|The following endpoints are used for the Weather app.|TLSv1.2/HTTPS/HTTP|tile-service.weather.microsoft.com| +||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser.|TLSv1.2/HTTPS/HTTP|evoke-windowsservices-tas.msedge.net| +||The following endpoint is used for OneNote Live Tile.|HTTPS/HTTP|cdn.onenote.net| +|Bing Search|The following endpoint is used by Microsoft Search in Bing enabling users to search across files, SharePoint sites, OneDrive content, Teams and Yammer conversations, and other shared data sources in an organization, as well as the web.|HTTPS|business.bing.com| +|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available.|TLSv1.2/HTTPS/HTTP|ctldl.windowsupdate.com/*| +|Cortana and Live Tiles|The following endpoints are related to Cortana and Live Tiles|TLSv1.2/HTTPS/HTTP|www.bing.com*| +|||HTTPS/HTTP|fp.msedge.net| +|||TLSv1.2|odinvzc.azureedge.net| +|||TLSv1.2|b-ring.msedge.net| +|Device metadata|The following endpoint is used to retrieve device metadata.|TLSv1.2/HTTP|dmd.metaservices.microsoft.com| +|Diagnostic data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.
      If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.|TLSv1.2/HTTP|v10.events.data.microsoft.com| +||The following endpoints are used by Windows Error Reporting.|TLSv1.2/HTTPS/HTTP|watson.telemetry.microsoft.com| +|Font Streaming|The following endpoints are used to download fonts on demand.|TLSv1.2/HTTPS|fs.microsoft.com*| +|Licensing|The following endpoint is used for online activation and some app licensing.|HTTPS/HTTP|*licensing.mp.microsoft.com| +|Location|The following endpoints are used for location data.|TLSV1.2|inference.location.live.net| +|Maps|The following endpoints are used to check for updates to maps that have been downloaded for offline use.|HTTPS/HTTP|maps.windows.com| +|Microsoft Account|The following endpoints are used for Microsoft accounts to sign in|TLSv1.2/HTTPS/HTTP|*login.live.com| +|Microsoft Edge|The following endpoint is used by Microsoft Edge Update service to check for new updates. If you disable this endpoint, Microsoft Edge won’t be able to check for and apply new edge updates.|HTTPS/HTTP|msedge.api.cdp.microsoft.com| +|Microsoft Store|The following endpoint is used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps)|TLSv1.2/HTTPS/HTTP|img-prod-cms-rt-microsoft-com.akamaized.net| +||The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way.|TLSv1.2/HTTPS|*.wns.windows.com| +||The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store.|TLSv1.2/HTTPS/HTTP|storecatalogrevocation.storequality.microsoft.com| +|||TLSv1.2/HTTPS/HTTP|1storecatalogrevocation.storequality.microsoft.com| +||The following endpoints are used to communicate with Microsoft Store.|TLSv1.2/HTTPS/HTTP|*displaycatalog.mp.microsoft.com| +|||HTTPS|pti.store.microsoft.com| +|||HTTPS|storesdk.dsx.mp.microsoft.com| +||The following endpoint is used to get Microsoft Store analytics.|TLSv1.2/HTTPS/HTTP|manage.devcenter.microsoft.com| +|Network Connection Status Indicator (NCSI)|Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet.|TLSv1.2/HTTP|www.msftconnecttest.com*| +|Office|The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office in a browser.|TLSv1.2/HTTPS|office.com| +|||HTTPS/HTTP|officehomeblobs.blob.core.windows.net| +|||TLSv1.2|self.events.data.microsoft.com| +|OneDrive|The following endpoints are related to OneDrive.|HTTPS|g.live.com| +|||TLSv1.2/HTTPS|oneclient.sfx.ms| +|||HTTPS/TLSv1.2|logincdn.msauth.net| +|Settings|The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it.|TLSv1.2/HTTPS/HTTP|settings.data.microsoft.com*| +|||TLSv1.2/HTTPS/HTTP|settings-win.data.microsoft.com*| +|Skype|The following endpoint is used to retrieve Skype configuration values.|TLSv1.2/HTTPS/HTTP|*.pipe.aria.microsoft.com| +|||TLSv1.2/HTTPS/HTTP|config.edge.skype.com| +|Teams|The following endpoint is used for Microsoft Teams application.|TLSv1.2/HTTPS/HTTP|config.teams.microsoft.com| +|Microsoft Defender Antivirus|The following endpoints are used for Windows Defender when Cloud-based Protection is enabled|TLSv1.2/HTTPS|wdcp.microsoft.com
      wdcpalt.microsoft.com| +|||HTTPS/HTTP|*.smartscreen-prod.microsoft.com| +||The following endpoints are used for Windows Defender SmartScreen reporting and notifications.|TLSv1.2|*.smartscreen.microsoft.com| +|||TLSv1.2/HTTP|checkappexec.microsoft.com| +|Windows Spotlight|The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips.|TLSv1.2/HTTPS/HTTP|arc.msn.com*
      ris.api.iris.microsoft.com| +|Windows Update|The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers.|TLSv1.2/HTTPS/HTTP|*.prod.do.dsp.mp.microsoft.com| +|||TLSv1.2/HTTP|emdl.ws.microsoft.com| +|||TLSv1.2/HTTPS/HTTP|*.dl.delivery.mp.microsoft.com| +||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store.|TLSv1.2/HTTP|*.windowsupdate.com| +|||TLSv1.2/HTTPS/HTTP|*.delivery.mp.microsoft.com| +||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store to help keep the device secure.|TLSv1.2/HTTPS/HTTP|*.update.microsoft.com| +||The following endpoint is used for compatibility database updates for Windows.|HTTP/HTTPS|adl.windows.com| +||The following endpoint is used for content regulation.|TLSv1.2/HTTPS/HTTP|tsfe.trafficshaping.dsp.mp.microsoft.com| +|Xbox Live|The following endpoints are used for Xbox Live.|TLSv1.2/HTTPS/HTTP|dlassets-ssl.xboxlive.com| +|||TLSv1.2/HTTPS|da.xboxservices.com| diff --git a/windows/privacy/windows-diagnostic-data.md b/windows/privacy/windows-diagnostic-data.md index f80e09a6a4..11c346e2e5 100644 --- a/windows/privacy/windows-diagnostic-data.md +++ b/windows/privacy/windows-diagnostic-data.md @@ -1,5 +1,5 @@ --- -title: Windows 10, version 1709 and newer optional diagnostic data (Windows 10) +title: Windows 10, version 1709 and Windows 11 and later optional diagnostic data (Windows 10) description: Use this article to learn about the types of optional diagnostic data that is collected. keywords: privacy,Windows 10 ms.prod: w10 @@ -15,9 +15,10 @@ ms.topic: article ms.reviewer: --- -# Windows 10, version 1709 and newer optional diagnostic data +# Windows 10, version 1709 and later and Windows 11 optional diagnostic data Applies to: +- Windows 11 - Windows 10, version 20H2 - Windows 10, version 2004 - Windows 10, version 1909 @@ -26,7 +27,7 @@ Applies to: - Windows 10, version 1803 - Windows 10, version 1709 -Microsoft uses Windows diagnostic data to keep Windows secure and up-to-date, troubleshoot problems, and make product improvements. For users who have turned on "Tailored experiences", it can also be used to offer you personalized tips, ads, and recommendations to enhance Microsoft products and services for your needs. This article describes all types of diagnostic data collected by Windows at the Full level (inclusive of data collected at Basic), with comprehensive examples of data we collect per each type. For additional, detailed technical descriptions of Basic data items, see [Windows 10, version 20H2 required diagnostic events and fields](/windows/configuration/basic-level-windows-diagnostic-events-and-fields). +Microsoft uses Windows diagnostic data to keep Windows secure and up-to-date, troubleshoot problems, and make product improvements. For users who have turned on "Tailored experiences", it can also be used to offer you personalized tips, ads, and recommendations to enhance Microsoft products and services for your needs. This article describes all types of optional diagnostic data collected by Windows, with comprehensive examples of data we collect per each type. For additional, detailed technical descriptions of Basic data items, see [Windows 11 required diagnostic events and fields](/windows/privacy/required-windows-11-diagnostic-events-and-fields). In addition, this article provides references to equivalent definitions for the data types and examples from [ISO/IEC 19944-1:2020 Information technology - Cloud computing - Cloud services and devices: Data flow, data categories, and data use](https://www.iso.org/standard/79573.html). Each data type also has a Data Use statement, for diagnostics and for Tailored experiences on the device, using the terms as defined by the standard. These Data Use statements define the purposes for which Microsoft processes each type of Windows diagnostic data, using a uniform set of definitions referenced at the end of this document and based on the ISO standard. Reference to the ISO standard provides additional clarity about the information collected, and allows easy comparison with other services or guidance that also references the standard. @@ -44,7 +45,7 @@ The data covered in this article is grouped into the following types: Most diagnostic events contain a header of common data. In each example, the info in parentheses provides the equivalent definition for ISO/IEC 19944-1:2020. **Data Use for Common data extensions** -Header data supports the use of data associated with all diagnostic events. Therefore, Common data is used to [provide](#provide) Windows 10, and may be used to [improve](#improve), [personalize](#personalize), [recommend](#recommend), [offer](#offer), or [promote](#promote) Microsoft and third-party products and services, depending on the uses described in the **Data Use** statements for each data category. +Header data supports the use of data associated with all diagnostic events. Therefore, Common data is used to [provide](#provide) Windows 10 and Windows 11, and may be used to [improve](#improve), [personalize](#personalize), [recommend](#recommend), [offer](#offer), or [promote](#promote) Microsoft and third-party products and services, depending on the uses described in the **Data Use** statements for each data category. ### Data Description for Common data extensions type @@ -52,7 +53,7 @@ Header data supports the use of data associated with all diagnostic events. Ther Information that is added to most diagnostic events, if relevant and available: -- Diagnostic level - Basic or Full, Sample level - for sampled data, what sample level is this device opted into (8.2.3.2.4 Observed Usage of the Service Capability) +- Diagnostic level - Required or Optional, Sample level - for sampled data, what sample level is this device opted into (8.2.3.2.4 Observed Usage of the Service Capability) - Operating system name, version, build, and locale (8.2.3.2.2 Telemetry data) - Event collection time (8.2.3.2.2 Telemetry data) - User ID - a unique identifier associated with the user's Microsoft Account (if one is used) or local account. The user's Microsoft Account identifier is not collected from devices configured to send Basic - diagnostic data (8.2.5 Account data) @@ -71,7 +72,7 @@ This type of data includes details about the device, its configuration and conne ### Data Use for Device, Connectivity, and Configuration data **For Diagnostics:**
      -[Pseudonymized](#pseudo) Device, Connectivity, and Configuration data from Windows 10 is used by Microsoft to [provide](#provide) and [improve](#improve) Windows 10 and related Microsoft products and services. For example: +[Pseudonymized](#pseudo) Device, Connectivity, and Configuration data from Windows 10 and Windows 11 is used by Microsoft to [provide](#provide) and [improve](#improve) Windows 10 and Windows 11 and related Microsoft products and services. For example: - Device, Connectivity, and Configuration data is used to understand the unique device characteristics that can contribute to an error experienced on the device, to identify patterns, and to more quickly resolve problems that impact devices with unique hardware, capabilities, or settings. For example: @@ -81,10 +82,10 @@ This type of data includes details about the device, its configuration and conne - Data about device properties, such as the operating system version and available memory, is used to determine whether the device is due to, and able to, receive a Windows update. - Data about device peripherals is used to determine whether a device has installed drivers that might be negatively impacted by a Windows update. -- Data about which devices, peripherals, and settings are most-used by customers, is used to prioritize Windows 10 improvements to determine the greatest positive impact to the most Windows 10 users. +- Data about which devices, peripherals, and settings are most-used by customers, is used to prioritize Windows 10 and Windows 11 improvements to determine the greatest positive impact to the most Windows 10 and Windows 11 users. **With (optional) Tailored experiences:**
      -If a user has enabled Tailored experiences on the device, [Pseudonymized](#pseudo) Device, Connectivity, and Configuration data from Windows 10 is used by Microsoft to [personalize](#personalize), [recommend](#recommend), and [offer](#offer) Microsoft products and services to Windows 10 users. Also, if a user has enabled Tailored experiences on the device, [Pseudonymized](#pseudo) Device, Connectivity, and Configuration data from Windows 10 is used by Microsoft to [promote](#promote) third-party Windows apps, services, hardware, and peripherals to Windows 10 users. For example: +If a user has enabled Tailored experiences on the device, [Pseudonymized](#pseudo) Device, Connectivity, and Configuration data from Windows 10 and Windows 11 is used by Microsoft to [personalize](#personalize), [recommend](#recommend), and [offer](#offer) Microsoft products and services to Windows 10 and Windows 11 users. Also, if a user has enabled Tailored experiences on the device, [Pseudonymized](#pseudo) Device, Connectivity, and Configuration data from Windows 10 and Windows 11 is used by Microsoft to [promote](#promote) third-party Windows apps, services, hardware, and peripherals to Windows 10 and Windows 11users. For example: - Data about device properties and capabilities is used to provide tips about how to use or configure the device to get the best performance and user experience. @@ -183,17 +184,17 @@ This type of data includes details about the usage of the device, operating syst ### Data Use for Product and Service Usage data **For Diagnostics:**
      -[Pseudonymized](#pseudo) Product and Service Usage data from Windows 10 is used by Microsoft to [provide](#provide) and [improve](#improve) Windows 10 and related Microsoft product and services. For example: +[Pseudonymized](#pseudo) Product and Service Usage data from Windows 10 and Windows 11 is used by Microsoft to [provide](#provide) and [improve](#improve) Windows 10 and Windows 11 and related Microsoft product and services. For example: -- Data about the specific apps that are in-use when an error occurs is used to troubleshoot and repair issues with Windows features and Microsoft apps. -- Data about the specific apps that are most-used by customers, is used to prioritize Windows 10 improvements to determine the greatest positive impact to the most Windows 10 users. +- Data about the specific apps that are in-use when an error occurs is used to troubleshoot and repair issues with Windows features and Microsoft apps. +- Data about the specific apps that are most-used by customers, is used to prioritize Windows 10 and Windows 11 improvements to determine the greatest positive impact to the most Windows 10 and Windows 11 users. - Data about whether devices have Suggestions turned off from the **Settings Phone** screen is to improve the Suggestions feature. - Data about whether a user canceled the authentication process in their browser is used to help troubleshoot issues with and improve the authentication process. - Data about when and what feature invoked Cortana is used to prioritize efforts for improvement and innovation in Cortana. - Data about when a context menu in the photo app is closed is used to troubleshoot and improve the photo app. **With (optional) Tailored experiences:**
      -If a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Product and Service Usage data from Windows 10 is used by Microsoft to [personalize](#personalize), [recommend](#recommend), and [offer](#offer) Microsoft products and services to Windows 10 users. Also, if a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Product and Service Usage data from Windows 10 is used by Microsoft to [promote](#promote) third-party Windows apps, services, hardware, and peripherals to Windows 10 users. For example: +If a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Product and Service Usage data from Windows 10 and Windows 11 is used by Microsoft to [personalize](#personalize), [recommend](#recommend), and [offer](#offer) Microsoft products and services to Windows 10 and Windows 11 users. Also, if a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Product and Service Usage data from Windows 10 and Windows 11 is used by Microsoft to [promote](#promote) third-party Windows apps, services, hardware, and peripherals to Windows 10 and Windows 11 users. For example: - If data shows that a user has not used a particular feature of Windows, we might recommend that the user try that feature. - Data about which apps are most-used on a device is used to provide recommendations for similar or complementary (Microsoft or third-party) apps. These apps might be free or paid. @@ -247,7 +248,7 @@ This type of data includes details about the health of the device, operating sys ### Data Use for Product and Service Performance data **For Diagnostics:**
      -[Pseudonymized](#pseudo) Product and Service Performance data from Windows 10 is used by Microsoft to [provide](#provide) and [improve](#improve) Windows 10 and related Microsoft product and services. For example: +[Pseudonymized](#pseudo) Product and Service Performance data from Windows 10 and Windows 11 is used by Microsoft to [provide](#provide) and [improve](#improve) Windows 10 and Windows 11 and related Microsoft product and services. For example: - Data about the reliability of content that appears in the [Windows Spotlight](/windows/configuration/windows-spotlight) (rotating lock screen images) is used for Windows Spotlight reliability investigations. - Timing data about how quickly Cortana responds to voice commands is used to improve Cortana listening performance. @@ -255,7 +256,7 @@ This type of data includes details about the health of the device, operating sys - Data about when an Application Window fails to appear is used to investigate issues with Application Window reliability and performance. **With (optional) Tailored experiences:**
      -If a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Product and Service Performance data from Windows 10 is used by Microsoft to [personalize](#personalize), [recommend](#recommend), and [offer](#offer) Microsoft products and services to Windows 10 users. Also, if a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Product and Service Performance data from Windows 10 is used by Microsoft to [promote](#promote) third-party Windows apps, services, hardware, and peripherals to Windows 10 users. +If a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Product and Service Performance data from Windows 10 and Windows 11 is used by Microsoft to [personalize](#personalize), [recommend](#recommend), and [offer](#offer) Microsoft products and services to Windows 10 and Windows 11 users. Also, if a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Product and Service Performance data from Windows 10 and Windows 11 is used by Microsoft to [promote](#promote) third-party Windows apps, services, hardware, and peripherals to Windows 10 and Windows 11 users. - Data about battery performance on a device may be used to recommend settings changes that can improve battery performance. - If data shows a device is running low on file storage, we may recommend Windows-compatible cloud storage solutions to free up space. @@ -360,7 +361,7 @@ This type of data includes software installation and update information on the d ### Data Use for Software Setup and Inventory data **For Diagnostics:**
      -[Pseudonymized](#pseudo) Software Setup and Inventory data from Windows 10 is used by Microsoft to [provide](#provide) and [improve](#improve) Windows 10 and related Microsoft product and services. For example: +[Pseudonymized](#pseudo) Software Setup and Inventory data from Windows 10 and Windows 11 is used by Microsoft to [provide](#provide) and [improve](#improve) Windows 10 and Windows 11 and related Microsoft product and services. For example: - Data about the specific drivers that are installed on a device is used to understand whether there are any hardware or driver compatibility issues that should block or delay a Windows update. - Data about when a download starts and finishes on a device is used to understand and address download problems. @@ -368,7 +369,7 @@ This type of data includes software installation and update information on the d - Data about the antimalware installed on a device is used to understand malware transmissions vectors. **With (optional) Tailored experiences:**
      -If a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Software Setup and Inventory data from Windows 10 is used by Microsoft to [personalize](#personalize), [recommend](#recommend), and [offer](#offer) Microsoft products and services to Windows 10 users. Also, if a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Software Setup and Inventory data from Windows 10 is used by Microsoft to [promote](#promote) third-party Windows apps, services, hardware, and peripherals to Windows 10 users. For example: +If a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Software Setup and Inventory data from Windows 10 and Windows 11 is used by Microsoft to [personalize](#personalize), [recommend](#recommend), and [offer](#offer) Microsoft products and services to Windows 10 and Windows 11 users. Also, if a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Software Setup and Inventory data from Windows 10 and Windows 11 is used by Microsoft to [promote](#promote) third-party Windows apps, services, hardware, and peripherals to Windows 10 and Windows 11 users. For example: - Data about the specific apps that are installed on a device is used to provide recommendations for similar or complementary apps in the Microsoft Store. @@ -402,7 +403,7 @@ This type of data includes details about web browsing in the Microsoft browsers. ### Data Use for Browsing History data **For Diagnostics:**
      -[Pseudonymized](#pseudo) Browsing History data from Windows 10 is used by Microsoft to [provide](#provide) and [improve](#improve) Windows 10 and related Microsoft product and services. For example: +[Pseudonymized](#pseudo) Browsing History data from Windows 10 and Windows 11 is used by Microsoft to [provide](#provide) and [improve](#improve) Windows 10 and Windows 11 and related Microsoft product and services. For example: - Data about when the **Block Content** dialog box has been shown is used for investigations of blocked content. - Data about potentially abusive or malicious domains is used to make updates to Microsoft Edge and Windows Defender SmartScreen to warn users about the domain. @@ -411,7 +412,7 @@ This type of data includes details about web browsing in the Microsoft browsers. - Data about when a default **Home** page is changed by a user is used to measure which default **Home** pages are the most popular and how often users change the default **Home** page. **With (optional) Tailored experiences:**
      -If a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Browsing History data from Windows 10 is used by Microsoft to [personalize](#personalize), [recommend](#recommend), and [offer](#offer) Microsoft products and services to Windows 10 users. Also, if a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Browsing History data from Windows 10 is used by Microsoft to [promote](#promote) third-party Windows apps, services, hardware, and peripherals to Windows 10 users. For example: +If a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Browsing History data from Windows 10 and Windows 11 is used by Microsoft to [personalize](#personalize), [recommend](#recommend), and [offer](#offer) Microsoft products and services to Windows 10 and Windows 11 users. Also, if a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Browsing History data from Windows 10 and Windows 11 is used by Microsoft to [promote](#promote) third-party Windows apps, services, hardware, and peripherals to Windows 10 and Windows 11 users. For example: - We might recommend that a user download a compatible app from the Microsoft Store if they have browsed to the related website. For example, if a user uses the Facebook website, we may recommend the Facebook app. @@ -434,13 +435,13 @@ This type of data gathers details about the voice, inking, and typing input feat ### Data Use for Inking, Typing, and Speech Utterance data **For Diagnostics:**
      -[Anonymized](#anon) Inking, Typing, and Speech Utterance data from Windows 10 is used by Microsoft to [improve](#improve) natural language capabilities in Microsoft products and services. For example: +[Anonymized](#anon) Inking, Typing, and Speech Utterance data from Windows 10 and Windows 11 is used by Microsoft to [improve](#improve) natural language capabilities in Microsoft products and services. For example: - Data about words marked as spelling mistakes and replaced with another word from the context menu is used to improve the spelling feature. - Data about alternate words shown and selected by the user after right-clicking is used to improve the word recommendation feature. - Data about autocorrected words that were restored back to the original word by the user is used to improve the autocorrect feature. - Data about whether Narrator detected and recognized a touch gesture is used to improve touch gesture recognition. -- Data about handwriting samples sent from the Handwriting Panel is used to help Microsoft improve handwriting recognition. +- Data about handwriting samples sent from the Handwriting Panel is used to help Microsoft improve handwriting recognition. **With (optional) Tailored experiences:** @@ -455,7 +456,6 @@ This type of data gathers details about the voice, inking, and typing input feat - Palm Touch x,y coordinates - Input latency, missed pen signals, number of frames, strokes, first frame commit time, and sample rate - Ink strokes written, text before and after the ink insertion point, recognized text entered, input language - processed to remove identifiers, sequencing information, and other data (such as email addresses and - numeric values), which could be used to reconstruct the original content or associate the input to the user -- Text input from Windows 10 Mobile on-screen keyboards, except from password fields and private sessions - processed to remove identifiers, sequencing information, and other data (such as email addresses and numeric values), which could be used to reconstruct the original content or associate the input to the user - Text of speech recognition results - result codes and recognized text - Language and model of the recognizer and the System Speech language - App ID using speech features diff --git a/windows/privacy/windows-endpoints-21H1-non-enterprise-editions.md b/windows/privacy/windows-endpoints-21H1-non-enterprise-editions.md new file mode 100644 index 0000000000..6fde4a825a --- /dev/null +++ b/windows/privacy/windows-endpoints-21H1-non-enterprise-editions.md @@ -0,0 +1,260 @@ +--- +title: Windows 10, version 21H1, connection endpoints for non-Enterprise editions +description: Explains what Windows 10 endpoints are used in non-Enterprise editions. Specific to Windows 10, version 21H1. +keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016 +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.localizationpriority: high +audience: ITPro +author: gental-giant +ms.author: v-hakima +manager: robsize +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 10/04/2021 +--- +# Windows 10, version 21H1, connection endpoints for non-Enterprise editions + + **Applies to** + +- Windows 10 Home, version 21H1 +- Windows 10 Professional, version 21H1 +- Windows 10 Education, version 21H1 + +In addition to the endpoints listed for [Windows 10 Enterprise](manage-windows-21H1-endpoints.md), the following endpoints are available on other non-Enterprise editions of Windows 10, version 21H1. + +The following methodology was used to derive the network endpoints: + +1. Set up the latest version of Windows 10 on a test virtual machine using the default settings. +2. Leave the device(s) running idle for a week ("idle" means a user is not interacting with the system/device). +3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. +4. Compile reports on traffic going to public IP addresses. +5. The test virtual machine(s) was logged into using a local account, and was not joined to a domain or Azure Active Directory. +6. All traffic was captured in our lab using a IPV4 network. Therefore, no IPV6 traffic is reported here. +7. These tests were conducted in an approved Microsoft lab. It's possible your results may be different. +8. These tests were conducted for one week. If you capture traffic for longer, you may have different results. + +> [!NOTE] +> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. + +## Windows 10 Family + +| **Area** | **Description** | **Protocol** | **Destination** | +|-----------|--------------- |------------- |-----------------| +| Activity Feed Service |The following endpoints are used by Activity Feed Service, which enables multiple cross-device data roaming scenarios on Windows|TLSv1.2/HTTPS/HTTP|activity.windows.com| +|Apps|The following endpoints are used for the Weather app.|TLSv1.2/HTTPS/HTTP|tile-service.weather.microsoft.com| +||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser.|TLSv1.2/HTTPS/HTTP|evoke-windowsservices-tas.msedge.net| +||The following endpoint is used for OneNote Live Tile.|HTTPS/HTTP|cdn.onenote.net| +||Used for Spotify Live Tile|HTTPS/HTTP|spclient.wg.spotify.com| +|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available.|TLSv1.2/HTTPS/HTTP|ctldl.windowsupdate.com/*| +|Cortana and Live Tiles|The following endpoints are related to Cortana and Live Tiles|TLSv1.2/HTTPS/HTTP|www.bing.com*| +|||HTTPS/HTTP|fp.msedge.net| +|||HTTPS/HTTP|k-ring.msedge.net| +|||TLSv1.2|b-ring.msedge.net| +|Device authentication|The following endpoint is used to authenticate a device.|HTTPS|login.live.com*| +|Device Directory Service|Used by Device Directory Service to keep track of user-device associations and storing metadata about the devices.|HTTPS/HTTP|cs.dds.microsoft.com| +|Device metadata|The following endpoint is used to retrieve device metadata.|TLSv1.2/HTTP|dmd.metaservices.microsoft.com| +|Diagnostic data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.
      If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.|TLSv1.2/HTTP|v10.events.data.microsoft.com| +||The following endpoints are used by Windows Error Reporting.|TLSv1.2/HTTPS/HTTP|watson.telemetry.microsoft.com| +|Font Streaming|The following endpoints are used to download fonts on demand.|TLSv1.2/HTTPS|fs.microsoft.com*| +|Licensing|The following endpoint is used for online activation and some app licensing.|HTTPS/HTTP|*licensing.mp.microsoft.com| +|||HTTPS|licensing.mp.microsoft.com/v7.0/licenses/content| +|Location|The following endpoints are used for location data.|TLSV1.2|inference.location.live.net| +|Maps|The following endpoints are used to check for updates to maps that have been downloaded for offline use.|HTTPS/HTTP|maps.windows.com| +|||HTTPS/HTTP|*.ssl.ak.dynamic.tiles.virtualearth.net| +|||HTTPS/HTTP|*.ssl.ak.tiles.virtualearth.net| +|||HTTPS/HTTP|dev.virtualearth.net| +|||HTTPS/HTTP|ecn.dev.virtualearth.net| +|||HTTPS/HTTP|ssl.bing.com| +|Microsoft Account|The following endpoints are used for Microsoft accounts to sign in|TLSv1.2/HTTPS/HTTP|*login.live.com| +|Microsoft Edge|The following endpoints are used for Microsoft Edge Browser Services.|HTTPS/HTTP|edge.activity.windows.com| +|||HTTPS/HTTP|edge.microsoft.com| +||The following endpoint is used by Microsoft Edge Update service to check for new updates.|HTTPS/HTTP|msedge.api.cdp.microsoft.com| +|Microsoft forward link redirection|The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer|HTTP|go.microsoft.com/fwlink/| +|||TLSv1.2/HTTPS/HTTP|go.microsoft.com| +|Microsoft Store|The following endpoint is used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps)|TLSv1.2/HTTPS/HTTP|img-prod-cms-rt-microsoft-com.akamaized.net| +||The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way.|TLSv1.2/HTTPS|*.wns.windows.com| +||The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store.|TLSv1.2/HTTPS/HTTP|storecatalogrevocation.storequality.microsoft.com| +||The following endpoints are used to communicate with Microsoft Store.|TLSv1.2/HTTPS/HTTP|*displaycatalog.mp.microsoft.com| +|||HTTPS|pti.store.microsoft.com| +|||HTTPS|storesdk.dsx.mp.microsoft.com| +||The following endpoint is used to get Microsoft Store analytics.|TLSv1.2/HTTPS/HTTP|manage.devcenter.microsoft.com| +||The following endpoints are used get images that are used for Microsoft Store suggestions|TLSv1.2|store-images.s-microsoft.com| +|Network Connection Status Indicator (NCSI)|Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet.|TLSv1.2/HTTP|www.msftconnecttest.com*| +|Office|The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office in a browser.|TLSv1.2/HTTPS/HTTP|outlook.office365.com| +|||TLSv1.2/HTTPS|office.com| +|||TLSv1.2/HTTPS|blobs.officehome.msocdn.com| +|||HTTPS/HTTP|officehomeblobs.blob.core.windows.net| +|||HTTP/HTTPS|*.blob.core.windows.net| +|||TLSv1.2|self.events.data.microsoft.com| +|||HTTPS/HTTP|outlookmobile-office365-tas.msedge.net| +|||HTTP|roaming.officeapps.live.com| +|||HTTPS/HTTP|substrate.office.com| +|OneDrive|The following endpoints are related to OneDrive.|HTTPS|g.live.com| +|||TLSv1.2/HTTPS|oneclient.sfx.ms| +|||HTTPS/TLSv1.2|logincdn.msauth.net| +|||HTTPS/HTTP|windows.policies.live.net| +|||HTTPS/HTTP|api.onedrive.com| +|||HTTPS/HTTP|skydrivesync.policies.live.net| +|||HTTPS/HTTP|*storage.live.com| +|||HTTPS/HTTP|*settings.live.net| +|Settings|The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it.|TLSv1.2/HTTPS/HTTP|settings.data.microsoft.com*| +|||TLSv1.2/HTTPS/HTTP|settings-win.data.microsoft.com*| +|Skype|The following endpoint is used to retrieve Skype configuration values.|TLSv1.2/HTTPS/HTTP|*.pipe.aria.microsoft.com| +|||TLSv1.2/HTTPS/HTTP|config.edge.skype.com| +|Teams|The following endpoint is used for Microsoft Teams application.|TLSv1.2/HTTPS/HTTP|config.teams.microsoft.com| +|Windows Defender|The following endpoint is used for Windows Defender when Cloud-based Protection is enabled|TLSv1.2/HTTPS|wdcp.microsoft.com| +||||wdcpalt.microsoft.com| +|||HTTPS/HTTP|*.smartscreen-prod.microsoft.com| +|||TLSv1.2|definitionupdates.microsoft.com| +||The following endpoints are used for Windows Defender SmartScreen reporting and notifications.|TLSv1.2|*.smartscreen.microsoft.com| +|||TLSv1.2/HTTP|checkappexec.microsoft.com| +|Windows Spotlight|The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips.|TLSv1.2/HTTPS/HTTP|arc.msn.com*| +|||TLSv1.2/HTTPS/HTTP|ris.api.iris.microsoft.com| +|||HTTPS|mucp.api.account.microsoft.com| +|Windows Update|The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers.|TLSv1.2/HTTPS/HTTP|*.prod.do.dsp.mp.microsoft.com| +|||TLSv1.2/HTTP|emdl.ws.microsoft.com| +|||TLSv1.2/HTTPS/HTTP|*.dl.delivery.mp.microsoft.com| +||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store.|TLSv1.2/HTTP|*.windowsupdate.com| +|||TLSv1.2/HTTPS/HTTP|*.delivery.mp.microsoft.com| +||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store to help keep the device secure.|TLSv1.2/HTTPS/HTTP|*.update.microsoft.com| +||The following endpoint is used for compatibility database updates for Windows.|HTTP/HTTPS|adl.windows.com| +||The following endpoint is used for content regulation.|TLSv1.2/HTTPS/HTTP|tsfe.trafficshaping.dsp.mp.microsoft.com| +|Xbox Live|The following endpoints are used for Xbox Live.| +|||TLSv1.2/HTTPS/HTTP|dlassets-ssl.xboxlive.com| +|||TLSv1.2/HTTPS|da.xboxservices.com| +|||HTTPS|www.xboxab.com| +| + +## Windows 10 Pro + +| **Area** | **Description** | **Protocol** | **Destination** | +| --- | --- | --- | ---| +| Activity Feed Service |The following endpoints are used by Activity Feed Service, which enables multiple cross-device data roaming scenarios on Windows|TLSv1.2/HTTPS/HTTP|activity.windows.com| +|Apps|The following endpoints are used for the Weather app.|TLSv1.2/HTTPS/HTTP|tile-service.weather.microsoft.com| +||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser.|TLSv1.2/HTTPS/HTTP|evoke-windowsservices-tas.msedge.net| +||The following endpoint is used for OneNote Live Tile.|HTTPS/HTTP|cdn.onenote.net| +||Used for Spotify Live Tile|HTTPS/HTTP|spclient.wg.spotify.com| +|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available.|TLSv1.2/HTTPS/HTTP|ctldl.windowsupdate.com/*| +|Cortana and Live Tiles|The following endpoints are related to Cortana and Live Tiles|TLSv1.2/HTTPS/HTTP|www.bing.com*| +|Device authentication|The following endpoint is used to authenticate a device.|HTTPS|login.live.com*| +|Device metadata|The following endpoint is used to retrieve device metadata.|TLSv1.2/HTTP|dmd.metaservices.microsoft.com| +|Diagnostic data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.
      If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.|TLSv1.2/HTTP|v10.events.data.microsoft.com| +||The following endpoints are used by Windows Error Reporting.|TLSv1.2/HTTPS/HTTP|watson.telemetry.microsoft.com| +|Font Streaming|The following endpoints are used to download fonts on demand.|TLSv1.2/HTTPS|fs.microsoft.com*| +|Licensing|The following endpoint is used for online activation and some app licensing.|HTTPS/HTTP|*licensing.mp.microsoft.com| +|Maps|The following endpoints are used to check for updates to maps that have been downloaded for offline use.|HTTPS/HTTP|maps.windows.com| +|Microsoft Account|The following endpoints are used for Microsoft accounts to sign in|TLSv1.2/HTTPS/HTTP|*login.live.com| +|Microsoft Edge|The following endpoint is used by Microsoft Edge Update service to check for new updates.|HTTPS/HTTP|msedge.api.cdp.microsoft.com| +|Microsoft forward link redirection|The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer|TLSv1.2/HTTPS/HTTP|go.microsoft.com| +|Microsoft Store|The following endpoint is used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps)|TLSv1.2/HTTPS/HTTP|img-prod-cms-rt-microsoft-com.akamaized.net| +||The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way.|TLSv1.2/HTTPS|*.wns.windows.com| +||The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store.|TLSv1.2/HTTPS/HTTP|storecatalogrevocation.storequality.microsoft.com| +||The following endpoints are used to communicate with Microsoft Store.|TLSv1.2/HTTPS/HTTP|*displaycatalog.mp.microsoft.com| +|||HTTPS|pti.store.microsoft.com| +|||HTTPS|storesdk.dsx.mp.microsoft.com| +||The following endpoint is used to get Microsoft Store analytics.|TLSv1.2/HTTPS/HTTP|manage.devcenter.microsoft.com| +|Network Connection Status Indicator (NCSI)|Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet.|TLSv1.2/HTTP|www.msftconnecttest.com*| +|Office|The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office in a browser.|TLSv1.2/HTTPS/HTTP|outlook.office365.com| +|||TLSv1.2/HTTPS|office.com| +|||TLSv1.2/HTTPS|blobs.officehome.msocdn.com| +|||HTTPS/HTTP|officehomeblobs.blob.core.windows.net| +|||HTTP/HTTPS|*.blob.core.windows.net| +|||TLSv1.2|self.events.data.microsoft.com| +|||HTTPS/HTTP|outlookmobile-office365-tas.msedge.net| +|||TLSv1.2/HTTPS/HTTP|officeclient.microsoft.com| +|||HTTPS/HTTP|substrate.office.com| +|OneDrive|The following endpoints are related to OneDrive.|HTTPS|g.live.com| +|||TLSv1.2/HTTPS|oneclient.sfx.ms| +|||HTTPS/TLSv1.2|logincdn.msauth.net| +|||HTTPS/HTTP|windows.policies.live.net| +|||HTTPS/HTTP|*storage.live.com| +|||HTTPS/HTTP|*settings.live.net| +|Settings|The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it.|TLSv1.2/HTTPS/HTTP|settings.data.microsoft.com*| +|||TLSv1.2/HTTPS/HTTP|settings-win.data.microsoft.com*| +|Skype|The following endpoint is used to retrieve Skype configuration values.|TLSv1.2/HTTPS/HTTP|*.pipe.aria.microsoft.com| +|||TLSv1.2/HTTPS/HTTP|config.edge.skype.com| +|Teams|The following endpoint is used for Microsoft Teams application.|TLSv1.2/HTTPS/HTTP|config.teams.microsoft.com| +|Windows Defender|The following endpoint is used for Windows Defender when Cloud-based Protection is enabled|TLSv1.2/HTTPS|wdcp.microsoft.com| +||||wdcpalt.microsoft.com| +|||HTTPS/HTTP|*.smartscreen-prod.microsoft.com| +||The following endpoints are used for Windows Defender SmartScreen reporting and notifications.|TLSv1.2|*.smartscreen.microsoft.com| +|||TLSv1.2/HTTP|checkappexec.microsoft.com| +|Windows Spotlight|The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips.|TLSv1.2/HTTPS/HTTP|arc.msn.com*| +|||TLSv1.2/HTTPS/HTTP|ris.api.iris.microsoft.com| +|Windows Update|The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers.|TLSv1.2/HTTPS/HTTP|*.prod.do.dsp.mp.microsoft.com| +|||TLSv1.2/HTTP|emdl.ws.microsoft.com| +|||TLSv1.2/HTTPS/HTTP|*.dl.delivery.mp.microsoft.com| +||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store.|TLSv1.2/HTTP|*.windowsupdate.com| +|||TLSv1.2/HTTPS/HTTP|*.delivery.mp.microsoft.com| +||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store to help keep the device secure.|TLSv1.2/HTTPS/HTTP|*.update.microsoft.com| +||The following endpoint is used for compatibility database updates for Windows.|HTTP/HTTPS|adl.windows.com| +||The following endpoint is used for content regulation.|TLSv1.2/HTTPS/HTTP|tsfe.trafficshaping.dsp.mp.microsoft.com| +|Xbox Live|The following endpoints are used for Xbox Live.| +|||TLSv1.2/HTTPS/HTTP|dlassets-ssl.xboxlive.com| +|||TLSv1.2/HTTPS|da.xboxservices.com| +| + +## Windows 10 Education + +| **Area** | **Description** | **Protocol** | **Destination** | +| --- | --- | --- | ---| +| Activity Feed Service |The following endpoints are used by Activity Feed Service, which enables multiple cross-device data roaming scenarios on Windows|TLSv1.2/HTTPS/HTTP|activity.windows.com| +|Apps|The following endpoints are used for the Weather app.|TLSv1.2/HTTPS/HTTP|tile-service.weather.microsoft.com| +||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser.|TLSv1.2/HTTPS/HTTP|evoke-windowsservices-tas.msedge.net| +||The following endpoint is used for OneNote Live Tile.|HTTPS/HTTP|cdn.onenote.net| +|Bing Search|The following endpoint is used by Microsoft Search in Bing enabling users to search across files, SharePoint sites, OneDrive content, Teams and Yammer conversations, and other shared data sources in an organization, as well as the web.|HTTPS|business.bing.com| +|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available.|TLSv1.2/HTTPS/HTTP|ctldl.windowsupdate.com/*| +|Cortana and Live Tiles|The following endpoints are related to Cortana and Live Tiles|TLSv1.2/HTTPS/HTTP|www.bing.com*| +|||HTTPS/HTTP|fp.msedge.net| +|||TLSv1.2|odinvzc.azureedge.net| +|||TLSv1.2|b-ring.msedge.net| +|Device metadata|The following endpoint is used to retrieve device metadata.|TLSv1.2/HTTP|dmd.metaservices.microsoft.com| +|Diagnostic data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.
      If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.|TLSv1.2/HTTP|v10.events.data.microsoft.com| +||The following endpoints are used by Windows Error Reporting.|TLSv1.2/HTTPS/HTTP|watson.telemetry.microsoft.com| +|Font Streaming|The following endpoints are used to download fonts on demand.|TLSv1.2/HTTPS|fs.microsoft.com*| +|Licensing|The following endpoint is used for online activation and some app licensing.|HTTPS/HTTP|*licensing.mp.microsoft.com| +|Location|The following endpoints are used for location data.|TLSV1.2|inference.location.live.net| +|Maps|The following endpoints are used to check for updates to maps that have been downloaded for offline use.|HTTPS/HTTP|maps.windows.com| +|Microsoft Account|The following endpoints are used for Microsoft accounts to sign in|TLSv1.2/HTTPS/HTTP|*login.live.com| +|Microsoft Edge|The following endpoint is used by Microsoft Edge Update service to check for new updates.|HTTPS/HTTP|msedge.api.cdp.microsoft.com| +|Microsoft forward link redirection|The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer|TLSv1.2/HTTPS/HTTP|go.microsoft.com| +|Microsoft Store|The following endpoint is used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps)|TLSv1.2/HTTPS/HTTP|img-prod-cms-rt-microsoft-com.akamaized.net| +||The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way.|TLSv1.2/HTTPS|*.wns.windows.com| +||The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store.|TLSv1.2/HTTPS/HTTP|storecatalogrevocation.storequality.microsoft.com| +|||TLSv1.2/HTTPS/HTTP|1storecatalogrevocation.storequality.microsoft.com| +||The following endpoints are used to communicate with Microsoft Store.|TLSv1.2/HTTPS/HTTP|*displaycatalog.mp.microsoft.com| +|||HTTPS|pti.store.microsoft.com| +|||HTTPS|storesdk.dsx.mp.microsoft.com| +||The following endpoint is used to get Microsoft Store analytics.|TLSv1.2/HTTPS/HTTP|manage.devcenter.microsoft.com| +|Network Connection Status Indicator (NCSI)|Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet.|TLSv1.2/HTTP|www.msftconnecttest.com*| +|Office|The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office in a browser.|TLSv1.2/HTTPS|office.com| +|||HTTPS/HTTP|officehomeblobs.blob.core.windows.net| +|||TLSv1.2|self.events.data.microsoft.com| +|OneDrive|The following endpoints are related to OneDrive.|HTTPS|g.live.com| +|||TLSv1.2/HTTPS|oneclient.sfx.ms| +|||HTTPS/TLSv1.2|logincdn.msauth.net| +|Settings|The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it.|TLSv1.2/HTTPS/HTTP|settings.data.microsoft.com*| +|||TLSv1.2/HTTPS/HTTP|settings-win.data.microsoft.com*| +|Skype|The following endpoint is used to retrieve Skype configuration values.|TLSv1.2/HTTPS/HTTP|*.pipe.aria.microsoft.com| +|||TLSv1.2/HTTPS/HTTP|config.edge.skype.com| +|Teams|The following endpoint is used for Microsoft Teams application.|TLSv1.2/HTTPS/HTTP|config.teams.microsoft.com| +|Windows Defender|The following endpoint is used for Windows Defender when Cloud-based Protection is enabled|TLSv1.2/HTTPS|wdcp.microsoft.com| +||||wdcpalt.microsoft.com| +|||HTTPS/HTTP|*.smartscreen-prod.microsoft.com| +||The following endpoints are used for Windows Defender SmartScreen reporting and notifications.|TLSv1.2|*.smartscreen.microsoft.com| +|||TLSv1.2/HTTP|checkappexec.microsoft.com| +|Windows Spotlight|The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips.|TLSv1.2/HTTPS/HTTP|arc.msn.com*| +|||TLSv1.2/HTTPS/HTTP|ris.api.iris.microsoft.com| +|Windows Update|The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers.|TLSv1.2/HTTPS/HTTP|*.prod.do.dsp.mp.microsoft.com| +|||TLSv1.2/HTTP|emdl.ws.microsoft.com| +|||TLSv1.2/HTTPS/HTTP|*.dl.delivery.mp.microsoft.com| +||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store.|TLSv1.2/HTTP|*.windowsupdate.com| +|||TLSv1.2/HTTPS/HTTP|*.delivery.mp.microsoft.com| +||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store to help keep the device secure.|TLSv1.2/HTTPS/HTTP|*.update.microsoft.com| +||The following endpoint is used for compatibility database updates for Windows.|HTTP/HTTPS|adl.windows.com| +||The following endpoint is used for content regulation.|TLSv1.2/HTTPS/HTTP|tsfe.trafficshaping.dsp.mp.microsoft.com| +|Xbox Live|The following endpoints are used for Xbox Live.| +|||TLSv1.2/HTTPS/HTTP|dlassets-ssl.xboxlive.com| +|||TLSv1.2/HTTPS|da.xboxservices.com| diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index 70e61e303f..d150e02df0 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -1,9 +1,470 @@ -- name: Security + +- name: Windows security href: index.yml +- name: Zero Trust and Windows + href: zero-trust-windows-device-health.md + expanded: true +- name: Hardware security items: - - name: Identity and access management - href: identity-protection/index.md - - name: Information protection - href: information-protection/index.md - - name: Threat protection - href: threat-protection/index.md + - name: Overview + href: hardware.md + - name: Trusted Platform Module + href: information-protection/tpm/trusted-platform-module-top-node.md + items: + - name: Trusted Platform Module Overview + href: information-protection/tpm/trusted-platform-module-overview.md + - name: TPM fundamentals + href: information-protection/tpm/tpm-fundamentals.md + - name: How Windows uses the TPM + href: information-protection/tpm/how-windows-uses-the-tpm.md + - name: TPM Group Policy settings + href: information-protection/tpm/trusted-platform-module-services-group-policy-settings.md + - name: Back up the TPM recovery information to AD DS + href: information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md + - name: View status, clear, or troubleshoot the TPM + href: information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md + - name: Understanding PCR banks on TPM 2.0 devices + href: information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md + - name: TPM recommendations + href: information-protection/tpm/tpm-recommendations.md + - name: Hardware-based root of trust + href: threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md + - name: System Guard Secure Launch and SMM protection + href: threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md + - name: Enable virtualization-based protection of code integrity + href: threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md + - name: Kernel DMA Protection + href: information-protection/kernel-dma-protection-for-thunderbolt.md + - name: Windows secured-core devices + href: /windows-hardware/design/device-experiences/oem-highly-secure +- name: Operating system security + items: + - name: Overview + href: operating-system.md + - name: System security + items: + - name: Secure the Windows boot process + href: information-protection/secure-the-windows-10-boot-process.md + - name: Trusted Boot + href: trusted-boot.md + - name: Cryptography and certificate management + href: cryptography-certificate-mgmt.md + - name: The Windows Security app + href: threat-protection/windows-defender-security-center/windows-defender-security-center.md + items: + - name: Virus & threat protection + href: threat-protection\windows-defender-security-center\wdsc-virus-threat-protection.md + - name: Account protection + href: threat-protection\windows-defender-security-center\wdsc-account-protection.md + - name: Firewall & network protection + href: threat-protection\windows-defender-security-center\wdsc-firewall-network-protection.md + - name: App & browser control + href: threat-protection\windows-defender-security-center\wdsc-app-browser-control.md + - name: Device security + href: threat-protection\windows-defender-security-center\wdsc-device-security.md + - name: Device performance & health + href: threat-protection\windows-defender-security-center\wdsc-device-performance-health.md + - name: Family options + href: threat-protection\windows-defender-security-center\wdsc-family-options.md + - name: Security policy settings + href: threat-protection/security-policy-settings/security-policy-settings.md + - name: Security auditing + href: threat-protection/auditing/security-auditing-overview.md + - name: Encryption and data protection + href: encryption-data-protection.md + items: + - name: Encrypted Hard Drive + href: information-protection/encrypted-hard-drive.md + - name: BitLocker + href: information-protection/bitlocker/bitlocker-overview.md + items: + - name: Overview of BitLocker Device Encryption in Windows + href: information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md + - name: BitLocker frequently asked questions (FAQ) + href: information-protection/bitlocker/bitlocker-frequently-asked-questions.yml + items: + - name: Overview and requirements + href: information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml + - name: Upgrading + href: information-protection/bitlocker/bitlocker-upgrading-faq.yml + - name: Deployment and administration + href: information-protection/bitlocker/bitlocker-deployment-and-administration-faq.yml + - name: Key management + href: information-protection/bitlocker/bitlocker-key-management-faq.yml + - name: BitLocker To Go + href: information-protection/bitlocker/bitlocker-to-go-faq.yml + - name: Active Directory Domain Services + href: information-protection/bitlocker/bitlocker-and-adds-faq.yml + - name: Security + href: information-protection/bitlocker/bitlocker-security-faq.yml + - name: BitLocker Network Unlock + href: information-protection/bitlocker/bitlocker-network-unlock-faq.yml + - name: General + href: information-protection/bitlocker/bitlocker-using-with-other-programs-faq.yml + - name: "Prepare your organization for BitLocker: Planning and policies" + href: information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md + - name: BitLocker deployment comparison + href: information-protection/bitlocker/bitlocker-deployment-comparison.md + - name: BitLocker basic deployment + href: information-protection/bitlocker/bitlocker-basic-deployment.md + - name: Deploy BitLocker on Windows Server 2012 and later + href: information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md + - name: BitLocker management for enterprises + href: information-protection/bitlocker/bitlocker-management-for-enterprises.md + - name: Enable Network Unlock with BitLocker + href: information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md + - name: Use BitLocker Drive Encryption Tools to manage BitLocker + href: information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md + - name: Use BitLocker Recovery Password Viewer + href: information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md + - name: BitLocker Group Policy settings + href: information-protection/bitlocker/bitlocker-group-policy-settings.md + - name: BCD settings and BitLocker + href: information-protection/bitlocker/bcd-settings-and-bitlocker.md + - name: BitLocker Recovery Guide + href: information-protection/bitlocker/bitlocker-recovery-guide-plan.md + - name: BitLocker Countermeasures + href: information-protection/bitlocker/bitlocker-countermeasures.md + - name: Protecting cluster shared volumes and storage area networks with BitLocker + href: information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md + - name: Troubleshoot BitLocker + items: + - name: Troubleshoot BitLocker + href: information-protection/bitlocker/troubleshoot-bitlocker.md + - name: "BitLocker cannot encrypt a drive: known issues" + href: information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md + - name: "Enforcing BitLocker policies by using Intune: known issues" + href: information-protection/bitlocker/ts-bitlocker-intune-issues.md + - name: "BitLocker Network Unlock: known issues" + href: information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md + - name: "BitLocker recovery: known issues" + href: information-protection/bitlocker/ts-bitlocker-recovery-issues.md + - name: "BitLocker configuration: known issues" + href: information-protection/bitlocker/ts-bitlocker-config-issues.md + - name: Troubleshoot BitLocker and TPM issues + items: + - name: "BitLocker cannot encrypt a drive: known TPM issues" + href: information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md + - name: "BitLocker and TPM: other known issues" + href: information-protection/bitlocker/ts-bitlocker-tpm-issues.md + - name: Decode Measured Boot logs to track PCR changes + href: information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md + - name: Configure S/MIME for Windows + href: identity-protection/configure-s-mime.md + - name: Network security + items: + - name: VPN technical guide + href: identity-protection/vpn/vpn-guide.md + items: + - name: VPN connection types + href: identity-protection/vpn/vpn-connection-type.md + - name: VPN routing decisions + href: identity-protection/vpn/vpn-routing.md + - name: VPN authentication options + href: identity-protection/vpn/vpn-authentication.md + - name: VPN and conditional access + href: identity-protection/vpn/vpn-conditional-access.md + - name: VPN name resolution + href: identity-protection/vpn/vpn-name-resolution.md + - name: VPN auto-triggered profile options + href: identity-protection/vpn/vpn-auto-trigger-profile.md + - name: VPN security features + href: identity-protection/vpn/vpn-security-features.md + - name: VPN profile options + href: identity-protection/vpn/vpn-profile-options.md + - name: How to configure Diffie Hellman protocol over IKEv2 VPN connections + href: identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md + - name: How to use single sign-on (SSO) over VPN and Wi-Fi connections + href: identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md + - name: Optimizing Office 365 traffic with the Windows VPN client + href: identity-protection/vpn/vpn-office-365-optimization.md + - name: Windows Defender Firewall + href: threat-protection/windows-firewall/windows-firewall-with-advanced-security.md + - name: Windows security baselines + href: threat-protection/windows-security-configuration-framework/windows-security-baselines.md + items: + - name: Security Compliance Toolkit + href: threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md + - name: Get support + href: threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md + - name: Virus & threat protection + items: + - name: Overview + href: threat-protection/index.md + - name: Microsoft Defender Antivirus + href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows + - name: Attack surface reduction rules + href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction + - name: Tamper protection + href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection + - name: Network protection + href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/network-protection + - name: Controlled folder access + href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/controlled-folders + - name: Exploit protection + href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/exploit-protection + - name: Microsoft Defender for Endpoint + href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint + - name: Security intelligence + href: threat-protection/intelligence/index.md + items: + - name: Understand malware & other threats + href: threat-protection/intelligence/understanding-malware.md + items: + - name: Prevent malware infection + href: threat-protection/intelligence/prevent-malware-infection.md + - name: Malware names + href: threat-protection/intelligence/malware-naming.md + - name: Coin miners + href: threat-protection/intelligence/coinminer-malware.md + - name: Exploits and exploit kits + href: threat-protection/intelligence/exploits-malware.md + - name: Fileless threats + href: threat-protection/intelligence/fileless-threats.md + - name: Macro malware + href: threat-protection/intelligence/macro-malware.md + - name: Phishing + href: threat-protection/intelligence/phishing.md + - name: Ransomware + href: /security/compass/human-operated-ransomware + - name: Rootkits + href: threat-protection/intelligence/rootkits-malware.md + - name: Supply chain attacks + href: threat-protection/intelligence/supply-chain-malware.md + - name: Tech support scams + href: threat-protection/intelligence/support-scams.md + - name: Trojans + href: threat-protection/intelligence/trojans-malware.md + - name: Unwanted software + href: threat-protection/intelligence/unwanted-software.md + - name: Worms + href: threat-protection/intelligence/worms-malware.md + - name: How Microsoft identifies malware and PUA + href: threat-protection/intelligence/criteria.md + - name: Submit files for analysis + href: threat-protection/intelligence/submission-guide.md + - name: Safety Scanner download + href: threat-protection/intelligence/safety-scanner-download.md + - name: Industry collaboration programs + href: threat-protection/intelligence/cybersecurity-industry-partners.md + items: + - name: Virus information alliance + href: threat-protection/intelligence/virus-information-alliance-criteria.md + - name: Microsoft virus initiative + href: threat-protection/intelligence/virus-initiative-criteria.md + - name: Coordinated malware eradication + href: threat-protection/intelligence/coordinated-malware-eradication.md + - name: Information for developers + items: + - name: Software developer FAQ + href: threat-protection/intelligence/developer-faq.yml + - name: Software developer resources + href: threat-protection/intelligence/developer-resources.md + - name: More Windows security + items: + - name: Override Process Mitigation Options to help enforce app-related security policies + href: threat-protection/override-mitigation-options-for-app-related-security-policies.md + - name: Use Windows Event Forwarding to help with intrusion detection + href: threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md + - name: Block untrusted fonts in an enterprise + href: threat-protection/block-untrusted-fonts-in-enterprise.md + - name: Windows Information Protection (WIP) + href: information-protection/windows-information-protection/protect-enterprise-data-using-wip.md + items: + - name: Create a WIP policy using Microsoft Intune + href: information-protection/windows-information-protection/overview-create-wip-policy.md + items: + - name: Create a WIP policy with MDM using the Azure portal for Microsoft Intune + href: information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md + items: + - name: Deploy your WIP policy using the Azure portal for Microsoft Intune + href: information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md + - name: Associate and deploy a VPN policy for WIP using the Azure portal for Microsoft Intune + href: information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md + - name: Create and verify an EFS Data Recovery Agent (DRA) certificate + href: information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md + - name: Determine the Enterprise Context of an app running in WIP + href: information-protection/windows-information-protection/wip-app-enterprise-context.md + - name: Create a WIP policy using Microsoft Endpoint Configuration Manager + href: information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md + items: + - name: Create and deploy a WIP policy using Microsoft Endpoint Configuration Manager + href: information-protection/windows-information-protection/create-wip-policy-using-configmgr.md + - name: Create and verify an EFS Data Recovery Agent (DRA) certificate + href: information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md + - name: Determine the Enterprise Context of an app running in WIP + href: information-protection/windows-information-protection/wip-app-enterprise-context.md + - name: Mandatory tasks and settings required to turn on WIP + href: information-protection/windows-information-protection/mandatory-settings-for-wip.md + - name: Testing scenarios for WIP + href: information-protection/windows-information-protection/testing-scenarios-for-wip.md + - name: Limitations while using WIP + href: information-protection/windows-information-protection/limitations-with-wip.md + - name: How to collect WIP audit event logs + href: information-protection/windows-information-protection/collect-wip-audit-event-logs.md + - name: General guidance and best practices for WIP + href: information-protection/windows-information-protection/guidance-and-best-practices-wip.md + items: + - name: Enlightened apps for use with WIP + href: information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md + - name: Unenlightened and enlightened app behavior while using WIP + href: information-protection/windows-information-protection/app-behavior-with-wip.md + - name: Recommended Enterprise Cloud Resources and Neutral Resources network settings with WIP + href: information-protection/windows-information-protection/recommended-network-definitions-for-wip.md + - name: Using Outlook Web Access with WIP + href: information-protection/windows-information-protection/using-owa-with-wip.md + - name: Fine-tune WIP Learning + href: information-protection/windows-information-protection/wip-learning.md +- name: Application security + items: + - name: Overview + href: apps.md + - name: Windows Defender Application Control and virtualization-based protection of code integrity + href: threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md + - name: Windows Defender Application Control + href: threat-protection\windows-defender-application-control\windows-defender-application-control.md + - name: Microsoft Defender Application Guard + href: threat-protection\microsoft-defender-application-guard\md-app-guard-overview.md + - name: Windows Sandbox + href: threat-protection/windows-sandbox/windows-sandbox-overview.md + items: + - name: Windows Sandbox architecture + href: threat-protection/windows-sandbox/windows-sandbox-architecture.md + - name: Windows Sandbox configuration + href: threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md + - name: Microsoft Defender SmartScreen overview + href: threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md + - name: Configure S/MIME for Windows + href: identity-protection\configure-s-mime.md + - name: Windows Credential Theft Mitigation Guide Abstract + href: identity-protection\windows-credential-theft-mitigation-guide-abstract.md +- name: User security and secured identity + items: + - name: Overview + href: identity.md + - name: Windows Hello for Business + href: identity-protection/hello-for-business/index.yml + - name: Windows credential theft mitigation guide + href: identity-protection/windows-credential-theft-mitigation-guide-abstract.md + - name: Enterprise Certificate Pinning + href: identity-protection/enterprise-certificate-pinning.md + - name: Protect derived domain credentials with Credential Guard + href: identity-protection/credential-guard/credential-guard.md + items: + - name: How Credential Guard works + href: identity-protection/credential-guard/credential-guard-how-it-works.md + - name: Credential Guard Requirements + href: identity-protection/credential-guard/credential-guard-requirements.md + - name: Manage Credential Guard + href: identity-protection/credential-guard/credential-guard-manage.md + - name: Hardware readiness tool + href: identity-protection/credential-guard/dg-readiness-tool.md + - name: Credential Guard protection limits + href: identity-protection/credential-guard/credential-guard-protection-limits.md + - name: Considerations when using Credential Guard + href: identity-protection/credential-guard/credential-guard-considerations.md + - name: "Credential Guard: Additional mitigations" + href: identity-protection/credential-guard/additional-mitigations.md + - name: "Credential Guard: Known issues" + href: identity-protection/credential-guard/credential-guard-known-issues.md + - name: Protect Remote Desktop credentials with Remote Credential Guard + href: identity-protection/remote-credential-guard.md + - name: Technical support policy for lost or forgotten passwords + href: identity-protection/password-support-policy.md + - name: Access Control Overview + href: identity-protection/access-control/access-control.md + items: + - name: Dynamic Access Control Overview + href: identity-protection/access-control/dynamic-access-control.md + - name: Security identifiers + href: identity-protection/access-control/security-identifiers.md + - name: Security Principals + href: identity-protection/access-control/security-principals.md + - name: Local Accounts + href: identity-protection/access-control/local-accounts.md + - name: Active Directory Accounts + href: identity-protection/access-control/active-directory-accounts.md + - name: Microsoft Accounts + href: identity-protection/access-control/microsoft-accounts.md + - name: Service Accounts + href: identity-protection/access-control/service-accounts.md + - name: Active Directory Security Groups + href: identity-protection/access-control/active-directory-security-groups.md + - name: Special Identities + href: identity-protection/access-control/special-identities.md + - name: User Account Control + href: identity-protection/user-account-control/user-account-control-overview.md + items: + - name: How User Account Control works + href: identity-protection/user-account-control/how-user-account-control-works.md + - name: User Account Control security policy settings + href: identity-protection/user-account-control/user-account-control-security-policy-settings.md + - name: User Account Control Group Policy and registry key settings + href: identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md + - name: Smart Cards + href: identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md + items: + - name: How Smart Card Sign-in Works in Windows + href: identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md + items: + - name: Smart Card Architecture + href: identity-protection/smart-cards/smart-card-architecture.md + - name: Certificate Requirements and Enumeration + href: identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md + - name: Smart Card and Remote Desktop Services + href: identity-protection/smart-cards/smart-card-and-remote-desktop-services.md + - name: Smart Cards for Windows Service + href: identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md + - name: Certificate Propagation Service + href: identity-protection/smart-cards/smart-card-certificate-propagation-service.md + - name: Smart Card Removal Policy Service + href: identity-protection/smart-cards/smart-card-removal-policy-service.md + - name: Smart Card Tools and Settings + href: identity-protection/smart-cards/smart-card-tools-and-settings.md + items: + - name: Smart Cards Debugging Information + href: identity-protection/smart-cards/smart-card-debugging-information.md + - name: Smart Card Group Policy and Registry Settings + href: identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md + - name: Smart Card Events + href: identity-protection/smart-cards/smart-card-events.md + - name: Virtual Smart Cards + href: identity-protection/virtual-smart-cards/virtual-smart-card-overview.md + items: + - name: Understanding and Evaluating Virtual Smart Cards + href: identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md + items: + - name: "Get Started with Virtual Smart Cards: Walkthrough Guide" + href: identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md + - name: Use Virtual Smart Cards + href: identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md + - name: Deploy Virtual Smart Cards + href: identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md + - name: Evaluate Virtual Smart Card Security + href: identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md + - name: Tpmvscmgr + href: identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md +- name: Cloud services + items: + - name: Overview + href: cloud.md + - name: Mobile device management + href: https://docs.microsoft.com/windows/client-management/mdm/ + - name: Windows 365 Cloud PCs + href: /windows-365/overview + - name: Azure Virtual Desktop + href: /azure/virtual-desktop/ +- name: Security foundations + items: + - name: Overview + href: security-foundations.md + - name: Microsoft Security Development Lifecycle + href: threat-protection/msft-security-dev-lifecycle.md + - name: Microsoft Bug Bounty Program + href: threat-protection/microsoft-bug-bounty-program.md + - name: FIPS 140-2 Validation + href: threat-protection/fips-140-validation.md + - name: Common Criteria Certifications + href: threat-protection/windows-platform-common-criteria.md +- name: Windows Privacy + href: /windows/privacy/windows-10-and-privacy-compliance diff --git a/windows/security/apps.md b/windows/security/apps.md new file mode 100644 index 0000000000..e376d06d98 --- /dev/null +++ b/windows/security/apps.md @@ -0,0 +1,28 @@ +--- +title: Windows application security +description: Get an overview of application security in Windows 10 and Windows 11 +ms.reviewer: +manager: dansimp +ms.author: dansimp +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: dansimp +ms.collection: M365-security-compliance +ms.prod: m365-security +ms.technology: windows-sec +--- + +# Windows application security + +Cyber-criminals regularly gain access to valuable data by hacking applications. This can include “code injection” attacks, in which attackers insert malicious code that can tamper with data, or even destroy it. An application may have its security misconfigured, leaving open doors for hackers. Or vital customer and corporate information may leave sensitive data exposed. Windows protects your valuable data with layers of application security. + +The following table summarizes the Windows security features and capabilities for apps:

      + +| Security Measures | Features & Capabilities | +|:---|:---| +| Windows Defender Application Control | Application control is one of the most effective security controls to prevent unwanted or malicious code from running. It moves away from an application trust model where all code is assumed trustworthy to one where apps must earn trust to run. Learn more: [Application Control for Windows](threat-protection/windows-defender-application-control/windows-defender-application-control.md) | +| Microsoft Defender Application Guard | Application Guard uses chip-based hardware isolation to isolate untrusted websites and untrusted Office files, seamlessly running untrusted websites and files in an isolated Hyper-V-based container, separate from the desktop operating system, and making sure that anything that happens within the container remains isolated from the desktop. Learn more [Microsoft Defender Application Guard overview](threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md). | +| Windows Sandbox | Windows Sandbox provides a lightweight desktop environment to safely run applications in isolation. Software installed inside the Windows Sandbox environment remains "sandboxed" and runs separately from the host machine. A sandbox is temporary. When it's closed, all the software and files and the state are deleted. You get a brand-new instance of the sandbox every time you open the application. Learn more: [Windows Sandbox](threat-protection\windows-sandbox\windows-sandbox-overview.md) +| Email Security | With Windows S/MIME email security, users can encrypt outgoing messages and attachments, so only intended recipients with digital identification (ID)—also called a certificate—can read them. Users can digitally sign a message, which verifies the identity of the sender and ensures the message has not been tampered with.[Configure S/MIME for Windows 10](identity-protection/configure-s-mime.md) | +| Microsoft Defender SmartScreen | Microsoft Defender SmartScreen protects against phishing or malware websites and applications, and the downloading of potentially malicious files. Learn more: [Microsoft Defender SmartScreen overview](threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md) | diff --git a/windows/security/cloud.md b/windows/security/cloud.md new file mode 100644 index 0000000000..7bccc2aa84 --- /dev/null +++ b/windows/security/cloud.md @@ -0,0 +1,39 @@ +--- +title: Windows and cloud security +description: Get an overview of cloud services supported in Windows 11 and Windows 10 +ms.reviewer: +author: denisebmsft +ms.author: deniseb +manager: dansimp +audience: ITPro +ms.topic: conceptual +ms.date: 09/20/2021 +ms.localizationpriority: medium +ms.custom: +f1.keywords: NOCSH +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +search.appverid: MET150 +ms.collection: M365-security-compliance +ms.prod: m365-security +ms.technology: windows-sec +--- + +# Windows and cloud security + +Today’s workforce has more freedom and mobility than ever before. With the growth of enterprise cloud adoption, increased personal app usage, and increased use of third-party apps, the risk of data exposure is at its highest. Enabling Zero-Trust protection, Windows 11 works with Microsoft cloud services. Windows and cloud services together help organizations strengthen their multi-cloud security infrastructure, protect hybrid cloud workloads, and safeguard sensitive information while controlling access and mitigating threats. + +Windows 11 includes the cloud services that are listed in the following table:

      + +| Service type | Description | +|:---|:---| +| Mobile device management (MDM) and Microsoft Endpoint Manager | Windows 11 supports MDM, an enterprise management solution to help you manage your organization's security policies and business applications. MDM enables your security team to manage devices without compromising people's privacy on their personal devices.

      Non-Microsoft servers can be used to manage Windows 11 by using industry standard protocols.

      To learn more, see [Mobile device management](/windows/client-management/mdm/). | +| Microsoft account | When users add their Microsoft account to Windows 11, they can bring their Windows, Microsoft Edge, Xbox settings, web page favorites, files, photos, and more across their devices.

      The Microsoft account enables people to manage everything in one place. They can keep tabs on their subscriptions and order history, organize their family's digital life, update their privacy and security settings, track the health and safety of their devices, and even get rewards.

      To learn more, see [Microsoft Accounts](identity-protection/access-control/microsoft-accounts.md).| +| OneDrive | OneDrive is your online storage for your files, photos, and data. OneDrive provides extra security, backup, and restore options for important files and photos. With options for both personal and business, people can use OneDrive to store and protect files in the cloud, allowing users to them on their laptops, desktops, and mobile devices. If a device is lost or stolen, people can quickly recover all their important files, photos, and data.

      The OneDrive Personal Vault also provides protection for your most sensitive files without losing the convenience of anywhere access. Files are secured by identity verification, yet easily accessible to users across their devices. [Learn how to set up your Personal Vault](https://support.microsoft.com/office/protect-your-onedrive-files-in-personal-vault-6540ef37-e9bf-4121-a773-56f98dce78c4).

      In the event of a ransomware attack, OneDrive can enable recovery. And if you’ve configured backups in OneDrive, you have more options to mitigate and recover from a ransomware attack. [Learn more about how to recover from a ransomware attack using Office 365](/microsoft-365/security/office-365-security/recover-from-ransomware). | +| Access to Azure Active Directory | Microsoft Azure Active Directory (Azure AD) is a complete cloud identity and access management solution for managing identities and directories, enabling access to applications, and protecting identities from security threats.

      With Azure AD, you can manage and secure identities for your employees, partners, and customers to access the applications and services they need. Windows 11 works seamlessly with Azure Active Directory to provide secure access, identity management, and single sign-on to apps and services from anywhere.

      To learn more, see [What is Azure AD?](/azure/active-directory/fundamentals/active-directory-whatis) | + +## Next steps + +- [Learn more about MDM and Windows 11](/windows/client-management/mdm/) +- [Learn more about Windows security](index.yml) \ No newline at end of file diff --git a/windows/security/cryptography-certificate-mgmt.md b/windows/security/cryptography-certificate-mgmt.md new file mode 100644 index 0000000000..7c781c1bdf --- /dev/null +++ b/windows/security/cryptography-certificate-mgmt.md @@ -0,0 +1,43 @@ +--- +title: Cryptography and Certificate Management +description: Get an overview of cryptography and certificate management in Windows +search.appverid: MET150 +author: denisebmsft +ms.author: deniseb +manager: dansimp +audience: ITPro +ms.topic: conceptual +ms.date: 09/07/2021 +ms.prod: m365-security +ms.technology: windows-sec +ms.localizationpriority: medium +ms.collection: +ms.custom: +ms.reviewer: skhadeer, raverma +f1.keywords: NOCSH +--- + +# Cryptography and Certificate Management + + +## Cryptography + +Cryptography uses code to convert data so that only a specific recipient can read it by using a key. Cryptography enforces privacy to prevent anyone except the intended recipient from reading data, integrity to ensure data is free of tampering, and authentication that verifies identity to ensure that communication is secure. The cryptography stack in Windows extends from the chip to the cloud enabling Windows, applications, and services protect system and user secrets. + +Cryptography in Windows is Federal Information Processing Standards (FIPS) 140 certified. FIPS 140 certification ensures that US government approved algorithms are being used (RSA for signing, ECDH with NIST curves for key agreement, AES for symmetric encryption, and SHA2 for hashing), tests module integrity to prove that no tampering has occurred and proves the randomness for entropy sources. + +Windows cryptographic modules provide low-level primitives such as: + +- Random number generators (RNG) +- Symmetric and asymmetric encryption (support for AES 128/256 and RSA 512 to 16384, in 64-bit increments and ECDSA over NIST-standard prime curves P-256, P-384, P-521) +- Hashing (support for SHA-256, SHA-384, and SHA-512) +- Signing and verification (padding support for OAEP, PSS, PKCS1) +- Key agreement and key derivation (support for ECDH over NIST-standard prime curves P-256, P-384, P-521, and HKDF) + +These modules are natively exposed on Windows through the Crypto API (CAPI) and the Cryptography Next Generation API (CNG) which is powered by Microsoft's open-source cryptographic library SymCrypt. Application developers can use these APIs to perform low-level cryptographic operations (BCrypt), key storage operations (NCrypt), protect static data (DPAPI), and securely share secrets (DPAPI-NG). + +## Certificate management + +Windows offers several APIs to operate and manage certificates. Certificates are crucial to public key infrastructure (PKI) as they provide the means for safeguarding and authenticating information. Certificates are electronic documents used to claim ownership of a public key. Public keys are used to prove server and client identity, validate code integrity, and used in secure emails. Windows offers users the ability to auto-enroll and renew certificates in Active Directory with Group Policy to reduce the risk of potential outages due to certificate expiration or misconfiguration. Windows validates certificates through an automatic update mechanism that downloads certificate trust lists (CTL) daily. Trusted root certificates are used by applications as a reference for trustworthy PKI hierarchies and digital certificates. The list of trusted and untrusted certificates are stored in the CTL and can be updated by administrators. In the case of certificate revocation, a certificate is added as an untrusted certificate in the CTL causing it to be revoked globally across user devices immediately. + +Windows also offers enterprise certificate pinning to help reduce man-in-the-middle attacks by enabling users to protect their internal domain names from chaining to unwanted certificates. A web application's server authentication certificate chain is checked to ensure it matches a restricted set of certificates. Any web application triggering a name mismatch will start event logging and prevent user access from Edge or Internet Explorer. diff --git a/windows/security/docfx.json b/windows/security/docfx.json index 3a997cd1e9..d1a625e8bd 100644 --- a/windows/security/docfx.json +++ b/windows/security/docfx.json @@ -48,7 +48,7 @@ "folder_relative_path_in_docset": "./" } }, - "titleSuffix": "Microsoft 365 Security", + "titleSuffix": "Windows security", "contributors_to_exclude": [ "rjagiewich", "traya1", diff --git a/windows/security/encryption-data-protection.md b/windows/security/encryption-data-protection.md new file mode 100644 index 0000000000..359afde71f --- /dev/null +++ b/windows/security/encryption-data-protection.md @@ -0,0 +1,54 @@ +--- +title: Encryption and data protection in Windows +description: Get an overview encryption and data protection in Windows 11 and Windows 10 +search.appverid: MET150 +author: denisebmsft +ms.author: deniseb +manager: dansimp +audience: ITPro +ms.topic: conceptual +ms.date: 09/08/2021 +ms.prod: m365-security +ms.technology: windows-sec +ms.localizationpriority: medium +ms.collection: +ms.custom: +ms.reviewer: deepakm, rafals +f1.keywords: NOCSH +--- + +# Encryption and data protection in Windows client + +When people travel with their computers and devices, their confidential information travels with them. Wherever confidential data is stored, it must be protected against unauthorized access, whether through physical device theft or from malicious applications. +Encryption and data protection features include: + +- Encrypted Hard Drive +- BitLocker + +## Encrypted Hard Drive + +Encrypted Hard Drive uses the rapid encryption provided by BitLocker Drive Encryption to enhance data security and management. +By offloading the cryptographic operations to hardware, encrypted hard drives increase BitLocker performance and reduce CPU usage and power consumption. Because encrypted hard drives encrypt data quickly, enterprise devices can expand BitLocker deployment with minimal impact on productivity. + +Encrypted hard drives provide: + +- Better performance: Encryption hardware, integrated into the drive controller, allows the drive to operate at full data rate with no performance degradation. +- Strong security based in hardware: Encryption is always "on" and the keys for encryption never leave the hard drive. User authentication is performed by the drive before it will unlock, independently of the operating system. +- Ease of use: Encryption is transparent to the user, and the user does not need to enable it. Encrypted hard drives are easily erased using on-board encryption key; there is no need to re-encrypt data on the drive. +- Lower cost of ownership: There is no need for new infrastructure to manage encryption keys, since BitLocker uses your existing infrastructure to store recovery information. Your device operates more efficiently because processor cycles do not need to be used for the encryption process. + +Encrypted hard drives are a new class of hard drives that are self-encrypted at a hardware level and allow for full disk hardware encryption. + +## BitLocker + +BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. + +BitLocker provides encryption for the operating system, fixed data, and removable data drives, using technologies like hardware security test interface (HSTI), Modern Standby, UEFI Secure Boot, and TPM. + +Windows consistently improves data protection by improving existing options and providing new strategies. + + +## See also + +- [Encrypted Hard Drive](information-protection/encrypted-hard-drive.md) +- [BitLocker](information-protection/bitlocker/bitlocker-overview.md) diff --git a/windows/security/hardware.md b/windows/security/hardware.md new file mode 100644 index 0000000000..435dd886c2 --- /dev/null +++ b/windows/security/hardware.md @@ -0,0 +1,27 @@ +--- +title: Windows hardware security +description: Get an overview of hardware security in Windows 11 and Windows 10 +ms.reviewer: +manager: dansimp +ms.author: dansimp +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: dansimp +ms.collection: M365-security-compliance +ms.prod: m365-security +ms.technology: windows-sec +--- + +# Windows hardware security + +Modern threats require modern security with a strong alignment between hardware security and software security techniques to keep users, data, and devices protected. The operating system alone cannot protect from the wide range of tools and techniques cybercriminals use to compromise a computer deep inside its silicon. Once inside, intruders can be difficult to detect while engaging in multiple nefarious activities from stealing important data to capturing email addresses and other sensitive pieces of information. +These new threats call for computing hardware that is secure down to the very core, including hardware chips and processors. Microsoft and our partners, including chip and device manufacturers, have worked together to integrate powerful security capabilities across software, firmware, and hardware.

      + +| Security Measures | Features & Capabilities | +|:---|:---| +| Trusted Platform Module (TPM) | A Trusted Platform Module (TPM) is designed to provide hardware-based security-related functions and help prevent unwanted tampering. TPMs provide security and privacy benefits for system hardware, platform owners, and users.
      A TPM chip is a secure crypto-processor that helps with actions such as generating, storing, and limiting the use of cryptographic keys. Many TPMs include multiple physical security mechanisms to make it tamper resistant and prevent malicious software from tampering with the security functions of the TPM.

      Learn more about the [Trusted Platform Module](information-protection/tpm/trusted-platform-module-top-node.md). | +| Hardware-based root of trust with Windows Defender System Guard | To protect critical resources such as Windows authentication, single sign-on tokens, Windows Hello, and the Virtual Trusted Platform Module, a system's firmware and hardware must be trustworthy.
      Windows Defender System Guard helps protect and maintain the integrity of the system as it starts up and validate that system integrity has truly been maintained through local and remote attestation.

      Learn more about [How a hardware-based root of trust helps protect Windows](threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md) and [System Guard Secure Launch and SMM protection](threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md). | +| Enable virtualization-based protection of code integrity | Hypervisor-protected Code Integrity (HVCI) is a virtualization based security (VBS) feature available in Windows. In the Windows Device Security settings, HVCI is referred to as Memory Integrity.
      HVCI and VBS improve the threat model of Windows and provide stronger protections against malware trying to exploit the Windows Kernel. VBS uses the Windows Hypervisor to create an isolated virtual environment that becomes the root of trust of the OS that assumes the kernel can be compromised. HVCI is a critical component that protects and hardens this virtual environment by running kernel mode code integrity within it and restricting kernel memory allocations that could be used to compromise the system.

      Learn more: [Enable virtualization-based protection of code integrity](threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md). +| Kernel Direct Memory Access (DMA) Protection | PCIe hot plug devices such as Thunderbolt, USB4, and CFexpress allow users to attach new classes of external peripherals, including graphics cards or other PCI devices, to their PCs with an experience identical to USB. Because PCI hot plug ports are external and easily accessible, PCs are susceptible to drive-by Direct Memory Access (DMA) attacks. Memory access protection (also known as Kernel DMA Protection) protects PCs against drive-by DMA attacks that use PCIe hot plug devices by limiting these external peripherals from being able to directly copy memory when the user has locked their PC.

      Learn more about [Kernel DMA Protection](information-protection/kernel-dma-protection-for-thunderbolt.md). | +| Secured-core PCs | Microsoft is working closely with OEM partners and silicon vendors to build Secured-core PCs that feature deeply integrated hardware, firmware, and software to ensure enhanced security for devices, identities, and data.

      Secured-core PCs provide protections that are useful against sophisticated attacks and can provide increased assurance when handling mission-critical data in some of the most data-sensitive industries, such as healthcare workers that handle medical records and other personally identifiable information (PII), commercial roles that handle high business impact and highly sensitive data, such as a financial controller with earnings data.

      Learn more about [Secured-core PCs](/windows-hardware/design/device-experiences/oem-highly-secure).| diff --git a/windows/security/identity-protection/TOC.yml b/windows/security/identity-protection/TOC.yml deleted file mode 100644 index 5e4680879e..0000000000 --- a/windows/security/identity-protection/TOC.yml +++ /dev/null @@ -1,132 +0,0 @@ -- name: Identity and access management - href: index.md - items: - - name: Technical support policy for lost or forgotten passwords - href: password-support-policy.md - - name: Access Control Overview - href: access-control/access-control.md - items: - - name: Dynamic Access Control Overview - href: access-control/dynamic-access-control.md - - name: Security identifiers - href: access-control/security-identifiers.md - - name: Security Principals - href: access-control/security-principals.md - - name: Local Accounts - href: access-control/local-accounts.md - - name: Active Directory Accounts - href: access-control/active-directory-accounts.md - - name: Microsoft Accounts - href: access-control/microsoft-accounts.md - - name: Service Accounts - href: access-control/service-accounts.md - - name: Active Directory Security Groups - href: access-control/active-directory-security-groups.md - - name: Special Identities - href: access-control/special-identities.md - - name: User Account Control - href: user-account-control\user-account-control-overview.md - items: - - name: How User Account Control works - href: user-account-control\how-user-account-control-works.md - - name: User Account Control security policy settings - href: user-account-control\user-account-control-security-policy-settings.md - - name: User Account Control Group Policy and registry key settings - href: user-account-control\user-account-control-group-policy-and-registry-key-settings.md - - name: Windows Hello for Business - href: hello-for-business/index.yml - - name: Protect derived domain credentials with Credential Guard - href: credential-guard/credential-guard.md - items: - - name: How Credential Guard works - href: credential-guard/credential-guard-how-it-works.md - - name: Credential Guard Requirements - href: credential-guard/credential-guard-requirements.md - - name: Manage Credential Guard - href: credential-guard/credential-guard-manage.md - - name: Hardware readiness tool - href: credential-guard/dg-readiness-tool.md - - name: Credential Guard protection limits - href: credential-guard/credential-guard-protection-limits.md - - name: Considerations when using Credential Guard - href: credential-guard/credential-guard-considerations.md - - name: "Credential Guard: Additional mitigations" - href: credential-guard/additional-mitigations.md - - name: "Credential Guard: Known issues" - href: credential-guard/credential-guard-known-issues.md - - name: Protect Remote Desktop credentials with Remote Credential Guard - href: remote-credential-guard.md - - name: Smart Cards - href: smart-cards/smart-card-windows-smart-card-technical-reference.md - items: - - name: How Smart Card Sign-in Works in Windows - href: smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md - items: - - name: Smart Card Architecture - href: smart-cards/smart-card-architecture.md - - name: Certificate Requirements and Enumeration - href: smart-cards/smart-card-certificate-requirements-and-enumeration.md - - name: Smart Card and Remote Desktop Services - href: smart-cards/smart-card-and-remote-desktop-services.md - - name: Smart Cards for Windows Service - href: smart-cards/smart-card-smart-cards-for-windows-service.md - - name: Certificate Propagation Service - href: smart-cards/smart-card-certificate-propagation-service.md - - name: Smart Card Removal Policy Service - href: smart-cards/smart-card-removal-policy-service.md - - name: Smart Card Tools and Settings - href: smart-cards/smart-card-tools-and-settings.md - items: - - name: Smart Cards Debugging Information - href: smart-cards/smart-card-debugging-information.md - - name: Smart Card Group Policy and Registry Settings - href: smart-cards/smart-card-group-policy-and-registry-settings.md - - name: Smart Card Events - href: smart-cards/smart-card-events.md - - name: Virtual Smart Cards - href: virtual-smart-cards\virtual-smart-card-overview.md - items: - - name: Understanding and Evaluating Virtual Smart Cards - href: virtual-smart-cards\virtual-smart-card-understanding-and-evaluating.md - items: - - name: "Get Started with Virtual Smart Cards: Walkthrough Guide" - href: virtual-smart-cards\virtual-smart-card-get-started.md - - name: Use Virtual Smart Cards - href: virtual-smart-cards\virtual-smart-card-use-virtual-smart-cards.md - - name: Deploy Virtual Smart Cards - href: virtual-smart-cards\virtual-smart-card-deploy-virtual-smart-cards.md - - name: Evaluate Virtual Smart Card Security - href: virtual-smart-cards\virtual-smart-card-evaluate-security.md - - name: Tpmvscmgr - href: virtual-smart-cards\virtual-smart-card-tpmvscmgr.md - - name: Enterprise Certificate Pinning - href: enterprise-certificate-pinning.md - - name: Windows 10 credential theft mitigation guide abstract - href: windows-credential-theft-mitigation-guide-abstract.md - - name: Configure S/MIME for Windows 10 - href: configure-s-mime.md - - name: VPN technical guide - href: vpn\vpn-guide.md - items: - - name: VPN connection types - href: vpn\vpn-connection-type.md - - name: VPN routing decisions - href: vpn\vpn-routing.md - - name: VPN authentication options - href: vpn\vpn-authentication.md - - name: VPN and conditional access - href: vpn\vpn-conditional-access.md - - name: VPN name resolution - href: vpn\vpn-name-resolution.md - - name: VPN auto-triggered profile options - href: vpn\vpn-auto-trigger-profile.md - - name: VPN security features - href: vpn\vpn-security-features.md - - name: VPN profile options - href: vpn\vpn-profile-options.md - - name: How to configure Diffie Hellman protocol over IKEv2 VPN connections - href: vpn\how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md - - name: How to use single sign-on (SSO) over VPN and Wi-Fi connections - href: vpn\how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md - - name: Optimizing Office 365 traffic with the Windows 10 VPN client - href: vpn\vpn-office-365-optimization.md diff --git a/windows/security/identity-protection/access-control/active-directory-security-groups.md b/windows/security/identity-protection/access-control/active-directory-security-groups.md index f191ffdf77..5ac3dcc651 100644 --- a/windows/security/identity-protection/access-control/active-directory-security-groups.md +++ b/windows/security/identity-protection/access-control/active-directory-security-groups.md @@ -2435,6 +2435,9 @@ Members of the Performance Log Users group can manage performance counters, logs > [!WARNING] > If you are a member of the Performance Log Users group, you must configure Data Collector Sets that you create to run under your credentials. + > [!NOTE] + > In Windows Server 2016 or later, Data Collector Sets cannot be created by a member of the Performance Log Users group. + > If a member of the Performance Log Users group tries to create Data Collector Sets, they cannot complete creation because access will be denied. - Cannot use the Windows Kernel Trace event provider in Data Collector Sets. diff --git a/windows/security/identity-protection/access-control/special-identities.md b/windows/security/identity-protection/access-control/special-identities.md index f0c84a4b48..f08c30bd24 100644 --- a/windows/security/identity-protection/access-control/special-identities.md +++ b/windows/security/identity-protection/access-control/special-identities.md @@ -12,7 +12,7 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium -ms.date: 04/19/2017 +ms.date: 10/12/2021 ms.reviewer: --- @@ -39,7 +39,7 @@ The special identity groups are described in the following tables: - [Anonymous Logon](#anonymous-logon) -- [Authenticated User](#authenticated-users) +- [Authenticated Users](#authenticated-users) - [Batch](#batch) @@ -90,7 +90,7 @@ The special identity groups are described in the following tables: Any user who accesses the system through an anonymous logon has the Anonymous Logon identity. This identity allows anonymous access to resources, such as a web page that is published on corporate servers. The Anonymous Logon group is not a member of the Everyone group by default. -| **Attribute** | **Value** | +| Attribute | Value | | :--: | :--: | | Well-Known SID/RID | S-1-5-7 | |Object Class| Foreign Security Principal| @@ -102,11 +102,11 @@ Any user who accesses the system through an anonymous logon has the Anonymous Lo Any user who accesses the system through a sign-in process has the Authenticated Users identity. This identity allows access to shared resources within the domain, such as files in a shared folder that should be accessible to all the workers in the organization. Membership is controlled by the operating system. -| **Attribute** | **Value** | +| Attribute | Value | | :--: | :--: | | Well-Known SID/RID | S-1-5-11 | |Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=System,cn=WellKnown Security Principals, cn=Configuration, dc=\| +|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| |Default User Rights| [Access this computer from the network](/windows/device-security/security-policy-settings/access-this-computer-from-the-network): SeNetworkLogonRight
      [Add workstations to domain](/windows/device-security/security-policy-settings/add-workstations-to-domain): SeMachineAccountPrivilege
      [Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege| ## Batch @@ -114,7 +114,7 @@ Any user who accesses the system through a sign-in process has the Authenticated Any user or process that accesses the system as a batch job (or through the batch queue) has the Batch identity. This identity allows batch jobs to run scheduled tasks, such as a nightly cleanup job that deletes temporary files. Membership is controlled by the operating system. -| **Attribute** | **Value** | +| Attribute | Value | | :--: | :--: | | Well-Known SID/RID | S-1-5-3 | |Object Class| Foreign Security Principal| @@ -128,7 +128,7 @@ The person who created the file or the directory is a member of this special ide A placeholder security identifier (SID) is created in an inheritable access control entry (ACE). When the ACE is inherited, the system replaces this SID with the SID for the primary group of the object’s current owner. The primary group is used only by the Portable Operating System Interface for UNIX (POSIX) subsystem. -| **Attribute** | **Value** | +| Attribute | Value | | :--: | :--: | | Well-Known SID/RID | S-1-3-1 | |Object Class| Foreign Security Principal| @@ -140,7 +140,7 @@ A placeholder security identifier (SID) is created in an inheritable access cont The person who created the file or the directory is a member of this special identity group. Windows Server operating systems use this identity to automatically grant access permissions to the creator of a file or directory. A placeholder SID is created in an inheritable ACE. When the ACE is inherited, the system replaces this SID with the SID for the object’s current owner. -| **Attribute** | **Value** | +| Attribute | Value | | :--: | :--: | | Well-Known SID/RID | S-1-3-0 | |Object Class| Foreign Security Principal| @@ -152,29 +152,29 @@ The person who created the file or the directory is a member of this special ide Any user who accesses the system through a dial-up connection has the Dial-Up identity. This identity distinguishes dial-up users from other types of authenticated users. -| **Attribute** | **Value** | +| Attribute | Value | | :--: | :--: | | Well-Known SID/RID | S-1-5-1 | |Object Class| Foreign Security Principal| |Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights| none|  +|Default User Rights| none| ## Digest Authentication -| **Attribute** | **Value** | +| Attribute | Value | | :--: | :--: | | Well-Known SID/RID | S-1-5-64-21 | |Object Class| Foreign Security Principal| |Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights| none|  +|Default User Rights| none| ## Enterprise Domain Controllers This group includes all domain controllers in an Active Directory forest. Domain controllers with enterprise-wide roles and responsibilities have the Enterprise Domain Controllers identity. This identity allows them to perform certain tasks in the enterprise by using transitive trusts. Membership is controlled by the operating system. -| **Attribute** | **Value** | +| Attribute | Value | | :--: | :--: | | Well-Known SID/RID | S-1-5-9 | |Object Class| Foreign Security Principal| @@ -190,7 +190,7 @@ On computers running Windows 2000 and earlier, the Everyone group included the Membership is controlled by the operating system. -| **Attribute** | **Value** | +| Attribute | Value | | :--: | :--: | | Well-Known SID/RID | S-1-1-0 | |Object Class| Foreign Security Principal| @@ -202,7 +202,7 @@ Membership is controlled by the operating system. Any user who is logged on to the local system has the Interactive identity. This identity allows only local users to access a resource. Whenever a user accesses a given resource on the computer to which they are currently logged on, the user is automatically added to the Interactive group. Membership is controlled by the operating system. -| **Attribute** | **Value** | +| Attribute | Value | | :--: | :--: | | Well-Known SID/RID | S-1-5-4 | |Object Class| Foreign Security Principal| @@ -214,7 +214,7 @@ Any user who is logged on to the local system has the Interactive identity. This The Local Service account is similar to an Authenticated User account. The Local Service account has the same level of access to resources and objects as members of the Users group. This limited access helps safeguard your system if individual services or processes are compromised. Services that run as the Local Service account access network resources as a null session with anonymous credentials. The name of the account is NT AUTHORITY\\LocalService. This account does not have a password. -| **Attribute** | **Value** | +| Attribute | Value | | :--: | :--: | | Well-Known SID/RID | S-1-5-19 | |Object Class| Foreign Security Principal| @@ -227,7 +227,7 @@ The Local Service account is similar to an Authenticated User account. The Local This is a service account that is used by the operating system. The LocalSystem account is a powerful account that has full access to the system and acts as the computer on the network. If a service logs on to the LocalSystem account on a domain controller, that service has access to the entire domain. Some services are configured by default to log on to the LocalSystem account. Do not change the default service setting. The name of the account is LocalSystem. This account does not have a password. -| **Attribute** | **Value** | +| Attribute | Value | | :--: | :--: | | Well-Known SID/RID | S-1-5-18 | |Object Class| Foreign Security Principal| @@ -238,7 +238,7 @@ This is a service account that is used by the operating system. The LocalSystem This group implicitly includes all users who are logged on through a network connection. Any user who accesses the system through a network has the Network identity. This identity allows only remote users to access a resource. Whenever a user accesses a given resource over the network, the user is automatically added to the Network group. Membership is controlled by the operating system. -| **Attribute** | **Value** | +| Attribute | Value | | :--: | :--: | | Well-Known SID/RID | S-1-5-2 | |Object Class| Foreign Security Principal| @@ -250,7 +250,7 @@ This group implicitly includes all users who are logged on through a network con The Network Service account is similar to an Authenticated User account. The Network Service account has the same level of access to resources and objects as members of the Users group. This limited access helps safeguard your system if individual services or processes are compromised. Services that run as the Network Service account access network resources by using the credentials of the computer account. The name of the account is NT AUTHORITY\\NetworkService. This account does not have a password. -| **Attribute** | **Value** | +| Attribute | Value | | :--: | :--: | | Well-Known SID/RID | S-1-5-20 | |Object Class| Foreign Security Principal| @@ -260,7 +260,7 @@ The Network Service account is similar to an Authenticated User account. The Net ## NTLM Authentication -| **Attribute** | **Value** | +| Attribute | Value | | :--: | :--: | | Well-Known SID/RID | S-1-5-64-10 | |Object Class| Foreign Security Principal| @@ -272,7 +272,7 @@ The Network Service account is similar to an Authenticated User account. The Net This group implicitly includes all users who are logged on to the system through a dial-up connection. Membership is controlled by the operating system. -| **Attribute** | **Value** | +| Attribute | Value | | :--: | :--: | | Well-Known SID/RID | S-1-5-1000 | |Object Class| Foreign Security Principal| @@ -284,7 +284,7 @@ This group implicitly includes all users who are logged on to the system through This identity is a placeholder in an ACE on a user, group, or computer object in Active Directory. When you grant permissions to Principal Self, you grant them to the security principal that is represented by the object. During an access check, the operating system replaces the SID for Principal Self with the SID for the security principal that is represented by the object. -| **Attribute** | **Value** | +| Attribute | Value | | :--: | :--: | | Well-Known SID/RID | S-1-5-10 | |Object Class| Foreign Security Principal| @@ -296,7 +296,7 @@ This identity is a placeholder in an ACE on a user, group, or computer object in This identity represents all users who are currently logged on to a computer by using a Remote Desktop connection. This group is a subset of the Interactive group. Access tokens that contain the Remote Interactive Logon SID also contain the Interactive SID. -| **Attribute** | **Value** | +| Attribute | Value | | :--: | :--: | | Well-Known SID/RID | S-1-5-14| |Object Class| Foreign Security Principal| @@ -308,7 +308,7 @@ This identity represents all users who are currently logged on to a computer by Users and computers with restricted capabilities have the Restricted identity. This identity group is used by a process that is running in a restricted security context, such as running an application with the RunAs service. When code runs at the Restricted security level, the Restricted SID is added to the user’s access token. -| **Attribute** | **Value** | +| Attribute | Value | | :--: | :--: | | Well-Known SID/RID | S-1-5-12 | |Object Class| Foreign Security Principal| @@ -318,7 +318,7 @@ Users and computers with restricted capabilities have the Restricted identity. T ## SChannel Authentication -| **Attribute** | **Value** | +| Attribute | Value | | :--: | :--: | | Well-Known SID/RID | S-1-5-64-14 | |Object Class| Foreign Security Principal| @@ -331,7 +331,7 @@ Users and computers with restricted capabilities have the Restricted identity. T Any service that accesses the system has the Service identity. This identity group includes all security principals that are signed in as a service. This identity grants access to processes that are being run by Windows Server services. Membership is controlled by the operating system. -| **Attribute** | **Value** | +| Attribute | Value | | :--: | :--: | | Well-Known SID/RID | S-1-5-6 | |Object Class| Foreign Security Principal| @@ -343,7 +343,7 @@ Any service that accesses the system has the Service identity. This identity gro Any user accessing the system through Terminal Services has the Terminal Server User identity. This identity allows users to access Terminal Server applications and to perform other necessary tasks with Terminal Server services. Membership is controlled by the operating system. -| **Attribute** | **Value** | +| Attribute | Value | | :--: | :--: | | Well-Known SID/RID | S-1-5-13 | |Object Class| Foreign Security Principal| @@ -353,7 +353,7 @@ Any user accessing the system through Terminal Services has the Terminal Server ## This Organization -| **Attribute** | **Value** | +| Attribute | Value | | :--: | :--: | | Well-Known SID/RID | S-1-5-15 | |Object Class| Foreign Security Principal| @@ -362,7 +362,7 @@ Any user accessing the system through Terminal Services has the Terminal Server ## Window Manager\\Window Manager Group -| **Attribute** | **Value** | +| Attribute | Value | | :--: | :--: | | Well-Known SID/RID | | |Object Class| | diff --git a/windows/security/identity-protection/change-history-for-access-protection.md b/windows/security/identity-protection/change-history-for-access-protection.md deleted file mode 100644 index 9cd9f0847d..0000000000 --- a/windows/security/identity-protection/change-history-for-access-protection.md +++ /dev/null @@ -1,36 +0,0 @@ ---- -title: Change history for access protection (Windows 10) -description: This topic lists new and updated topics in the Windows 10 access protection documentation for Windows 10. -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro -author: dansimp -ms.author: dansimp -manager: dansimp -ms.collection: M365-identity-device-management -ms.topic: article -ms.localizationpriority: medium -ms.date: 08/11/2017 -ms.reviewer: ---- - -# Change history for access protection -This topic lists new and updated topics in the [Access protection](index.md) documentation. - -## August 2017 -|New or changed topic |Description | -|---------------------|------------| -|[Microsoft accounts](access-control/microsoft-accounts.md) |Revised to cover new Group Policy setting in Windows 10, version 1703, named **Block all consumer Microsoft account user authentication**.| - -## June 2017 -|New or changed topic |Description | -|---------------------|------------| -|[How hardware-based containers help protect Windows 10](/windows/security/threat-protection/windows-defender-atp/how-hardware-based-containers-help-protect-windows) | New | - - -## March 2017 -|New or changed topic |Description | -|---------------------|------------| -|[Protect derived domain credentials with Credential Guard](credential-guard/credential-guard.md) |Updated to include additional security qualifications starting with Window 10, version 1703.| \ No newline at end of file diff --git a/windows/security/identity-protection/configure-s-mime.md b/windows/security/identity-protection/configure-s-mime.md index 9423de2923..2f95950f32 100644 --- a/windows/security/identity-protection/configure-s-mime.md +++ b/windows/security/identity-protection/configure-s-mime.md @@ -1,5 +1,5 @@ --- -title: Configure S/MIME for Windows 10 +title: Configure S/MIME for Windows description: S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients with a digital ID, also known as a certificate, can read them. ms.assetid: 7F9C2A99-42EB-4BCC-BB53-41C04FBBBF05 ms.reviewer: @@ -19,16 +19,17 @@ ms.date: 07/27/2017 --- -# Configure S/MIME for Windows 10 +# Configure S/MIME for Windows **Applies to** -- Windows 10 +- Windows 10 +- Windows 11 -S/MIME stands for Secure/Multipurpose Internet Mail Extensions, and provides an added layer of security for email sent to and from an Exchange ActiveSync (EAS) account. In Windows 10, S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients who have a digital identification (ID), also known as a certificate, can read them. Users can digitally sign a message, which provides the recipients with a way to verify the identity of the sender and that the message hasn't been tampered with. +S/MIME stands for Secure/Multipurpose Internet Mail Extensions, and provides an added layer of security for email sent to and from an Exchange ActiveSync (EAS) account. S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients who have a digital identification (ID), also known as a certificate, can read them. Users can digitally sign a message, which provides the recipients with a way to verify the identity of the sender and that the message hasn't been tampered with. ## About message encryption -Users can send encrypted message to people in their organization and people outside their organization if they have their encryption certificates. However, users using Windows 10 Mail app can only read encrypted messages if the message is received on their Exchange account and they have corresponding decryption keys. +Users can send encrypted message to people in their organization and people outside their organization if they have their encryption certificates. However, users using Windows Mail app can only read encrypted messages if the message is received on their Exchange account and they have corresponding decryption keys. Encrypted messages can be read only by recipients who have a certificate. If you try to send an encrypted message to recipient(s) whose encryption certificate are not available, the app will prompt you to remove these recipients before sending the email. @@ -48,7 +49,7 @@ A digitally signed message reassures the recipient that the message hasn't been On the device, perform the following steps: (add select certificate) -1. Open the Mail app. (In Windows 10 Mobile, the app is Outlook Mail.) +1. Open the Mail app. 2. Open **Settings** by tapping the gear icon on a PC, or the ellipsis (...) and then the gear icon on a phone. diff --git a/windows/security/identity-protection/credential-guard/dg-readiness-tool.md b/windows/security/identity-protection/credential-guard/dg-readiness-tool.md index 8d3185afd9..5e6d9befec 100644 --- a/windows/security/identity-protection/credential-guard/dg-readiness-tool.md +++ b/windows/security/identity-protection/credential-guard/dg-readiness-tool.md @@ -22,6 +22,7 @@ ms.reviewer: - Windows 11 - Windows Server 2016 - Windows Server 2019 +- Windows Server 2022 ```powershell # Script to find out if a machine is Device Guard compliant. @@ -780,7 +781,7 @@ function CheckOSSKU function CheckOSArchitecture { - $OSArch = $(gwmi win32_operatingsystem).OSArchitecture.ToLower() + $OSArch = $(Get-WmiObject win32_operatingsystem).OSArchitecture.ToLower() Log $OSArch if($OSArch -match ("^64\-?\s?bit")) { @@ -818,9 +819,9 @@ function CheckSecureBootState function CheckVirtualization { - $_vmmExtension = $(gwmi -Class Win32_processor).VMMonitorModeExtensions - $_vmFirmwareExtension = $(gwmi -Class Win32_processor).VirtualizationFirmwareEnabled - $_vmHyperVPresent = (gcim -Class Win32_ComputerSystem).HypervisorPresent + $_vmmExtension = $(Get-WMIObject -Class Win32_processor).VMMonitorModeExtensions + $_vmFirmwareExtension = $(Get-WMIObject -Class Win32_processor).VirtualizationFirmwareEnabled + $_vmHyperVPresent = (Get-CimInstance -Class Win32_ComputerSystem).HypervisorPresent Log "VMMonitorModeExtensions $_vmmExtension" Log "VirtualizationFirmwareEnabled $_vmFirmwareExtension" Log "HyperVisorPresent $_vmHyperVPresent" @@ -1046,7 +1047,7 @@ if(!$TestForAdmin) exit } -$isRunningOnVM = (get-wmiobject win32_computersystem).model +$isRunningOnVM = (Get-WmiObject win32_computersystem).model if($isRunningOnVM.Contains("Virtual")) { LogAndConsoleWarning "Running on a Virtual Machine. DG/CG is supported only if both guest VM and host machine are running with Windows 10, version 1703 or later with English localization." diff --git a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md index aa4d0faa2f..8e5fd2f049 100644 --- a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md +++ b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md @@ -31,7 +31,7 @@ You may wish to disable the automatic Windows Hello for Business enrollment prom Cloud only deployments will use Azure AD multi-factor authentication (MFA) during Windows Hello for Business (WHfB) enrollment and there's no additional MFA configuration needed. If you aren't already registered in Azure AD MFA, you will be guided though the MFA registration as part of the Windows Hello for Business enrollment process. -The necessary Windows Hello for Business prerequisites are located at [Cloud Only Deployment](hello-identity-verification.md#cloud-only-deployment). +The necessary Windows Hello for Business prerequisites are located at [Cloud Only Deployment](hello-identity-verification.md#azure-ad-cloud-only-deployment). Also note that it's possible for federated domains to enable the “Supports MFA” flag in your federated domain settings. This flag tells Azure AD that the federated IDP will perform the MFA challenge. diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md index 80a1ca91b3..4e7d1f7942 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md @@ -50,7 +50,10 @@ Do not begin your deployment until the hosting servers and infrastructure (not r ## Deployment and trust models -Windows Hello for Business has three deployment models: Cloud, hybrid, and on-premises. Hybrid and on-premises deployment models have two trust models: *Key trust* and *certificate trust*. +Windows Hello for Business has three deployment models: Azure AD cloud only, hybrid, and on-premises. Hybrid and on-premises deployment models have two trust models: *Key trust* and *certificate trust*. + +> [!NOTE] +> Windows Hello for Business is introducing a new trust model called cloud trust in early 2022. This trust model will enable deployment of Windows Hello for Business using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). More information will be available on Windows Hello for Business cloud trust once it is generally available. Hybrid deployments are for enterprises that use Azure Active Directory. On-premises deployments are for enterprises who exclusively use on-premises Active Directory. Remember that the environments that use Azure Active Directory must use the hybrid deployment model for all domains in that forest. diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index 405b6710ad..213b9c9999 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml @@ -14,7 +14,7 @@ metadata: ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium - ms.date: 01/14/2021 + ms.date: 10/15/2021 ms.reviewer: title: Windows Hello for Business Frequently Asked Questions (FAQ) @@ -25,6 +25,10 @@ summary: | sections: - name: Ignored questions: + - question: What is Windows Hello for Business cloud trust? + answer: | + Windows Hello for Business cloud trust is a new trust model that is planned to be introduced in early 2022. This trust model will enable Windows Hello for Business deployment using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). More information will be available on Windows Hello for Business cloud trust once it is generally available. + - question: What about virtual smart cards? answer: | Windows Hello for Business is the modern, two-factor credential for Windows 10. Microsoft will be deprecating virtual smart cards in the future, but no date is set at this time. Customers using Windows 10 and virtual smart cards should move to Windows Hello for Business. Microsoft will publish the date early to ensure customers have adequate lead time to move to Windows Hello for Business. Microsoft recommends that new Windows 10 deployments use Windows Hello for Business. Virtual smart card remain supported for Windows 7 and Windows 8. @@ -71,7 +75,7 @@ sections: - question: Can I use an external Windows Hello compatible camera when my laptop is closed or docked? answer: | - Yes. Starting with Windows 10, version 21H2 an external Windows Hello compatible camera can be used if a device already supports an internal Windows Hello camera. When both cameras are present, the external camera will be be used for face authentication. For more information see [IT tools to support Windows 10, version 21H1](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/it-tools-to-support-windows-10-version-21h1/ba-p/2365103). + Yes. Starting with Windows 10, version 21H1 an external Windows Hello compatible camera can be used if a device already supports an internal Windows Hello camera. When both cameras are present, the external camera will be be used for face authentication. For more information see [IT tools to support Windows 10, version 21H1](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/it-tools-to-support-windows-10-version-21h1/ba-p/2365103). - question: Why does authentication fail immediately after provisioning hybrid key trust? answer: | @@ -208,7 +212,7 @@ sections: - question: Does Windows Hello for Business work with third-party federation servers? answer: | - Windows Hello for Business works with any third-party federation servers that support the protocols used during the provisioning experience. Interested third-parties can inquiry at [whfbfeedback@microsoft.com](mailto:whfbfeedback@microsoft.com?subject=collaboration).

      + Windows Hello for Business works with any third-party federation servers that support the protocols used during the provisioning experience.

      | Protocol | Description | | :---: | :--- | @@ -219,4 +223,10 @@ sections: - question: Does Windows Hello for Business work with Mac and Linux clients? answer: | - Windows Hello for Business is a feature of Windows 10. At this time, Microsoft is not developing clients for other platforms. However, Microsoft is open to third-parties who are interested in moving these platforms away from passwords. Interested third-parties can get more information by emailing [whfbfeedback@microsoft.com](mailto:whfbfeedback@microsoft.com?subject=collaboration). \ No newline at end of file + Windows Hello for Business is a feature of Windows 10. At this time, Microsoft is not developing clients for other platforms. However, Microsoft is open to third-parties who are interested in moving these platforms away from passwords. Interested third-parties can get more information by emailing [whfbfeedback@microsoft.com](mailto:whfbfeedback@microsoft.com?subject=collaboration). + Windows Hello for Business is a feature of the Windows platform. At this time, Microsoft is not developing clients for other platforms. + + - question: Does Windows Hello for Business work with Azure Active Directory Domain Services (Azure AD DS) clients? + answer: | + No, Azure AD DS is a separately managed environment in Azure, and hybrid device registration with cloud Azure AD is not available for it via Azure AD Connect. Hence, Windows Hello for Business does not work with Azure AD. + diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md index 25b4269de7..29bce3f5dc 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md @@ -38,7 +38,7 @@ There are two forms of PIN reset called destructive and non-destructive. Destruc Destructive and non-destructive PIN reset use the same entry points for initiating a PIN reset. If a user has forgotten their PIN, but has an alternate logon method, they can navigate to Sign-in options in Settings and initiate a PIN reset from the PIN options. If they do not have an alternate way to sign into their device, PIN reset can also be initiated from above the lock screen in the PIN credential provider. >[!IMPORTANT] ->For hybrid Azure AD joined devices, users must have corporate network connectivity to domain controllers to reset their PIN. If AD FS is being used for certificate trust or for on-premises only deployments, users must also have corporate network connectivity to federation services to reset their PIN. +>For hybrid Azure AD joined devices, users must have corporate network connectivity to domain controllers to complete destructive PIN reset. If AD FS is being used for certificate trust or for on-premises only deployments, users must also have corporate network connectivity to federation services to reset their PIN. ### Reset PIN from Settings diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index 61eb44f8f8..fba0adf89f 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md @@ -33,6 +33,7 @@ If you plan to use certificates for on-premises single-sign on, then follow thes > Ensure you have performed the configurations in [Azure AD joined devices for On-premises Single-Sign On](hello-hybrid-aadj-sso-base.md) before you continue. Steps you will perform include: + - [Prepare Azure AD Connect](#prepare-azure-ad-connect) - [Prepare the Network Device Enrollment Services Service Account](#prepare-the-network-device-enrollment-services-ndes-service-account) - [Prepare Active Directory Certificate Services](#prepare-active-directory-certificate-authority) @@ -42,12 +43,14 @@ Steps you will perform include: - [Create and Assign a Simple Certificate Enrollment Protocol (SCEP) Certificate Profile](#create-and-assign-a-simple-certificate-enrollment-protocol-scep-certificate-profile) ## Requirements + You need to install and configure additional infrastructure to provide Azure AD joined devices with on-premises single-sign on. - An existing Windows Server 2012 R2 or later Enterprise Certificate Authority - A Windows Server 2012 R2 domain joined server that hosts the Network Device Enrollment Services role ### High Availability + The Network Device Enrollment Services (NDES) server role acts as a certificate registration authority. Certificate registration servers enroll certificates on behalf of the user. Users request certificates from the NDES service rather than directly from the issuing certificate authority. The architecture of the NDES server prevents it from being clustered or load balanced for high availability. To provide high availability, you need to install more than one identically configured NDES servers and use Microsoft Intune to load balance then (in round-robin fashion). @@ -61,9 +64,11 @@ The Network Device Enrollment Service (NDES) server role can issue up to three u If you need to deploy more than three types of certificates to the Azure AD joined device, you need additional NDES servers. Alternatively, consider consolidating certificate templates to reduce the number of certificate templates. ### Network Requirements + All communication occurs securely over port 443. ## Prepare Azure AD Connect + Successful authentication to on-premises resources using a certificate requires the certificate to provide a hint about the on-premises domain. The hint can be the user's Active Directory distinguished name as the subject of the certificate, or the hint can be the user's user principal name where the suffix matches the Active Directory domain name. Most environments change the user principal name suffix to match the organization's external domain name (or vanity domain), which prevents the user principal name as a hint to locate a domain controller. Therefore, the certificate needs the user's on-premises distinguished name in the subject to properly locate a domain controller. @@ -71,100 +76,142 @@ Most environments change the user principal name suffix to match the organizatio To include the on-premises distinguished name in the certificate's subject, Azure AD Connect must replicate the Active Directory **distinguishedName** attribute to the Azure Active Directory **onPremisesDistinguishedName** attribute. Azure AD Connect version 1.1.819 includes the proper synchronization rules needed for these attributes. ### Verify AAD Connect version + Sign-in to computer running Azure AD Connect with access equivalent to _local administrator_. 1. Open **Synchronization Services** from the **Azure AD Connect** folder. + 2. In the **Synchronization Service Manager**, click **Help** and then click **About**. + 3. If the version number is not **1.1.819** or later, then upgrade Azure AD Connect to the latest version. ### Verify the onPremisesDistinguishedName attribute is synchronized + The easiest way to verify the onPremisesDistingushedNamne attribute is synchronized is to use Azure AD Graph Explorer. 1. Open a web browser and navigate to https://graphexplorer.azurewebsites.net/ + 2. Click **Login** and provide Azure credentials + 3. In the Azure AD Graph Explorer URL, type https://graph.windows.net/myorganization/users/[userid], where **[userid]** is the user principal name of user in Azure Active Directory. Click **Go** + 4. In the returned results, review the JSON data for the **onPremisesDistinguishedName** attribute. Ensure the attribute has a value and the value is accurate for the given user. + ![Azure AD Connect On-Prem DN Attribute.](images/aadjcert/aadconnectonpremdn.png) ## Prepare the Network Device Enrollment Services (NDES) Service Account ### Create the NDES Servers global security group + The deployment uses the **NDES Servers** security group to assign the NDES service the proper user right assignments. Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_. 1. Open **Active Directory Users and Computers**. + 2. Expand the domain node from the navigation pane. + 3. Right-click the **Users** container. Hover over **New** and click **Group**. + 4. Type **NDES Servers** in the **Group Name** text box. + 5. Click **OK**. ### Add the NDES server to the NDES Servers global security group + Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_. 1. Open **Active Directory Users and Computers**. + 2. Expand the domain node from the navigation pane. -3. Click **Computers** from the navigation pane. Right-click the name of the NDES server that will host the NDES server role. Click **Add to a group...**. + +3. Click **Computers** from the navigation pane. Right-click the name of the NDES server that will host the NDES server role. Click **Add to a group**. + 4. Type **NDES Servers** in **Enter the object names to select**. Click **OK**. Click **OK** on the **Active Directory Domain Services** success dialog. > [!NOTE] > For high-availability, you should have more than one NDES server to service Windows Hello for Business certificate requests. You should add additional Windows Hello for Business NDES servers to this group to ensure they receive the proper configuration. ### Create the NDES Service Account + The Network Device Enrollment Services (NDES) role runs under a service account. Typically, it is preferential to run services using a Group Managed Service Account (GMSA). While the NDES role can be configured to run using a GMSA, the Intune Certificate Connector was not designed nor tested using a GMSA and is considered an unsupported configuration. The deployment uses a normal services account. Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_. 1. In the navigation pane, expand the node that has your domain name. Select **Users**. + 2. Right-click the **Users** container. Hover over **New** and then select **User**. Type **NDESSvc** in **Full Name** and **User logon name**. Click **Next**. + 3. Type a secure password in **Password**. Confirm the secure password in **Confirm Password**. Clear **User must change password at next logon**. Click **Next**. + 4. Click **Finish**. > [!IMPORTANT] > Configuring the service's account password to **Password never expires** may be more convenient, but it presents a security risk. Normal service account passwords should expire in accordance with the organizations user password expiration policy. Create a reminder to change the service account's password two weeks before it will expire. Share the reminder with others that are allowed to change the password to ensure the password is changed before it expires. ### Create the NDES Service User Rights Group Policy object + The Group Policy object ensures the NDES Service account has the proper user right to assign all the NDES servers in the **NDES Servers** group. As you add new NDES servers to your environment and this group, the service account automatically receives the proper user rights through the Group Policy. Sign-in a domain controller or management workstations with _Domain Admin_ equivalent credentials. 1. Start the **Group Policy Management Console** (gpmc.msc) + 2. Expand the domain and select the **Group Policy Object** node in the navigation pane. + 3. Right-click **Group Policy object** and select **New**. + 4. Type **NDES Service Rights** in the name box and click **OK**. + 5. In the content pane, right-click the **NDES Service Rights** Group Policy object and click **Edit**. + 6. In the navigation pane, expand **Policies** under **Computer Configuration**. + 7. Expand **Windows Settings > Security Settings > Local Policies**. Select **User Rights Assignments**. + 8. In the content pane, double-click **Allow log on locally**. Select **Define these policy settings** and click **OK**. Click **Add User or Group...**. In the **Add User or Group** dialog box, click **Browse**. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, type **Administrators;Backup Operators;DOMAINNAME\NDESSvc;Users** where **DOMAINNAME** is the NetBios name of the domain (Example CONTOSO\NDESSvc) in **User and group names**. Click **OK** twice. + 9. In the content pane, double-click **Log on as a batch job**. Select **Define these policy settings** and click **OK**. Click **Add User or Group...**. In the **Add User or Group** dialog box, click **Browse**. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, type **Administrators;Backup Operators;DOMAINNAME\NDESSvc;Performance Log Users** where **DOMAINNAME** is the NetBios name of the domain (Example CONTOSO\NDESSvc) in **User and group names**. Click **OK** twice. + 10. In the content pane, double-click **Log on as a service**. Select **Define these policy settings** and click **OK**. Click **Add User or Group...**. In the **Add User or Group** dialog box, click **Browse**. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, type **NT SERVICE\ALL SERVICES;DOMAINNAME\NDESSvc** where **DOMAINNAME** is the NetBios name of the domain (Example CONTOSO\NDESSvc) in **User and group names**. Click **OK** three times. + 11. Close the **Group Policy Management Editor**. ### Configure security for the NDES Service User Rights Group Policy object + The best way to deploy the **NDES Service User Rights** Group Policy object is to use security group filtering. This enables you to easily manage the computers that receive the Group Policy settings by adding them to a group. Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_. 1. Start the **Group Policy Management Console** (gpmc.msc) + 2. Expand the domain and select the **Group Policy Object** node in the navigation pane. + 3. Double-click the **NDES Service User Rights** Group Policy object. + 4. In the **Security Filtering** section of the content pane, click **Add**. Type **NDES Servers** or the name of the security group you previously created and click **OK**. + 5. Click the **Delegation** tab. Select **Authenticated Users** and click **Advanced**. + 6. In the **Group or User names** list, select **Authenticated Users**. In the **Permissions for Authenticated Users** list, clear the **Allow** check box for the **Apply Group Policy** permission. Click **OK**. ### Deploy the NDES Service User Rights Group Policy object + The application of the **NDES Service User Rights** Group Policy object uses security group filtering. This enables you to link the Group Policy object at the domain, ensuring the Group Policy object is within scope to all computers. However, the security group filtering ensures only computers included in the **NDES Servers** global security group receive and apply the Group Policy object, which results in providing the **NDESSvc** service account with the proper user rights. Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_. 1. Start the **Group Policy Management Console** (gpmc.msc) + 2. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and click **Link an existing GPO** + 3. In the **Select GPO** dialog box, select **NDES Service User Rights** or the name of the Group Policy object you previously created and click **OK**. > [!IMPORTANT] > Linking the **NDES Service User Rights** Group Policy object to the domain ensures the Group Policy object is in scope for all computers. However, not all computers will have the policy settings applied to them. Only computers that are members of the **NDES Servers** global security group receive the policy settings. All others computers ignore the Group Policy object. ## Prepare Active Directory Certificate Authority + You must prepare the public key infrastructure and the issuing certificate authority to support issuing certificates using Microsoft Intune and the Network Devices Enrollment Services (NDES) server role. In this task, you will - Configure the certificate authority to let Intune provide validity periods @@ -173,6 +220,7 @@ You must prepare the public key infrastructure and the issuing certificate autho - Publish certificate templates ### Configure the certificate authority to let Intune provide validity periods + When deploying certificates using Microsoft Intune, you have the option of providing the validity period in the SCEP certificate profile rather than relying on the validity period in the certificate template. If you need to issue the same certificate with different validity periods, it may be advantageous to use the SCEP profile, given the limited number of certificates a single NDES server can issue. > [!NOTE] @@ -181,54 +229,77 @@ When deploying certificates using Microsoft Intune, you have the option of provi Sign-in to the issuing certificate authority with access equivalent to _local administrator_. 1. Open an elevated command prompt and type the following command: - ``` + + ```console certutil -setreg Policy\EditFlags +EDITF_ATTRIBUTEENDDATE ``` -2. Restart the **Active Directory Certificate Services** service. + +1. Restart the **Active Directory Certificate Services** service. ### Create an NDES-Intune authentication certificate template + NDES uses a server authentication certificate to authenticate the server endpoint, which encrypts the communication between it and the connecting client. The Intune Certificate Connector uses a client authentication certificate template to authenticate to the certificate registration point. Sign-in to the issuing certificate authority or management workstations with _Domain Admin_ equivalent credentials. 1. Open the **Certificate Authority** management console. + 2. Right-click **Certificate Templates** and click **Manage**. + 3. In the **Certificate Template Console**, right-click the **Computer** template in the details pane and click **Duplicate Template**. + 4. On the **General** tab, type **NDES-Intune Authentication** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs. > [!NOTE] > If you use different template names, you'll need to remember and substitute these names in different portions of the lab. 5. On the **Subject** tab, select **Supply in the request**. + 6. On the **Cryptography** tab, validate the **Minimum key size** is **2048**. + 7. On the **Security** tab, click **Add**. + 8. Type **NDES server** in the **Enter the object names to select** text box and click **OK**. + 9. Select **NDES server** from the **Group or users names** list. In the **Permissions for** section, select the **Allow** check box for the **Enroll** permission. Clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**. + 10. Click on the **Apply** to save changes and close the console. ### Create an Azure AD joined Windows Hello for Business authentication certificate template + During Windows Hello for Business provisioning, Windows requests an authentication certificate from Microsoft Intune, which requests the authentication certificate on behalf of the user. This task configures the Windows Hello for Business authentication certificate template. You use the name of the certificate template when configuring the NDES Server. Sign in a certificate authority or management workstations with _Domain Admin equivalent_ credentials. 1. Open the **Certificate Authority** management console. + 2. Right-click **Certificate Templates** and click **Manage**. + 3. Right-click the **Smartcard Logon** template and choose **Duplicate Template**. + 4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. + 5. On the **General** tab, type **AADJ WHFB Authentication** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs. > [!NOTE] > If you use different template names, you'll need to remember and substitute these names in different portions of the deployment. 6. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. + 7. On the **Extensions** tab, verify the **Application Policies** extension includes **Smart Card Logon**. + 8. On the **Subject** tab, select **Supply in the request**. + 9. On the **Request Handling** tab, select **Signature and encryption** from the **Purpose** list. Select the **Renew with same key** check box. Select **Enroll subject without requiring any user input**. + 10. On the **Security** tab, click **Add**. Type **NDESSvc** in the **Enter the object names to select** text box and click **OK**. -12. Select **NDESSvc** from the **Group or users names** list. In the **Permissions for NDES Servers** section, select the **Allow** check box for **Read** and **Enroll**. Clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes are not already cleared. Click **OK**. -13. Close the console. + +11. Select **NDESSvc** from the **Group or users names** list. In the **Permissions for NDES Servers** section, select the **Allow** check box for **Read** and **Enroll**. Clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes are not already cleared. Click **OK**. + +12. Close the console. ### Publish certificate templates + The certificate authority may only issue certificates for certificate templates that are published to that certificate authority. If you have more than one certificate authority and you want that certificate authority to issue certificates based on a specific certificate template, then you must publish the certificate template to all certificate authorities that are expected to issue the certificate. > [!Important] @@ -237,73 +308,109 @@ The certificate authority may only issue certificates for certificate templates Sign-in to the certificate authority or management workstations with an _Enterprise Admin_ equivalent credentials. 1. Open the **Certificate Authority** management console. + 2. Expand the parent node from the navigation pane. + 3. Click **Certificate Templates** in the navigation pane. + 4. Right-click the **Certificate Templates** node. Click **New**, and click **Certificate Template** to issue. + 5. In the **Enable Certificates Templates** window, select the **NDES-Intune Authentication** and **AADJ WHFB Authentication** templates you created in the previous steps. Click **OK** to publish the selected certificate templates to the certificate authority. + 6. Close the console. ## Install and Configure the NDES Role + This section includes the following topics: -* Install the Network Device Enrollment Service Role -* Configure the NDES service account -* Configure the NDES role and Certificate Templates -* Create a Web Application Proxy for the Internal NDES URL. -* Enroll for an NDES-Intune Authentication Certificate -* Configure the Web Server Certificate for NDES -* Verify the configuration + +- Install the Network Device Enrollment Service Role +- Configure the NDES service account +- Configure the NDES role and Certificate Templates +- Create a Web Application Proxy for the Internal NDES URL. +- Enroll for an NDES-Intune Authentication Certificate +- Configure the Web Server Certificate for NDES +- Verify the configuration ### Install the Network Device Enrollment Services Role + Install the Network Device Enrollment Service role on a computer other than the issuing certificate authority. Sign-in to the certificate authority or management workstations with an _Enterprise Admin_ equivalent credentials. 1. Open **Server Manager** on the NDES server. + 2. Click **Manage**. Click **Add Roles and Features**. + 3. In the **Add Roles and Features Wizard**, on the **Before you begin** page, click **Next**. Select **Role-based or feature-based installation** on the **Select installation type** page. Click **Next**. Click **Select a server from the server pool**. Select the local server from the **Server Pool** list. Click **Next**. + ![Server Manager destination server.](images/aadjCert/servermanager-destination-server-ndes.png) + 4. On the **Select server roles** page, select **Active Directory Certificate Services** from the **Roles** list. + ![Server Manager AD CS Role.](images/aadjCert/servermanager-adcs-role.png) + Click **Add Features** on the **Add Roles and Feature Wizard** dialog box. Click **Next**. - ![Server Manager Add Features.](images/aadjcert/serverManager-adcs-add-features.png) + + ![Server Manager Add Features.](images/aadjcert/servermanager-adcs-add-features.png) + 5. On the **Features** page, expand **.NET Framework 3.5 Features**. Select **HTTP Activation**. Click **Add Features** on the **Add Roles and Feature Wizard** dialog box. Expand **.NET Framework 4.5 Features**. Expand **WCF Services**. Select **HTTP Activation**. Click **Add Features** on the **Add Roles and Feature Wizard** dialog box. Click **Next**. + ![Server Manager Feature HTTP Activation.](images/aadjcert/servermanager-adcs-http-activation.png) + 6. On the **Select role services** page, clear the **Certificate Authority** check box. Select the **Network Device Enrollment Service**. Click **Add Features** on the **Add Roles and Features Wizard** dialog box. Click **Next**. + ![Server Manager ADCS NDES Role.](images/aadjcert/servermanager-adcs-ndes-role-checked.png) + 7. Click **Next** on the **Web Server Role (IIS)** page. + 8. On the **Select role services** page for the Web Serve role, Select the following additional services if they are not already selected and then click **Next**. - * **Web Server > Security > Request Filtering** - * **Web Server > Application Development > ASP.NET 3.5**. - * **Web Server > Application Development > ASP.NET 4.5**. . - * **Management Tools > IIS 6 Management Compatibility > IIS 6 Metabase Compatibility** - * **Management Tools > IIS 6 Management Compatibility > IIS 6 WMI Compatibility** + + - **Web Server > Security > Request Filtering** + - **Web Server > Application Development > ASP.NET 3.5**. + - **Web Server > Application Development > ASP.NET 4.5**. . + - **Management Tools > IIS 6 Management Compatibility > IIS 6 Metabase Compatibility** + - **Management Tools > IIS 6 Management Compatibility > IIS 6 WMI Compatibility** + ![Server Manager Web Server Role.](images/aadjcert/servermanager-adcs-webserver-role.png) + 9. Click **Install**. When the installation completes, continue with the next procedure. **Do not click Close**. + > [!IMPORTANT] > .NET Framework 3.5 is not included in the typical installation. If the server is connected to the Internet, the installation attempts to get the files using Windows Update. If the server is not connected to the Internet, you need to **Specify an alternate source path** such as \:\\Sources\SxS\ - ![.NET Side by Side.](images/aadjcert/dotNet35sidebyside.png) + + ![.NET Side by Side.](images/aadjcert/dotnet35sidebyside.png) ### Configure the NDES service account + This task adds the NDES service account to the local IIS_USRS group. The task also configures the NDES service account for Kerberos authentication and delegation #### Add the NDES service account to the IIS_USRS group + Sign-in the NDES server with access equivalent to _local administrator_. 1. Start the **Local Users and Groups** management console (`lusrmgr.msc`). + 2. Select **Groups** from the navigation pane. Double-click the IIS_IUSRS group. + 3. In the **IIS_IUSRS Properties** dialog box, click **Add**. Type **NDESSvc** or the name of your NDES service account. Click **Check Names** to verify the name and then click **OK**. Click **OK** to close the properties dialog box. + 4. Close the management console. #### Register a Service Principal Name on the NDES Service account + Sign-in the NDES server with access equivalent to _Domain Admins_. 1. Open an elevated command prompt. + 2. Type the following command to register the service principal name - ``` + + ```console setspn -s http/[FqdnOfNdesServer] [DomainName\\NdesServiceAccount] ``` + where **[FqdnOfNdesServer]** is the fully qualified domain name of the NDES server and **[DomainName\NdesServiceAccount]** is the domain name and NDES service account name separated by a backslash (\\). An example of the command looks like the following: - ``` + + ```console setspn -s http/ndes.corp.contoso.com contoso\ndessvc ``` @@ -313,28 +420,43 @@ Sign-in the NDES server with access equivalent to _Domain Admins_. ![Set SPN command prompt.](images/aadjcert/setspn-commandprompt.png) #### Configure the NDES Service account for delegation + The NDES service enrolls certificates on behalf of users. Therefore, you want to limit the actions it can perform on behalf of the user. You do this through delegation. Sign-in a domain controller with a minimum access equivalent to _Domain Admins_. 1. Open **Active Directory Users and Computers** + 2. Locate the NDES Service account (NDESSvc). Right-click and select **Properties**. Click the **Delegation** tab. + ![NDES Delegation Tab.](images/aadjcert/ndessvcdelegationtab.png) + 3. Select **Trust this user for delegation to specified services only**. + 4. Select **Use any authentication protocol**. + 5. Click **Add**. + 6. Click **Users or Computers...** Type the name of the _NDES Server_ you use to issue Windows Hello for Business authentication certificates to Azure AD joined devices. From the **Available services** list, select **HOST**. Click **OK**. + ![NDES Service delegation to NDES host.](images/aadjcert/ndessvcdelegation-host-ndes-spn.png) + 7. Repeat steps 5 and 6 for each NDES server using this service account. Click **Add**. + 8. Click **Users or computers...** Type the name of the issuing certificate authority this NDES service account uses to issue Windows Hello for Business authentication certificates to Azure AD joined devices. From the **Available services** list, select **dcom**. Hold the **CTRL** key and select **HOST**. Click **OK**. + 9. Repeat steps 8 and 9 for each issuing certificate authority from which one or more NDES servers request certificates. + ![NDES Service delegation complete.](images/aadjcert/ndessvcdelegation-host-ca-spn.png) + 10. Click **OK**. Close **Active Directory Users and Computers**. ### Configure the NDES Role and Certificate Templates + This task configures the NDES role and the certificate templates the NDES server issues. #### Configure the NDES Role + Sign-in to the certificate authority or management workstations with an _Enterprise Admin_ equivalent credentials. > [!NOTE] @@ -343,25 +465,40 @@ Sign-in to the certificate authority or management workstations with an _Enterpr ![Server Manager Post-Install Yellow flag.](images/aadjcert/servermanager-post-ndes-yellowactionflag.png) 1. Click the **Configure Active Directory Certificate Services on the destination server** link. + 2. On the **Credentials** page, click **Next**. + ![NDES Installation Credentials.](images/aadjcert/ndesconfig01.png) + 3. On the **Role Services** page, select **Network Device Enrollment Service** and then click **Next** + ![NDES Role Services.](images/aadjcert/ndesconfig02.png) + 4. On the **Service Account for NDES** page, select **Specify service account (recommended)**. Click **Select...**. Type the user name and password for the NDES service account in the **Windows Security** dialog box. Click **Next**. + ![NDES Service Account for NDES.](images/aadjcert/ndesconfig03b.png) + 5. On the **CA for NDES** page, select **CA name**. Click **Select...**. Select the issuing certificate authority from which the NDES server requests certificates. Click **Next**. + ![NDES CA selection.](images/aadjcert/ndesconfig04.png) + 6. On the **RA Information**, click **Next**. + 7. On the **Cryptography for NDES** page, click **Next**. + 8. Review the **Confirmation** page. Click **Configure**. + ![NDES Confirmation.](images/aadjcert/ndesconfig05.png) -8. Click **Close** after the configuration completes. + +9. Click **Close** after the configuration completes. #### Configure Certificate Templates on NDES + A single NDES server can request a maximum of three certificate templates. The NDES server determines which certificate to issue based on the incoming certificate request that is assigned in the Microsoft Intune SCEP certificate profile. The Microsoft Intune SCEP certificate profile has three values. -* Digital Signature -* Key Encipherment -* Key Encipherment, Digital Signature + +- Digital Signature +- Key Encipherment +- Key Encipherment, Digital Signature Each value maps to a registry value name in the NDES server. The NDES server translates an incoming SCEP provided value into the corresponding certificate template. The table below shows the SCEP profile values of the NDES certificate template registry value names. @@ -378,22 +515,30 @@ If the need arises, you can configure a signature certificate in the encryption Sign-in to the NDES Server with _local administrator_ equivalent credentials. 1. Open an elevated command prompt. + 2. Using the table above, decide which registry value name you will use to request Windows Hello for Business authentication certificates for Azure AD joined devices. + 3. Type the following command: - ``` + + ```console reg add HKLM\Software\Microsoft\Cryptography\MSCEP /v [registryValueName] /t REG_SZ /d [certificateTemplateName] ``` + where **registryValueName** is one of the three value names from the above table and where **certificateTemplateName** is the name of the certificate template you created for Windows Hello for Business Azure AD joined devices. Example: - ``` + + ```console reg add HKLM\Software\Microsoft\Cryptography\MSCEP /v SignatureTemplate /t REG_SZ /d AADJWHFBAuthentication ``` + 4. Type **Y** when the command asks for permission to overwrite the existing value. + 5. Close the command prompt. > [!IMPORTANT] > Use the **name** of the certificate template; not the **display name**. The certificate template name does not include spaces. You can view the certificate names by looking at the **General** tab of the certificate template's properties in the **Certificates Templates** management console (`certtmpl.msc`). ### Create a Web Application Proxy for the internal NDES URL. + Certificate enrollment for Azure AD joined devices occurs over the Internet. As a result, the internal NDES URLs must be accessible externally. You can do this easily and securely using Azure Active Directory Application Proxy. Azure AD Application Proxy provides single sign-on and secure remote access for web applications hosted on-premises, such as Network Device Enrollment Services. Ideally, you configure your Microsoft Intune SCEP certificate profile to use multiple external NDES URLs. This enables Microsoft Intune to round-robin load balance the certificate requests to identically configured NDES Servers (each NDES server can accommodate approximately 300 concurrent requests). Microsoft Intune sends these requests to Azure AD Application Proxies. @@ -403,110 +548,177 @@ Azure AD Application proxies are serviced by lightweight Application Proxy Conne Connector group automatically round-robin, load balance the Azure AD Application proxy requests to the connectors within the assigned connector group. This ensures Windows Hello for Business certificate requests have multiple dedicated Azure AD Application Proxy connectors exclusively available to satisfy enrollment requests. Load balancing the NDES servers and connectors should ensure users enroll their Windows Hello for Business certificates in a timely manner. #### Download and Install the Application Proxy Connector Agent + Sign-in a workstation with access equivalent to a _domain user_. 1. Sign-in to the [Azure Portal](https://portal.azure.com/) with access equivalent to **Global Administrator**. + 2. Select **All Services**. Type **Azure Active Directory** to filter the list of services. Under **SERVICES**, Click **Azure Active Directory**. + 3. Under **MANAGE**, click **Application proxy**. + 4. Click **Download connector service**. Click **Accept terms & Download**. Save the file (AADApplicationProxyConnectorInstaller.exe) in a location accessible by others on the domain. + ![Azure Application Proxy Connectors.](images/aadjcert/azureconsole-applicationproxy-connectors-empty.png) + 5. Sign-in the computer that will run the connector with access equivalent to a _domain user_. + > [!IMPORTANT] > Install a minimum of two Azure Active Directory Proxy connectors for each NDES Application Proxy. Strategically locate Azure AD application proxy connectors throughout your organization to ensure maximum availability. Remember, devices running the connector must be able to communicate with Azure and the on-premises NDES servers. 6. Start **AADApplicationProxyConnectorInstaller.exe**. + 7. Read the license terms and then select **I agree to the license terms and conditions**. Click **Install**. + ![Azure Application Proxy Connector: license terms](images/aadjcert/azureappproxyconnectorinstall-01.png) + 8. Sign-in to Microsoft Azure with access equivalent to **Global Administrator**. + ![Azure Application Proxy Connector: sign-in](images/aadjcert/azureappproxyconnectorinstall-02.png) + 9. When the installation completes. Read the information regarding outbound proxy servers. Click **Close**. + ![Azure Application Proxy Connector: read](images/aadjcert/azureappproxyconnectorinstall-03.png) + 10. Repeat steps 5 - 10 for each device that will run the Azure AD Application Proxy connector for Windows Hello for Business certificate deployments. #### Create a Connector Group + Sign-in a workstation with access equivalent to a _domain user_. 1. Sign-in to the [Azure Portal](https://portal.azure.com/) with access equivalent to **Global Administrator**. + 2. Select **All Services**. Type **Azure Active Directory** to filter the list of services. Under **SERVICES**, Click **Azure Active Directory**. + 3. Under **MANAGE**, click **Application proxy**. + ![Azure Application Proxy Connector groups.](images/aadjcert/azureconsole-applicationproxy-connectors-default.png) + 4. Click **New Connector Group**. Under **Name**, type **NDES WHFB Connectors**. + ![Azure Application New Connector Group.](images/aadjcert/azureconsole-applicationproxy-connectors-newconnectorgroup.png) + 5. Select each connector agent in the **Connectors** list that will service Windows Hello for Business certificate enrollment requests. + 6. Click **Save**. #### Create the Azure Application Proxy + Sign-in a workstation with access equivalent to a _domain user_. 1. Sign-in to the [Azure Portal](https://portal.azure.com/) with access equivalent to **Global Administrator**. + 2. Select **All Services**. Type **Azure Active Directory** to filter the list of services. Under **SERVICES**, Click **Azure Active Directory**. + 3. Under **MANAGE**, click **Application proxy**. + 4. Click **Configure an app**. + 5. Under **Basic Settings** next to **Name**, type **WHFB NDES 01**. Choose a name that correlates this Azure AD Application Proxy setting with the on-premises NDES server. Each NDES server must have its own Azure AD Application Proxy as two NDES servers cannot share the same internal URL. + 6. Next to **Internal URL**, type the internal, fully qualified DNS name of the NDES server associated with this Azure AD Application Proxy. For example, https://ndes.corp.mstepdemo.net). You need to match the primary host name (AD Computer Account name) of the NDES server, and prefix the URL with **https**. + 7. Under **Internal URL**, select **https://** from the first list. In the text box next to **https://**, type the hostname you want to use as your external hostname for the Azure AD Application Proxy. In the list next to the hostname you typed, select a DNS suffix you want to use externally for the Azure AD Application Proxy. It is recommended to use the default, -[tenantName].msapproxy.net where **[tenantName]** is your current Azure Active Directory tenant name (-mstephendemo.msappproxy.net). + ![Azure NDES Application Proxy Configuration.](images/aadjcert/azureconsole-appproxyconfig.png) + 8. Select **Passthrough** from the **Pre Authentication** list. + 9. Select **NDES WHFB Connectors** from the **Connector Group** list. + 10. Under **Additional Settings**, select **Default** from **Backend Application Timeout**. Under the **Translate URLs In** section, select **Yes** next to **Headers** and select **No** next to **Application Body**. + 11. Click **Add**. + 12. Sign-out of the Azure Portal. > [!IMPORTANT] > Write down the internal and external URLs. You will need this information when you enroll the NDES-Intune Authentication certificate. ### Enroll the NDES-Intune Authentication certificate + This task enrolls a client and server authentication certificate used by the Intune connector and the NDES server. Sign-in the NDES server with access equivalent to _local administrators_. 1. Start the Local Computer **Certificate Manager** (certlm.msc). + 2. Expand the **Personal** node in the navigation pane. + 3. Right-click **Personal**. Select **All Tasks** and **Request New Certificate**. + 4. Click **Next** on the **Before You Begin** page. + 5. Click **Next** on the **Select Certificate Enrollment Policy** page. + 6. On the **Request Certificates** page, Select the **NDES-Intune Authentication** check box. + 7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link + ![Example of Certificate Properties Subject Tab - This is what shows when you click the above link.](images/aadjcert/ndes-TLS-Cert-Enroll-subjectNameWithExternalName.png) + 8. Under **Subject name**, select **Common Name** from the **Type** list. Type the internal URL used in the previous task (without the https://, for example **ndes.corp.mstepdemo.net**) and then click **Add**. + 9. Under **Alternative name**, select **DNS** from the **Type** list. Type the internal URL used in the previous task (without the https://, for example **ndes.corp.mstepdemo.net**). Click **Add**. Type the external URL used in the previous task (without the https://, for example **ndes-mstephendemo.msappproxy.net**). Click **Add**. Click **OK** when finished. -9. Click **Enroll** -10. Repeat these steps for all NDES Servers used to request Windows Hello for Business authentication certificates for Azure AD joined devices. + +10. Click **Enroll** + +11. Repeat these steps for all NDES Servers used to request Windows Hello for Business authentication certificates for Azure AD joined devices. ### Configure the Web Server Role + This task configures the Web Server role on the NDES server to use the server authentication certificate. Sign-in the NDES server with access equivalent to _local administrator_. 1. Start **Internet Information Services (IIS) Manager** from **Administrative Tools**. + 2. Expand the node that has the name of the NDES server. Expand **Sites** and select **Default Web Site**. + ![NDES IIS Console](images/aadjcert/ndes-iis-console.png) -3. Click **Bindings...*** under **Actions**. Click **Add**. + +3. Click **Bindings...** under **Actions**. Click **Add**. + ![NDES IIS Console: Add](images/aadjcert/ndes-iis-bindings.png) + 4. Select **https** from **Type**. Confirm the value for **Port** is **443**. + 5. Select the certificate you previously enrolled from the **SSL certificate** list. Select **OK**. + ![NDES IIS Console: Certificate List](images/aadjcert/ndes-iis-bindings-add-443.png) + 6. Select **http** from the **Site Bindings** list. Click **Remove**. + 7. Click **Close** on the **Site Bindings** dialog box. + 8. Close **Internet Information Services (IIS) Manager**. ### Verify the configuration + This task confirms the TLS configuration for the NDES server. Sign-in the NDES server with access equivalent to _local administrator_. #### Disable Internet Explorer Enhanced Security Configuration + 1. Open **Server Manager**. Click **Local Server** from the navigation pane. + 2. Click **On** next to **IE Enhanced Security Configuration** in the **Properties** section. + 3. In the **Internet Explorer Enhanced Security Configuration** dialog, under **Administrators**, select **Off**. Click **OK**. + 4. Close **Server Manager**. #### Test the NDES web server + 1. Open **Internet Explorer**. + 2. In the navigation bar, type - ``` + + ```https https://[fqdnHostName]/certsrv/mscep/mscep.dll ``` + where **[fqdnHostName]** is the fully qualified internal DNS host name of the NDES server. A web page similar to the following should appear in your web browser. If you do not see a similar page, or you get a **503 Service unavailable** message, ensure the NDES Service account has the proper user rights. You can also review the application event log for events with the **NetworkDeviceEnrollmentService** source. @@ -514,80 +726,118 @@ A web page similar to the following should appear in your web browser. If you d ![NDES IIS Console: Source](images/aadjcert/ndes-https-website-test-01.png) Confirm the web site uses the server authentication certificate. + ![NDES IIS Console: Confirm](images/aadjcert/ndes-https-website-test-01-show-cert.png) - ## Configure Network Device Enrollment Services to work with Microsoft Intune + You have successfully configured the Network Device Enrollment Services. You must now modify the configuration to work with the Intune Certificate Connector. In this task, you will enable the NDES server and http.sys to handle long URLs. - Configure NDES to support long URLs ### Configure NDES and HTTP to support long URLs + Sign-in the NDES server with access equivalent to _local administrator_. #### Configure the Default Web Site + 1. Start **Internet Information Services (IIS) Manager** from **Administrative Tools**. + 2. Expand the node that has the name of the NDES server. Expand **Sites** and select **Default Web Site**. + 3. In the content pane, double-click **Request Filtering**. Click **Edit Feature Settings...** in the action pane. + ![Intune NDES Request filtering.](images/aadjcert/NDES-IIS-RequestFiltering.png) + 4. Select **Allow unlisted file name extensions**. + 5. Select **Allow unlisted verbs**. + 6. Select **Allow high-bit characters**. + 7. Type **30000000** in **Maximum allowed content length (Bytes)**. + 8. Type **65534** in **Maximum URL length (Bytes)**. + 9. Type **65534** in **Maximum query string (Bytes)**. + 10. Click **OK**. Close **Internet Information Services (IIS) Manager**. #### Configure Parameters for HTTP.SYS + 1. Open an elevated command prompt. + 2. Run the following commands: - ``` + + ```console reg add HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters /v MaxFieldLength /t REG_DWORD /d 65534 reg add HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters /v MaxRequestBytes /t REG_DWORD /d 65534 ``` + 3. Restart the NDES server. ## Download, Install and Configure the Intune Certificate Connector + The Intune Certificate Connector application enables Microsoft Intune to enroll certificates using your on-premises PKI for users on devices managed by Microsoft Intune. ### Download Intune Certificate Connector + Sign-in a workstation with access equivalent to a _domain user_. 1. Sign-in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/). + 2. Select **Tenant administration** > **Connectors and tokens** > **Certificate connectors** > **Add**. + 3. Click **Download the certificate connector software** under the **Install Certificate Connectors** section. + ![Intune Certificate Authority.](images/aadjcert/profile01.png) + 4. Save the downloaded file (NDESConnectorSetup.exe) to a location accessible from the NDES server. + 5. Sign-out of the Microsoft Endpoint Manager admin center. ### Install the Intune Certificate Connector + Sign-in the NDES server with access equivalent to _domain administrator_. 1. Copy the Intune Certificate Connector Setup (NDESConnectorSetup.exe) downloaded in the previous task locally to the NDES server. + 2. Run **NDESConnectorSetup.exe** as an administrator. If the setup shows a dialog that reads **Microsoft Intune NDES Connector requires HTTP Activation**, ensure you started the application as an administrator, then check HTTP Activation is enabled on the NDES server. + 3. On the **Microsoft Intune** page, click **Next**. + ![Intune Connector Install 01.](images/aadjcert/intunecertconnectorinstall-01.png) + 4. Read the **End User License Agreement**. Click **Next** to accept the agreement and to proceed with the installation. + 5. On the **Destination Folder** page, click **Next**. + 6. On the **Installation Options** page, select **SCEP and PFX Profile Distribution** and click **Next**. + ![Intune Connector Install 03.](images/aadjcert/intunecertconnectorinstall-03.png) + 7. On the **Client certificate for Microsoft Intune** page, Click **Select**. Select the certificate previously enrolled for the NDES server. Click **Next**. + ![Intune Connector Install 05.](images/aadjcert/intunecertconnectorinstall-05.png) > [!NOTE] > The **Client certificate for Microsoft Intune** page does not update after selecting the client authentication certificate. However, the application rembers the selection and shows it in the next page. 8. On the **Client certificate for the NDES Policy Module** page, verify the certificate information and then click **Next**. + 9. ON the **Ready to install Microsoft Intune Connector** page. Click **Install**. + ![Intune Connector Install 06.](images/aadjcert/intunecertconnectorinstall-06.png) > [!NOTE] > You can review the results of the install using the **SetupMsi.log** file located in the **C:\\NDESConnectorSetupMsi** folder. 10. When the installation completes, select **Launch Intune Connector** and click Finish. Proceed to the Configure the Intune Certificate Connector task. + ![Intune Connector install 07.](images/aadjcert/intunecertconnectorinstall-07.png) ### Configure the Intune Certificate Connector + Sign-in the NDES server with access equivalent to _domain administrator_. 1. The **NDES Connector** user interface should be open from the last task. @@ -596,9 +846,11 @@ Sign-in the NDES server with access equivalent to _domain administrator_. > If the **NDES Connector** user interface is not open, you can start it from **\\NDESConnectorUI\NDESConnectorUI.exe**. 2. If your organization uses a proxy server and the proxy is needed for the NDES server to access the Internet, select **Use proxy server**, and then enter the proxy server name, port, and credentials to connect. Click **Apply** + ![Intune Certificate Connector Configuration 01.](images/aadjcert/intunecertconnectorconfig-01.png) 3. Click **Sign-in**. Type credentials for your Intune administrator, or tenant administrator that has the **Global Administrator** directory role. + ![Intune Certificate Connector Configuration 02.](images/aadjcert/intunecertconnectorconfig-02.png) > [!IMPORTANT] @@ -608,78 +860,119 @@ Sign-in the NDES server with access equivalent to _domain administrator_. ### Configure the NDES Connector for certificate revocation (**Optional**) + Optionally (not required), you can configure the Intune connector for certificate revocation when a device is wiped, unenrolled, or when the certificate profile falls out of scope for the targeted user (users is removed, deleted, or the profile is deleted). #### Enabling the NDES Service account for revocation + Sign-in the certificate authority used by the NDES Connector with access equivalent to _domain administrator_. 1. Start the **Certification Authority** management console. + 2. In the navigation pane, right-click the name of the certificate authority and select **Properties**. + 3. Click the **Security** tab. Click **Add**. In **Enter the object names to select** box, type **NDESSvc** (or the name you gave the NDES Service account). Click *Check Names*. Click **OK**. Select the NDES Service account from the **Group or user names** list. Select **Allow** for the **Issue and Manage Certificates** permission. Click **OK**. + ![Configure Intune certificate revocation 02.](images/aadjcert/intuneconfigcertrevocation-02.png) + 4. Close the **Certification Authority** #### Enable the NDES Connector for certificate revocation + Sign-in the NDES server with access equivalent to _domain administrator_. 1. Open the **NDES Connector** user interface (**\\NDESConnectorUI\NDESConnectorUI.exe**). + 2. Click the **Advanced** tab. Select **Specify a different account username and password**. Type the NDES service account username and password. Click **Apply**. Click **OK** to close the confirmation dialog box. Click **Close**. + ![Intune Connector cert revocation configuration 04.](images/aadjcert/intunecertconnectorconfig-04.png) + 3. Restart the **Intune Connector Service** and the **World Wide Web Publishing Service**. ### Test the NDES Connector + Sign-in the NDES server with access equivalent to _domain admin_. 1. Open a command prompt. + 2. Type the following command to confirm the NDES Connector's last connection time is current. - ``` + + ```console reg query hklm\software\Microsoft\MicrosoftIntune\NDESConnector\ConnectionStatus ``` + 3. Close the command prompt. + 4. Open **Internet Explorer**. + 5. In the navigation bar, type: - ``` + + ```console https://[fqdnHostName]/certsrv/mscep/mscep.dll ``` + where **[fqdnHostName]** is the fully qualified internal DNS host name of the NDES server. A web page showing a 403 error (similar to the following) should appear in your web browser. If you do not see a similar page, or you get a **503 Service unavailable** message, ensure the NDES Service account has the proper user rights. You can also review the application event log for events with the **NetworkDeviceEnrollmentSerice** source. + ![NDES web site test after Intune Certificate Connector.](images/aadjcert/ndes-https-website-test-after-intune-connector.png) + 6. Using **Server Manager**, enable **Internet Explorer Enhanced Security Configuration**. ## Create and Assign a Simple Certificate Enrollment Protocol (SCEP) Certificate Profile ### Create an AADJ WHFB Certificate Users Group + Sign-in a workstation with access equivalent to a _domain user_. 1. Sign-in to the [Azure Portal](https://portal.azure.com/) with access equivalent to **Global Administrator**. + 2. Select **All Services**. Type **Azure Active Directory** to filter the list of services. Under **SERVICES**, Click **Azure Active Directory**. + 3. Click **Groups**. Click **New group**. + 4. Select **Security** from the **Group type** list. + 5. Under **Group Name**, type the name of the group. For example, **AADJ WHFB Certificate Users**. + 6. Provide a **Group description**, if applicable. + 7. Select **Assigned** from the **Membership type** list. + ![Azure AD new group creation.](images/aadjcert/azureadcreatewhfbcertgroup.png) + 8. Click **Members**. Use the **Select members** pane to add members to this group. When finished click **Select**. + 9. Click **Create**. ### Create a SCEP Certificate Profile + Sign-in a workstation with access equivalent to a _domain user_. 1. Sign-in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/). + 2. Select **Devices**, and then click **Configuration Profiles**. + 3. Select **Create Profile**. + ![Intune Device Configuration Create Profile.](images/aadjcert/profile02.png) + 4. Select **Windows 10 and later** from the **Platform** list. + 5. Choose **SCEP certificate** from the **Profile** list, and select **Create**. + 6. The **SCEP Certificate** wizard should open. Next to **Name**, type **WHFB Certificate Enrollment**. + 7. Next to **Description**, provide a description meaningful for your environment, then select **Next**. + 8. Select **User** as a certificate type. + 9. Configure **Certificate validity period** to match your organization. > [!IMPORTANT] > Remember that you need to configure your certificate authority to allow Microsoft Intune to configure certificate validity. 10. Select **Enroll to Windows Hello for Business, otherwise fail (Windows 10 and later)** from the **Key storage provider (KSP)** list. + 11. Next to **Subject name format**, type **CN={{OnPrem_Distinguished_Name}}** to make the on-premises distinguished name the subject of the issued certificate. > [!NOTE] @@ -687,36 +980,56 @@ Sign-in a workstation with access equivalent to a _domain user_. > If the length of the distinguished name is more than 64 characters, the name length enforcement on the Certification Authority [must be disabled](/previous-versions/windows/it-pro/windows-server-2003/cc784789(v=ws.10)?#disable-dn-length-enforcement). 12. Specify **User Principal Name (UPN)** as a **Subject Alternative Name** parameter. Set its value as {{UserPrincipalName}}. + 13. Refer to the "Configure Certificate Templates on NDES" task for how you configured the **AADJ WHFB Authentication** certificate template in the registry. Select the appropriate combination of key usages from the **Key Usages** list that map to the configured NDES template in the registry. In this example, the **AADJ WHFB Authentication** certificate template was added to the **SignatureTemplate** registry value name. The **Key usage** that maps to that registry value name is **Digital Signature**. + 14. Select a previously configured **Trusted certificate** profile that matches the root certificate of the issuing certificate authority as a root certificate for the profile. + 15. Under **Extended key usage**, type **Smart Card Logon** under **Name**. Type **1.3.6.1.4.1.311.20.2.2** under **Object identifier**. Click **Add**. + 16. Type a percentage (without the percent sign) next to **Renewal Threshold** to determine when the certificate should attempt to renew. The recommended value is **20**. + ![WHFB SCEP certificate Profile EKUs.](images/aadjcert/profile03.png) + 17. Under **SCEP Server URLs**, type the fully qualified external name of the Azure AD Application proxy you configured. Append to the name **/certsrv/mscep/mscep.dll**. For example, https://ndes-mtephendemo.msappproxy.net/certsrv/mscep/mscep.dll. Click **Add**. Repeat this step for each additional NDES Azure AD Application Proxy you configured to issue Windows Hello for Business certificates. Microsoft Intune round-robin load balances requests among the URLs listed in the SCEP certificate profile. + 18. Click **Next**. + 19. Click **Next** several times to skip the **Scope tags**, **Assignments**, and **Applicability Rules** steps of the wizard and click **Create**. ### Assign Group to the WHFB Certificate Enrollment Certificate Profile + Sign-in a workstation with access equivalent to a _domain user_. 1. Sign-in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/). + 2. Select **Devices**, and then click **Configuration Profiles**. + 3. Click **WHFB Certificate Enrollment**. + 4. Select **Properties**, and then click **Edit** next to the **Assignments** section. + 5. In the **Assignments** pane, select **Selected Groups** from the **Assign to** list. Click **Select groups to include**. + ![WHFB SCEP Profile Assignment.](images/aadjcert/profile04.png) + 6. Select the **AADJ WHFB Certificate Users** group. Click **Select**. + 7. Click **Review + Save**, and then **Save**. You have successfully completed the configuration. Add users that need to enroll a Windows Hello for Business authentication certificate to the **AADJ WHFB Certificate Users** group. This group, combined with the device enrollment Windows Hello for Business configuration prompts the user to enroll for Windows Hello for Business and enroll a certificate that can be used to authentication to on-premises resources. +> [!NOTE] +> The Passport for Work configuration service provider (CSP) which is used to manage Windows Hello for Business with Mobile Device Management (MDM) contains a policy called UseCertificateForOnPremAuth. This policy is not needed when deploying certificates to Windows Hello for Business users through the instructions outlined in this document and should not be configured. Devices managed with MDM where UseCertificateForOnPremAuth is enabled will fail a prerequisite check for Windows Hello for Business provisioning. This failure will block users from setting up Windows Hello for Business if they don't already have it configured. + ## Section Review + > [!div class="checklist"] -> * Requirements -> * Prepare Azure AD Connect -> * Prepare the Network Device Enrollment Services (NDES) Service Account -> * Prepare Active Directory Certificate Authority -> * Install and Configure the NDES Role -> * Configure Network Device Enrollment Services to work with Microsoft Intune -> * Download, Install, and Configure the Intune Certificate Connector -> * Create and Assign a Simple Certificate Enrollment Protocol (SCEP Certificate Profile) +> - Requirements +> - Prepare Azure AD Connect +> - Prepare the Network Device Enrollment Services (NDES) Service Account +> - Prepare Active Directory Certificate Authority +> - Install and Configure the NDES Role +> - Configure Network Device Enrollment Services to work with Microsoft Intune +> - Download, Install, and Configure the Intune Certificate Connector +> - Create and Assign a Simple Certificate Enrollment Protocol (SCEP Certificate Profile) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md index b4a6ed10da..b849c9ce8a 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md @@ -45,7 +45,7 @@ For the most efficient deployment, configure these technologies in order beginni
      ## Follow the Windows Hello for Business hybrid key trust deployment guide -1. [Overview](hello-hybrid-cert-trust.md) +1. [Overview](hello-hybrid-key-trust.md) 2. [Prerequisites](hello-hybrid-key-trust-prereqs.md) 3. [New Installation Baseline](hello-hybrid-key-new-install.md) 4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md index 3660d85201..92c2b72d61 100644 --- a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md +++ b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md @@ -22,7 +22,7 @@ ms.date: 1/22/2021 This article lists the infrastructure requirements for the different deployment models for Windows Hello for Business. -## Cloud Only Deployment +## Azure AD Cloud Only Deployment * Windows 10, version 1511 or later, or Windows 11 * Microsoft Azure Account @@ -35,37 +35,42 @@ This article lists the infrastructure requirements for the different deployment The table shows the minimum requirements for each deployment. For key trust in a multi-domain/multi-forest deployment, the following requirements are applicable for each domain/forest that hosts Windows Hello for business components or is involved in the Kerberos referral process. -| Key trust
      Group Policy managed | Certificate trust
      Mixed managed | Key trust
      Modern managed | Certificate trust
      Modern managed | +> [!NOTE] +> Windows Hello for Business is introducing a new trust model called cloud trust in early 2022. This trust model will enable deployment of Windows Hello for Business using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). More information will be available on Windows Hello for Business cloud trust once it is generally available. + +| Key trust
      Group Policy managed | Certificate trust
      Mixed managed | Key trust
      Modern managed | Certificate trust
      Modern managed | | --- | --- | --- | --- | -| Windows 10, version 1511 or later| **Hybrid Azure AD Joined:**
      *Minimum:* Windows 10, version 1703
      *Best experience:* Windows 10, version 1709 or later (supports synchronous certificate enrollment).
      **Azure AD Joined:**
      Windows 10, version 1511 or later| Windows 10, version 1511 or later | Windows 10, version 1511 or later | +| Windows 10, version 1511 or later| **Hybrid Azure AD Joined:**
      *Minimum:* Windows 10, version 1703
      *Best experience:* Windows 10, version 1709 or later (supports synchronous certificate enrollment).
      **Azure AD Joined:**
      Windows 10, version 1511 or later| Windows 10, version 1511 or later | Windows 10, version 1511 or later | | Windows Server 2016 or later Schema | Windows Server 2016 or later Schema | Windows Server 2016 or later Schema | Windows Server 2016 or later Schema | | Windows Server 2008 R2 Domain/Forest functional level | Windows Server 2008 R2 Domain/Forest functional level| Windows Server 2008 R2 Domain/Forest functional level |Windows Server 2008 R2 Domain/Forest functional level | | Windows Server 2016 or later Domain Controllers | Windows Server 2008 R2 or later Domain Controllers | Windows Server 2016 or later Domain Controllers | Windows Server 2008 R2 or later Domain Controllers | | Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority | -| N/A | Windows Server 2016 AD FS with [KB4088889 update](https://support.microsoft.com/help/4088889) (hybrid Azure AD joined clients),
      and
      Windows Server 2012 or later Network Device Enrollment Service (Azure AD joined) | N/A | Windows Server 2012 or later Network Device Enrollment Service | -| Azure MFA tenant, or
      AD FS w/Azure MFA adapter, or
      AD FS w/Azure MFA Server adapter, or
      AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or
      AD FS w/Azure MFA adapter, or
      AD FS w/Azure MFA Server adapter, or
      AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or
      AD FS w/Azure MFA adapter, or
      AD FS w/Azure MFA Server adapter, or
      AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or
      AD FS w/Azure MFA adapter, or
      AD FS w/Azure MFA Server adapter, or
      AD FS w/3rd Party MFA Adapter | +| N/A | Windows Server 2016 AD FS with [KB4088889 update](https://support.microsoft.com/help/4088889) (hybrid Azure AD joined clients),
      and
      Windows Server 2012 or later Network Device Enrollment Service (Azure AD joined) | N/A | Windows Server 2012 or later Network Device Enrollment Service | +| Azure MFA tenant, or
      AD FS w/Azure MFA adapter, or
      AD FS w/Azure MFA Server adapter, or
      AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or
      AD FS w/Azure MFA adapter, or
      AD FS w/Azure MFA Server adapter, or
      AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or
      AD FS w/Azure MFA adapter, or
      AD FS w/Azure MFA Server adapter, or
      AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or
      AD FS w/Azure MFA adapter, or
      AD FS w/Azure MFA Server adapter, or
      AD FS w/3rd Party MFA Adapter | | Azure Account | Azure Account | Azure Account | Azure Account | | Azure Active Directory | Azure Active Directory | Azure Active Directory | Azure Active Directory | | Azure AD Connect | Azure AD Connect | Azure AD Connect | Azure AD Connect | | Azure AD Premium, optional | Azure AD Premium, needed for device write-back | Azure AD Premium, optional for automatic MDM enrollment | Azure AD Premium, optional for automatic MDM enrollment | > [!Important] -> 1. Hybrid deployments support non-destructive PIN reset that works with both the certificate trust and key trust models.
      -> **Requirements:**
      -> Microsoft PIN Reset Service - Windows 10, versions 1709 to 1809, Enterprise Edition. There is no licensing requirement for this service since version 1903
      -> Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903 +> - Hybrid deployments support non-destructive PIN reset that works with both the certificate trust and key trust models. > -> 2. On-premises deployments support destructive PIN reset that works with both the certificate trust and the key trust models.
      -> **Requirements:**
      -> Reset from settings - Windows 10, version 1703, Professional
      -> Reset above lock screen - Windows 10, version 1709, Professional
      -> Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903 +> **Requirements:** +> - Microsoft PIN Reset Service - Windows 10, versions 1709 to 1809, Enterprise Edition. There is no licensing requirement for this service since version 1903 +> - Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903 +> +> - On-premises deployments support destructive PIN reset that works with both the certificate trust and the key trust models. +> +> **Requirements:** +> - Reset from settings - Windows 10, version 1703, Professional +> - Reset above lock screen - Windows 10, version 1709, Professional +> - Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903 ## On-premises Deployments The table shows the minimum requirements for each deployment. -| Key trust
      Group Policy managed | Certificate trust
      Group Policy managed| +| Key trust
      Group Policy managed | Certificate trust
      Group Policy managed| | --- | --- | | Windows 10, version 1703 or later | Windows 10, version 1703 or later | | Windows Server 2016 Schema | Windows Server 2016 Schema| diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md index cd38c11105..33d820a1a7 100644 --- a/windows/security/identity-protection/hello-for-business/hello-overview.md +++ b/windows/security/identity-protection/hello-for-business/hello-overview.md @@ -70,7 +70,7 @@ In Windows 10, Windows Hello replaces passwords. When the identity provider sup >[!NOTE] >Windows Hello as a convenience sign-in uses regular user name and password authentication, without the user entering the password. -![How authentication works in Windows Hello.](images/authflow.png) +:::image type="content" alt-text="How authentication works in Windows Hello." source="images/authflow.png" lightbox="images/authflow.png"::: Imagine that someone is looking over your shoulder as you get money from an ATM and sees the PIN that you enter. Having that PIN won't help them access your account because they don't have your ATM card. In the same way, learning your PIN for your device doesn't allow that attacker to access your account because the PIN is local to your specific device and doesn't enable any type of authentication from any other device. @@ -81,12 +81,19 @@ Windows Hello helps protect user identities and user credentials. Because the us ## How Windows Hello for Business works: key points - Windows Hello credentials are based on certificate or asymmetrical key pair. Windows Hello credentials can be bound to the device, and the token that is obtained using the credential is also bound to the device. + - Identity provider (such as Active Directory, Azure AD, or a Microsoft account) validates user identity and maps the Windows Hello public key to a user account during the registration step. + - Keys can be generated in hardware (TPM 1.2 or 2.0 for enterprises, and TPM 2.0 for consumers) or software, based on the policy. + - Authentication is the two-factor authentication with the combination of a key or certificate tied to a device and something that the person knows (a PIN) or something that the person is (biometrics). The Windows Hello gesture does not roam between devices and is not shared with the server. Biometrics templates are stored locally on a device. The PIN is never stored or shared. + - The private key never leaves a device when using TPM. The authenticating server has a public key that is mapped to the user account during the registration process. + - PIN entry and biometric gesture both trigger Windows 10 to use the private key to cryptographically sign data that is sent to the identity provider. The identity provider verifies the user's identity and authenticates the user. + - Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use a single container for keys. All keys are separated by identity providers' domains to help ensure user privacy. + - Certificate private keys can be protected by the Windows Hello container and the Windows Hello gesture. For details, see [How Windows Hello for Business works](hello-how-it-works.md). @@ -97,6 +104,9 @@ Windows Hello for Business can use either keys (hardware or software) or certifi Windows Hello for Business with a key does not support supplied credentials for RDP. RDP does not support authentication with a key or a self signed certificate. RDP with Windows Hello for Business is supported with certificate based deployments as a supplied credential. Windows Hello for Business key trust can be used with [Windows Defender Remote Credential Guard](../remote-credential-guard.md). +> [!NOTE] +> Windows Hello for Business is introducing a new trust model called cloud trust in early 2022. This trust model will enable deployment of Windows Hello for Business using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). More information will be available on Windows Hello for Business cloud trust once it is generally available. + ## Learn more [Implementing strong user authentication with Windows Hello for Business](https://www.microsoft.com/en-us/itshowcase/implementing-strong-user-authentication-with-windows-hello-for-business) diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index 617be85699..8aada054b6 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md @@ -74,20 +74,22 @@ The hybrid deployment model is for organizations that: - Use applications hosted in Azure Active Directory, and want a single sign-in user experience for both on-premises and Azure Active Directory resources > [!Important] -> Hybrid deployments support non-destructive PIN reset that works with both the certificate trust and key trust models.
      -> **Requirements:**
      -> Microsoft PIN Reset Service - Windows 10, versions 1709 to 1809, Enterprise Edition. There is no licensing requirement for this service since version 1903
      -> Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903 +> Hybrid deployments support non-destructive PIN reset that works with both the certificate trust and key trust models. +> +> **Requirements:** +> - Microsoft PIN Reset Service - Windows 10, versions 1709 to 1809, Enterprise Edition. There is no licensing requirement for this service since version 1903 +> - Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903 ##### On-premises The on-premises deployment model is for organizations that do not have cloud identities or use applications hosted in Azure Active Directory. > [!Important] -> On-premises deployments support destructive PIN reset that works with both the certificate trust and the key trust models.
      -> **Requirements:**
      -> Reset from settings - Windows 10, version 1703, Professional
      -> Reset above lock screen - Windows 10, version 1709, Professional
      -> Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903 +> On-premises deployments support destructive PIN reset that works with both the certificate trust and the key trust models. +> +> **Requirements:** +> - Reset from settings - Windows 10, version 1703, Professional +> - Reset above lock screen - Windows 10, version 1709, Professional +> - Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903 It's fundamentally important to understand which deployment model to use for a successful deployment. Some aspects of the deployment may have already been decided for you based on your current infrastructure. @@ -95,6 +97,9 @@ It's fundamentally important to understand which deployment model to use for a s A deployment's trust type defines how each Windows Hello for Business client authenticates to the on-premises Active Directory. There are two trust types: key trust and certificate trust. +> [!NOTE] +> Windows Hello for Business is introducing a new trust model called cloud trust in early 2022. This trust model will enable deployment of Windows Hello for Business using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). More information will be available on Windows Hello for Business cloud trust once it is generally available. + The key trust type does not require issuing authentication certificates to end users. Users authenticate using a hardware-bound key created during the built-in provisioning experience. This requires an adequate distribution of Windows Server 2016 or later domain controllers relative to your existing authentication and the number of users included in your Windows Hello for Business deployment. Read the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more. The certificate trust type issues authentication certificates to end users. Users authenticate using a certificate requested using a hardware-bound key created during the built-in provisioning experience. Unlike key trust, certificate trust does not require Windows Server 2016 domain controllers (but still requires [Windows Server 2016 or later Active Directory schema](./hello-hybrid-cert-trust-prereqs.md#directories)). Users can use their certificate to authenticate to any Windows Server 2008 R2, or later, domain controller. diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/AADConnectOnPremDN.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/aadconnectonpremdn.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/aadjCert/AADConnectOnPremDN.png rename to windows/security/identity-protection/hello-for-business/images/aadjCert/aadconnectonpremdn.png diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/AzureAppProxyConnectorInstall-01.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/azureappproxyconnectorinstall-01.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/aadjCert/AzureAppProxyConnectorInstall-01.png rename to windows/security/identity-protection/hello-for-business/images/aadjCert/azureappproxyconnectorinstall-01.png diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/AzureAppProxyConnectorInstall-02.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/azureappproxyconnectorinstall-02.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/aadjCert/AzureAppProxyConnectorInstall-02.png rename to windows/security/identity-protection/hello-for-business/images/aadjCert/azureappproxyconnectorinstall-02.png diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/AzureAppProxyConnectorInstall-03.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/azureappproxyconnectorinstall-03.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/aadjCert/AzureAppProxyConnectorInstall-03.png rename to windows/security/identity-protection/hello-for-business/images/aadjCert/azureappproxyconnectorinstall-03.png diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/AzureConsole-ApplicationProxy-Connectors-Default.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/azureconsole-applicationproxy-connectors-default.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/aadjCert/AzureConsole-ApplicationProxy-Connectors-Default.png rename to windows/security/identity-protection/hello-for-business/images/aadjCert/azureconsole-applicationproxy-connectors-default.png diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/AzureConsole-ApplicationProxy-Connectors-Empty.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/azureconsole-applicationproxy-connectors-empty.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/aadjCert/AzureConsole-ApplicationProxy-Connectors-Empty.png rename to windows/security/identity-protection/hello-for-business/images/aadjCert/azureconsole-applicationproxy-connectors-empty.png diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/AzureConsole-ApplicationProxy-Connectors-NewConnectorGroup.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/azureconsole-applicationproxy-connectors-newconnectorgroup.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/aadjCert/AzureConsole-ApplicationProxy-Connectors-NewConnectorGroup.png rename to windows/security/identity-protection/hello-for-business/images/aadjCert/azureconsole-applicationproxy-connectors-newconnectorgroup.png diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/AzureConsole-AppProxyConfig.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/azureconsole-appproxyconfig.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/aadjCert/AzureConsole-AppProxyConfig.png rename to windows/security/identity-protection/hello-for-business/images/aadjCert/azureconsole-appproxyconfig.png diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/dotNet35sideByside.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/dotnet35sidebyside.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/aadjCert/dotNet35sideByside.png rename to windows/security/identity-protection/hello-for-business/images/aadjCert/dotnet35sidebyside.png diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig01.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesconfig01.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig01.png rename to windows/security/identity-protection/hello-for-business/images/aadjCert/ndesconfig01.png diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig02.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesconfig02.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig02.png rename to windows/security/identity-protection/hello-for-business/images/aadjCert/ndesconfig02.png diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig03b.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesconfig03b.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig03b.png rename to windows/security/identity-protection/hello-for-business/images/aadjCert/ndesconfig03b.png diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig04.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesconfig04.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig04.png rename to windows/security/identity-protection/hello-for-business/images/aadjCert/ndesconfig04.png diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig05.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesconfig05.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig05.png rename to windows/security/identity-protection/hello-for-business/images/aadjCert/ndesconfig05.png diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/NDESSvcDelegation-HOST-CA-SPN.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/ndessvcdelegation-host-ca-spn.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/aadjCert/NDESSvcDelegation-HOST-CA-SPN.png rename to windows/security/identity-protection/hello-for-business/images/aadjCert/ndessvcdelegation-host-ca-spn.png diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/NDESSvcDelegation-HOST-NDES-SPN.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/ndessvcdelegation-host-ndes-spn.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/aadjCert/NDESSvcDelegation-HOST-NDES-SPN.png rename to windows/security/identity-protection/hello-for-business/images/aadjCert/ndessvcdelegation-host-ndes-spn.png diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/NDESSvcDelegationTab.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/ndessvcdelegationtab.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/aadjCert/NDESSvcDelegationTab.png rename to windows/security/identity-protection/hello-for-business/images/aadjCert/ndessvcdelegationtab.png diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-ADCS-add-Features.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/servermanager-adcs-add-features.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-ADCS-add-Features.png rename to windows/security/identity-protection/hello-for-business/images/aadjCert/servermanager-adcs-add-features.png diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-ADCS-HTTP-Activation.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/servermanager-adcs-http-activation.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-ADCS-HTTP-Activation.png rename to windows/security/identity-protection/hello-for-business/images/aadjCert/servermanager-adcs-http-activation.png diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-ADCS-NDES-Role-Checked.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/servermanager-adcs-ndes-role-checked.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-ADCS-NDES-Role-Checked.png rename to windows/security/identity-protection/hello-for-business/images/aadjCert/servermanager-adcs-ndes-role-checked.png diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-ADCS-Role.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/servermanager-adcs-role.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-ADCS-Role.png rename to windows/security/identity-protection/hello-for-business/images/aadjCert/servermanager-adcs-role.png diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-ADCS-WebServer-Role.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/servermanager-adcs-webserver-role.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-ADCS-WebServer-Role.png rename to windows/security/identity-protection/hello-for-business/images/aadjCert/servermanager-adcs-webserver-role.png diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-Destination-Server-NDES.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/servermanager-destination-server-ndes.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-Destination-Server-NDES.png rename to windows/security/identity-protection/hello-for-business/images/aadjCert/servermanager-destination-server-ndes.png diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-Post-NDES-YellowActionFlag.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/servermanager-post-ndes-yellowactionflag.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-Post-NDES-YellowActionFlag.png rename to windows/security/identity-protection/hello-for-business/images/aadjCert/servermanager-post-ndes-yellowactionflag.png diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/setSPN-CommandPrompt.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/setspn-commandprompt.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/aadjCert/setSPN-CommandPrompt.png rename to windows/security/identity-protection/hello-for-business/images/aadjCert/setspn-commandprompt.png diff --git a/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md b/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md index d5c9651f0f..70b89b04ee 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md +++ b/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md @@ -1,5 +1,5 @@ --- -title: Smart Card and Remote Desktop Services (Windows 10) +title: Smart Card and Remote Desktop Services (Windows) description: This topic for the IT professional describes the behavior of Remote Desktop Services when you implement smart card sign-in. ms.prod: w10 ms.mktglfcycl: deploy @@ -12,13 +12,13 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium -ms.date: 04/19/2017 +ms.date: 09/24/2021 ms.reviewer: --- # Smart Card and Remote Desktop Services -Applies To: Windows 10, Windows Server 2016 +Applies To: Windows 10, Windows 11, Windows Server 2016 and above This topic for the IT professional describes the behavior of Remote Desktop Services when you implement smart card sign-in. diff --git a/windows/security/identity-protection/smart-cards/smart-card-architecture.md b/windows/security/identity-protection/smart-cards/smart-card-architecture.md index 63cbad9b26..604f470a49 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-architecture.md +++ b/windows/security/identity-protection/smart-cards/smart-card-architecture.md @@ -1,5 +1,5 @@ --- -title: Smart Card Architecture (Windows 10) +title: Smart Card Architecture (Windows) description: This topic for the IT professional describes the system architecture that supports smart cards in the Windows operating system. ms.prod: w10 ms.mktglfcycl: deploy @@ -12,13 +12,13 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium -ms.date: 04/19/2017 +ms.date: 09/24/2021 ms.reviewer: --- # Smart Card Architecture -Applies To: Windows 10, Windows Server 2016 +Applies To: Windows 10, Windows 11, Windows Server 2016 and above This topic for the IT professional describes the system architecture that supports smart cards in the Windows operating system, including credential provider architecture and the smart card subsystem architecture. diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md index dbcf86ee67..32f79fdf8f 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md +++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md @@ -1,5 +1,5 @@ --- -title: Certificate Propagation Service (Windows 10) +title: Certificate Propagation Service (Windows) description: This topic for the IT professional describes the certificate propagation service (CertPropSvc), which is used in smart card implementation. ms.prod: w10 ms.mktglfcycl: deploy @@ -12,13 +12,13 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium -ms.date: 04/19/2017 +ms.date: 08/24/2021 ms.reviewer: --- # Certificate Propagation Service -Applies To: Windows 10, Windows Server 2016 +Applies To: Windows 10, Windows 11, Windows Server 2016 and above This topic for the IT professional describes the certificate propagation service (CertPropSvc), which is used in smart card implementation. diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md index a220e7e658..7e32d7679f 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md +++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md @@ -1,5 +1,5 @@ --- -title: Certificate Requirements and Enumeration (Windows 10) +title: Certificate Requirements and Enumeration (Windows) description: This topic for the IT professional and smart card developers describes how certificates are managed and used for smart card sign-in. ms.prod: w10 ms.mktglfcycl: deploy @@ -12,13 +12,13 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium -ms.date: 04/19/2017 +ms.date: 09/24/2021 ms.reviewer: --- # Certificate Requirements and Enumeration -Applies To: Windows 10, Windows Server 2016 +Applies To: Windows 10, Windows 11, Windows Server 2016 and above This topic for the IT professional and smart card developers describes how certificates are managed and used for smart card sign-in. @@ -185,7 +185,7 @@ Certificate requirements are listed by versions of the Windows operating system. The smart card certificate has specific format requirements when it is used with Windows XP and earlier operating systems. You can enable any certificate to be visible for the smart card credential provider. -| **Component** | **Requirements for Windows 8.1, Windows 8, Windows 7, Windows Vista, and Windows 10** | **Requirements for Windows XP** | +| **Component** | **Requirements for Windows 8.1, Windows 8, Windows 7, Windows Vista, Windows 10, and Windows 11** | **Requirements for Windows XP** | |--------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | CRL distribution point location | Not required | The location must be specified, online, and available, for example:
      \[1\]CRL Distribution Point
      Distribution Point Name:
      Full Name:
      URL= | | Key usage | Digital signature | Digital signature | diff --git a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md index a084d3c132..b65f0ce66c 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md +++ b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md @@ -1,5 +1,5 @@ --- -title: Smart Card Troubleshooting (Windows 10) +title: Smart Card Troubleshooting (Windows) description: Describes the tools and services that smart card developers can use to help identify certificate issues with the smart card deployment. ms.prod: w10 ms.mktglfcycl: deploy @@ -12,13 +12,13 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium -ms.date: 04/19/2017 +ms.date: 09/24/2021 ms.reviewer: --- # Smart Card Troubleshooting -Applies To: Windows 10, Windows Server 2016 +Applies To: Windows 10, Windows 11, Windows Server 2016 and above This article explains tools and services that smart card developers can use to help identify certificate issues with the smart card deployment. diff --git a/windows/security/identity-protection/smart-cards/smart-card-events.md b/windows/security/identity-protection/smart-cards/smart-card-events.md index bb93b39cce..b8f7de6f81 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-events.md +++ b/windows/security/identity-protection/smart-cards/smart-card-events.md @@ -1,5 +1,5 @@ --- -title: Smart Card Events (Windows 10) +title: Smart Card Events (Windows) description: This topic for the IT professional and smart card developer describes events that are related to smart card deployment and development. ms.prod: w10 ms.mktglfcycl: deploy @@ -12,13 +12,13 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium -ms.date: 04/19/2017 +ms.date: 09/24/2021 ms.reviewer: --- # Smart Card Events -Applies To: Windows 10, Windows Server 2016 +Applies To: Windows 10, Windows 11, Windows Server 2016 and above This topic for the IT professional and smart card developer describes events that are related to smart card deployment and development. diff --git a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md index 50d2b45bb2..ad5011e9b9 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md +++ b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md @@ -1,5 +1,5 @@ --- -title: Smart Card Group Policy and Registry Settings (Windows 10) +title: Smart Card Group Policy and Registry Settings (Windows) description: Discover the Group Policy, registry key, local security policy, and credential delegation policy settings that are available for configuring smart cards. ms.prod: w10 ms.mktglfcycl: deploy @@ -12,13 +12,13 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium -ms.date: 04/19/2017 +ms.date: 09/23/2021 ms.reviewer: --- # Smart Card Group Policy and Registry Settings -Applies to: Windows 10, Windows Server 2016 +Applies to: Windows 10, Windows 11, Windows Server 2016 and above This article for IT professionals and smart card developers describes the Group Policy settings, registry key settings, local security policy settings, and credential delegation policy settings that are available for configuring smart cards. diff --git a/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md b/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md index 9939c9ec73..05d1dbf771 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md +++ b/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md @@ -1,5 +1,5 @@ --- -title: How Smart Card Sign-in Works in Windows (Windows 10) +title: How Smart Card Sign-in Works in Windows description: This topic for IT professional provides links to resources about the implementation of smart card technologies in the Windows operating system. ms.prod: w10 ms.mktglfcycl: deploy @@ -12,13 +12,13 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium -ms.date: 04/19/2017 +ms.date: 09/24/2021 ms.reviewer: --- # How Smart Card Sign-in Works in Windows -Applies To: Windows 10, Windows Server 2016 +Applies To: Windows 10, Windows 11, Windows Server 2016 and above This topic for IT professional provides links to resources about the implementation of smart card technologies in the Windows operating system. It includes the following resources about the architecture, certificate management, and services that are related to smart card use: diff --git a/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md b/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md index 3f72307e25..c52deb3971 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md +++ b/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md @@ -1,5 +1,5 @@ --- -title: Smart Card Removal Policy Service (Windows 10) +title: Smart Card Removal Policy Service (Windows) description: This topic for the IT professional describes the role of the removal policy service (ScPolicySvc) in smart card implementation. ms.prod: w10 ms.mktglfcycl: deploy @@ -12,17 +12,17 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium -ms.date: 04/19/2017 +ms.date: 09/24/2021 ms.reviewer: --- # Smart Card Removal Policy Service -Applies To: Windows 10, Windows Server 2016 +Applies To: Windows 10, Windows 11, Windows Server 2016 This topic for the IT professional describes the role of the removal policy service (ScPolicySvc) in smart card implementation. -The smart card removal policy service is applicable when a user has signed in with a smart card and subsequently removes that smart card from the reader. The action that is performed when the smart card is removed is controlled by Group Policy settings. For more information, see [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md). +The smart card removal policy service is applicable when a user has signed in with a smart card and then removes that smart card from the reader. The action that is performed when the smart card is removed is controlled by Group Policy settings. For more information, see [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md). **Smart card removal policy service** diff --git a/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md b/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md index e4548fc317..ba3e2a4c05 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md +++ b/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md @@ -1,5 +1,5 @@ --- -title: Smart Cards for Windows Service (Windows 10) +title: Smart Cards for Windows Service (Windows) description: This topic for the IT professional and smart card developers describes how the Smart Cards for Windows service manages readers and application interactions. ms.prod: w10 ms.mktglfcycl: deploy @@ -12,13 +12,13 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium -ms.date: 04/19/2017 +ms.date: 09/24/2021 ms.reviewer: --- # Smart Cards for Windows Service -Applies To: Windows 10, Windows Server 2016 +Applies To: Windows 10, Windows 11, Windows Server 2016 and above This topic for the IT professional and smart card developers describes how the Smart Cards for Windows service (formerly called Smart Card Resource Manager) manages readers and application interactions. @@ -26,7 +26,7 @@ The Smart Cards for Windows service provides the basic infrastructure for all ot The Smart Cards for Windows service runs in the context of a local service, and it is implemented as a shared service of the services host (svchost) process. The Smart Cards for Windows service, Scardsvr, has the following service description: -``` +```PowerShell Never notify< Because system administrators in enterprise environments attempt to secure systems, many line-of-business (LOB) applications are designed to use only a standard user access token. As a result, you do not need to replace the majority of apps when UAC is turned on. -Windows 10 includes file and registry virtualization technology for apps that are not UAC-compliant and that require an administrator's access token to run correctly. When an administrative apps that is not UAC-compliant attempts to write to a protected folder, such as Program Files, UAC gives the app its own virtualized view of the resource it is attempting to change. The virtualized copy is maintained in the user's profile. This strategy creates a separate copy of the virtualized file for each user that runs the non-compliant app. +Windows 10 and Windows 11 include file and registry virtualization technology for apps that are not UAC-compliant and that require an administrator's access token to run correctly. When an administrative apps that is not UAC-compliant attempts to write to a protected folder, such as Program Files, UAC gives the app its own virtualized view of the resource it is attempting to change. The virtualized copy is maintained in the user's profile. This strategy creates a separate copy of the virtualized file for each user that runs the non-compliant app. Most app tasks operate properly by using virtualization features. Although virtualization allows a majority of applications to run, it is a short-term fix and not a long-term solution. App developers should modify their apps to be compliant as soon as possible, rather than relying on file, folder, and registry virtualization. @@ -301,7 +303,7 @@ All UAC-compliant apps should have a requested execution level added to the appl ### Installer detection technology -Installation programs are apps designed to deploy software. Most installation programs write to system directories and registry keys. These protected system locations are typically writeable only by an administrator in Installer detection technology, which means that standard users do not have sufficient access to install programs. Windows 10 heuristically detects installation programs and requests administrator credentials or approval from the administrator user in order to run with access privileges. Windows 10 also heuristically detects updates and programs that uninstall applications. One of the design goals of UAC is to prevent installations from being run without the user's knowledge and consent because installation programs write to protected areas of the file system and registry. +Installation programs are apps designed to deploy software. Most installation programs write to system directories and registry keys. These protected system locations are typically writeable only by an administrator in Installer detection technology, which means that standard users do not have sufficient access to install programs. Windows 10 and Windows 11 heuristically detect installation programs and requests administrator credentials or approval from the administrator user in order to run with access privileges. Windows 10 and Windows 11 also heuristically detect updates and programs that uninstall applications. One of the design goals of UAC is to prevent installations from being run without the user's knowledge and consent because installation programs write to protected areas of the file system and registry. Installer detection only applies to: diff --git a/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md b/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md index 6f65b3199e..a4ae0b4d3d 100644 --- a/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md +++ b/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md @@ -1,5 +1,5 @@ --- -title: User Account Control Group Policy and registry key settings (Windows 10) +title: User Account Control Group Policy and registry key settings (Windows) description: Here's a list of UAC Group Policy and registry key settings that your organization can use to manage UAC. ms.prod: w10 ms.mktglfcycl: deploy @@ -21,7 +21,8 @@ ms.reviewer: **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above ## Group Policy settings There are 10 Group Policy settings that can be configured for User Account Control (UAC). The table lists the default for each of the policy settings, and the following sections explain the different UAC policy settings and provide recommendations. These policy settings are located in **Security Settings\\Local Policies\\Security Options** in the Local Security Policy snap-in. For more information about each of the Group Policy settings, see the Group Policy description. For information about the registry key settings, see [Registry key settings](#registry-key-settings). diff --git a/windows/security/identity-protection/user-account-control/user-account-control-overview.md b/windows/security/identity-protection/user-account-control/user-account-control-overview.md index a95145abaa..2e221d273c 100644 --- a/windows/security/identity-protection/user-account-control/user-account-control-overview.md +++ b/windows/security/identity-protection/user-account-control/user-account-control-overview.md @@ -1,5 +1,5 @@ --- -title: User Account Control (Windows 10) +title: User Account Control (Windows) description: User Account Control (UAC) helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop. ms.assetid: 43ac4926-076f-4df2-84af-471ee7d20c38 ms.reviewer: @@ -14,14 +14,15 @@ ms.author: dansimp manager: dansimp ms.collection: M365-identity-device-management ms.topic: article -ms.date: 07/27/2017 +ms.date: 09/24/2011 --- # User Account Control **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above User Account Control (UAC) helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system. UAC can block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings. @@ -29,7 +30,7 @@ UAC allows all users to log on to their computers using a standard user account. Other apps, especially those that were not specifically designed with security settings in mind, often require additional permissions to run successfully. These types of apps are referred to as legacy apps. Additionally, actions such as installing new software and making configuration changes to the Windows Firewall, require more permissions than what is available to a standard user account. -When an app needs to run with more than standard user rights, UAC can restore additional user groups to the token. This enables the user to have explicit control of apps that are making system level changes to their computer or device. +When an app needs to run with more than standard user rights, UAC allows users to run apps with their administrator token (with administrative groups and privileges) instead of their default, standard user access token. Users continue to operate in the standard user security context, while enabling certain apps to run with elevated privileges, if needed. ## Practical applications diff --git a/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md b/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md index 793fe303aa..9a6cb42323 100644 --- a/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md +++ b/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md @@ -1,5 +1,5 @@ --- -title: User Account Control security policy settings (Windows 10) +title: User Account Control security policy settings (Windows) description: You can use security policies to configure how User Account Control works in your organization. ms.assetid: 3D75A9AC-69BB-4EF2-ACB3-1769791E1B98 ms.reviewer: @@ -14,13 +14,16 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium -ms.date: 04/19/2017 +ms.date: 09/24/2021 --- # User Account Control security policy settings **Applies to** - Windows 10 +- Windows 11 +- Windows Server 2016 and above + You can use security policies to configure how User Account Control works in your organization. They can be configured locally by using the Local Security Policy snap-in (secpol.msc) or configured for the domain, OU, or specific groups by Group Policy. diff --git a/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md b/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md index bbb6ddc586..907bcfc24c 100644 --- a/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md +++ b/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md @@ -1,5 +1,5 @@ --- -title: How to configure Diffie Hellman protocol over IKEv2 VPN connections (Windows 10) +title: How to configure Diffie Hellman protocol over IKEv2 VPN connections (Windows 10 and Windows 11) description: Learn how to update the Diffie Hellman configuration of VPN servers and clients by running VPN cmdlets to secure connections. ms.prod: w10 ms.mktglfcycl: deploy @@ -8,16 +8,17 @@ ms.pagetype: security, networking author: dansimp ms.author: dansimp ms.localizationpriority: medium -ms.date: 02/08/2018 +ms.date: 09/23/2021 ms.reviewer: manager: dansimp --- # How to configure Diffie Hellman protocol over IKEv2 VPN connections ->Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016, Windows 10 +>Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016, Windows 10, Windows 11 + +In IKEv2 VPN connections, the default configuration for Diffie Hellman group is Group 2, which is not secure for IKE exchanges. -In IKEv2 VPN connections, the default configuration for Diffie Hellman group is Group 2, which is not secure for IKE exchanges. To secure the connections, update the configuration of VPN servers and clients by running VPN cmdlets. ## VPN server @@ -28,7 +29,7 @@ For VPN servers that run Windows Server 2012 R2 or later, you need to run [Set-V Set-VpnServerConfiguration -TunnelType IKEv2 -CustomPolicy ``` -On an earlier versions of Windows Server, run [Set-VpnServerIPsecConfiguration](/previous-versions/windows/powershell-scripting/hh918373(v=wps.620)). Since `Set-VpnServerIPsecConfiguration` doesn’t have `-TunnelType`, the configuration applies to all tunnel types on the server. +On an earlier version of Windows Server, run [Set-VpnServerIPsecConfiguration](/previous-versions/windows/powershell-scripting/hh918373(v=wps.620)). Since `Set-VpnServerIPsecConfiguration` doesn’t have `-TunnelType`, the configuration applies to all tunnel types on the server. ```powershell Set-VpnServerIPsecConfiguration -CustomPolicy diff --git a/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md b/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md index 21c295bad1..510a5a9e76 100644 --- a/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md +++ b/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md @@ -1,12 +1,12 @@ --- -title: How to use Single Sign-On (SSO) over VPN and Wi-Fi connections (Windows 10) +title: How to use Single Sign-On (SSO) over VPN and Wi-Fi connections (Windows 10 and Windows 11) description: Explains requirements to enable Single Sign-On (SSO) to on-premises domain resources over WiFi or VPN connections. ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: dansimp -ms.date: 04/19/2017 +ms.date: 09/23/2021 ms.reviewer: manager: dansimp ms.author: dansimp diff --git a/windows/security/identity-protection/vpn/vpn-authentication.md b/windows/security/identity-protection/vpn/vpn-authentication.md index 2c0a581e8d..77824138a9 100644 --- a/windows/security/identity-protection/vpn/vpn-authentication.md +++ b/windows/security/identity-protection/vpn/vpn-authentication.md @@ -1,5 +1,5 @@ --- -title: VPN authentication options (Windows 10) +title: VPN authentication options (Windows 10 and Windows 11) description: Learn about the EAP authentication methods that Windows supports in VPNs to provide secure authentication using username/password and certificate-based methods. ms.prod: w10 ms.mktglfcycl: deploy @@ -7,7 +7,7 @@ ms.sitesec: library ms.pagetype: security, networking author: dansimp ms.localizationpriority: medium -ms.date: 07/27/2017 +ms.date: 09/23/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -17,7 +17,7 @@ ms.author: dansimp **Applies to** - Windows 10 -- Windows 10 Mobile +- Windows 11 In addition to older and less-secure password-based authentication methods (which should be avoided), the built-in VPN solution uses Extensible Authentication Protocol (EAP) to provide secure authentication using both user name and password, and certificate-based methods. You can only configure EAP-based authentication if you select a built-in VPN type (IKEv2, L2TP, PPTP or Automatic). @@ -27,7 +27,7 @@ Windows supports a number of EAP authentication methods. MethodDetails EAP-Microsoft Challenge Handshake Authentication Protocol version 2 (EAP-MSCHAPv2)
      • User name and password authentication
      • Winlogon credentials - can specify authentication with computer sign-in credentials
      -EAP-Transport Layer Security (EAP-TLS)
      • Supports the following types of certificate authentication
        • Certificate with keys in the software Key Storage Provider (KSP)
        • Certificate with keys in Trusted Platform Module (TPM) KSP
        • Smart card certficates
        • Windows Hello for Business certificate
      • Certificate filtering
        • Certificate filtering can be enabled to search for a particular certificate to use to authenticate with
        • Filtering can be Issuer-based or Enhanced Key Usage (EKU)-based
      • Server validation - with TLS, server validation can be toggled on or off
        • Server name - specify the server to validate
        • Server certificate - trusted root certificate to validate the server
        • Notification - specify if the user should get a notification asking whether to trust the server or not
      +EAP-Transport Layer Security (EAP-TLS)
      • Supports the following types of certificate authentication
        • Certificate with keys in the software Key Storage Provider (KSP)
        • Certificate with keys in Trusted Platform Module (TPM) KSP
        • Smart card certificates
        • Windows Hello for Business certificate
      • Certificate filtering
        • Certificate filtering can be enabled to search for a particular certificate to use to authenticate with
        • Filtering can be Issuer-based or Enhanced Key Usage (EKU)-based
      • Server validation - with TLS, server validation can be toggled on or off
        • Server name - specify the server to validate
        • Server certificate - trusted root certificate to validate the server
        • Notification - specify if the user should get a notification asking whether to trust the server or not
      Protected Extensible Authentication Protocol (PEAP)
      • Server validation - with PEAP, server validation can be toggled on or off
        • Server name - specify the server to validate
        • Server certificate - trusted root certificate to validate the server
        • Notification - specify if the user should get a notification asking whether to trust the server or not
      • Inner method - the outer method creates a secure tunnel inside while the inner method is used to complete the authentication
        • EAP-MSCHAPv2
        • EAP-TLS
      • Fast Reconnect: reduces the delay between an authentication request by a client and the response by the Network Policy Server (NPS) or other Remote Authentication Dial-in User Service (RADIUS) server. This reduces resource requirements for both client and server, and minimizes the number of times that users are prompted for credentials.
      • Cryptobinding: By deriving and exchanging values from the PEAP phase 1 key material (Tunnel Key) and from the PEAP phase 2 inner EAP method key material (Inner Session Key), it is possible to prove that the two authentications terminate at the same two entities (PEAP peer and PEAP server). This process, termed "cryptobinding", is used to protect the PEAP negotiation against "Man in the Middle" attacks.
      Tunneled Transport Layer Security (TTLS)
      • Inner method
        • Non-EAP
          • Password Authentication Protocol (PAP)
          • CHAP
          • MSCHAP
          • MSCHAPv2
        • EAP
          • MSCHAPv2
          • TLS
      • Server validation: in TTLS, the server must be validated. The following can be configured:
        • Server name
        • Trusted root certificate for server certificate
        • Whether there should be a server validation notification
      @@ -62,4 +62,4 @@ The following image shows the field for EAP XML in a Microsoft Intune VPN profil - [VPN name resolution](vpn-name-resolution.md) - [VPN auto-triggered profile options](vpn-auto-trigger-profile.md) - [VPN security features](vpn-security-features.md) -- [VPN profile options](vpn-profile-options.md) \ No newline at end of file +- [VPN profile options](vpn-profile-options.md) diff --git a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md index 44b05da541..128afcfee9 100644 --- a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md +++ b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md @@ -1,13 +1,13 @@ --- -title: VPN auto-triggered profile options (Windows 10) -description: Learn about the types of auto-trigger rules for VPNs in Windows 10, which start a VPN when it is needed to access a resource. +title: VPN auto-triggered profile options (Windows 10 and Windows 11) +description: Learn about the types of auto-trigger rules for VPNs in Windows, which start a VPN when it is needed to access a resource. ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, networking author: dansimp ms.localizationpriority: medium -ms.date: 07/27/2017 +ms.date: 09/23/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -17,9 +17,9 @@ ms.author: dansimp **Applies to** - Windows 10 -- Windows 10 Mobile +- Windows 11 -In Windows 10, a number of features were added to auto-trigger VPN so users won’t have to manually connect when VPN is needed to access necessary resources. There are three different types of auto-trigger rules: +In Windows 10 and Windows 11, a number of features have been added to auto-trigger VPN so users won’t have to manually connect when VPN is needed to access necessary resources. There are three different types of auto-trigger rules: - App trigger - Name-based trigger @@ -31,7 +31,7 @@ In Windows 10, a number of features were added to auto-trigger VPN so users won ## App trigger -VPN profiles in Windows 10 can be configured to connect automatically on the launch of a specified set of applications. You can configure desktop or Universal Windows Platform (UWP) apps to trigger a VPN connection. You can also configure per-app VPN and specify traffic rules for each app. See [Traffic filters](vpn-security-features.md#traffic-filters) for more details. +VPN profiles in Windows 10 or Windows 11 can be configured to connect automatically on the launch of a specified set of applications. You can configure desktop or Universal Windows Platform (UWP) apps to trigger a VPN connection. You can also configure per-app VPN and specify traffic rules for each app. See [Traffic filters](vpn-security-features.md#traffic-filters) for more details. The app identifier for a desktop app is a file path. The app identifier for a UWP app is a package family name. @@ -54,7 +54,7 @@ There are four types of name-based triggers: ## Always On -Always On is a feature in Windows 10 which enables the active VPN profile to connect automatically on the following triggers: +Always On is a feature in Windows 10 and Windows 11 which enables the active VPN profile to connect automatically on the following triggers: - User sign-in - Network change diff --git a/windows/security/identity-protection/vpn/vpn-conditional-access.md b/windows/security/identity-protection/vpn/vpn-conditional-access.md index 66baa88e46..068d41d1a5 100644 --- a/windows/security/identity-protection/vpn/vpn-conditional-access.md +++ b/windows/security/identity-protection/vpn/vpn-conditional-access.md @@ -1,5 +1,5 @@ --- -title: VPN and conditional access (Windows 10) +title: VPN and conditional access (Windows 10 and Windows 11) description: Learn how to integrate the VPN client with the Conditional Access Platform, so you can create access rules for Azure Active Directory (Azure AD) connected apps. ms.prod: w10 ms.mktglfcycl: deploy @@ -10,12 +10,12 @@ ms.author: dansimp manager: dansimp ms.reviewer: ms.localizationpriority: medium -ms.date: 03/21/2019 +ms.date: 09/23/2021 --- # VPN and conditional access ->Applies to: Windows 10 and Windows 10 Mobile +>Applies to: Windows 10 and Windows 11 The VPN client is now able to integrate with the cloud-based Conditional Access Platform to provide a device compliance option for remote clients. Conditional Access is a policy-based evaluation engine that lets you create access rules for any Azure Active Directory (Azure AD) connected application. @@ -91,7 +91,7 @@ The VPN client side connection flow works as follows: When a VPNv2 Profile is configured with \ \true<\/Enabled> the VPN client uses this connection flow: -1. The VPN client calls into Windows 10’s Azure AD Token Broker, identifying itself as a VPN client. +1. The VPN client calls into Windows 10’s or Windows 11’s Azure AD Token Broker, identifying itself as a VPN client. 2. The Azure AD Token Broker authenticates to Azure AD and provides it with information about the device trying to connect. The Azure AD Server checks if the device is in compliance with the policies. @@ -110,6 +110,7 @@ See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/clien - [Azure Active Directory conditional access](/azure/active-directory/conditional-access/overview) - [Getting started with Azure Active Directory Conditional Access](/azure/active-directory/authentication/tutorial-enable-azure-mfa) - [Control the health of Windows 10-based devices](../../threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md) +- Control the health of Windows 11-based devices - [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 1)](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn) - [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 2)](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-2) - [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 3)](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-3) diff --git a/windows/security/identity-protection/vpn/vpn-connection-type.md b/windows/security/identity-protection/vpn/vpn-connection-type.md index 465f79924f..90b1a56b41 100644 --- a/windows/security/identity-protection/vpn/vpn-connection-type.md +++ b/windows/security/identity-protection/vpn/vpn-connection-type.md @@ -1,5 +1,5 @@ --- -title: VPN connection types (Windows 10) +title: VPN connection types (Windows 10 and Windows 11) description: Learn about Windows VPN platform clients and the VPN connection-type features that can be configured. ms.prod: w10 ms.mktglfcycl: deploy @@ -7,7 +7,7 @@ ms.sitesec: library ms.pagetype: security, networking author: dansimp ms.localizationpriority: medium -ms.date: 11/13/2020 +ms.date: 08/23/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -17,11 +17,11 @@ ms.author: dansimp **Applies to** - Windows 10 -- Windows 10 Mobile +- Windows 11 Virtual private networks (VPNs) are point-to-point connections across a private or public network, such as the Internet. A VPN client uses special TCP/IP or UDP-based protocols, called *tunneling protocols*, to make a virtual call to a virtual port on a VPN server. In a typical VPN deployment, a client initiates a virtual point-to-point connection to a remote access server over the Internet. The remote access server answers the call, authenticates the caller, and transfers data between the VPN client and the organization’s private network. -There are many options for VPN clients. In Windows 10, the built-in plug-in and the Universal Windows Platform (UWP) VPN plug-in platform are built on top of the Windows VPN platform. This guide focuses on the Windows VPN platform clients and the features that can be configured. +There are many options for VPN clients. In Windows 10 and Windows 11, the built-in plug-in and the Universal Windows Platform (UWP) VPN plug-in platform are built on top of the Windows VPN platform. This guide focuses on the Windows VPN platform clients and the features that can be configured. ![VPN connection types.](images/vpn-connection.png) @@ -56,7 +56,7 @@ There are many options for VPN clients. In Windows 10, the built-in plug-in and ## Universal Windows Platform VPN plug-in -The Universal Windows Platform (UWP) VPN plug-ins were introduced in Windows 10, although there were originally separate versions available for the Windows 8.1 Mobile and Windows 8.1 PC platforms. Using the UWP platform, third-party VPN providers can create app-containerized plug-ins using WinRT APIs, eliminating the complexity and problems often associated with writing to system-level drivers. +The Universal Windows Platform (UWP) VPN plug-ins were introduced in Windows 10 and Windows 11, although there were originally separate versions available for the Windows 8.1 Mobile and Windows 8.1 PC platforms. Using the UWP platform, third-party VPN providers can create app-containerized plug-ins using WinRT APIs, eliminating the complexity and problems often associated with writing to system-level drivers. There are a number of Universal Windows Platform VPN applications, such as Pulse Secure, Cisco AnyConnect, F5 Access, Sonicwall Mobile Connect, and Check Point Capsule. If you want to use a UWP VPN plug-in, work with your vendor for any custom settings needed to configure your VPN solution. diff --git a/windows/security/identity-protection/vpn/vpn-guide.md b/windows/security/identity-protection/vpn/vpn-guide.md index 51eda0028d..3f23cadc79 100644 --- a/windows/security/identity-protection/vpn/vpn-guide.md +++ b/windows/security/identity-protection/vpn/vpn-guide.md @@ -1,25 +1,26 @@ --- -title: Windows 10 VPN technical guide (Windows 10) -description: Learn about decisions to make for Windows 10 clients in your enterprise VPN solution and how to configure your deployment. +title: Windows VPN technical guide (Windows 10 and Windows 11) +description: Learn about decisions to make for Windows 10 or Windows 11 clients in your enterprise VPN solution and how to configure your deployment. ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: dansimp ms.localizationpriority: medium -ms.date: 11/13/2020 +ms.date: 09/09/2021 ms.reviewer: manager: dansimp ms.author: dansimp --- -# Windows 10 VPN technical guide +# Windows VPN technical guide **Applies to** - Windows 10 +- Windows 11 -This guide will walk you through the decisions you will make for Windows 10 clients in your enterprise VPN solution and how to configure your deployment. This guide references the [VPNv2 Configuration Service Provider (CSP)](/windows/client-management/mdm/vpnv2-csp) and provides mobile device management (MDM) configuration instructions using Microsoft Intune and the VPN Profile template for Windows 10. +This guide will walk you through the decisions you will make for Windows 10 or Windows 11 clients in your enterprise VPN solution and how to configure your deployment. This guide references the [VPNv2 Configuration Service Provider (CSP)](/windows/client-management/mdm/vpnv2-csp) and provides mobile device management (MDM) configuration instructions using Microsoft Intune and the VPN Profile template for Windows 10 and Windows 11. To create a Windows 10 VPN device configuration profile see: [Windows 10 and Windows Holographic device settings to add VPN connections using Intune](/mem/intune/configuration/vpn-settings-windows-10). @@ -42,4 +43,4 @@ To create a Windows 10 VPN device configuration profile see: [Windows 10 and Win ## Learn more -- [Create VPN profiles to connect to VPN servers in Intune](/mem/intune/configuration/vpn-settings-configure) \ No newline at end of file +- [Create VPN profiles to connect to VPN servers in Intune](/mem/intune/configuration/vpn-settings-configure) diff --git a/windows/security/identity-protection/vpn/vpn-name-resolution.md b/windows/security/identity-protection/vpn/vpn-name-resolution.md index 70cec8d554..a61584597c 100644 --- a/windows/security/identity-protection/vpn/vpn-name-resolution.md +++ b/windows/security/identity-protection/vpn/vpn-name-resolution.md @@ -1,5 +1,5 @@ --- -title: VPN name resolution (Windows 10) +title: VPN name resolution (Windows 10 and Windows 11) description: Learn how the name resolution setting in the VPN profile configures how name resolution works when a VPN client connects to a VPN server. ms.prod: w10 ms.mktglfcycl: deploy @@ -7,7 +7,7 @@ ms.sitesec: library ms.pagetype: security, networking author: dansimp ms.localizationpriority: medium -ms.date: 07/27/2017 +ms.date: 09/23/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -17,7 +17,7 @@ ms.author: dansimp **Applies to** - Windows 10 -- Windows 10 Mobile +- Windows 11 When the VPN client connects to the VPN server, the VPN client receives the client IP address. The client may also receive the IP address of the Domain Name System (DNS) server and the IP address of the Windows Internet Name Service (WINS) server. diff --git a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md index 5c4221a574..562a872615 100644 --- a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md +++ b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md @@ -1,5 +1,5 @@ --- -title: Optimizing Office 365 traffic for remote workers with the native Windows 10 VPN client +title: Optimizing Office 365 traffic for remote workers with the native Windows 10 or Windows 11 VPN client description: tbd ms.prod: w10 ms.mktglfcycl: deploy @@ -9,20 +9,20 @@ audience: ITPro ms.topic: article author: kelleyvice-msft ms.localizationpriority: medium -ms.date: 04/07/2020 +ms.date: 09/23/2021 ms.reviewer: manager: dansimp ms.author: jajo --- -# Optimizing Office 365 traffic for remote workers with the native Windows 10 VPN client +# Optimizing Office 365 traffic for remote workers with the native Windows 10 and Windows 11 VPN client -This article describes how to configure the recommendations in the article [Optimize Office 365 connectivity for remote users using VPN split tunneling](/office365/enterprise/office-365-vpn-split-tunnel) for the *native Windows 10 VPN client*. This guidance enables VPN administrators to optimize Office 365 usage while still ensuring that all other traffic goes over the VPN connection and through existing security gateways and tooling. +This article describes how to configure the recommendations in the article [Optimize Office 365 connectivity for remote users using VPN split tunneling](/office365/enterprise/office-365-vpn-split-tunnel) for the *native Windows 10 and Windows 11 VPN client*. This guidance enables VPN administrators to optimize Office 365 usage while still ensuring that all other traffic goes over the VPN connection and through existing security gateways and tooling. -This can be achieved for the native/built-in Windows 10 VPN client using a _Force Tunneling with Exclusions_ approach. This allows you to define IP-based exclusions *even when using force tunneling* in order to "split" certain traffic to use the physical interface while still forcing all other traffic via the VPN interface. Traffic addressed to specifically defined destinations (like those listed in the Office 365 optimize categories) will therefore follow a much more direct and efficient path, without the need to traverse or "hairpin" via the VPN tunnel and back out of the corporate network. For cloud-services like Office 365, this makes a huge difference in performance and usability for remote users. +This can be achieved for the native/built-in Windows 10 and Windows 11 VPN client using a _Force Tunneling with Exclusions_ approach. This allows you to define IP-based exclusions *even when using force tunneling* in order to "split" certain traffic to use the physical interface while still forcing all other traffic via the VPN interface. Traffic addressed to specifically defined destinations (like those listed in the Office 365 optimize categories) will therefore follow a much more direct and efficient path, without the need to traverse or "hairpin" via the VPN tunnel and back out of the corporate network. For cloud-services like Office 365, this makes a huge difference in performance and usability for remote users. > [!NOTE] -> The term _force tunneling with exclusions_ is sometimes confusingly called "split tunnels" by other vendors and in some online documentation. For Windows 10 VPN, the term _split tunneling_ is defined differently as described in the article [VPN routing decisions](./vpn-routing.md#split-tunnel-configuration). +> The term _force tunneling with exclusions_ is sometimes confusingly called "split tunnels" by other vendors and in some online documentation. For Windows 10 and Windows 11 VPN, the term _split tunneling_ is defined differently as described in the article [VPN routing decisions](./vpn-routing.md#split-tunnel-configuration). ## Solution Overview @@ -30,7 +30,7 @@ The solution is based upon the use of a VPN Configuration Service Provider Refer Typically, these VPN profiles are distributed using a Mobile Device Management solution like Intune, as described in [VPN profile options](./vpn-profile-options.md#apply-profilexml-using-intune) and [Configure the VPN client by using Intune](/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#configure-the-vpn-client-by-using-intune). -To enable the use of force tunneling in Windows 10 VPN, the `` setting is typically configured with a value of _ForceTunnel_ in your existing Profile XML (or script) by way of the following entry, under the `` section: +To enable the use of force tunneling in Windows 10 or Windows 11 VPN, the `` setting is typically configured with a value of _ForceTunnel_ in your existing Profile XML (or script) by way of the following entry, under the `` section: ```xml ForceTunnel @@ -90,13 +90,13 @@ An example of a PowerShell script that can be used to update a force tunnel VPN <# .SYNOPSIS - Applies or updates recommended Office 365 optimize IP address exclusions to an existing force tunnel Windows 10 VPN profile + Applies or updates recommended Office 365 optimize IP address exclusions to an existing force tunnel Windows 10 and Windows 11 VPN profile .DESCRIPTION Connects to the Office 365 worldwide commercial service instance endpoints to obtain the latest published IP address ranges Compares the optimized IP addresses with those contained in the supplied VPN Profile (PowerShell or XML file) Adds or updates IP addresses as necessary and saves the resultant file with "-NEW" appended to the file name .PARAMETERS - Filename and path for a supplied Windows 10 VPN profile file in either PowerShell or XML format + Filename and path for a supplied Windows 10 or Windows 11 VPN profile file in either PowerShell or XML format .NOTES Requires at least Windows 10 Version 1803 with KB4493437, 1809 with KB4490481, or later .VERSION @@ -430,6 +430,7 @@ if ($VPNprofilefile -ne "" -and $FileExtension -eq ".xml") This solution is supported with the following versions of Windows: +- Windows 11 - Windows 10 1903/1909 and newer: Included, no action needed - Windows 10 1809: At least [KB4490481](https://support.microsoft.com/help/4490481/windows-10-update-kb4490481) - Windows 10 1803: At least [KB4493437](https://support.microsoft.com/help/4493437/windows-10-update-kb4493437) diff --git a/windows/security/identity-protection/vpn/vpn-profile-options.md b/windows/security/identity-protection/vpn/vpn-profile-options.md index 96eae8c6ac..8e683158b9 100644 --- a/windows/security/identity-protection/vpn/vpn-profile-options.md +++ b/windows/security/identity-protection/vpn/vpn-profile-options.md @@ -1,6 +1,6 @@ --- -title: VPN profile options (Windows 10) -description: Windows 10 adds Virtual Private Network (VPN) profile options to help manage how users connect. VPNs give users secure remote access to the company network. +title: VPN profile options (Windows 10 and Windows 11) +description: Windows adds Virtual Private Network (VPN) profile options to help manage how users connect. VPNs give users secure remote access to the company network. ms.assetid: E3F99DF9-863D-4E28-BAED-5C1B1B913523 ms.reviewer: manager: dansimp @@ -18,9 +18,9 @@ ms.date: 05/17/2018 **Applies to** - Windows 10 -- Windows 10 Mobile +- Windows 11 -Most of the VPN settings in Windows 10 can be configured in VPN profiles using Microsoft Intune or Microsoft Endpoint Configuration Manager. All VPN settings in Windows 10 can be configured using the **ProfileXML** node in the [VPNv2 configuration service provider (CSP)](/windows/client-management/mdm/vpnv2-csp). +Most of the VPN settings in Windows 10 and Windows 11 can be configured in VPN profiles using Microsoft Intune or Microsoft Endpoint Configuration Manager. All VPN settings in Windows 10 and Windows 11 can be configured using the **ProfileXML** node in the [VPNv2 configuration service provider (CSP)](/windows/client-management/mdm/vpnv2-csp). >[!NOTE] >If you're not familiar with CSPs, read [Introduction to configuration service providers (CSPs)](/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers) first. @@ -56,7 +56,7 @@ The ProfileXML node was added to the VPNv2 CSP to allow users to deploy VPN prof The following is a sample Native VPN profile. This blob would fall under the ProfileXML node. -``` +```xml TestVpnProfile @@ -222,7 +222,7 @@ The following is a sample Native VPN profile. This blob would fall under the Pro The following is a sample plug-in VPN profile. This blob would fall under the ProfileXML node. -``` +```xml TestVpnProfile @@ -294,26 +294,38 @@ The following is a sample plug-in VPN profile. This blob would fall under the Pr Helloworld.Com - ``` ## Apply ProfileXML using Intune -After you configure the settings that you want using ProfileXML, you can apply it using Intune and a **Custom Configuration (Windows 10 Desktop and Mobile and later)** policy. +After you configure the settings that you want using ProfileXML, you can apply it using Intune and a **Custom Configuration (Windows 10 or Windows 11 Desktop and Mobile and later)** policy. 1. Sign into the [Azure portal](https://portal.azure.com). + 2. Go to **Intune** > **Device Configuration** > **Profiles**. + 3. Click **Create Profile**. + 4. Enter a name and (optionally) a description. + 5. Choose **Windows 10 and later** as the platform. + 6. Choose **Custom** as the profile type and click **Add**. + 8. Enter a name and (optionally) a description. + 9. Enter the OMA-URI **./user/vendor/MSFT/VPNv2/_VPN profile name_/ProfileXML**. + 10. Set Data type to **String (XML file)**. + 11. Upload the profile XML file. + 12. Click **OK**. + ![Custom VPN profile.](images/custom-vpn-profile.png) + 13. Click **OK**, then **Create**. + 14. Assign the profile. @@ -332,4 +344,4 @@ After you configure the settings that you want using ProfileXML, you can apply i - [VPN and conditional access](vpn-conditional-access.md) - [VPN name resolution](vpn-name-resolution.md) - [VPN auto-triggered profile options](vpn-auto-trigger-profile.md) -- [VPN security features](vpn-security-features.md) \ No newline at end of file +- [VPN security features](vpn-security-features.md) diff --git a/windows/security/identity-protection/vpn/vpn-routing.md b/windows/security/identity-protection/vpn/vpn-routing.md index ea0cb1c3ae..5c2b3d00e1 100644 --- a/windows/security/identity-protection/vpn/vpn-routing.md +++ b/windows/security/identity-protection/vpn/vpn-routing.md @@ -1,5 +1,5 @@ --- -title: VPN routing decisions (Windows 10) +title: VPN routing decisions (Windows 10 and Windows 10) description: Learn about approaches that either send all data through a VPN or only selected data. The one you choose impacts capacity planning and security expectations. ms.prod: w10 ms.mktglfcycl: deploy @@ -7,7 +7,7 @@ ms.sitesec: library ms.pagetype: security, networking author: dansimp ms.localizationpriority: medium -ms.date: 07/27/2017 +ms.date: 09/23/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -17,7 +17,7 @@ ms.author: dansimp **Applies to** - Windows 10 -- Windows 10 Mobile +- Windows 11 Network routes are required for the stack to understand which interface to use for outbound traffic. One of the most important decision points for VPN configuration is whether you want to send all the data through VPN (*force tunnel*) or only some data through the VPN (*split tunnel*). This decision impacts the configuration and the capacity planning, as well as security expectations from the connection. diff --git a/windows/security/identity-protection/vpn/vpn-security-features.md b/windows/security/identity-protection/vpn/vpn-security-features.md index c84ab32cb0..88d9c1dfba 100644 --- a/windows/security/identity-protection/vpn/vpn-security-features.md +++ b/windows/security/identity-protection/vpn/vpn-security-features.md @@ -1,5 +1,5 @@ --- -title: VPN security features (Windows 10) +title: VPN security features (Windows 10 and Windows 11) description: Learn about security features for VPN, including LockDown VPN, Windows Information Protection integration with VPN, and traffic filters. ms.prod: w10 ms.mktglfcycl: deploy @@ -7,7 +7,7 @@ ms.sitesec: library ms.pagetype: security, networking author: dansimp ms.localizationpriority: medium -ms.date: 07/27/2017 +ms.date: 09/03/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -17,14 +17,14 @@ ms.author: dansimp **Applies to** - Windows 10 -- Windows 10 Mobile +- Windows 11 ## Windows Information Protection (WIP) integration with VPN Windows Information Protection provides capabilities allowing the separation and protection of enterprise data against disclosure across both company and personally owned devices, without requiring additional changes to the environments or the apps themselves. Additionally, when used with Rights Management Services (RMS), WIP can help to protect enterprise data locally. -The **EdpModeId** node in the [VPNv2 Configuration Service Provider (CSP)](/windows/client-management/mdm/vpnv2-csp) allows a Windows 10 VPN client to integrate with WIP, extending its functionality to remote devices. Use case scenarios for WIP include: +The **EdpModeId** node in the [VPNv2 Configuration Service Provider (CSP)](/windows/client-management/mdm/vpnv2-csp) allows a Windows 10 or Windows 11 VPN client to integrate with WIP, extending its functionality to remote devices. Use case scenarios for WIP include: - Core functionality: File encryption and file access blocking - UX policy enforcement: Restricting copy/paste, drag/drop, and sharing operations diff --git a/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md b/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md index 62a4cf6cf0..3a8d6e6ed0 100644 --- a/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md +++ b/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md @@ -1,6 +1,6 @@ --- -title: Windows 10 Credential Theft Mitigation Guide Abstract (Windows 10) -description: Provides a summary of the Windows 10 credential theft mitigation guide. +title: Windows Credential Theft Mitigation Guide Abstract +description: Provides a summary of the Windows credential theft mitigation guide. ms.assetid: 821ddc1a-f401-4732-82a7-40d1fff5a78a ms.reviewer: ms.prod: w10 @@ -17,12 +17,12 @@ ms.localizationpriority: medium ms.date: 04/19/2017 --- -# Windows 10 Credential Theft Mitigation Guide Abstract +# Windows Credential Theft Mitigation Guide Abstract **Applies to** - Windows 10 -This topic provides a summary of the Windows 10 credential theft mitigation guide, which can be downloaded from the [Microsoft Download Center](https://download.microsoft.com/download/C/1/4/C14579CA-E564-4743-8B51-61C0882662AC/Windows%2010%20credential%20theft%20mitigation%20guide.docx). +This topic provides a summary of the Windows credential theft mitigation guide, which can be downloaded from the [Microsoft Download Center](https://download.microsoft.com/download/C/1/4/C14579CA-E564-4743-8B51-61C0882662AC/Windows%2010%20credential%20theft%20mitigation%20guide.docx). This guide explains how credential theft attacks occur and the strategies and countermeasures you can implement to mitigate them, following these security stages: - Identify high-value assets diff --git a/windows/security/identity.md b/windows/security/identity.md new file mode 100644 index 0000000000..0cfa07beba --- /dev/null +++ b/windows/security/identity.md @@ -0,0 +1,27 @@ +--- +title: Windows identity and user security +description: Get an overview of identity security in Windows 11 and Windows 10 +ms.reviewer: +manager: dansimp +ms.author: dansimp +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: dansimp +ms.collection: M365-security-compliance +ms.prod: m365-security +ms.technology: windows-sec +--- + +# Windows identity and user security + +Malicious actors launch millions of password attacks every day. Weak passwords, password spraying, and phishing are the entry point for many attacks. Knowing that the right user is accessing the right device and the right data is critical to keeping your business, family, and self, safe and secure. Windows Hello, Windows Hello for Business, and Credential Guard enable customers to move to passwordless multifactor authentication (MFA). MFA can reduce the risk of compromise in organizations. + +| Security capabilities | Description | +|:---|:---| +| Securing user identity with Windows Hello | Windows Hello and Windows Hello for Business replace password-based authentication with a stronger authentication model to sign into your device using a passcode (PIN) or other biometric based authentication. This PIN or biometric based authentication is only valid on the device that you registered it for and cannot be used on another deviceLearn more: [Windows Hello for Business](identity-protection\hello-for-business\hello-overview.md) | +| Windows Defender Credential Guard and Remote Credential Guard | Windows Defender Credential Guard helps protects your systems from credential theft attack techniques (pass-the-hash or pass-the-ticket) as well as helping prevent malware from accessing system secrets even if the process is running with admin privileges. Windows Defender Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting Kerberos requests back to the device that's requesting the connection. It also provides single sign-on experiences for Remote Desktop sessions. Learn more: [Protect derived domain credentials with Windows Defender Credential Guard](identity-protection/credential-guard/credential-guard-how-it-works.md) and [Protect Remote Desktop credentials with Windows Defender Remote Credential Guard](identity-protection/remote-credential-guard.md)| +| FIDO Alliance | Fast Identity Online (FIDO) defined protocols are becoming the open standard for providing strong authentication that helps prevent phishing and are user-friendly and privacy-respecting. Windows 11 supports the use of device sign-in with FIDO 2 security keys, and with Microsoft Edge or other modern browsers, supports the use of secure FIDO-backed credentials to keep user accounts protected. Learn more about the [FIDO Alliance](https://fidoalliance.org/). | +| Microsoft Authenticator | The Microsoft Authenticator app is a perfect companion to help keep secure with Windows 11. It allows easy, secure sign-ins for all your online accounts using multi-factor authentication, passwordless phone sign-in, or password autofill. You also have additional account management options for your Microsoft personal, work, or school accounts. Microsoft Authenticator can be used to set up multi-factor authentication for your users. Learn more: [Enable passwordless sign-in with the Microsoft Authenticator app](/azure/active-directory/authentication/howto-authentication-passwordless-phone.md). | +| Smart Cards | Smart cards are tamper-resistant portable storage devices that can enhance the security of tasks in Windows, such as authenticating clients, signing code, securing e-mail, and signing in with Windows domain accounts. Learn more about [Smart Cards](identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md).| +| Access Control | Access control is the process of authorizing users, groups, and computers to access objects and assets on a network or computer. Computers can control the use of system and network resources through the interrelated mechanisms of authentication and authorization. Learn more: [Access Control](identity-protection/access-control/access-control.md).| \ No newline at end of file diff --git a/windows/security/images/windows-security-app-w11.png b/windows/security/images/windows-security-app-w11.png new file mode 100644 index 0000000000..e062b0d292 Binary files /dev/null and b/windows/security/images/windows-security-app-w11.png differ diff --git a/windows/security/index.yml b/windows/security/index.yml index 4a5558a16d..debbf67a5a 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -1,38 +1,170 @@ -### YamlMime:Hub +### YamlMime:Landing -title: Windows 10 Enterprise Security # < 60 chars -summary: Secure corporate data and manage risk. # < 160 chars -# brand: aspnet | azure | dotnet | dynamics | m365 | ms-graph | office | power-bi | power-platform | sql | sql-server | vs | visual-studio | windows | xamarin -brand: windows +title: Windows security # < 60 chars +summary: Built with Zero Trust principles at the core to safeguard data and access anywhere, keeping you protected and productive. # < 160 chars metadata: - title: Windows 10 Enterprise Security # Required; page title displayed in search results. Include the brand. < 60 chars. - description: Learn about enterprise-grade security features for Windows 10. # Required; article description that is displayed in search results. < 160 chars. - services: windows + title: Windows security # Required; page title displayed in search results. Include the brand. < 60 chars. + description: Learn about Windows security # Required; article description that is displayed in search results. < 160 chars. + ms.topic: landing-page # Required ms.prod: windows - ms.topic: hub-page # Required - ms.collection: M365-security-compliance # Optional; Remove if no collection is used. + ms.collection: m365-security-compliance author: dansimp #Required; your GitHub user alias, with correct capitalization. ms.author: dansimp #Required; microsoft alias of author; optional team alias. - ms.date: 01/08/2018 #Required; mm/dd/yyyy format. - ms.localizationpriority: high + ms.date: 09/20/2021 + localization_priority: Priority + +# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new + +landingContent: +# Cards and links should be based on top customer tasks or top subjects +# Start card title with a verb + # Card (optional) + - title: Zero Trust and Windows + linkLists: + - linkListType: overview + links: + - text: Overview + url: zero-trust-windows-device-health.md +# Cards and links should be based on top customer tasks or top subjects +# Start card title with a verb + # Card (optional) + - title: Hardware security + linkLists: + - linkListType: overview + links: + - text: Overview + url: hardware.md + - linkListType: concept + links: + - text: Trusted Platform Module + url: information-protection/tpm/trusted-platform-module-top-node.md + - text: Windows Defender System Guard firmware protection + url: threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md + - text: System Guard Secure Launch and SMM protection enablement + url: threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md + - text: Virtualization-based protection of code integrity + url: threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md + - text: Kernel DMA Protection + url: information-protection/kernel-dma-protection-for-thunderbolt.md +# Cards and links should be based on top customer tasks or top subjects +# Start card title with a verb + # Card (optional) + - title: Operating system security + linkLists: + - linkListType: overview + links: + - text: Overview + url: operating-system.md + - linkListType: concept + links: + - text: System security + url: trusted-boot.md + - text: Encryption and data protection + url: encryption-data-protection.md + - text: Windows security baselines + url: threat-protection/windows-security-configuration-framework/windows-security-baselines.md + - text: Virtual private network guide + url: identity-protection/vpn/vpn-guide.md + - text: Windows Defender Firewall + url: threat-protection/windows-firewall/windows-firewall-with-advanced-security.md + - text: Virus & threat protection + url: threat-protection/index.md +# Cards and links should be based on top customer tasks or top subjects +# Start card title with a verb + # Card (optional) + - title: Application security + linkLists: + - linkListType: overview + links: + - text: Overview + url: apps.md + - linkListType: concept + links: + - text: Application Control and virtualization-based protection + url: threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md + - text: Application Control + url: threat-protection/windows-defender-application-control/windows-defender-application-control.md + - text: Application Guard + url: threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md + - text: Windows Sandbox + url: threat-protection/windows-sandbox/windows-sandbox-overview.md + - text: Microsoft Defender SmartScreen + url: threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md + - text: S/MIME for Windows + url: identity-protection/configure-s-mime.md +# Cards and links should be based on top customer tasks or top subjects +# Start card title with a verb + # Card (optional) + - title: User security and secured identity + linkLists: + - linkListType: overview + links: + - text: Overview + url: identity.md + - linkListType: concept + links: + - text: Windows Hello for Business + url: identity-protection/hello-for-business/hello-overview.md + - text: Windows Credential Theft Mitigation + url: identity-protection/windows-credential-theft-mitigation-guide-abstract.md + - text: Protect domain credentials + url: identity-protection/credential-guard/credential-guard.md + - text: Windows Defender Credential Guard + url: identity-protection/credential-guard/credential-guard.md + - text: Lost or forgotten passwords + url: identity-protection/password-support-policy.md + - text: Access control + url: identity-protection/access-control/access-control.md + - text: Smart cards + url: identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md +# Cards and links should be based on top customer tasks or top subjects +# Start card title with a verb + # Card (optional) + - title: Cloud services + linkLists: + - linkListType: overview + links: + - text: Overview + url: cloud.md + - linkListType: concept + links: + - text: Mobile device management + url: https://docs.microsoft.com/windows/client-management/mdm/ + - text: Azure Active Directory + url: https://www.microsoft.com/security/business/identity-access-management/azure-active-directory + - text: Your Microsoft Account + url: identity-protection/access-control/microsoft-accounts.md + - text: OneDrive + url: https://docs.microsoft.com/onedrive/onedrive + - text: Family safety + url: threat-protection/windows-defender-security-center/wdsc-family-options.md +# Cards and links should be based on top customer tasks or top subjects +# Start card title with a verb + # Card (optional) + - title: Security foundations + linkLists: + - linkListType: overview + links: + - text: Overview + url: security-foundations.md + - linkListType: reference + links: + - text: Microsoft Security Development Lifecycle + url: threat-protection/msft-security-dev-lifecycle.md + - text: Microsoft Bug Bounty + url: threat-protection/microsoft-bug-bounty-program.md + - text: Common Criteria Certifications + url: threat-protection/windows-platform-common-criteria.md + - text: Federal Information Processing Standard (FIPS) 140 Validation + url: threat-protection/fips-140-validation.md +# Cards and links should be based on top customer tasks or top subjects +# Start card title with a verb + # Card (optional) + - title: Privacy controls + linkLists: + - linkListType: reference + links: + - text: Windows and Privacy Compliance + url: /windows/privacy/windows-10-and-privacy-compliance -# productDirectory section (optional) -productDirectory: - items: - # Card - - title: Identity and access management - # imageSrc should be square in ratio with no whitespace - imageSrc: https://docs.microsoft.com/media/common/i_identity-protection.svg - summary: Deploy secure enterprise-grade authentication and access control to protect accounts and data - url: ./identity-protection/index.md - # Card - - title: Threat protection - imageSrc: https://docs.microsoft.com/media/common/i_threat-protection.svg - summary: Stop cyberthreats and quickly identify and respond to breaches - url: ./threat-protection/index.md - # Card - - title: Information protection - imageSrc: https://docs.microsoft.com/media/common/i_information-protection.svg - summary: Identify and secure critical data to prevent data loss - url: ./information-protection/index.md \ No newline at end of file diff --git a/windows/security/information-protection/TOC.yml b/windows/security/information-protection/TOC.yml deleted file mode 100644 index bcaa9d74d7..0000000000 --- a/windows/security/information-protection/TOC.yml +++ /dev/null @@ -1,149 +0,0 @@ -- name: Information protection - href: index.md - items: - - name: BitLocker - href: bitlocker\bitlocker-overview.md - items: - - name: Overview of BitLocker Device Encryption in Windows 10 - href: bitlocker\bitlocker-device-encryption-overview-windows-10.md - - name: BitLocker frequently asked questions (FAQ) - href: bitlocker\bitlocker-frequently-asked-questions.yml - items: - - name: Overview and requirements - href: bitlocker\bitlocker-overview-and-requirements-faq.yml - - name: Upgrading - href: bitlocker\bitlocker-upgrading-faq.yml - - name: Deployment and administration - href: bitlocker\bitlocker-deployment-and-administration-faq.yml - - name: Key management - href: bitlocker\bitlocker-key-management-faq.yml - - name: BitLocker To Go - href: bitlocker\bitlocker-to-go-faq.yml - - name: Active Directory Domain Services - href: bitlocker\bitlocker-and-adds-faq.yml - - name: Security - href: bitlocker\bitlocker-security-faq.yml - - name: BitLocker Network Unlock - href: bitlocker\bitlocker-network-unlock-faq.yml - - name: General - href: bitlocker\bitlocker-using-with-other-programs-faq.yml - - name: "Prepare your organization for BitLocker: Planning and policies" - href: bitlocker\prepare-your-organization-for-bitlocker-planning-and-policies.md - - name: BitLocker deployment comparison - href: bitlocker\bitlocker-deployment-comparison.md - - name: BitLocker basic deployment - href: bitlocker\bitlocker-basic-deployment.md - - name: "BitLocker: How to deploy on Windows Server 2012 and later" - href: bitlocker\bitlocker-how-to-deploy-on-windows-server.md - - name: "BitLocker: Management for enterprises" - href: bitlocker\bitlocker-management-for-enterprises.md - - name: "BitLocker: How to enable Network Unlock" - href: bitlocker\bitlocker-how-to-enable-network-unlock.md - - name: "BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker" - href: bitlocker\bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md - - name: "BitLocker: Use BitLocker Recovery Password Viewer" - href: bitlocker\bitlocker-use-bitlocker-recovery-password-viewer.md - - name: BitLocker Group Policy settings - href: bitlocker\bitlocker-group-policy-settings.md - - name: BCD settings and BitLocker - href: bitlocker\bcd-settings-and-bitlocker.md - - name: BitLocker Recovery Guide - href: bitlocker\bitlocker-recovery-guide-plan.md - - name: BitLocker Countermeasures - href: bitlocker\bitlocker-countermeasures.md - - name: Protecting cluster shared volumes and storage area networks with BitLocker - href: bitlocker\protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md - - name: Troubleshoot BitLocker - items: - - name: Troubleshoot BitLocker - href: bitlocker\troubleshoot-bitlocker.md - - name: "BitLocker cannot encrypt a drive: known issues" - href: bitlocker\ts-bitlocker-cannot-encrypt-issues.md - - name: "Enforcing BitLocker policies by using Intune: known issues" - href: bitlocker\ts-bitlocker-intune-issues.md - - name: "BitLocker Network Unlock: known issues" - href: bitlocker\ts-bitlocker-network-unlock-issues.md - - name: "BitLocker recovery: known issues" - href: bitlocker\ts-bitlocker-recovery-issues.md - - name: "BitLocker configuration: known issues" - href: bitlocker\ts-bitlocker-config-issues.md - - name: Troubleshoot BitLocker and TPM issues - items: - - name: "BitLocker cannot encrypt a drive: known TPM issues" - href: bitlocker\ts-bitlocker-cannot-encrypt-tpm-issues.md - - name: "BitLocker and TPM: other known issues" - href: bitlocker\ts-bitlocker-tpm-issues.md - - name: Decode Measured Boot logs to track PCR changes - href: bitlocker\ts-bitlocker-decode-measured-boot-logs.md - - name: Encrypted Hard Drive - href: encrypted-hard-drive.md - - name: Kernel DMA Protection - href: kernel-dma-protection-for-thunderbolt.md - - name: Protect your enterprise data using Windows Information Protection (WIP) - href: windows-information-protection\protect-enterprise-data-using-wip.md - items: - - name: Create a WIP policy using Microsoft Intune - href: windows-information-protection\overview-create-wip-policy.md - items: - - name: Create a WIP policy with MDM using the Azure portal for Microsoft Intune - href: windows-information-protection\create-wip-policy-using-intune-azure.md - items: - - name: Deploy your WIP policy using the Azure portal for Microsoft Intune - href: windows-information-protection\deploy-wip-policy-using-intune-azure.md - - name: Associate and deploy a VPN policy for WIP using the Azure portal for Microsoft Intune - href: windows-information-protection\create-vpn-and-wip-policy-using-intune-azure.md - - name: Create and verify an EFS Data Recovery Agent (DRA) certificate - href: windows-information-protection\create-and-verify-an-efs-dra-certificate.md - - name: Determine the Enterprise Context of an app running in WIP - href: windows-information-protection\wip-app-enterprise-context.md - - name: Create a WIP policy using Microsoft Endpoint Configuration Manager - href: windows-information-protection\overview-create-wip-policy-configmgr.md - items: - - name: Create and deploy a WIP policy using Microsoft Endpoint Configuration Manager - href: windows-information-protection\create-wip-policy-using-configmgr.md - - name: Create and verify an EFS Data Recovery Agent (DRA) certificate - href: windows-information-protection\create-and-verify-an-efs-dra-certificate.md - - name: Determine the Enterprise Context of an app running in WIP - href: windows-information-protection\wip-app-enterprise-context.md - - name: Mandatory tasks and settings required to turn on WIP - href: windows-information-protection\mandatory-settings-for-wip.md - - name: Testing scenarios for WIP - href: windows-information-protection\testing-scenarios-for-wip.md - - name: Limitations while using WIP - href: windows-information-protection\limitations-with-wip.md - - name: How to collect WIP audit event logs - href: windows-information-protection\collect-wip-audit-event-logs.md - - name: General guidance and best practices for WIP - href: windows-information-protection\guidance-and-best-practices-wip.md - items: - - name: Enlightened apps for use with WIP - href: windows-information-protection\enlightened-microsoft-apps-and-wip.md - - name: Unenlightened and enlightened app behavior while using WIP - href: windows-information-protection\app-behavior-with-wip.md - - name: Recommended Enterprise Cloud Resources and Neutral Resources network settings with WIP - href: windows-information-protection\recommended-network-definitions-for-wip.md - - name: Using Outlook Web Access with WIP - href: windows-information-protection\using-owa-with-wip.md - - name: Fine-tune WIP Learning - href: windows-information-protection\wip-learning.md - - name: Secure the Windows 10 boot process - href: secure-the-windows-10-boot-process.md - - name: Trusted Platform Module - href: tpm/trusted-platform-module-top-node.md - items: - - name: Trusted Platform Module Overview - href: tpm/trusted-platform-module-overview.md - - name: TPM fundamentals - href: tpm/tpm-fundamentals.md - - name: How Windows 10 uses the TPM - href: tpm/how-windows-uses-the-tpm.md - - name: TPM Group Policy settings - href: tpm/trusted-platform-module-services-group-policy-settings.md - - name: Back up the TPM recovery information to AD DS - href: tpm/backup-tpm-recovery-information-to-ad-ds.md - - name: View status, clear, or troubleshoot the TPM - href: tpm/initialize-and-configure-ownership-of-the-tpm.md - - name: Understanding PCR banks on TPM 2.0 devices - href: tpm/switch-pcr-banks-on-tpm-2-0-devices.md - - name: TPM recommendations - href: tpm/tpm-recommendations.md diff --git a/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md b/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md index 34a70a7698..3c10de8372 100644 --- a/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md +++ b/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md @@ -72,7 +72,8 @@ For example, either “`winload:hypervisordebugport`” or “`winload:0x250000f Setting that applies to all boot applications may be applied only to an individual application, however the reverse is not true. For example, one can specify either: “`all:locale`” or “`winresume:locale`”, but as the bcd setting “`win-pe`” does not apply to all boot applications, “`winload:winpe`” is valid, but “`all:winpe`” is not valid. The setting that controls boot debugging (“`bootdebug`” or 0x16000010) will always be validated and will have no effect if it is included in the provided fields. -> **Note:**  Take care when configuring BCD entries in the Group Policy setting. The Local Group Policy Editor does not validate the correctness of the BCD entry. BitLocker will fail to be enabled if the Group Policy setting specified is invalid. +> [!NOTE] +> Take care when configuring BCD entries in the Group Policy setting. The Local Group Policy Editor does not validate the correctness of the BCD entry. BitLocker will fail to be enabled if the Group Policy setting specified is invalid.   ### Default BCD validation profile @@ -109,7 +110,9 @@ The following table contains the default BCD validation profile used by BitLocke ### Full list of friendly names for ignored BCD settings This following is a full list of BCD settings with friendly names, which are ignored by default. These settings are not part of the default BitLocker validation profile, but can be added if you see a need to validate any of these settings before allowing a BitLocker–protected operating system drive to be unlocked. -> **Note:**  Additional BCD settings exist that have hex values but do not have friendly names. These settings are not included in this list. + +> [!NOTE] +> Additional BCD settings exist that have hex values but do not have friendly names. These settings are not included in this list. | Hex Value | Prefix | Friendly Name | | - | - | - | diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md index 5582a89d66..9a77ca4317 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md +++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md @@ -190,8 +190,8 @@ Windows PowerShell cmdlets provide an alternative way to work with BitLocker. Us -

      Name

      -

      Parameters

      +

      Name

      +

      Parameters

      Add-BitLockerKeyProtector

      @@ -388,8 +388,9 @@ Get-ADUser -filter {samaccountname -eq "administrator"} > [!NOTE] > Use of this command requires the RSAT-AD-PowerShell feature. -> -> **Tip:**  In addition to the Windows PowerShell command above, information about the locally logged on user and group membership can be found using: WHOAMI /ALL. This does not require the use of additional features. + +> [!TIP] +> In addition to the Windows PowerShell command above, information about the locally logged on user and group membership can be found using: WHOAMI /ALL. This does not require the use of additional features. In the example below, the user wishes to add a domain SID-based protector to the previously encrypted operating system volume. The user knows the SID for the user account or group they wish to add and uses the following command: diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview.md b/windows/security/information-protection/bitlocker/bitlocker-overview.md index fd212875f8..bc8488a920 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-overview.md +++ b/windows/security/information-protection/bitlocker/bitlocker-overview.md @@ -69,7 +69,7 @@ The system BIOS or UEFI firmware (for TPM and non-TPM computers) must support th > [!NOTE] > TPM 2.0 is not supported in Legacy and CSM Modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as Native UEFI only. The Legacy and Compatibility Support Module (CSM) options must be disabled. For added security Enable the Secure Boot feature. - +> > Installed Operating System on hardware in legacy mode will stop the OS from booting when the BIOS mode is changed to UEFI. Use the tool [MBR2GPT](/windows/deployment/mbr-to-gpt) before changing the BIOS mode which will prepare the OS and the disk to support UEFI. The hard disk must be partitioned with at least two drives: diff --git a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md index d58028caea..4f375c0d85 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md +++ b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md @@ -53,6 +53,7 @@ A good practice when using manage-bde is to determine the volume status on the t ```powershell manage-bde -status ``` + This command returns the volumes on the target, current encryption status, encryption method, and volume type (operating system or data) for each volume: ![Using manage-bde to check encryption status.](images/manage-bde-status.png) @@ -64,7 +65,8 @@ manage-bde –protectors -add C: -startupkey E: manage-bde -on C: ``` ->**Note:**  After the encryption is completed, the USB startup key must be inserted before the operating system can be started. +> [!NOTE] +> After the encryption is completed, the USB startup key must be inserted before the operating system can be started. An alternative to the startup key protector on non-TPM hardware is to use a password and an **ADaccountorgroup** protector to protect the operating system volume. In this scenario, you would add the protectors first. To add them, use this command: @@ -102,7 +104,8 @@ You may experience a problem that damages an area of a hard disk on which BitLoc The BitLocker Repair Tool (Repair-bde) can be used to access encrypted data on a severely damaged hard disk if the drive was encrypted by using BitLocker. Repair-bde can reconstruct critical parts of the drive and salvage recoverable data as long as a valid recovery password or recovery key is used to decrypt the data. If the BitLocker metadata data on the drive has become corrupt, you must be able to supply a backup key package in addition to the recovery password or recovery key. This key package is backed up in Active Directory Domain Services (AD DS) if you used the default setting for AD DS backup. With this key package and either the recovery password or recovery key, you can decrypt portions of a BitLocker-protected drive if the disk is corrupted. Each key package will work only for a drive that has the corresponding drive identifier. You can use the BitLocker Recovery Password Viewer to obtain this key package from AD DS. ->**Tip:**  If you are not backing up recovery information to AD DS or if you want to save key packages alternatively, you can use the command `manage-bde -KeyPackage` to generate a key package for a volume. +> [!TIP] +> If you are not backing up recovery information to AD DS or if you want to save key packages alternatively, you can use the command `manage-bde -KeyPackage` to generate a key package for a volume. The Repair-bde command-line tool is intended for use when the operating system does not start or when you cannot start the BitLocker Recovery Console. Use Repair-bde if the following conditions are true: @@ -110,7 +113,8 @@ The Repair-bde command-line tool is intended for use when the operating system d - Windows does not start, or you cannot start the BitLocker recovery console. - You do not have a copy of the data that is contained on the encrypted drive. ->**Note:**  Damage to the drive may not be related to BitLocker. Therefore, we recommend that you try other tools to help diagnose and resolve the problem with the drive before you use the BitLocker Repair Tool. The Windows Recovery Environment (Windows RE) provides additional options to repair computers. +> [!NOTE] +> Damage to the drive may not be related to BitLocker. Therefore, we recommend that you try other tools to help diagnose and resolve the problem with the drive before you use the BitLocker Repair Tool. The Windows Recovery Environment (Windows RE) provides additional options to repair computers. The following limitations exist for Repair-bde: @@ -128,11 +132,13 @@ Windows PowerShell cmdlets provide a new way for administrators to use when work - - -

      Name

      -

      Parameters

      + + +

      Name

      +

      Parameters

      + +

      Add-BitLockerKeyProtector

      -ADAccountOrGroup

      @@ -251,10 +257,13 @@ Windows PowerShell cmdlets provide a new way for administrators to use when work Similar to manage-bde, the Windows PowerShell cmdlets allow configuration beyond the options offered in the control panel. As with manage-bde, users need to consider the specific needs of the volume they are encrypting prior to running Windows PowerShell cmdlets. + A good initial step is to determine the current state of the volume(s) on the computer. You can do this using the Get-BitLockerVolume cmdlet. + The Get-BitLockerVolume cmdlet output gives information on the volume type, protectors, protection status, and other details. ->**Tip:**  Occasionally, all protectors may not be shown when using `Get-BitLockerVolume` due to lack of space in the output display. If you do not see all of the protectors for a volume, you can use the Windows PowerShell pipe command (|) to format a full listing of the protectors. +> [!TIP] +> Occasionally, all protectors may not be shown when using `Get-BitLockerVolume` due to lack of space in the output display. If you do not see all of the protectors for a volume, you can use the Windows PowerShell pipe command (|) to format a full listing of the protectors. `Get-BitLockerVolume C: | fl` If you want to remove the existing protectors prior to provisioning BitLocker on the volume, you could use the `Remove-BitLockerKeyProtector` cmdlet. Accomplishing this requires the GUID associated with the protector to be removed. @@ -274,7 +283,8 @@ By using this information, you can then remove the key protector for a specific Remove-BitLockerKeyProtector : -KeyProtectorID "{GUID}" ``` ->**Note:**  The BitLocker cmdlet requires the key protector GUID enclosed in quotation marks to execute. Ensure the entire GUID, with braces, is included in the command. +> [!NOTE] +> The BitLocker cmdlet requires the key protector GUID enclosed in quotation marks to execute. Ensure the entire GUID, with braces, is included in the command. ### Using the BitLocker Windows PowerShell cmdlets with operating system volumes @@ -302,11 +312,13 @@ $pw = Read-Host -AsSecureString Enable-BitLockerKeyProtector E: -PasswordProtector -Password $pw ``` + ### Using an AD Account or Group protector in Windows PowerShell The **ADAccountOrGroup** protector, introduced in Windows 8 and Windows Server 2012, is an Active Directory SID-based protector. This protector can be added to both operating system and data volumes, although it does not unlock operating system volumes in the pre-boot environment. The protector requires the SID for the domain account or group to link with the protector. BitLocker can protect a cluster-aware disk by adding a SID-based protector for the Cluster Name Object (CNO) that lets the disk properly fail over to and be unlocked by any member computer of the cluster. ->**Warning:**  The **ADAccountOrGroup** protector requires the use of an additional protector for use (such as TPM, PIN, or recovery key) when used on operating system volumes +> [!WARNING] +> The **ADAccountOrGroup** protector requires the use of an additional protector for use (such as TPM, PIN, or recovery key) when used on operating system volumes To add an **ADAccountOrGroup** protector to a volume, use either the actual domain SID or the group name preceded by the domain and a backslash. In the example below, the CONTOSO\\Administrator account is added as a protector to the data volume G. @@ -316,13 +328,15 @@ Enable-BitLocker G: -AdAccountOrGroupProtector -AdAccountOrGroup CONTOSO\Adminis For users who wish to use the SID for the account or group, the first step is to determine the SID associated with the account. To get the specific SID for a user account in Windows PowerShell, use the following command: ->**Note:**  Use of this command requires the RSAT-AD-PowerShell feature. +> [!NOTE] +> Use of this command requires the RSAT-AD-PowerShell feature. ```powershell get-aduser -filter {samaccountname -eq "administrator"} ``` ->**Tip:**  In addition to the PowerShell command above, information about the locally logged on user and group membership can be found using: WHOAMI /ALL. This does not require the use of additional features. +> [!TIP] +> In addition to the PowerShell command above, information about the locally logged on user and group membership can be found using: WHOAMI /ALL. This does not require the use of additional features. The following example adds an **ADAccountOrGroup** protector to the previously encrypted operating system volume using the SID of the account: @@ -330,7 +344,8 @@ The following example adds an **ADAccountOrGroup** protector to the previously e Add-BitLockerKeyProtector C: -ADAccountOrGroupProtector -ADAccountOrGroup S-1-5-21-3651336348-8937238915-291003330-500 ``` ->**Note:**  Active Directory-based protectors are normally used to unlock Failover Cluster enabled volumes. +> [!NOTE] +> Active Directory-based protectors are normally used to unlock Failover Cluster enabled volumes. ## More information @@ -338,4 +353,4 @@ Add-BitLockerKeyProtector C: -ADAccountOrGroupProtector -ADAccountOrGroup S-1-5- - [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml) - [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md) - [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md) -- [BitLocker: How to deploy on Windows Server 2012](bitlocker-how-to-deploy-on-windows-server.md) \ No newline at end of file +- [BitLocker: How to deploy on Windows Server 2012](bitlocker-how-to-deploy-on-windows-server.md) diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md index f8dc37af5a..f2ed14e623 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md @@ -41,6 +41,7 @@ This issue may be caused by settings that are controlled by Group Policy Objects To resolve this issue, follow these steps: 1. Start Registry Editor, and navigate to the following subkey: + **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\FVE** 1. Delete the following entries: @@ -55,9 +56,13 @@ To resolve this issue, follow these steps: You have a computer that is running Windows 10, version 1709 or version 1607, or Windows 11. You try to encrypt a USB drive by following these steps: 1. In Windows Explorer, right-click the USB drive and select **Turn on BitLocker**. + 1. On the **Choose how you want to unlock this drive** page, select **Use a password to unlock the drive**. + 1. Follow the instructions on the page to enter your password. + 1. On the **Are you ready to encrypt this drive?** page, select **Start encrypting**. + 1. The **Starting encryption** page displays the message "Access is denied." You receive this message on any computer that runs Windows 10 version 1709 or version 1607, or Windows 11, when you use any USB drive. @@ -72,13 +77,13 @@ To verify that this issue has occurred, follow these steps: 1. At the command prompt, enter the following command: - ```cmd + ```console C:\>sc sdshow bdesvc ``` The output of this command resembles the following: - > D:(A;;CCDCLCSWRPWPDTLORCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLORCWDWO;;;BA)(A;;CCLCSWRPLORC;;;BU)(A;;CCLCSWRPLORC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOSDRCWDWO;;;WD) + > `D:(A;;CCDCLCSWRPWPDTLORCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLORCWDWO;;;BA)(A;;CCLCSWRPLORC;;;BU)(A;;CCLCSWRPLORC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOSDRCWDWO;;;WD)` 1. Copy this output, and use it as part of the [**ConvertFrom-SddlString**](/powershell/module/microsoft.powershell.utility/convertfrom-sddlstring) command in the PowerShell window, as follows. @@ -95,7 +100,7 @@ To verify that this issue has occurred, follow these steps: 1. To repair the security descriptor of BDESvc, open an elevated PowerShell window and enter the following command: - ```ps + ```powershell sc sdset bdesvc D:(A;;CCDCLCSWRPWPDTLORCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLORCWDWO;;;BA)(A;;CCLCSWRPLORC;;;BU)(A;;CCLCSWRPLORC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOSDRCWDWO;;;WD) ``` diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-config-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-config-issues.md index 6b1ee39717..4142982e69 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-config-issues.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-config-issues.md @@ -158,7 +158,7 @@ For more information and recommendations about backing up virtualized domain con When the VSS NTDS writer requests access to the encrypted drive, the Local Security Authority Subsystem Service (LSASS) generates an error entry that resembles the following: -``` +```console \# for hex 0xc0210000 / decimal -1071579136 ‎ STATUS\_FVE\_LOCKED\_VOLUME ntstatus.h ‎ \# This volume is locked by BitLocker Drive Encryption. @@ -166,7 +166,7 @@ When the VSS NTDS writer requests access to the encrypted drive, the Local Secur The operation produces the following call stack: -``` +```console \# Child-SP RetAddr Call Site ‎ 00 00000086\`b357a800 00007ffc\`ea6e7a4c KERNELBASE\!FindFirstFileExW+0x1ba \[d:\\rs1\\minkernel\\kernelbase\\filefind.c @ 872\] ‎ 01 00000086\`b357abd0 00007ffc\`e824accb KERNELBASE\!FindFirstFileW+0x1c \[d:\\rs1\\minkernel\\kernelbase\\filefind.c @ 208\] diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md b/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md index 276b174efd..9c0af342bc 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md @@ -55,7 +55,8 @@ To install the tool, follow these steps: To use TBSLogGenerator, follow these steps: -1. After the installation finishes, open an elevated Command Prompt window and navigate to the following folder: +1. After the installation finishes, open an elevated Command Prompt window and navigate to the following folder: + **C:\\Program Files (x86)\\Windows Kits\\10\\Hardware Lab Kit\\Tests\\amd64\\NTTEST\\BASETEST\\ngscb** This folder contains the TBSLogGenerator.exe file. @@ -63,9 +64,11 @@ To use TBSLogGenerator, follow these steps: ![Properties and location of the TBSLogGenerator.exe file.](./images/ts-tpm-3.png) 1. Run the following command: - ```cmd + + ```console TBSLogGenerator.exe -LF \.log > \.txt ``` + where the variables represent the following values: - \<*LogFolderName*> = the name of the folder that contains the file to be decoded - \<*LogFileName*> = the name of the file to be decoded @@ -74,7 +77,7 @@ To use TBSLogGenerator, follow these steps: For example, the following figure shows Measured Boot logs that were collected from a Windows 10 computer and put into the C:\\MeasuredBoot\\ folder. The figure also shows a Command Prompt window and the command to decode the **0000000005-0000000000.log** file: - ```cmd + ```console TBSLogGenerator.exe -LF C:\MeasuredBoot\0000000005-0000000000.log > C:\MeasuredBoot\0000000005-0000000000.txt ``` @@ -84,12 +87,12 @@ To use TBSLogGenerator, follow these steps: ![Windows Explorer window that shows the text file that TBSLogGenerator produces.](./images/ts-tpm-5.png) -The content of this text file resembles the following. - -![Contents of the text file, as shown in NotePad.](./images/ts-tpm-6.png) - -To find the PCR information, go to the end of the file. - + The content of this text file resembles the following. + + ![Contents of the text file, as shown in NotePad.](./images/ts-tpm-6.png) + + To find the PCR information, go to the end of the file. + ![View of NotePad that shows the PCR information at the end of the text file.](./images/ts-tpm-7.png) ## Use PCPTool to decode Measured Boot logs @@ -102,7 +105,8 @@ PCPTool is part of the [TPM Platform Crypto-Provider Toolkit](https://www.micros To download and install PCPTool, go to the Toolkit page, select **Download**, and follow the instructions. To decode a log, run the following command: -```cmd + +```console PCPTool.exe decodelog \.log > \.xml ``` @@ -114,4 +118,4 @@ where the variables represent the following values: The content of the XML file resembles the following. -![Command Prompt window that shows an example of how to use PCPTool.](./images/pcptool-output.jpg) +:::image type="content" alt-text="Command Prompt window that shows an example of how to use PCPTool." source="./images/pcptool-output.jpg" lightbox="./images/pcptool-output.jpg"::: diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md index 13b4676a20..44ad76e76b 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md @@ -20,7 +20,7 @@ ms.custom: bitlocker This article helps you troubleshoot issues that you may experience if you use Microsoft Intune policy to manage silent BitLocker encryption on devices. The Intune portal indicates whether BitLocker has failed to encrypt one or more managed devices. -![The BitLocker status indictors on the Intune portal.](./images/4509189-en-1.png) +:::image type="content" alt-text="The BitLocker status indictors on the Intune portal." source="./images/4509189-en-1.png" lightbox="./images/4509189-en-1.png"::: To start narrowing down the cause of the problem, review the event logs as described in [Troubleshoot BitLocker](troubleshoot-bitlocker.md). Concentrate on the Management and Operations logs in the **Applications and Services logs\\Microsoft\\Windows\\BitLocker-API** folder. The following sections provide more information about how to resolve the indicated events and error messages: @@ -104,10 +104,11 @@ The procedures described in this section depend on the default disk partitions t To verify the configuration of the disk partitions, open an elevated Command Prompt window, and run the following commands: -``` +```console diskpart list volume ``` + ![Output of the list volume command in the Diskpart app.](./images/4509195-en-1.png) If the status of any of the volumes is not healthy or if the recovery partition is missing, you may have to reinstall Windows. Before you do this, check the configuration of the Windows image that you are using for provisioning. Make sure that the image uses the correct disk configuration. The image configuration should resemble the following (this example is from Microsoft Endpoint Configuration Manager). @@ -118,16 +119,17 @@ If the status of any of the volumes is not healthy or if the recovery partition To verify the status of WinRE on the device, open an elevated Command Prompt window and run the following command: -```cmd +```console reagentc /info ``` + The output of this command resembles the following. ![Output of the reagentc /info command.](./images/4509193-en-1.png) If the **Windows RE status** is not **Enabled**, run the following command to enable it: -```cmd +```console reagentc /enable ``` @@ -135,13 +137,13 @@ reagentc /enable If the partition status is healthy, but the **reagentc /enable** command results in an error, verify that Windows Boot Loader contains the recovery sequence GUID. To do this, run the following command in an elevated Command Prompt window: -```cmd +```console bcdedit /enum all ``` The output of this command resembles the following. -![Output of the bcdedit /enum all command.](./images/4509196-en-1.png) +:::image type="content" alt-text="Output of the bcdedit /enum all command." source="./images/4509196-en-1.png" lightbox="./images/4509196-en-1.png"::: In the output, locate the **Windows Boot Loader** section that includes the line **identifier={current}**. In that section, locate the **recoverysequence** attribute. The value of this attribute should be a GUID value, not a string of zeros. @@ -162,9 +164,13 @@ The device must have Unified Extensible Firmware Interface (UEFI) BIOS. Silent B To verify the BIOS mode, use the System Information app. To do this, follow these steps: 1. Select **Start**, and enter **msinfo32** in the **Search** box. + 1. Verify that the **BIOS Mode** setting is **UEFI** and not **Legacy**. + ![System Information app, showing the BIOS Mode setting.](./images/4509198-en-1.png) + 1. If the **BIOS Mode** setting is **Legacy**, you have to switch the BIOS into **UEFI** or **EFI** mode. The steps for doing this are specific to the device. + > [!NOTE] > If the device supports only Legacy mode, you cannot use Intune to manage BitLocker Device Encryption on the device. @@ -186,7 +192,7 @@ You can resolve this issue by verifying the PCR validation profile of the TPM an To verify that PCR 7 is in use, open an elevated Command Prompt window and run the following command: -```cmd +```console Manage-bde -protectors -get %systemdrive% ``` @@ -203,16 +209,22 @@ If **PCR Validation Profile** doesn't include **7** (for example, the values inc To verify the Secure Boot state, use the System Information app. To do this, follow these steps: 1. Select **Start**, and enter **msinfo32** in the **Search** box. + 1. Verify that the **Secure Boot State** setting is **On**, as follows: + ![System Information app, showing a supported Secure Boot State.](./images/4509201-en-1.png) + 1. If the **Secure Boot State** setting is **Unsupported**, you cannot use Silent BitLocker Encryption on this device. + ![System Information app, showing a unsupported Secure Boot State.](./images/4509202-en-1.png) > [!NOTE] > You can also use the [Confirm-SecureBootUEFI](/powershell/module/secureboot/confirm-securebootuefi) cmdlet to verify the Secure Boot state. To do this, open an elevated PowerShell window and run the following command: +> > ```ps > PS C:\> Confirm-SecureBootUEFI > ``` +> > If the computer supports Secure Boot and Secure Boot is enabled, this cmdlet returns "True." > > If the computer supports Secure Boot and Secure Boot is disabled, this cmdlet returns "False." diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md index aa70c53412..110aad6465 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md @@ -49,7 +49,7 @@ You can use either of the following methods to manually back up or synchronize a For example, to back up all of the recovery information for the C: drive to AD DS, open an elevated Command Prompt window and run the following command: - ```cmd + ```console manage-bde -protectors -adbackup C: ``` @@ -60,7 +60,7 @@ You can use either of the following methods to manually back up or synchronize a You have a tablet or slate device, and you try to test BitLocker Recovery by running the following command: -```cmd +```console Manage-bde -forcerecovery ``` @@ -82,14 +82,21 @@ This behavior is by design for all versions of Windows. To resolve the restart loop, follow these steps: 1. On the BitLocker Recovery screen, select **Skip this drive**. + 1. Select **Troubleshoot** \> **Advanced Options** \> **Command Prompt**. -1. In the Command Prompt window, run the following commands : - ```cmd + +1. In the Command Prompt window, run the following commands: + + ```console manage-bde –unlock C: -rp <48-digit BitLocker recovery password> manage-bde -protectors -disable C: + ``` + 1. Close the Command Prompt window. + 1. Shut down the device. + 1. Start the device. Windows should start as usual. ## After you install UEFI or TPM firmware updates on Surface, BitLocker prompts for the recovery password @@ -115,7 +122,7 @@ Devices that support Connected Standby (also known as *InstantGO* or *Always On, To verify the PCR values that are in use on a device, open and elevated Command Prompt window and run the following command: -```cmd +```console manage-bde.exe -protectors -get : ``` @@ -130,21 +137,34 @@ If you have installed a TPM or UEFI update and your device cannot start, even if To do this, follow these steps: 1. Obtain your BitLocker recovery password from [your Microsoft.com account](https://account.microsoft.com/devices/recoverykey). If BitLocker is managed by a different method, such as Microsoft BitLocker Administration and Monitoring (MBAM), contact your administrator for help. + 1. Use another computer to download the Surface recovery image from [Download a recovery image for your Surface](https://support.microsoft.com/surfacerecoveryimage). Use the downloaded image to create a USB recovery drive. + 1. Insert the USB Surface recovery image drive into the Surface device, and start the device. + 1. When you are prompted, select the following items: + 1. Your operating system language. + 1. Your keyboard layout. + 1. Select **Troubleshoot** > **Advanced Options** > **Command Prompt**. + 1. In the Command Prompt window, run the following commands: - ```cmd + + ```console manage-bde -unlock -recoverypassword : manage-bde -protectors -disable : + ``` + In these commands, \<*Password*\> is the BitLocker recovery password that you obtained in step 1, and \<*DriveLetter*> is the drive letter that is assigned to your operating system drive. + > [!NOTE] > For more information about how to use this command, see [manage-bde: unlock](/windows-server/administration/windows-commands/manage-bde-unlock). + 1. Restart the computer. + 1. When you are prompted, enter the BitLocker recovery password that you obtained in step 1. > [!NOTE] @@ -155,11 +175,15 @@ To do this, follow these steps: To recover data from your Surface device if you cannot start Windows, follow steps 1 through 5 of [Step 1](#step-1) to return to the Command Prompt window, and then follow these steps: 1. At the command prompt, run the following command: - ```cmd + + ```console manage-bde -unlock -recoverypassword : ``` + In this command, \<*Password*\> is the BitLocker recovery password that you obtained in step 1 of [Step 1](#step-1), and \<*DriveLetter*> is the drive letter that is assigned to your operating system drive. + 1. After the drive is unlocked, use the **copy** or **xcopy** command to copy the user data to another drive. + > [!NOTE] > For more information about the these commands, see the [Windows commands](/windows-server/administration/windows-commands/windows-commands). @@ -172,30 +196,42 @@ To prevent this issue from recurring, we strongly recommend that you restore t To enable Secure Boot on a Surface device, follow these steps: 1. Suspend BitLocker. to do this, open an elevated Windows PowerShell window, and run the following cmdlet: - ```ps + + ```powershell Suspend-BitLocker -MountPoint ":" -RebootCount 0 ``` + In this command, <*DriveLetter*> is the letter that is assigned to your drive. + 1. Restart the device, and then edit the BIOS to set the **Secure Boot** option to **Microsoft Only**. + 1. Restart the device. + 1. Open an elevated PowerShell window, and run the following cmdlet: - ```ps + + ```powershell Resume-BitLocker -MountPoint ":" ``` To reset the PCR settings on the TPM, follow these steps: 1. Disable any Group Policy Objects that configure the PCR settings, or remove the device from any groups that enforce such policies. + For more information, see [BitLocker Group Policy settings](./bitlocker-group-policy-settings.md). + 1. Suspend BitLocker. To do this, open an elevated Windows PowerShell window, and run the following cmdlet: - ```ps + + ```powershell Suspend-BitLocker -MountPoint ":" -RebootCount 0 ``` where <*DriveLetter*> is the letter assigned to your drive. + 1. Run the following cmdlet: - ```ps + + ```powershell Resume-BitLocker -MountPoint ":" + ``` #### Step 4: Suspend BitLocker during TPM or UEFI firmware updates @@ -209,13 +245,19 @@ You can avoid this scenario when you install updates to system firmware or TPM f To suspend BitLocker while you install TPM or UEFI firmware updates: 1. Open an elevated Windows PowerShell window, and run the following cmdlet: - ```ps + + ```powershell Suspend-BitLocker -MountPoint ":" -RebootCount 0 + ``` + In this cmdlet <*DriveLetter*> is the letter that is assigned to your drive. + 1. Install the Surface device driver and firmware updates. + 1. After you install the firmware updates, restart the computer, open an elevated PowerShell window, and then run the following cmdlet: - ```ps + + ```powershell Resume-BitLocker -MountPoint ":" ``` @@ -230,22 +272,31 @@ You have a device that runs Windows 11, Windows 10, version 1703, Windows 10, v If your device is already in this state, you can successfully start Windows after suspending BitLocker from the Windows Recovery Environment (WinRE). To do this, follow these steps: 1. Retrieve the 48-digit BitLocker recovery password for the operating system drive from your organization's portal or from wherever the password was stored when BitLocker Drive Encryption was first turned on. + 1. On the Recovery screen, press Enter. When you are prompted, enter the recovery password. + 1. If your device starts in the (WinRE) and prompts you for the recovery password again, select **Skip the drive**. + 1. Select **Advanced options** > **Troubleshoot** > **Advanced options** > **Command Prompt**. + 1. In the Command Prompt window, run the following commands: - ```cmd + + ```console Manage-bde -unlock c: -rp <48 digit numerical recovery password separated by “-“ in 6 digit group> Manage-bde -protectors -disable c: exit ``` These commands unlock the drive and then suspend BitLocker by disabling the TPM protectors on the drive. The final command closes the Command Prompt window. + > [!NOTE] > These commands suspend BitLocker for one restart of the device. The **-rc 1** option works only inside the operating system and does not work in the recovery environment. + 1. Select **Continue**. Windows should start. + 1. After Windows has started, open an elevated Command Prompt window and run the following command: - ```cmd + + ```console Manage-bde -protectors -enable c: ``` @@ -254,7 +305,7 @@ If your device is already in this state, you can successfully start Windows afte To temporarily suspend BitLocker just before you restart the device, open an elevated Command Prompt window and run the following command: -```cmd +```console Manage-bde -protectors -disable c: -rc 1 ``` diff --git a/windows/security/information-protection/secure-the-windows-10-boot-process.md b/windows/security/information-protection/secure-the-windows-10-boot-process.md index 45659d1cac..a13435b388 100644 --- a/windows/security/information-protection/secure-the-windows-10-boot-process.md +++ b/windows/security/information-protection/secure-the-windows-10-boot-process.md @@ -1,7 +1,7 @@ --- -title: Secure the Windows 10 boot process -description: This article describes how Windows 10 security features helps protect your PC from malware, including rootkits and other applications -keywords: trusted boot, windows 10 boot process +title: Secure the Windows boot process +description: This article describes how Windows security features helps protect your PC from malware, including rootkits and other applications +keywords: trusted boot, windows boot process ms.prod: w10 ms.mktglfcycl: Explore ms.pagetype: security @@ -12,12 +12,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 11/16/2018 +ms.date: ms.reviewer: ms.author: dansimp --- -# Secure the Windows 10 boot process +# Secure the Windows boot process **Applies to:** - Windows 11 @@ -27,11 +27,11 @@ ms.author: dansimp The Windows operating system has many features to help protect you from malware, and it does an amazingly good job. Except for apps that businesses develop and use internally, all Microsoft Store apps must meet a series of requirements to be certified and included in the Microsoft Store. This certification process examines several criteria, including security, and is an effective means of preventing malware from entering the Microsoft Store. Even if a malicious app does get through, the Windows 10 operating system includes a series of security features that can mitigate the impact. For instance, Microsoft Store apps are sandboxed and lack the privileges necessary to access user data or change system settings. -Windows has multiple levels of protection for desktop apps and data, too. Windows Defender uses signatures to detect and quarantine apps that are known to be malicious. Windows Defender SmartScreen warns users before allowing them to run an untrustworthy app, even if it’s recognized as malware. Before an app can change system settings, the user would have to grant the app administrative privileges by using User Account Control. +Windows has multiple levels of protection for desktop apps and data, too. Windows Defender Antivirus uses cloud-powered real-time detection to identify and quarantine apps that are known to be malicious. Windows Defender SmartScreen warns users before allowing them to run an untrustworthy app, even if it’s recognized as malware. Before an app can change system settings, the user would have to grant the app administrative privileges by using User Account Control. Those are just some of the ways that Windows protects you from malware. However, those security features protect you only after Windows starts. Modern malware—and bootkits specifically—are capable of starting before Windows, completely bypassing operating system security, and remaining completely hidden. -When you run Windows 10 on a PC or any PC that supports Unified Extensible Firmware Interface (UEFI), Trusted Boot protects your PC from malware from the moment you power on your PC until your anti-malware starts. In the unlikely event that malware does infect a PC, it can’t remain hidden; Trusted Boot can prove the system’s integrity to your infrastructure in a way that malware can’t disguise. Even on PCs without UEFI, Windows provides even better startup security than previous versions of Windows. +When you run Windows 10 or Windows 11 on a PC or any PC that supports Unified Extensible Firmware Interface (UEFI), Trusted Boot protects your PC from malware from the moment you power on your PC until your anti-malware starts. In the unlikely event that malware does infect a PC, it can’t remain hidden; Trusted Boot can prove the system’s integrity to your infrastructure in a way that malware can’t disguise. Even on PCs without UEFI, Windows provides even better startup security than previous versions of Windows. First, let’s examine what rootkits are and how they work. Then, we’ll show you how Windows can protect you. @@ -61,7 +61,7 @@ Figure 1 shows the Windows startup process. **Figure 1. Secure Boot, Trusted Boot, and Measured Boot block malware at every stage** -Secure Boot and Measured Boot are only possible on PCs with UEFI 2.3.1 and a TPM chip. Fortunately, all Windows 10 PCs that meet Windows Hardware Compatibility Program requirements have these components, and many PCs designed for earlier versions of Windows have them as well. +Secure Boot and Measured Boot are only possible on PCs with UEFI 2.3.1 and a TPM chip. Fortunately, all Windows 10 and Windows 11 PCs that meet Windows Hardware Compatibility Program requirements have these components, and many PCs designed for earlier versions of Windows have them as well. The sections that follow describe Secure Boot, Trusted Boot, ELAM, and Measured Boot. @@ -131,4 +131,4 @@ Measured Boot uses the power of UEFI, TPM, and Windows to give you a way to conf Secure Boot, Trusted Boot, and Measured Boot create an architecture that is fundamentally resistant to bootkits and rootkits. In Windows, these features have the potential to eliminate kernel-level malware from your network. This is the most ground-breaking anti-malware solution that Windows has ever had; it’s leaps and bounds ahead of everything else. With Windows, you can truly trust the integrity of your operating system. ## Additional resources -- [Windows 10 Enterprise LTSC 2019 or v2004 Evaluation](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) +- [Windows Enterprise Evaluation](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) diff --git a/windows/security/operating-system.md b/windows/security/operating-system.md new file mode 100644 index 0000000000..310538cbee --- /dev/null +++ b/windows/security/operating-system.md @@ -0,0 +1,44 @@ +--- +title: Windows operating system security +description: Securing the operating system includes system security, encryption, network security, and threat protection. +ms.reviewer: +ms.topic: article +manager: dansimp +ms.author: deniseb +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: denisebmsft +ms.collection: M365-security-compliance +ms.prod: m365-security +ms.technology: windows-sec +ms.date: 09/21/2021 +--- + +# Windows operating system security + +Security and privacy depend on an operating system that guards your system and information from the moment it starts up, providing fundamental chip-to-cloud protection. Windows 11 is the most secure Windows yet with extensive security measures designed to help keep you safe. These measures include built-in advanced encryption and data protection, robust network and system security, and intelligent safeguards against ever-evolving threats. + +Watch the latest [Microsoft Mechanics Windows 11 security](https://youtu.be/tg9QUrnVFho) video that shows off some of the latest Windows 11 security technology. + +Use the links in the following table to learn more about the operating system security features and capabilities in Windows 11.

      + +| Security Measures | Features & Capabilities | +|:---|:---| +| Secure Boot and Trusted Boot | Secure Boot and Trusted Boot help prevent malware and corrupted components from loading when a Windows device is starting. Secure Boot starts with initial boot-up protection, and then Trusted Boot picks up the process. Together, Secure Boot and Trusted Boot help to ensure your Windows system boots up safely and securely.

      Learn more [Secure Boot and Trusted Boot](trusted-boot.md). | +Cryptography and certificate management|Cryptography uses code to convert data so that only a specific recipient can read it by using a key. Cryptography enforces privacy to prevent anyone except the intended recipient from reading data, integrity to ensure data is free of tampering, and authentication that verifies identity to ensure that communication is secure.

      Learn more about [Cryptography and certificate management](cryptography-certificate-mgmt.md).

      | +Windows Security app | The Windows built-in security application found in settings provides an at-a-glance view of the security status and health of your device. These insights help you identify issues and take action to make sure you’re protected. You can quickly see the status of your virus and threat protection, firewall and network security, device security controls, and more.

      Learn more about the [Windows Security app](threat-protection/windows-defender-security-center/windows-defender-security-center.md).| +| Encryption and data protection | Wherever confidential data is stored, it must be protected against unauthorized access, whether through physical device theft or from malicious applications. Windows provides strong at-rest data-protection solutions that guard against nefarious attackers.

      Learn more about [Encryption](encryption-data-protection.md). +| BitLocker | BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. BitLocker provides the most protection when used with a Trusted Platform Module (TPM) version 1.2 or later.

      Learn more about [BitLocker](information-protection/bitlocker/bitlocker-overview.md). | +| Encrypted Hard Drive | Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management.
      By offloading the cryptographic operations to hardware, Encrypted Hard Drives increase BitLocker performance and reduce CPU usage and power consumption. Because Encrypted Hard Drives encrypt data quickly, enterprise devices can expand BitLocker deployment with minimal impact on productivity.

      Learn more about [Encrypted Hard Drives](information-protection/encrypted-hard-drive.md).

      | +| Security baselines | A security baseline is a group of Microsoft-recommended configuration settings that explains their security impact. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers.

      Security baselines are included in the [Security Compliance Toolkit](threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md) that you can download from the Microsoft Download Center.

      Learn more about [security baselines](threat-protection/windows-security-configuration-framework/windows-security-baselines.md). | +| Virtual Private Network | Virtual private networks (VPNs) are point-to-point connections across a private or public network, such as the Internet. A VPN client uses special TCP/IP or UDP-based protocols, called tunneling protocols, to make a virtual call to a virtual port on a VPN server.

      Learn more about [Virtual Private Networks](identity-protection/vpn/vpn-guide.md).

      | +| Windows Defender Firewall | Windows Defender Firewall is a stateful host firewall that helps secure the device by allowing you to create rules that determine which network traffic is permitted to enter the device from the network and which network traffic the device is allowed to send to the network. Windows Defender Firewall also supports Internet Protocol security (IPsec), which you can use to require authentication from any device that is attempting to communicate with your device.

      Learn more about [Windows Defender Firewall with advanced security](threat-protection/windows-firewall/windows-firewall-with-advanced-security.md).

      +| Antivirus & antimalware protection | Microsoft Defender Antivirus is included in all versions of Windows 10, Windows Server 2016 and later, and Windows 11. If you have another antivirus app installed and turned on, Microsoft Defender Antivirus will turn off automatically. If you uninstall the other app, Microsoft Defender Antivirus will turn back on.

      From the moment you boot Windows, Microsoft Defender Antivirus continually monitors for malware, viruses, and security threats. Updates are downloaded automatically to help protect your device from threats. Microsoft Defender Antivirus continually scans for malware and threats, and also detects and blocks [potentially unwanted applications](/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus) (applications that can negatively impact your device even though they are not considered malware).

      Microsoft Defender Antivirus integrates with [cloud-delivered protection](/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus), which helps ensure near-instant detection and blocking of new and emerging threats.

      Learn more about [next-generation protection and Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows).| +| Attack surface reduction rules | Your attack surfaces are the places and ways you are vulnerable to a cyber attack. Attack surface reduction rules are built into Windows and Windows Server to prevent and block certain behaviors that are often abused to compromise your device or network. Such behaviors can include launching scripts or executables that attempt to download or run other files, running suspicious scripts, or performing other behaviors that apps don't typically initiate during normal work. You can configure your attack surface reduction rules to protect against these risky behaviors.

      Learn more about [Attack surface reduction rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction) | +| Anti-tampering protection | During cyber attacks (like ransomware attempts), bad actors attempt to disable security features, such as antivirus protection on targeted devices. Bad actors like to disable security features to get easier access to user’s data, to install malware, or to otherwise exploit user’s data, identity, and devices without fear of being blocked. Tamper protection helps prevent these kinds of activities.

      With tamper protection, malware is prevented from taking actions such as:
      - Disabling virus and threat protection
      - Disabling real-time protection
      - Turning off behavior monitoring
      - Disabling antivirus (such as IOfficeAntivirus (IOAV))
      - Disabling cloud-delivered protection
      - Removing security intelligence updates

      Learn more about [Tamper protection](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection). | +| Network protection | Network protection in Windows helps prevent users from accessing dangerous IP addresses and domains that may host phishing scams, exploits, and other malicious content on the Internet. Network protection is part of attack surface reduction and helps provide an extra layer of protection for a user. Using reputation-based services, network protection blocks access to potentially harmful, low-reputation based domains and IP addresses.

      In enterprise environments, network protection works best with [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/), which provides detailed reporting into protection events as part of larger investigation scenarios.

      Learn more about [Network protection](/microsoft-365/security/defender-endpoint/network-protection). | +| Controlled folder access | With controlled folder access, you can protect your valuable information in specific folders by managing apps’ access to specific folders. Only trusted apps can access protected folders, which are specified when controlled folder access is configured. Typically, commonly used folders, such as those used for documents, pictures, downloads, are included in the list of controlled folders. Controlled folder access helps protect valuable data from malicious apps and threats, such as ransomware.

      Learn more about [Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders). | +| Exploit protection | Exploit protection, available in Windows 10, version 1709 and later, automatically applies several exploit mitigation techniques to operating system processes and apps. Exploit protection works best with Microsoft Defender for Endpoint, which gives organizations detailed reporting into exploit protection events and blocks as part of typical alert investigation scenarios.

      You can enable exploit protection on an individual device, and then use Group Policy to distribute the XML file to multiple devices simultaneously. When a mitigation is encountered on the device, a notification will be displayed from the Action Center. You can customize the notification with your company details and contact information. You can also enable the rules individually to customize which techniques the feature monitors.

      Learn more about [Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection). | +| Microsoft Defender for Endpoint | Windows E5 customers benefit from [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint), an enterprise endpoint detection and response capability that helps enterprise security teams detect, investigate, and respond to advanced threats. With rich event data and attack insights, Defender for Endpoint enables your security team to investigate incidents and take remediation actions effectively and efficiently.

      Defender for Endpoint also is part of [Microsoft 365 Defender](/microsoft-365/security/defender/), a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks.

      Learn more about [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint) and [Microsoft 365 Defender](/microsoft-365/security/defender/). | + diff --git a/windows/security/security-foundations.md b/windows/security/security-foundations.md new file mode 100644 index 0000000000..0d118520fc --- /dev/null +++ b/windows/security/security-foundations.md @@ -0,0 +1,33 @@ +--- +title: Windows security foundations +description: Get an overview of security foundations, including the security development lifecycle, common criteria, and the bug bounty program. +ms.reviewer: +ms.topic: article +manager: dansimp +ms.author: deniseb +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: denisebmsft +ms.collection: M365-security-compliance +ms.prod: m365-security +ms.technology: windows-sec +--- + +# Windows security foundations + +Microsoft is committed to continuously invest in improving our software development process, building highly secure-by-design software, and addressing security compliance requirements. At Microsoft, we embed security and privacy considerations from the earliest life-cycle phases of all our software development processes. We build in security from the ground for powerful defense in today’s threat environment. + +Our strong security foundation uses Microsoft Security Development Lifecycle (SDL) Bug Bounty, support for product security standards and certifications, and Azure Code signing. As a result, we improve security by producing software with fewer defects and vulnerabilities instead of relying on applying updates after vulnerabilities have been identified. + +Use the links in the following table to learn more about the security foundations:

      + +| Concept | Description | +|:---|:---| +| FIPS 140-2 Validation | The Federal Information Processing Standard (FIPS) Publication 140-2 is a U.S. government standard. FIPS is based on Section 5131 of the Information Technology Management Reform Act of 1996. It defines the minimum security requirements for cryptographic modules in IT products. Microsoft maintains an active commitment to meeting the requirements of the FIPS 140-2 standard, having validated cryptographic modules against it since it was first established in 2001.

      Learn more about [FIPS 140-2 Validation](threat-protection/fips-140-validation.md). | +| Common Criteria Certifications | Microsoft supports the Common Criteria certification program, ensures that products incorporate the features and functions required by relevant Common Criteria Protection Profiles, and completes Common Criteria certifications of Microsoft Windows products.

      Learn more about [Common Criteria Certifications](threat-protection/windows-platform-common-criteria.md). | +| Microsoft Security Development Lifecycle | The Security Development Lifecycle (SDL) is a security assurance process that is focused on software development. The SDL has played a critical role in embedding security and privacy in software and culture at Microsoft.

      Learn more about [Microsoft SDL](threat-protection/msft-security-dev-lifecycle.md).| +| Microsoft Bug Bounty Program | If you find a vulnerability in a Microsoft product, service, or device, we want to hear from you! If your vulnerability report affects a product or service that is within scope of one of our bounty programs below, you could receive a bounty award according to the program descriptions.

      Learn more about the [Microsoft Bug Bounty Program](https://www.microsoft.com/en-us/msrc/bounty?rtc=1). | + + + diff --git a/windows/security/threat-protection/TOC.yml b/windows/security/threat-protection/TOC.yml deleted file mode 100644 index ae12fde723..0000000000 --- a/windows/security/threat-protection/TOC.yml +++ /dev/null @@ -1,1410 +0,0 @@ -- name: Threat protection - href: index.md - items: - - name: Next-generation protection with Microsoft Defender Antivirus - items: - - name: Microsoft Defender Antivirus overview - href: /microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10 - - name: Evaluate Microsoft Defender Antivirus - href: /microsoft-365/security/defender-endpoint/evaluate-microsoft-defender-antivirus - - name: Configure Microsoft Defender Antivirus - items: - - name: Configure Microsoft Defender Antivirus features - href: /microsoft-365/security/defender-endpoint/configure-microsoft-defender-antivirus-features - - name: Use Microsoft cloud-delivered protection - href: /microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus - items: - - name: Prevent security settings changes with tamper protection - href: /microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection - - name: Enable Block at first sight - href: /microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus - - name: Configure the cloud block timeout period - href: /microsoft-365/security/defender-endpoint/configure-cloud-block-timeout-period-microsoft-defender-antivirus - - name: Configure behavioral, heuristic, and real-time protection - items: - - name: Configuration overview - href: /microsoft-365/security/defender-endpoint/configure-protection-features-microsoft-defender-antivirus - - name: Detect and block Potentially Unwanted Applications - href: /microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus - - name: Enable and configure always-on protection and monitoring - href: /microsoft-365/security/defender-endpoint/configure-real-time-protection-microsoft-defender-antivirus - - name: Antivirus on Windows Server - href: /microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-on-windows-server - - name: Antivirus compatibility - items: - - name: Compatibility charts - href: /microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility - - name: Use limited periodic antivirus scanning - href: /microsoft-365/security/defender-endpoint/limited-periodic-scanning-microsoft-defender-antivirus - - name: Manage Microsoft Defender Antivirus in your business - items: - - name: Management overview - href: /microsoft-365/security/defender-endpoint/configuration-management-reference-microsoft-defender-antivirus - - name: Use Microsoft Intune and Microsoft Endpoint Manager to manage Microsoft Defender Antivirus - href: /microsoft-365/security/defender-endpoint/use-intune-config-manager-microsoft-defender-antivirus - - name: Use Group Policy settings to manage Microsoft Defender Antivirus - href: /microsoft-365/security/defender-endpoint/use-group-policy-microsoft-defender-antivirus - - name: Use PowerShell cmdlets to manage Microsoft Defender Antivirus - href: /microsoft-365/security/defender-endpoint/use-powershell-cmdlets-microsoft-defender-antivirus - - name: Use Windows Management Instrumentation (WMI) to manage Microsoft Defender Antivirus - href: /microsoft-365/security/defender-endpoint/use-wmi-microsoft-defender-antivirus - - name: Use the mpcmdrun.exe command line tool to manage Microsoft Defender Antivirus - href: /microsoft-365/security/defender-endpoint/command-line-arguments-microsoft-defender-antivirus - - name: Deploy, manage updates, and report on Microsoft Defender Antivirus - items: - - name: Preparing to deploy - href: /microsoft-365/security/defender-endpoint/deploy-manage-report-microsoft-defender-antivirus - - name: Deploy and enable Microsoft Defender Antivirus - href: /microsoft-365/security/defender-endpoint/deploy-microsoft-defender-antivirus - - name: Deployment guide for VDI environments - href: /microsoft-365/security/defender-endpoint/deployment-vdi-microsoft-defender-antivirus - - name: Report on antivirus protection - - name: Review protection status and alerts - href: /microsoft-365/security/defender-endpoint/report-monitor-microsoft-defender-antivirus - - name: Troubleshoot antivirus reporting in Update Compliance - href: /microsoft-365/security/defender-endpoint/troubleshoot-reporting - - name: Learn about the recent updates - href: /microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus - - name: Manage protection and security intelligence updates - href: /microsoft-365/security/defender-endpoint/manage-protection-updates-microsoft-defender-antivirus - - name: Manage when protection updates should be downloaded and applied - href: /microsoft-365/security/defender-endpoint/manage-protection-update-schedule-microsoft-defender-antivirus - - name: Manage updates for endpoints that are out of date - href: /microsoft-365/security/defender-endpoint/manage-outdated-endpoints-microsoft-defender-antivirus - - name: Manage event-based forced updates - href: /microsoft-365/security/defender-endpoint/manage-event-based-updates-microsoft-defender-antivirus - - name: Manage updates for mobile devices and VMs - href: /microsoft-365/security/defender-endpoint/manage-updates-mobile-devices-vms-microsoft-defender-antivirus - - name: Customize, initiate, and review the results of scans and remediation - items: - - name: Configuration overview - href: /microsoft-365/security/defender-endpoint/customize-run-review-remediate-scans-microsoft-defender-antivirus - - name: Configure and validate exclusions in antivirus scans - href: /microsoft-365/security/defender-endpoint/configure-exclusions-microsoft-defender-antivirus - - name: Configure and validate exclusions based on file name, extension, and folder location - href: /microsoft-365/security/defender-endpoint/configure-extension-file-exclusions-microsoft-defender-antivirus - - name: Configure and validate exclusions for files opened by processes - href: /microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus - - name: Configure antivirus exclusions Windows Server - href: /microsoft-365/security/defender-endpoint/configure-server-exclusions-microsoft-defender-antivirus - - name: Common mistakes when defining exclusions - href: /microsoft-365/security/defender-endpoint/common-exclusion-mistakes-microsoft-defender-antivirus - - name: Configure scanning antivirus options - href: /microsoft-365/security/defender-endpoint/configure-advanced-scan-types-microsoft-defender-antivirus - - name: Configure remediation for scans - href: /microsoft-365/security/defender-endpoint/configure-remediation-microsoft-defender-antivirus - - name: Configure scheduled scans - href: /microsoft-365/security/defender-endpoint/scheduled-catch-up-scans-microsoft-defender-antivirus - - name: Configure and run scans - href: /microsoft-365/security/defender-endpoint/run-scan-microsoft-defender-antivirus - - name: Review scan results - href: /microsoft-365/security/defender-endpoint/review-scan-results-microsoft-defender-antivirus - - name: Run and review the results of an offline scan - href: /microsoft-365/security/defender-endpoint//microsoft-defender-offline - - name: Restore quarantined files - href: /microsoft-365/security/defender-endpoint/restore-quarantined-files-microsoft-defender-antivirus - - name: Manage scans and remediation - items: - - name: Management overview - href: /microsoft-365/security/defender-endpoint/customize-run-review-remediate-scans-microsoft-defender-antivirus - - name: Configure and validate exclusions in antivirus scans - - name: Exclusions overview - href: /microsoft-365/security/defender-endpoint/configure-exclusions-microsoft-defender-antivirus - - name: Configure and validate exclusions based on file name, extension, and folder location - href: /microsoft-365/security/defender-endpoint/configure-extension-file-exclusions-microsoft-defender-antivirus - - name: Configure and validate exclusions for files opened by processes - href: /microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus - - name: Configure antivirus exclusions on Windows Server - href: /microsoft-365/security/defender-endpoint/configure-server-exclusions-microsoft-defender-antivirus - - name: Configure scanning options - href: /microsoft-365/security/defender-endpoint/configure-advanced-scan-types-microsoft-defender-antivirus - - name: Configure remediation for scans - href: /microsoft-365/security/defender-endpoint/configure-remediation-microsoft-defender-antivirus - items: - - name: Configure scheduled scans - href: /microsoft-365/security/defender-endpoint/scheduled-catch-up-scans-microsoft-defender-antivirus - - name: Configure and run scans - href: /microsoft-365/security/defender-endpoint/run-scan-microsoft-defender-antivirus - - name: Review scan results - href: /microsoft-365/security/defender-endpoint/review-scan-results-microsoft-defender-antivirus - - name: Run and review the results of an offline scan - href: /microsoft-365/security/defender-endpoint/microsoft-defender-offline - - name: Restore quarantined files - href: /microsoft-365/security/defender-endpoint/restore-quarantined-files-microsoft-defender-antivirus - - name: Troubleshoot Microsoft Defender Antivirus - items: - - name: Troubleshoot Microsoft Defender Antivirus issues - href: /microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus - - name: Troubleshoot Microsoft Defender Antivirus migration issues - href: /microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus-when-migrating - - name: "Better together: Microsoft Defender Antivirus and Microsoft Defender for Endpoint" - href: /microsoft-365/security/defender-endpoint/why-use-microsoft-defender-antivirus - - name: "Better together: Microsoft Defender Antivirus and Office 365" - href: /microsoft-365/security/defender-endpoint/office-365-microsoft-defender-antivirus - - name: Hardware-based isolation - items: - - name: Hardware-based isolation evaluation - href: microsoft-defender-application-guard/test-scenarios-md-app-guard.md - - name: Application isolation - items: - - name: Application guard overview - href: microsoft-defender-application-guard/md-app-guard-overview.md - - name: System requirements - href: microsoft-defender-application-guard/reqs-md-app-guard.md - - name: Install Microsoft Defender Application Guard - href: microsoft-defender-application-guard/install-md-app-guard.md - - name: Install Microsoft Defender Application Guard Extension - href: microsoft-defender-application-guard/md-app-guard-browser-extension.md - - name: Application control - href: windows-defender-application-control/windows-defender-application-control.md - items: - - name: Audit Application control policies - href: windows-defender-application-control/audit-windows-defender-application-control-policies.md - - name: System isolation - href: windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md - - name: System integrity - href: windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md - - name: Code integrity - href: device-guard/enable-virtualization-based-protection-of-code-integrity.md - - name: Network firewall - items: - - name: Network firewall overview - href: windows-firewall/windows-firewall-with-advanced-security.md - - name: Network firewall evaluation - href: windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md - - name: Security intelligence - href: intelligence/index.md - items: - - name: Understand malware & other threats - href: intelligence/understanding-malware.md - items: - - name: Prevent malware infection - href: intelligence/prevent-malware-infection.md - - name: Malware names - href: intelligence/malware-naming.md - - name: Coin miners - href: intelligence/coinminer-malware.md - - name: Exploits and exploit kits - href: intelligence/exploits-malware.md - - name: Fileless threats - href: intelligence/fileless-threats.md - - name: Macro malware - href: intelligence/macro-malware.md - - name: Phishing - href: intelligence/phishing.md - - name: Ransomware - href: /security/compass/human-operated-ransomware - - name: Rootkits - href: intelligence/rootkits-malware.md - - name: Supply chain attacks - href: intelligence/supply-chain-malware.md - - name: Tech support scams - href: intelligence/support-scams.md - - name: Trojans - href: intelligence/trojans-malware.md - - name: Unwanted software - href: intelligence/unwanted-software.md - - name: Worms - href: intelligence/worms-malware.md - - name: How Microsoft identifies malware and PUA - href: intelligence/criteria.md - - name: Submit files for analysis - href: intelligence/submission-guide.md - - name: Safety Scanner download - href: intelligence/safety-scanner-download.md - - name: Industry collaboration programs - href: intelligence/cybersecurity-industry-partners.md - items: - - name: Virus information alliance - href: intelligence/virus-information-alliance-criteria.md - - name: Microsoft virus initiative - href: intelligence/virus-initiative-criteria.md - - name: Coordinated malware eradication - href: intelligence/coordinated-malware-eradication.md - - name: Information for developers - items: - - name: Software developer FAQ - href: intelligence/developer-faq.yml - - name: Software developer resources - href: intelligence/developer-resources.md - - name: The Windows Security app - href: windows-defender-security-center/windows-defender-security-center.md - items: - - name: Customize the Windows Security app for your organization - href: windows-defender-security-center/wdsc-customize-contact-information.md - - name: Hide Windows Security app notifications - href: windows-defender-security-center/wdsc-hide-notifications.md - - name: Manage Windows Security app in Windows 10 in S mode - href: windows-defender-security-center/wdsc-windows-10-in-s-mode.md - - name: Virus and threat protection - href: windows-defender-security-center/wdsc-virus-threat-protection.md - - name: Account protection - href: windows-defender-security-center/wdsc-account-protection.md - - name: Firewall and network protection - href: windows-defender-security-center/wdsc-firewall-network-protection.md - - name: App and browser control - href: windows-defender-security-center/wdsc-app-browser-control.md - - name: Device security - href: windows-defender-security-center/wdsc-device-security.md - - name: Device performance and health - href: windows-defender-security-center/wdsc-device-performance-health.md - items: - - name: Family options - href: windows-defender-security-center/wdsc-family-options.md - - name: Microsoft Defender SmartScreen - href: microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md - items: - - name: Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings - href: microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md - - name: Set up and use Microsoft Defender SmartScreen on individual devices - href: microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md - - name: Windows Sandbox - href: windows-sandbox/windows-sandbox-overview.md - items: - - name: Windows Sandbox architecture - href: windows-sandbox/windows-sandbox-architecture.md - - name: Windows Sandbox configuration - href: windows-sandbox/windows-sandbox-configure-using-wsb-file.md - - name: "Windows Defender Application Control and virtualization-based protection of code integrity" - href: device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md - - name: Windows Certifications - items: - - name: FIPS 140 Validations - href: fips-140-validation.md - - name: Common Criteria Certifications - href: windows-platform-common-criteria.md - - name: More Windows 10 security - items: - - name: Control the health of Windows 10-based devices - href: protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md - - name: Mitigate threats by using Windows 10 security features - href: overview-of-threat-mitigations-in-windows-10.md - - name: Override Process Mitigation Options to help enforce app-related security policies - href: override-mitigation-options-for-app-related-security-policies.md - - name: Use Windows Event Forwarding to help with intrusion detection - href: use-windows-event-forwarding-to-assist-in-intrusion-detection.md - - name: Block untrusted fonts in an enterprise - href: block-untrusted-fonts-in-enterprise.md - - name: Security auditing - href: auditing/security-auditing-overview.md - items: - - name: Basic security audit policies - href: auditing/basic-security-audit-policies.md - items: - - name: Create a basic audit policy for an event category - href: auditing/create-a-basic-audit-policy-settings-for-an-event-category.md - - name: Apply a basic audit policy on a file or folder - href: auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md - - name: View the security event log - href: auditing/view-the-security-event-log.md - - name: Basic security audit policy settings - href: auditing/basic-security-audit-policy-settings.md - items: - - name: Audit account logon events - href: auditing/basic-audit-account-logon-events.md - - name: Audit account management - href: auditing/basic-audit-account-management.md - - name: Audit directory service access - href: auditing/basic-audit-directory-service-access.md - - name: Audit logon events - href: auditing/basic-audit-logon-events.md - - name: Audit object access - href: auditing/basic-audit-object-access.md - - name: Audit policy change - href: auditing/basic-audit-policy-change.md - - name: Audit privilege use - href: auditing/basic-audit-privilege-use.md - - name: Audit process tracking - href: auditing/basic-audit-process-tracking.md - - name: Audit system events - href: auditing/basic-audit-system-events.md - - name: Advanced security audit policies - href: auditing/advanced-security-auditing.md - items: - - name: Planning and deploying advanced security audit policies - href: auditing/planning-and-deploying-advanced-security-audit-policies.md - - name: Advanced security auditing FAQ - href: auditing/advanced-security-auditing-faq.yml - items: - - name: Which editions of Windows support advanced audit policy configuration - href: auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md - - name: How to list XML elements in \ - href: auditing/how-to-list-xml-elements-in-eventdata.md - - name: Using advanced security auditing options to monitor dynamic access control objects - href: auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md - items: - - name: Monitor the central access policies that apply on a file server - href: auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md - - name: Monitor the use of removable storage devices - href: auditing/monitor-the-use-of-removable-storage-devices.md - - name: Monitor resource attribute definitions - href: auditing/monitor-resource-attribute-definitions.md - - name: Monitor central access policy and rule definitions - href: auditing/monitor-central-access-policy-and-rule-definitions.md - - name: Monitor user and device claims during sign-in - href: auditing/monitor-user-and-device-claims-during-sign-in.md - - name: Monitor the resource attributes on files and folders - href: auditing/monitor-the-resource-attributes-on-files-and-folders.md - - name: Monitor the central access policies associated with files and folders - href: auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md - - name: Monitor claim types - href: auditing/monitor-claim-types.md - - name: Advanced security audit policy settings - href: auditing/advanced-security-audit-policy-settings.md - items: - - name: Audit Credential Validation - href: auditing/audit-credential-validation.md - - name: "Event 4774 S, F: An account was mapped for logon." - href: auditing/event-4774.md - - name: "Event 4775 F: An account could not be mapped for logon." - href: auditing/event-4775.md - - name: "Event 4776 S, F: The computer attempted to validate the credentials for an account." - href: auditing/event-4776.md - - name: "Event 4777 F: The domain controller failed to validate the credentials for an account." - href: auditing/event-4777.md - - name: Audit Kerberos Authentication Service - href: auditing/audit-kerberos-authentication-service.md - items: - - name: "Event 4768 S, F: A Kerberos authentication ticket, TGT, was requested." - href: auditing/event-4768.md - - name: "Event 4771 F: Kerberos pre-authentication failed." - href: auditing/event-4771.md - - name: "Event 4772 F: A Kerberos authentication ticket request failed." - href: auditing/event-4772.md - - name: Audit Kerberos Service Ticket Operations - href: auditing/audit-kerberos-service-ticket-operations.md - items: - - name: "Event 4769 S, F: A Kerberos service ticket was requested." - href: auditing/event-4769.md - - name: "Event 4770 S: A Kerberos service ticket was renewed." - href: auditing/event-4770.md - - name: "Event 4773 F: A Kerberos service ticket request failed." - href: auditing/event-4773.md - - name: Audit Other Account Logon Events - href: auditing/audit-other-account-logon-events.md - - name: Audit Application Group Management - href: auditing/audit-application-group-management.md - - name: Audit Computer Account Management - href: auditing/audit-computer-account-management.md - items: - - name: "Event 4741 S: A computer account was created." - href: auditing/event-4741.md - - name: "Event 4742 S: A computer account was changed." - href: auditing/event-4742.md - - name: "Event 4743 S: A computer account was deleted." - href: auditing/event-4743.md - - name: Audit Distribution Group Management - href: auditing/audit-distribution-group-management.md - items: - - name: "Event 4749 S: A security-disabled global group was created." - href: auditing/event-4749.md - - name: "Event 4750 S: A security-disabled global group was changed." - href: auditing/event-4750.md - - name: "Event 4751 S: A member was added to a security-disabled global group." - href: auditing/event-4751.md - - name: "Event 4752 S: A member was removed from a security-disabled global group." - href: auditing/event-4752.md - - name: "Event 4753 S: A security-disabled global group was deleted." - href: auditing/event-4753.md - - name: Audit Other Account Management Events - href: auditing/audit-other-account-management-events.md - items: - - name: "Event 4782 S: The password hash of an account was accessed." - href: auditing/event-4782.md - - name: "Event 4793 S: The Password Policy Checking API was called." - href: auditing/event-4793.md - - name: Audit Security Group Management - href: auditing/audit-security-group-management.md - items: - - name: "Event 4731 S: A security-enabled local group was created." - href: auditing/event-4731.md - - name: "Event 4732 S: A member was added to a security-enabled local group." - href: auditing/event-4732.md - - name: "Event 4733 S: A member was removed from a security-enabled local group." - href: auditing/event-4733.md - - name: "Event 4734 S: A security-enabled local group was deleted." - href: auditing/event-4734.md - - name: "Event 4735 S: A security-enabled local group was changed." - href: auditing/event-4735.md - - name: "Event 4764 S: A group�s type was changed." - href: auditing/event-4764.md - - name: "Event 4799 S: A security-enabled local group membership was enumerated." - href: auditing/event-4799.md - - name: Audit User Account Management - href: auditing/audit-user-account-management.md - items: - - name: "Event 4720 S: A user account was created." - href: auditing/event-4720.md - - name: "Event 4722 S: A user account was enabled." - href: auditing/event-4722.md - - name: "Event 4723 S, F: An attempt was made to change an account's password." - href: auditing/event-4723.md - - name: "Event 4724 S, F: An attempt was made to reset an account's password." - href: auditing/event-4724.md - - name: "Event 4725 S: A user account was disabled." - href: auditing/event-4725.md - - name: "Event 4726 S: A user account was deleted." - href: auditing/event-4726.md - - name: "Event 4738 S: A user account was changed." - href: auditing/event-4738.md - - name: "Event 4740 S: A user account was locked out." - href: auditing/event-4740.md - - name: "Event 4765 S: SID History was added to an account." - href: auditing/event-4765.md - - name: "Event 4766 F: An attempt to add SID History to an account failed." - href: auditing/event-4766.md - - name: "Event 4767 S: A user account was unlocked." - href: auditing/event-4767.md - - name: "Event 4780 S: The ACL was set on accounts that are members of administrators groups." - href: auditing/event-4780.md - - name: "Event 4781 S: The name of an account was changed." - href: auditing/event-4781.md - - name: "Event 4794 S, F: An attempt was made to set the Directory Services Restore Mode administrator password." - href: auditing/event-4794.md - - name: "Event 4798 S: A user's local group membership was enumerated." - href: auditing/event-4798.md - - name: "Event 5376 S: Credential Manager credentials were backed up." - href: auditing/event-5376.md - - name: "Event 5377 S: Credential Manager credentials were restored from a backup." - href: auditing/event-5377.md - - name: Audit DPAPI Activity - href: auditing/audit-dpapi-activity.md - items: - - name: "Event 4692 S, F: Backup of data protection master key was attempted." - href: auditing/event-4692.md - - name: "Event 4693 S, F: Recovery of data protection master key was attempted." - href: auditing/event-4693.md - - name: "Event 4694 S, F: Protection of auditable protected data was attempted." - href: auditing/event-4694.md - - name: "Event 4695 S, F: Unprotection of auditable protected data was attempted." - href: auditing/event-4695.md - - name: Audit PNP Activity - href: auditing/audit-pnp-activity.md - items: - - name: "Event 6416 S: A new external device was recognized by the System." - href: auditing/event-6416.md - - name: "Event 6419 S: A request was made to disable a device." - href: auditing/event-6419.md - - name: "Event 6420 S: A device was disabled." - href: auditing/event-6420.md - - name: "Event 6421 S: A request was made to enable a device." - href: auditing/event-6421.md - - name: "Event 6422 S: A device was enabled." - href: auditing/event-6422.md - - name: "Event 6423 S: The installation of this device is forbidden by system policy." - href: auditing/event-6423.md - - name: "Event 6424 S: The installation of this device was allowed, after having previously been forbidden by policy." - href: auditing/event-6424.md - - name: Audit Process Creation - href: auditing/audit-process-creation.md - items: - - name: "Event 4688 S: A new process has been created." - href: auditing/event-4688.md - - name: "Event 4696 S: A primary token was assigned to process." - href: auditing/event-4696.md - - name: Audit Process Termination - href: auditing/audit-process-termination.md - items: - - name: "Event 4689 S: A process has exited." - href: auditing/event-4689.md - - name: Audit RPC Events - href: auditing/audit-rpc-events.md - items: - - name: "Event 5712 S: A Remote Procedure Call, RPC, was attempted." - href: auditing/event-5712.md - - name: Audit Token Right Adjusted - href: auditing/audit-token-right-adjusted.md - items: - - name: "Event 4703 S: A user right was adjusted." - href: auditing/event-4703.md - - name: Audit Detailed Directory Service Replication - href: auditing/audit-detailed-directory-service-replication.md - items: - - name: "Event 4928 S, F: An Active Directory replica source naming context was established." - href: auditing/event-4928.md - - name: "Event 4929 S, F: An Active Directory replica source naming context was removed." - href: auditing/event-4929.md - - name: "Event 4930 S, F: An Active Directory replica source naming context was modified." - href: auditing/event-4930.md - - name: "Event 4931 S, F: An Active Directory replica destination naming context was modified." - href: auditing/event-4931.md - - name: "Event 4934 S: Attributes of an Active Directory object were replicated." - href: auditing/event-4934.md - - name: "Event 4935 F: Replication failure begins." - href: auditing/event-4935.md - - name: "Event 4936 S: Replication failure ends." - href: auditing/event-4936.md - - name: "Event 4937 S: A lingering object was removed from a replica." - href: auditing/event-4937.md - - name: Audit Directory Service Access - href: auditing/audit-directory-service-access.md - items: - - name: "Event 4662 S, F: An operation was performed on an object." - href: auditing/event-4662.md - - name: "Event 4661 S, F: A handle to an object was requested." - href: auditing/event-4661.md - - name: Audit Directory Service Changes - href: auditing/audit-directory-service-changes.md - items: - - name: "Event 5136 S: A directory service object was modified." - href: auditing/event-5136.md - - name: "Event 5137 S: A directory service object was created." - href: auditing/event-5137.md - - name: "Event 5138 S: A directory service object was undeleted." - href: auditing/event-5138.md - - name: "Event 5139 S: A directory service object was moved." - href: auditing/event-5139.md - - name: "Event 5141 S: A directory service object was deleted." - href: auditing/event-5141.md - - name: Audit Directory Service Replication - href: auditing/audit-directory-service-replication.md - items: - - name: "Event 4932 S: Synchronization of a replica of an Active Directory naming context has begun." - href: auditing/event-4932.md - - name: "Event 4933 S, F: Synchronization of a replica of an Active Directory naming context has ended." - href: auditing/event-4933.md - - name: Audit Account Lockout - href: auditing/audit-account-lockout.md - items: - - name: "Event 4625 F: An account failed to log on." - href: auditing/event-4625.md - - name: Audit User/Device Claims - href: auditing/audit-user-device-claims.md - items: - - name: "Event 4626 S: User/Device claims information." - href: auditing/event-4626.md - - name: Audit Group Membership - href: auditing/audit-group-membership.md - items: - - name: "Event 4627 S: Group membership information." - href: auditing/event-4627.md - - name: Audit IPsec Extended Mode - href: auditing/audit-ipsec-extended-mode.md - - name: Audit IPsec Main Mode - href: auditing/audit-ipsec-main-mode.md - - name: Audit IPsec Quick Mode - href: auditing/audit-ipsec-quick-mode.md - - name: Audit Logoff - href: auditing/audit-logoff.md - items: - - name: "Event 4634 S: An account was logged off." - href: auditing/event-4634.md - - name: "Event 4647 S: User initiated logoff." - href: auditing/event-4647.md - - name: Audit Logon - href: auditing/audit-logon.md - items: - - name: "Event 4624 S: An account was successfully logged on." - href: auditing/event-4624.md - - name: "Event 4625 F: An account failed to log on." - href: auditing/event-4625.md - - name: "Event 4648 S: A logon was attempted using explicit credentials." - href: auditing/event-4648.md - - name: "Event 4675 S: SIDs were filtered." - href: auditing/event-4675.md - - name: Audit Network Policy Server - href: auditing/audit-network-policy-server.md - - name: Audit Other Logon/Logoff Events - href: auditing/audit-other-logonlogoff-events.md - items: - - name: "Event 4649 S: A replay attack was detected." - href: auditing/event-4649.md - - name: "Event 4778 S: A session was reconnected to a Window Station." - href: auditing/event-4778.md - - name: "Event 4779 S: A session was disconnected from a Window Station." - href: auditing/event-4779.md - - name: "Event 4800 S: The workstation was locked." - href: auditing/event-4800.md - - name: "Event 4801 S: The workstation was unlocked." - href: auditing/event-4801.md - - name: "Event 4802 S: The screen saver was invoked." - href: auditing/event-4802.md - - name: "Event 4803 S: The screen saver was dismissed." - href: auditing/event-4803.md - - name: "Event 5378 F: The requested credentials delegation was disallowed by policy." - href: auditing/event-5378.md - - name: "Event 5632 S, F: A request was made to authenticate to a wireless network." - href: auditing/event-5632.md - - name: "Event 5633 S, F: A request was made to authenticate to a wired network." - href: auditing/event-5633.md - - name: Audit Special Logon - href: auditing/audit-special-logon.md - items: - - name: "Event 4964 S: Special groups have been assigned to a new logon." - href: auditing/event-4964.md - - name: "Event 4672 S: Special privileges assigned to new logon." - href: auditing/event-4672.md - - name: Audit Application Generated - href: auditing/audit-application-generated.md - - name: Audit Certification Services - href: auditing/audit-certification-services.md - - name: Audit Detailed File Share - href: auditing/audit-detailed-file-share.md - items: - - name: "Event 5145 S, F: A network share object was checked to see whether client can be granted desired access." - href: auditing/event-5145.md - - name: Audit File Share - href: auditing/audit-file-share.md - items: - - name: "Event 5140 S, F: A network share object was accessed." - href: auditing/event-5140.md - - name: "Event 5142 S: A network share object was added." - href: auditing/event-5142.md - - name: "Event 5143 S: A network share object was modified." - href: auditing/event-5143.md - - name: "Event 5144 S: A network share object was deleted." - href: auditing/event-5144.md - - name: "Event 5168 F: SPN check for SMB/SMB2 failed." - href: auditing/event-5168.md - - name: Audit File System - href: auditing/audit-file-system.md - items: - - name: "Event 4656 S, F: A handle to an object was requested." - href: auditing/event-4656.md - - name: "Event 4658 S: The handle to an object was closed." - href: auditing/event-4658.md - - name: "Event 4660 S: An object was deleted." - href: auditing/event-4660.md - - name: "Event 4663 S: An attempt was made to access an object." - href: auditing/event-4663.md - - name: "Event 4664 S: An attempt was made to create a hard link." - href: auditing/event-4664.md - - name: "Event 4985 S: The state of a transaction has changed." - href: auditing/event-4985.md - - name: "Event 5051: A file was virtualized." - href: auditing/event-5051.md - - name: "Event 4670 S: Permissions on an object were changed." - href: auditing/event-4670.md - - name: Audit Filtering Platform Connection - href: auditing/audit-filtering-platform-connection.md - items: - - name: "Event 5031 F: The Windows Firewall Service blocked an application from accepting incoming connections on the network." - href: auditing/event-5031.md - - name: "Event 5150: The Windows Filtering Platform blocked a packet." - href: auditing/event-5150.md - - name: "Event 5151: A more restrictive Windows Filtering Platform filter has blocked a packet." - href: auditing/event-5151.md - - name: "Event 5154 S: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections." - href: auditing/event-5154.md - - name: "Event 5155 F: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections." - href: auditing/event-5155.md - - name: "Event 5156 S: The Windows Filtering Platform has permitted a connection." - href: auditing/event-5156.md - - name: "Event 5157 F: The Windows Filtering Platform has blocked a connection." - href: auditing/event-5157.md - - name: "Event 5158 S: The Windows Filtering Platform has permitted a bind to a local port." - href: auditing/event-5158.md - - name: "Event 5159 F: The Windows Filtering Platform has blocked a bind to a local port." - href: auditing/event-5159.md - - name: Audit Filtering Platform Packet Drop - href: auditing/audit-filtering-platform-packet-drop.md - items: - - name: "Event 5152 F: The Windows Filtering Platform blocked a packet." - href: auditing/event-5152.md - - name: "Event 5153 S: A more restrictive Windows Filtering Platform filter has blocked a packet." - href: auditing/event-5153.md - - name: Audit Handle Manipulation - href: auditing/audit-handle-manipulation.md - items: - - name: "Event 4690 S: An attempt was made to duplicate a handle to an object." - href: auditing/event-4690.md - - name: Audit Kernel Object - href: auditing/audit-kernel-object.md - items: - - name: "Event 4656 S, F: A handle to an object was requested." - href: auditing/event-4656.md - - name: "Event 4658 S: The handle to an object was closed." - href: auditing/event-4658.md - - name: "Event 4660 S: An object was deleted." - href: auditing/event-4660.md - - name: "Event 4663 S: An attempt was made to access an object." - href: auditing/event-4663.md - - name: Audit Other Object Access Events - href: auditing/audit-other-object-access-events.md - items: - - name: "Event 4671: An application attempted to access a blocked ordinal through the TBS." - href: auditing/event-4671.md - - name: "Event 4691 S: Indirect access to an object was requested." - href: auditing/event-4691.md - - name: "Event 5148 F: The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded." - href: auditing/event-5148.md - - name: "Event 5149 F: The DoS attack has subsided and normal processing is being resumed." - href: auditing/event-5149.md - - name: "Event 4698 S: A scheduled task was created." - href: auditing/event-4698.md - - name: "Event 4699 S: A scheduled task was deleted." - href: auditing/event-4699.md - - name: "Event 4700 S: A scheduled task was enabled." - href: auditing/event-4700.md - - name: "Event 4701 S: A scheduled task was disabled." - href: auditing/event-4701.md - - name: "Event 4702 S: A scheduled task was updated." - href: auditing/event-4702.md - - name: "Event 5888 S: An object in the COM+ Catalog was modified." - href: auditing/event-5888.md - - name: "Event 5889 S: An object was deleted from the COM+ Catalog." - href: auditing/event-5889.md - - name: "Event 5890 S: An object was added to the COM+ Catalog." - href: auditing/event-5890.md - - name: Audit Registry - href: auditing/audit-registry.md - items: - - name: "Event 4663 S: An attempt was made to access an object." - href: auditing/event-4663.md - - name: "Event 4656 S, F: A handle to an object was requested." - href: auditing/event-4656.md - - name: "Event 4658 S: The handle to an object was closed." - href: auditing/event-4658.md - - name: "Event 4660 S: An object was deleted." - href: auditing/event-4660.md - - name: "Event 4657 S: A registry value was modified." - href: auditing/event-4657.md - - name: "Event 5039: A registry key was virtualized." - href: auditing/event-5039.md - - name: "Event 4670 S: Permissions on an object were changed." - href: auditing/event-4670.md - - name: Audit Removable Storage - href: auditing/audit-removable-storage.md - - name: Audit SAM - href: auditing/audit-sam.md - items: - - name: "Event 4661 S, F: A handle to an object was requested." - href: auditing/event-4661.md - - name: Audit Central Access Policy Staging - href: auditing/audit-central-access-policy-staging.md - items: - - name: "Event 4818 S: Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy." - href: auditing/event-4818.md - - name: Audit Audit Policy Change - href: auditing/audit-audit-policy-change.md - items: - - name: "Event 4670 S: Permissions on an object were changed." - href: auditing/event-4670.md - - name: "Event 4715 S: The audit policy, SACL, on an object was changed." - href: auditing/event-4715.md - - name: "Event 4719 S: System audit policy was changed." - href: auditing/event-4719.md - - name: "Event 4817 S: Auditing settings on object were changed." - href: auditing/event-4817.md - - name: "Event 4902 S: The Per-user audit policy table was created." - href: auditing/event-4902.md - - name: "Event 4906 S: The CrashOnAuditFail value has changed." - href: auditing/event-4906.md - - name: "Event 4907 S: Auditing settings on object were changed." - href: auditing/event-4907.md - - name: "Event 4908 S: Special Groups Logon table modified." - href: auditing/event-4908.md - - name: "Event 4912 S: Per User Audit Policy was changed." - href: auditing/event-4912.md - - name: "Event 4904 S: An attempt was made to register a security event source." - href: auditing/event-4904.md - - name: "Event 4905 S: An attempt was made to unregister a security event source." - href: auditing/event-4905.md - - name: Audit Authentication Policy Change - href: auditing/audit-authentication-policy-change.md - items: - - name: "Event 4706 S: A new trust was created to a domain." - href: auditing/event-4706.md - - name: "Event 4707 S: A trust to a domain was removed." - href: auditing/event-4707.md - - name: "Event 4716 S: Trusted domain information was modified." - href: auditing/event-4716.md - - name: "Event 4713 S: Kerberos policy was changed." - href: auditing/event-4713.md - - name: "Event 4717 S: System security access was granted to an account." - href: auditing/event-4717.md - - name: "Event 4718 S: System security access was removed from an account." - href: auditing/event-4718.md - - name: "Event 4739 S: Domain Policy was changed." - href: auditing/event-4739.md - - name: "Event 4864 S: A namespace collision was detected." - href: auditing/event-4864.md - - name: "Event 4865 S: A trusted forest information entry was added." - href: auditing/event-4865.md - - name: "Event 4866 S: A trusted forest information entry was removed." - href: auditing/event-4866.md - - name: "Event 4867 S: A trusted forest information entry was modified." - href: auditing/event-4867.md - - name: Audit Authorization Policy Change - href: auditing/audit-authorization-policy-change.md - items: - - name: "Event 4703 S: A user right was adjusted." - href: auditing/event-4703.md - - name: "Event 4704 S: A user right was assigned." - href: auditing/event-4704.md - - name: "Event 4705 S: A user right was removed." - href: auditing/event-4705.md - - name: "Event 4670 S: Permissions on an object were changed." - href: auditing/event-4670.md - - name: "Event 4911 S: Resource attributes of the object were changed." - href: auditing/event-4911.md - - name: "Event 4913 S: Central Access Policy on the object was changed." - href: auditing/event-4913.md - - name: Audit Filtering Platform Policy Change - href: auditing/audit-filtering-platform-policy-change.md - - name: Audit MPSSVC Rule-Level Policy Change - href: auditing/audit-mpssvc-rule-level-policy-change.md - items: - - name: "Event 4944 S: The following policy was active when the Windows Firewall started." - href: auditing/event-4944.md - - name: "Event 4945 S: A rule was listed when the Windows Firewall started." - href: auditing/event-4945.md - - name: "Event 4946 S: A change has been made to Windows Firewall exception list. A rule was added." - href: auditing/event-4946.md - - name: "Event 4947 S: A change has been made to Windows Firewall exception list. A rule was modified." - href: auditing/event-4947.md - - name: "Event 4948 S: A change has been made to Windows Firewall exception list. A rule was deleted." - href: auditing/event-4948.md - - name: "Event 4949 S: Windows Firewall settings were restored to the default values." - href: auditing/event-4949.md - - name: "Event 4950 S: A Windows Firewall setting has changed." - href: auditing/event-4950.md - - name: "Event 4951 F: A rule has been ignored because its major version number was not recognized by Windows Firewall." - href: auditing/event-4951.md - - name: "Event 4952 F: Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced." - href: auditing/event-4952.md - - name: "Event 4953 F: Windows Firewall ignored a rule because it could not be parsed." - href: auditing/event-4953.md - - name: "Event 4954 S: Windows Firewall Group Policy settings have changed. The new settings have been applied." - href: auditing/event-4954.md - - name: "Event 4956 S: Windows Firewall has changed the active profile." - href: auditing/event-4956.md - - name: "Event 4957 F: Windows Firewall did not apply the following rule." - href: auditing/event-4957.md - - name: "Event 4958 F: Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer." - href: auditing/event-4958.md - - name: Audit Other Policy Change Events - href: auditing/audit-other-policy-change-events.md - items: - - name: "Event 4714 S: Encrypted data recovery policy was changed." - href: auditing/event-4714.md - - name: "Event 4819 S: Central Access Policies on the machine have been changed." - href: auditing/event-4819.md - - name: "Event 4826 S: Boot Configuration Data loaded." - href: auditing/event-4826.md - - name: "Event 4909: The local policy settings for the TBS were changed." - href: auditing/event-4909.md - - name: "Event 4910: The group policy settings for the TBS were changed." - href: auditing/event-4910.md - - name: "Event 5063 S, F: A cryptographic provider operation was attempted." - href: auditing/event-5063.md - - name: "Event 5064 S, F: A cryptographic context operation was attempted." - href: auditing/event-5064.md - - name: "Event 5065 S, F: A cryptographic context modification was attempted." - href: auditing/event-5065.md - - name: "Event 5066 S, F: A cryptographic function operation was attempted." - href: auditing/event-5066.md - - name: "Event 5067 S, F: A cryptographic function modification was attempted." - href: auditing/event-5067.md - - name: "Event 5068 S, F: A cryptographic function provider operation was attempted." - href: auditing/event-5068.md - - name: "Event 5069 S, F: A cryptographic function property operation was attempted." - href: auditing/event-5069.md - - name: "Event 5070 S, F: A cryptographic function property modification was attempted." - href: auditing/event-5070.md - - name: "Event 5447 S: A Windows Filtering Platform filter has been changed." - href: auditing/event-5447.md - - name: "Event 6144 S: Security policy in the group policy objects has been applied successfully." - href: auditing/event-6144.md - - name: "Event 6145 F: One or more errors occurred while processing security policy in the group policy objects." - href: auditing/event-6145.md - - name: Audit Sensitive Privilege Use - href: auditing/audit-sensitive-privilege-use.md - items: - - name: "Event 4673 S, F: A privileged service was called." - href: auditing/event-4673.md - - name: "Event 4674 S, F: An operation was attempted on a privileged object." - href: auditing/event-4674.md - - name: "Event 4985 S: The state of a transaction has changed." - href: auditing/event-4985.md - - name: Audit Non Sensitive Privilege Use - href: auditing/audit-non-sensitive-privilege-use.md - items: - - name: "Event 4673 S, F: A privileged service was called." - href: auditing/event-4673.md - - name: "Event 4674 S, F: An operation was attempted on a privileged object." - href: auditing/event-4674.md - - name: "Event 4985 S: The state of a transaction has changed." - href: auditing/event-4985.md - - name: Audit Other Privilege Use Events - href: auditing/audit-other-privilege-use-events.md - items: - - name: "Event 4985 S: The state of a transaction has changed." - href: auditing/event-4985.md - - name: Audit IPsec Driver - href: auditing/audit-ipsec-driver.md - - name: Audit Other System Events - href: auditing/audit-other-system-events.md - items: - - name: "Event 5024 S: The Windows Firewall Service has started successfully." - href: auditing/event-5024.md - - name: "Event 5025 S: The Windows Firewall Service has been stopped." - href: auditing/event-5025.md - - name: "Event 5027 F: The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy." - href: auditing/event-5027.md - - name: "Event 5028 F: The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy." - href: auditing/event-5028.md - - name: "Event 5029 F: The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy." - href: auditing/event-5029.md - - name: "Event 5030 F: The Windows Firewall Service failed to start." - href: auditing/event-5030.md - - name: "Event 5032 F: Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network." - href: auditing/event-5032.md - - name: "Event 5033 S: The Windows Firewall Driver has started successfully." - href: auditing/event-5033.md - - name: "Event 5034 S: The Windows Firewall Driver was stopped." - href: auditing/event-5034.md - - name: "Event 5035 F: The Windows Firewall Driver failed to start." - href: auditing/event-5035.md - - name: "Event 5037 F: The Windows Firewall Driver detected critical runtime error. Terminating." - href: auditing/event-5037.md - - name: "Event 5058 S, F: Key file operation." - href: auditing/event-5058.md - - name: "Event 5059 S, F: Key migration operation." - href: auditing/event-5059.md - - name: "Event 6400: BranchCache: Received an incorrectly formatted response while discovering availability of content." - href: auditing/event-6400.md - - name: "Event 6401: BranchCache: Received invalid data from a peer. Data discarded." - href: auditing/event-6401.md - - name: "Event 6402: BranchCache: The message to the hosted cache offering it data is incorrectly formatted." - href: auditing/event-6402.md - - name: "Event 6403: BranchCache: The hosted cache sent an incorrectly formatted response to the client." - href: auditing/event-6403.md - - name: "Event 6404: BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate." - href: auditing/event-6404.md - - name: "Event 6405: BranchCache: %2 instances of event id %1 occurred." - href: auditing/event-6405.md - - name: "Event 6406: %1 registered to Windows Firewall to control filtering for the following: %2." - href: auditing/event-6406.md - - name: "Event 6407: 1%." - href: auditing/event-6407.md - - name: "Event 6408: Registered product %1 failed and Windows Firewall is now controlling the filtering for %2." - href: auditing/event-6408.md - - name: "Event 6409: BranchCache: A service connection point object could not be parsed." - href: auditing/event-6409.md - - name: Audit Security State Change - href: auditing/audit-security-state-change.md - items: - - name: "Event 4608 S: Windows is starting up." - href: auditing/event-4608.md - - name: "Event 4616 S: The system time was changed." - href: auditing/event-4616.md - - name: "Event 4621 S: Administrator recovered system from CrashOnAuditFail." - href: auditing/event-4621.md - - name: Audit Security System Extension - href: auditing/audit-security-system-extension.md - items: - - name: "Event 4610 S: An authentication package has been loaded by the Local Security Authority." - href: auditing/event-4610.md - - name: "Event 4611 S: A trusted logon process has been registered with the Local Security Authority." - href: auditing/event-4611.md - - name: "Event 4614 S: A notification package has been loaded by the Security Account Manager." - href: auditing/event-4614.md - - name: "Event 4622 S: A security package has been loaded by the Local Security Authority." - href: auditing/event-4622.md - - name: "Event 4697 S: A service was installed in the system." - href: auditing/event-4697.md - - name: Audit System Integrity - href: auditing/audit-system-integrity.md - items: - - name: "Event 4612 S: Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits." - href: auditing/event-4612.md - - name: "Event 4615 S: Invalid use of LPC port." - href: auditing/event-4615.md - - name: "Event 4618 S: A monitored security event pattern has occurred." - href: auditing/event-4618.md - - name: "Event 4816 S: RPC detected an integrity violation while decrypting an incoming message." - href: auditing/event-4816.md - - name: "Event 5038 F: Code integrity determined that the image hash of a file is not valid." - href: auditing/event-5038.md - - name: "Event 5056 S: A cryptographic self-test was performed." - href: auditing/event-5056.md - - name: "Event 5062 S: A kernel-mode cryptographic self-test was performed." - href: auditing/event-5062.md - - name: "Event 5057 F: A cryptographic primitive operation failed." - href: auditing/event-5057.md - - name: "Event 5060 F: Verification operation failed." - href: auditing/event-5060.md - - name: "Event 5061 S, F: Cryptographic operation." - href: auditing/event-5061.md - - name: "Event 6281 F: Code Integrity determined that the page hashes of an image file are not valid." - href: auditing/event-6281.md - - name: "Event 6410 F: Code integrity determined that a file does not meet the security requirements to load into a process." - href: auditing/event-6410.md - - name: Other Events - href: auditing/other-events.md - items: - - name: "Event 1100 S: The event logging service has shut down." - href: auditing/event-1100.md - - name: "Event 1102 S: The audit log was cleared." - href: auditing/event-1102.md - - name: "Event 1104 S: The security log is now full." - href: auditing/event-1104.md - - name: "Event 1105 S: Event log automatic backup." - href: auditing/event-1105.md - - name: "Event 1108 S: The event logging service encountered an error while processing an incoming event published from %1." - href: auditing/event-1108.md - - name: "Appendix A: Security monitoring recommendations for many audit events" - href: auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md - - name: Registry (Global Object Access Auditing) - href: auditing/registry-global-object-access-auditing.md - - name: File System (Global Object Access Auditing) - href: auditing/file-system-global-object-access-auditing.md - - name: Security policy settings - href: security-policy-settings/security-policy-settings.md - items: - - name: Administer security policy settings - href: security-policy-settings/administer-security-policy-settings.md - items: - - name: Network List Manager policies - href: security-policy-settings/network-list-manager-policies.md - - name: Configure security policy settings - href: security-policy-settings/how-to-configure-security-policy-settings.md - - name: Security policy settings reference - href: security-policy-settings/security-policy-settings-reference.md - items: - - name: Account Policies - href: security-policy-settings/account-policies.md - items: - - name: Password Policy - href: security-policy-settings/password-policy.md - items: - - name: Enforce password history - href: security-policy-settings/enforce-password-history.md - - name: Maximum password age - href: security-policy-settings/maximum-password-age.md - - name: Minimum password age - href: security-policy-settings/minimum-password-age.md - - name: Minimum password length - href: security-policy-settings/minimum-password-length.md - - name: Password must meet complexity requirements - href: security-policy-settings/password-must-meet-complexity-requirements.md - - name: Store passwords using reversible encryption - href: security-policy-settings/store-passwords-using-reversible-encryption.md - - name: Account Lockout Policy - href: security-policy-settings/account-lockout-policy.md - items: - - name: Account lockout duration - href: security-policy-settings/account-lockout-duration.md - - name: Account lockout threshold - href: security-policy-settings/account-lockout-threshold.md - - name: Reset account lockout counter after - href: security-policy-settings/reset-account-lockout-counter-after.md - - name: Kerberos Policy - href: security-policy-settings/kerberos-policy.md - items: - - name: Enforce user logon restrictions - href: security-policy-settings/enforce-user-logon-restrictions.md - - name: Maximum lifetime for service ticket - href: security-policy-settings/maximum-lifetime-for-service-ticket.md - - name: Maximum lifetime for user ticket - href: security-policy-settings/maximum-lifetime-for-user-ticket.md - - name: Maximum lifetime for user ticket renewal - href: security-policy-settings/maximum-lifetime-for-user-ticket-renewal.md - - name: Maximum tolerance for computer clock synchronization - href: security-policy-settings/maximum-tolerance-for-computer-clock-synchronization.md - - name: Audit Policy - href: security-policy-settings/audit-policy.md - - name: Security Options - href: security-policy-settings/security-options.md - items: - - name: "Accounts: Administrator account status" - href: security-policy-settings/accounts-administrator-account-status.md - - name: "Accounts: Block Microsoft accounts" - href: security-policy-settings/accounts-block-microsoft-accounts.md - - name: "Accounts: Guest account status" - href: security-policy-settings/accounts-guest-account-status.md - - name: "Accounts: Limit local account use of blank passwords to console logon only" - href: security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md - - name: "Accounts: Rename administrator account" - href: security-policy-settings/accounts-rename-administrator-account.md - - name: "Accounts: Rename guest account" - href: security-policy-settings/accounts-rename-guest-account.md - - name: "Audit: Audit the access of global system objects" - href: security-policy-settings/audit-audit-the-access-of-global-system-objects.md - - name: "Audit: Audit the use of Backup and Restore privilege" - href: security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md - - name: "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" - href: security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md - - name: "Audit: Shut down system immediately if unable to log security audits" - href: security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md - - name: "DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax" - href: security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md - - name: "DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax" - href: security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md - - name: "Devices: Allow undock without having to log on" - href: security-policy-settings/devices-allow-undock-without-having-to-log-on.md - - name: "Devices: Allowed to format and eject removable media" - href: security-policy-settings/devices-allowed-to-format-and-eject-removable-media.md - - name: "Devices: Prevent users from installing printer drivers" - href: security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md - - name: "Devices: Restrict CD-ROM access to locally logged-on user only" - href: security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md - - name: "Devices: Restrict floppy access to locally logged-on user only" - href: security-policy-settings/devices-restrict-floppy-access-to-locally-logged-on-user-only.md - - name: "Domain controller: Allow server operators to schedule tasks" - href: security-policy-settings/domain-controller-allow-server-operators-to-schedule-tasks.md - - name: "Domain controller: LDAP server signing requirements" - href: security-policy-settings/domain-controller-ldap-server-signing-requirements.md - - name: "Domain controller: Refuse machine account password changes" - href: security-policy-settings/domain-controller-refuse-machine-account-password-changes.md - - name: "Domain member: Digitally encrypt or sign secure channel data (always)" - href: security-policy-settings/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md - - name: "Domain member: Digitally encrypt secure channel data (when possible)" - href: security-policy-settings/domain-member-digitally-encrypt-secure-channel-data-when-possible.md - - name: "Domain member: Digitally sign secure channel data (when possible)" - href: security-policy-settings/domain-member-digitally-sign-secure-channel-data-when-possible.md - - name: "Domain member: Disable machine account password changes" - href: security-policy-settings/domain-member-disable-machine-account-password-changes.md - - name: "Domain member: Maximum machine account password age" - href: security-policy-settings/domain-member-maximum-machine-account-password-age.md - - name: "Domain member: Require strong (Windows 2000 or later) session key" - href: security-policy-settings/domain-member-require-strong-windows-2000-or-later-session-key.md - - name: "Interactive logon: Display user information when the session is locked" - href: security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md - - name: "Interactive logon: Don't display last signed-in" - href: security-policy-settings/interactive-logon-do-not-display-last-user-name.md - - name: "Interactive logon: Don't display username at sign-in" - href: security-policy-settings/interactive-logon-dont-display-username-at-sign-in.md - - name: "Interactive logon: Do not require CTRL+ALT+DEL" - href: security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md - - name: "Interactive logon: Machine account lockout threshold" - href: security-policy-settings/interactive-logon-machine-account-lockout-threshold.md - - name: "Interactive logon: Machine inactivity limit" - href: security-policy-settings/interactive-logon-machine-inactivity-limit.md - - name: "Interactive logon: Message text for users attempting to log on" - href: security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md - - name: "Interactive logon: Message title for users attempting to log on" - href: security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md - - name: "Interactive logon: Number of previous logons to cache (in case domain controller is not available)" - href: security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md - - name: "Interactive logon: Prompt user to change password before expiration" - href: security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md - - name: "Interactive logon: Require Domain Controller authentication to unlock workstation" - href: security-policy-settings/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md - - name: "Interactive logon: Require smart card" - href: security-policy-settings/interactive-logon-require-smart-card.md - - name: "Interactive logon: Smart card removal behavior" - href: security-policy-settings/interactive-logon-smart-card-removal-behavior.md - - name: "Microsoft network client: Digitally sign communications (always)" - href: security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md - - name: "SMBv1 Microsoft network client: Digitally sign communications (always)" - href: security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md - - name: "SMBv1 Microsoft network client: Digitally sign communications (if server agrees)" - href: security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md - - name: "Microsoft network client: Send unencrypted password to third-party SMB servers" - href: security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md - - name: "Microsoft network server: Amount of idle time required before suspending session" - href: security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md - - name: "Microsoft network server: Attempt S4U2Self to obtain claim information" - href: security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md - - name: "Microsoft network server: Digitally sign communications (always)" - href: security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md - - name: "SMBv1 Microsoft network server: Digitally sign communications (always)" - href: security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md - - name: "SMBv1 Microsoft network server: Digitally sign communications (if client agrees)" - href: security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md - - name: "Microsoft network server: Disconnect clients when logon hours expire" - href: security-policy-settings/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md - - name: "Microsoft network server: Server SPN target name validation level" - href: security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level.md - - name: "Network access: Allow anonymous SID/Name translation" - href: security-policy-settings/network-access-allow-anonymous-sidname-translation.md - - name: "Network access: Do not allow anonymous enumeration of SAM accounts" - href: security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md - - name: "Network access: Do not allow anonymous enumeration of SAM accounts and shares" - href: security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md - - name: "Network access: Do not allow storage of passwords and credentials for network authentication" - href: security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md - - name: "Network access: Let Everyone permissions apply to anonymous users" - href: security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users.md - - name: "Network access: Named Pipes that can be accessed anonymously" - href: security-policy-settings/network-access-named-pipes-that-can-be-accessed-anonymously.md - - name: "Network access: Remotely accessible registry paths" - href: security-policy-settings/network-access-remotely-accessible-registry-paths.md - - name: "Network access: Remotely accessible registry paths and subpaths" - href: security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md - - name: "Network access: Restrict anonymous access to Named Pipes and Shares" - href: security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md - - name: "Network access: Restrict clients allowed to make remote calls to SAM" - href: security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md - - name: "Network access: Shares that can be accessed anonymously" - href: security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md - - name: "Network access: Sharing and security model for local accounts" - href: security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md - - name: "Network security: Allow Local System to use computer identity for NTLM" - href: security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md - - name: "Network security: Allow LocalSystem NULL session fallback" - href: security-policy-settings/network-security-allow-localsystem-null-session-fallback.md - - name: "Network security: Allow PKU2U authentication requests to this computer to use online identities" - href: security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md - - name: "Network security: Configure encryption types allowed for Kerberos" - href: security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md - - name: "Network security: Do not store LAN Manager hash value on next password change" - href: security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md - - name: "Network security: Force logoff when logon hours expire" - href: security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md - - name: "Network security: LAN Manager authentication level" - href: security-policy-settings/network-security-lan-manager-authentication-level.md - - name: "Network security: LDAP client signing requirements" - href: security-policy-settings/network-security-ldap-client-signing-requirements.md - - name: "Network security: Minimum session security for NTLM SSP based (including secure RPC) clients" - href: security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md - - name: "Network security: Minimum session security for NTLM SSP based (including secure RPC) servers" - href: security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md - - name: "Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication" - href: security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md - - name: "Network security: Restrict NTLM: Add server exceptions in this domain" - href: security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md - - name: "Network security: Restrict NTLM: Audit incoming NTLM traffic" - href: security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md - - name: "Network security: Restrict NTLM: Audit NTLM authentication in this domain" - href: security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md - - name: "Network security: Restrict NTLM: Incoming NTLM traffic" - href: security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic.md - - name: "Network security: Restrict NTLM: NTLM authentication in this domain" - href: security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md - - name: "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" - href: security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md - - name: "Recovery console: Allow automatic administrative logon" - href: security-policy-settings/recovery-console-allow-automatic-administrative-logon.md - - name: "Recovery console: Allow floppy copy and access to all drives and folders" - href: security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md - - name: "Shutdown: Allow system to be shut down without having to log on" - href: security-policy-settings/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md - - name: "Shutdown: Clear virtual memory pagefile" - href: security-policy-settings/shutdown-clear-virtual-memory-pagefile.md - - name: "System cryptography: Force strong key protection for user keys stored on the computer" - href: security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md - - name: "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" - href: security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md - - name: "System objects: Require case insensitivity for non-Windows subsystems" - href: security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md - - name: "System objects: Strengthen default permissions of internal system objects (Symbolic Links)" - href: security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md - - name: "System settings: Optional subsystems" - href: security-policy-settings/system-settings-optional-subsystems.md - - name: "System settings: Use certificate rules on Windows executables for Software Restriction Policies" - href: security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md - - name: "User Account Control: Admin Approval Mode for the Built-in Administrator account" - href: security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md - - name: "User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop" - href: security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md - - name: "User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode" - href: security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md - - name: "User Account Control: Behavior of the elevation prompt for standard users" - href: security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md - - name: "User Account Control: Detect application installations and prompt for elevation" - href: security-policy-settings/user-account-control-detect-application-installations-and-prompt-for-elevation.md - - name: "User Account Control: Only elevate executables that are signed and validated" - href: security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md - - name: "User Account Control: Only elevate UIAccess applications that are installed in secure locations" - href: security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md - - name: "User Account Control: Run all administrators in Admin Approval Mode" - href: security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md - - name: "User Account Control: Switch to the secure desktop when prompting for elevation" - href: security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md - - name: "User Account Control: Virtualize file and registry write failures to per-user locations" - href: security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md - - name: Advanced security audit policy settings - href: security-policy-settings/secpol-advanced-security-audit-policy-settings.md - - name: User Rights Assignment - href: security-policy-settings/user-rights-assignment.md - items: - - name: Access Credential Manager as a trusted caller - href: security-policy-settings/access-credential-manager-as-a-trusted-caller.md - - name: Access this computer from the network - href: security-policy-settings/access-this-computer-from-the-network.md - - name: Act as part of the operating system - href: security-policy-settings/act-as-part-of-the-operating-system.md - - name: Add workstations to domain - href: security-policy-settings/add-workstations-to-domain.md - - name: Adjust memory quotas for a process - href: security-policy-settings/adjust-memory-quotas-for-a-process.md - - name: Allow log on locally - href: security-policy-settings/allow-log-on-locally.md - - name: Allow log on through Remote Desktop Services - href: security-policy-settings/allow-log-on-through-remote-desktop-services.md - - name: Back up files and directories - href: security-policy-settings/back-up-files-and-directories.md - - name: Bypass traverse checking - href: security-policy-settings/bypass-traverse-checking.md - - name: Change the system time - href: security-policy-settings/change-the-system-time.md - - name: Change the time zone - href: security-policy-settings/change-the-time-zone.md - - name: Create a pagefile - href: security-policy-settings/create-a-pagefile.md - - name: Create a token object - href: security-policy-settings/create-a-token-object.md - - name: Create global objects - href: security-policy-settings/create-global-objects.md - - name: Create permanent shared objects - href: security-policy-settings/create-permanent-shared-objects.md - - name: Create symbolic links - href: security-policy-settings/create-symbolic-links.md - - name: Debug programs - href: security-policy-settings/debug-programs.md - - name: Deny access to this computer from the network - href: security-policy-settings/deny-access-to-this-computer-from-the-network.md - - name: Deny log on as a batch job - href: security-policy-settings/deny-log-on-as-a-batch-job.md - - name: Deny log on as a service - href: security-policy-settings/deny-log-on-as-a-service.md - - name: Deny log on locally - href: security-policy-settings/deny-log-on-locally.md - - name: Deny log on through Remote Desktop Services - href: security-policy-settings/deny-log-on-through-remote-desktop-services.md - - name: Enable computer and user accounts to be trusted for delegation - href: security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md - - name: Force shutdown from a remote system - href: security-policy-settings/force-shutdown-from-a-remote-system.md - - name: Generate security audits - href: security-policy-settings/generate-security-audits.md - - name: Impersonate a client after authentication - href: security-policy-settings/impersonate-a-client-after-authentication.md - - name: Increase a process working set - href: security-policy-settings/increase-a-process-working-set.md - - name: Increase scheduling priority - href: security-policy-settings/increase-scheduling-priority.md - - name: Load and unload device drivers - href: security-policy-settings/load-and-unload-device-drivers.md - - name: Lock pages in memory - href: security-policy-settings/lock-pages-in-memory.md - - name: Log on as a batch job - href: security-policy-settings/log-on-as-a-batch-job.md - - name: Log on as a service - href: security-policy-settings/log-on-as-a-service.md - - name: Manage auditing and security log - href: security-policy-settings/manage-auditing-and-security-log.md - - name: Modify an object label - href: security-policy-settings/modify-an-object-label.md - - name: Modify firmware environment values - href: security-policy-settings/modify-firmware-environment-values.md - - name: Perform volume maintenance tasks - href: security-policy-settings/perform-volume-maintenance-tasks.md - - name: Profile single process - href: security-policy-settings/profile-single-process.md - - name: Profile system performance - href: security-policy-settings/profile-system-performance.md - - name: Remove computer from docking station - href: security-policy-settings/remove-computer-from-docking-station.md - - name: Replace a process level token - href: security-policy-settings/replace-a-process-level-token.md - - name: Restore files and directories - href: security-policy-settings/restore-files-and-directories.md - - name: Shut down the system - href: security-policy-settings/shut-down-the-system.md - - name: Synchronize directory service data - href: security-policy-settings/synchronize-directory-service-data.md - - name: Take ownership of files or other objects - href: security-policy-settings/take-ownership-of-files-or-other-objects.md - - name: Windows security guidance for enterprises - items: - - name: Windows security baselines - href: windows-security-configuration-framework/windows-security-baselines.md - items: - - name: Security Compliance Toolkit - href: windows-security-configuration-framework/security-compliance-toolkit-10.md - - name: Get support - href: windows-security-configuration-framework/get-support-for-security-baselines.md diff --git a/windows/security/threat-protection/auditing/TOC.yml b/windows/security/threat-protection/auditing/TOC.yml new file mode 100644 index 0000000000..4f122c5d8e --- /dev/null +++ b/windows/security/threat-protection/auditing/TOC.yml @@ -0,0 +1,767 @@ + - name: Security auditing + href: security-auditing-overview.md + items: + - name: Basic security audit policies + href: basic-security-audit-policies.md + items: + - name: Create a basic audit policy for an event category + href: create-a-basic-audit-policy-settings-for-an-event-category.md + - name: Apply a basic audit policy on a file or folder + href: apply-a-basic-audit-policy-on-a-file-or-folder.md + - name: View the security event log + href: view-the-security-event-log.md + - name: Basic security audit policy settings + href: basic-security-audit-policy-settings.md + items: + - name: Audit account logon events + href: basic-audit-account-logon-events.md + - name: Audit account management + href: basic-audit-account-management.md + - name: Audit directory service access + href: basic-audit-directory-service-access.md + - name: Audit logon events + href: basic-audit-logon-events.md + - name: Audit object access + href: basic-audit-object-access.md + - name: Audit policy change + href: basic-audit-policy-change.md + - name: Audit privilege use + href: basic-audit-privilege-use.md + - name: Audit process tracking + href: basic-audit-process-tracking.md + - name: Audit system events + href: basic-audit-system-events.md + - name: Advanced security audit policies + href: advanced-security-auditing.md + items: + - name: Planning and deploying advanced security audit policies + href: planning-and-deploying-advanced-security-audit-policies.md + - name: Advanced security auditing FAQ + href: advanced-security-auditing-faq.yml + items: + - name: Which editions of Windows support advanced audit policy configuration + href: which-editions-of-windows-support-advanced-audit-policy-configuration.md + - name: How to list XML elements in \ + href: how-to-list-xml-elements-in-eventdata.md + - name: Using advanced security auditing options to monitor dynamic access control objects + href: using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md + items: + - name: Monitor the central access policies that apply on a file server + href: monitor-the-central-access-policies-that-apply-on-a-file-server.md + - name: Monitor the use of removable storage devices + href: monitor-the-use-of-removable-storage-devices.md + - name: Monitor resource attribute definitions + href: monitor-resource-attribute-definitions.md + - name: Monitor central access policy and rule definitions + href: monitor-central-access-policy-and-rule-definitions.md + - name: Monitor user and device claims during sign-in + href: monitor-user-and-device-claims-during-sign-in.md + - name: Monitor the resource attributes on files and folders + href: monitor-the-resource-attributes-on-files-and-folders.md + - name: Monitor the central access policies associated with files and folders + href: monitor-the-central-access-policies-associated-with-files-and-folders.md + - name: Monitor claim types + href: monitor-claim-types.md + - name: Advanced security audit policy settings + href: advanced-security-audit-policy-settings.md + items: + - name: Audit Credential Validation + href: audit-credential-validation.md + - name: "Event 4774 S, F: An account was mapped for logon." + href: event-4774.md + - name: "Event 4775 F: An account could not be mapped for logon." + href: event-4775.md + - name: "Event 4776 S, F: The computer attempted to validate the credentials for an account." + href: event-4776.md + - name: "Event 4777 F: The domain controller failed to validate the credentials for an account." + href: event-4777.md + - name: Audit Kerberos Authentication Service + href: audit-kerberos-authentication-service.md + items: + - name: "Event 4768 S, F: A Kerberos authentication ticket, TGT, was requested." + href: event-4768.md + - name: "Event 4771 F: Kerberos pre-authentication failed." + href: event-4771.md + - name: "Event 4772 F: A Kerberos authentication ticket request failed." + href: event-4772.md + - name: Audit Kerberos Service Ticket Operations + href: audit-kerberos-service-ticket-operations.md + items: + - name: "Event 4769 S, F: A Kerberos service ticket was requested." + href: event-4769.md + - name: "Event 4770 S: A Kerberos service ticket was renewed." + href: event-4770.md + - name: "Event 4773 F: A Kerberos service ticket request failed." + href: event-4773.md + - name: Audit Other Account Logon Events + href: audit-other-account-logon-events.md + - name: Audit Application Group Management + href: audit-application-group-management.md + - name: Audit Computer Account Management + href: audit-computer-account-management.md + items: + - name: "Event 4741 S: A computer account was created." + href: event-4741.md + - name: "Event 4742 S: A computer account was changed." + href: event-4742.md + - name: "Event 4743 S: A computer account was deleted." + href: event-4743.md + - name: Audit Distribution Group Management + href: audit-distribution-group-management.md + items: + - name: "Event 4749 S: A security-disabled global group was created." + href: event-4749.md + - name: "Event 4750 S: A security-disabled global group was changed." + href: event-4750.md + - name: "Event 4751 S: A member was added to a security-disabled global group." + href: event-4751.md + - name: "Event 4752 S: A member was removed from a security-disabled global group." + href: event-4752.md + - name: "Event 4753 S: A security-disabled global group was deleted." + href: event-4753.md + - name: Audit Other Account Management Events + href: audit-other-account-management-events.md + items: + - name: "Event 4782 S: The password hash of an account was accessed." + href: event-4782.md + - name: "Event 4793 S: The Password Policy Checking API was called." + href: event-4793.md + - name: Audit Security Group Management + href: audit-security-group-management.md + items: + - name: "Event 4731 S: A security-enabled local group was created." + href: event-4731.md + - name: "Event 4732 S: A member was added to a security-enabled local group." + href: event-4732.md + - name: "Event 4733 S: A member was removed from a security-enabled local group." + href: event-4733.md + - name: "Event 4734 S: A security-enabled local group was deleted." + href: event-4734.md + - name: "Event 4735 S: A security-enabled local group was changed." + href: event-4735.md + - name: "Event 4764 S: A group�s type was changed." + href: event-4764.md + - name: "Event 4799 S: A security-enabled local group membership was enumerated." + href: event-4799.md + - name: Audit User Account Management + href: audit-user-account-management.md + items: + - name: "Event 4720 S: A user account was created." + href: event-4720.md + - name: "Event 4722 S: A user account was enabled." + href: event-4722.md + - name: "Event 4723 S, F: An attempt was made to change an account's password." + href: event-4723.md + - name: "Event 4724 S, F: An attempt was made to reset an account's password." + href: event-4724.md + - name: "Event 4725 S: A user account was disabled." + href: event-4725.md + - name: "Event 4726 S: A user account was deleted." + href: event-4726.md + - name: "Event 4738 S: A user account was changed." + href: event-4738.md + - name: "Event 4740 S: A user account was locked out." + href: event-4740.md + - name: "Event 4765 S: SID History was added to an account." + href: event-4765.md + - name: "Event 4766 F: An attempt to add SID History to an account failed." + href: event-4766.md + - name: "Event 4767 S: A user account was unlocked." + href: event-4767.md + - name: "Event 4780 S: The ACL was set on accounts that are members of administrators groups." + href: event-4780.md + - name: "Event 4781 S: The name of an account was changed." + href: event-4781.md + - name: "Event 4794 S, F: An attempt was made to set the Directory Services Restore Mode administrator password." + href: event-4794.md + - name: "Event 4798 S: A user's local group membership was enumerated." + href: event-4798.md + - name: "Event 5376 S: Credential Manager credentials were backed up." + href: event-5376.md + - name: "Event 5377 S: Credential Manager credentials were restored from a backup." + href: event-5377.md + - name: Audit DPAPI Activity + href: audit-dpapi-activity.md + items: + - name: "Event 4692 S, F: Backup of data protection master key was attempted." + href: event-4692.md + - name: "Event 4693 S, F: Recovery of data protection master key was attempted." + href: event-4693.md + - name: "Event 4694 S, F: Protection of auditable protected data was attempted." + href: event-4694.md + - name: "Event 4695 S, F: Unprotection of auditable protected data was attempted." + href: event-4695.md + - name: Audit PNP Activity + href: audit-pnp-activity.md + items: + - name: "Event 6416 S: A new external device was recognized by the System." + href: event-6416.md + - name: "Event 6419 S: A request was made to disable a device." + href: event-6419.md + - name: "Event 6420 S: A device was disabled." + href: event-6420.md + - name: "Event 6421 S: A request was made to enable a device." + href: event-6421.md + - name: "Event 6422 S: A device was enabled." + href: event-6422.md + - name: "Event 6423 S: The installation of this device is forbidden by system policy." + href: event-6423.md + - name: "Event 6424 S: The installation of this device was allowed, after having previously been forbidden by policy." + href: event-6424.md + - name: Audit Process Creation + href: audit-process-creation.md + items: + - name: "Event 4688 S: A new process has been created." + href: event-4688.md + - name: "Event 4696 S: A primary token was assigned to process." + href: event-4696.md + - name: Audit Process Termination + href: audit-process-termination.md + items: + - name: "Event 4689 S: A process has exited." + href: event-4689.md + - name: Audit RPC Events + href: audit-rpc-events.md + items: + - name: "Event 5712 S: A Remote Procedure Call, RPC, was attempted." + href: event-5712.md + - name: Audit Token Right Adjusted + href: audit-token-right-adjusted.md + items: + - name: "Event 4703 S: A user right was adjusted." + href: event-4703.md + - name: Audit Detailed Directory Service Replication + href: audit-detailed-directory-service-replication.md + items: + - name: "Event 4928 S, F: An Active Directory replica source naming context was established." + href: event-4928.md + - name: "Event 4929 S, F: An Active Directory replica source naming context was removed." + href: event-4929.md + - name: "Event 4930 S, F: An Active Directory replica source naming context was modified." + href: event-4930.md + - name: "Event 4931 S, F: An Active Directory replica destination naming context was modified." + href: event-4931.md + - name: "Event 4934 S: Attributes of an Active Directory object were replicated." + href: event-4934.md + - name: "Event 4935 F: Replication failure begins." + href: event-4935.md + - name: "Event 4936 S: Replication failure ends." + href: event-4936.md + - name: "Event 4937 S: A lingering object was removed from a replica." + href: event-4937.md + - name: Audit Directory Service Access + href: audit-directory-service-access.md + items: + - name: "Event 4662 S, F: An operation was performed on an object." + href: event-4662.md + - name: "Event 4661 S, F: A handle to an object was requested." + href: event-4661.md + - name: Audit Directory Service Changes + href: audit-directory-service-changes.md + items: + - name: "Event 5136 S: A directory service object was modified." + href: event-5136.md + - name: "Event 5137 S: A directory service object was created." + href: event-5137.md + - name: "Event 5138 S: A directory service object was undeleted." + href: event-5138.md + - name: "Event 5139 S: A directory service object was moved." + href: event-5139.md + - name: "Event 5141 S: A directory service object was deleted." + href: event-5141.md + - name: Audit Directory Service Replication + href: audit-directory-service-replication.md + items: + - name: "Event 4932 S: Synchronization of a replica of an Active Directory naming context has begun." + href: event-4932.md + - name: "Event 4933 S, F: Synchronization of a replica of an Active Directory naming context has ended." + href: event-4933.md + - name: Audit Account Lockout + href: audit-account-lockout.md + items: + - name: "Event 4625 F: An account failed to log on." + href: event-4625.md + - name: Audit User/Device Claims + href: audit-user-device-claims.md + items: + - name: "Event 4626 S: User/Device claims information." + href: event-4626.md + - name: Audit Group Membership + href: audit-group-membership.md + items: + - name: "Event 4627 S: Group membership information." + href: event-4627.md + - name: Audit IPsec Extended Mode + href: audit-ipsec-extended-mode.md + - name: Audit IPsec Main Mode + href: audit-ipsec-main-mode.md + - name: Audit IPsec Quick Mode + href: audit-ipsec-quick-mode.md + - name: Audit Logoff + href: audit-logoff.md + items: + - name: "Event 4634 S: An account was logged off." + href: event-4634.md + - name: "Event 4647 S: User initiated logoff." + href: event-4647.md + - name: Audit Logon + href: audit-logon.md + items: + - name: "Event 4624 S: An account was successfully logged on." + href: event-4624.md + - name: "Event 4625 F: An account failed to log on." + href: event-4625.md + - name: "Event 4648 S: A logon was attempted using explicit credentials." + href: event-4648.md + - name: "Event 4675 S: SIDs were filtered." + href: event-4675.md + - name: Audit Network Policy Server + href: audit-network-policy-server.md + - name: Audit Other Logon/Logoff Events + href: audit-other-logonlogoff-events.md + items: + - name: "Event 4649 S: A replay attack was detected." + href: event-4649.md + - name: "Event 4778 S: A session was reconnected to a Window Station." + href: event-4778.md + - name: "Event 4779 S: A session was disconnected from a Window Station." + href: event-4779.md + - name: "Event 4800 S: The workstation was locked." + href: event-4800.md + - name: "Event 4801 S: The workstation was unlocked." + href: event-4801.md + - name: "Event 4802 S: The screen saver was invoked." + href: event-4802.md + - name: "Event 4803 S: The screen saver was dismissed." + href: event-4803.md + - name: "Event 5378 F: The requested credentials delegation was disallowed by policy." + href: event-5378.md + - name: "Event 5632 S, F: A request was made to authenticate to a wireless network." + href: event-5632.md + - name: "Event 5633 S, F: A request was made to authenticate to a wired network." + href: event-5633.md + - name: Audit Special Logon + href: audit-special-logon.md + items: + - name: "Event 4964 S: Special groups have been assigned to a new logon." + href: event-4964.md + - name: "Event 4672 S: Special privileges assigned to new logon." + href: event-4672.md + - name: Audit Application Generated + href: audit-application-generated.md + - name: Audit Certification Services + href: audit-certification-services.md + - name: Audit Detailed File Share + href: audit-detailed-file-share.md + items: + - name: "Event 5145 S, F: A network share object was checked to see whether client can be granted desired access." + href: event-5145.md + - name: Audit File Share + href: audit-file-share.md + items: + - name: "Event 5140 S, F: A network share object was accessed." + href: event-5140.md + - name: "Event 5142 S: A network share object was added." + href: event-5142.md + - name: "Event 5143 S: A network share object was modified." + href: event-5143.md + - name: "Event 5144 S: A network share object was deleted." + href: event-5144.md + - name: "Event 5168 F: SPN check for SMB/SMB2 failed." + href: event-5168.md + - name: Audit File System + href: audit-file-system.md + items: + - name: "Event 4656 S, F: A handle to an object was requested." + href: event-4656.md + - name: "Event 4658 S: The handle to an object was closed." + href: event-4658.md + - name: "Event 4660 S: An object was deleted." + href: event-4660.md + - name: "Event 4663 S: An attempt was made to access an object." + href: event-4663.md + - name: "Event 4664 S: An attempt was made to create a hard link." + href: event-4664.md + - name: "Event 4985 S: The state of a transaction has changed." + href: event-4985.md + - name: "Event 5051: A file was virtualized." + href: event-5051.md + - name: "Event 4670 S: Permissions on an object were changed." + href: event-4670.md + - name: Audit Filtering Platform Connection + href: audit-filtering-platform-connection.md + items: + - name: "Event 5031 F: The Windows Firewall Service blocked an application from accepting incoming connections on the network." + href: event-5031.md + - name: "Event 5150: The Windows Filtering Platform blocked a packet." + href: event-5150.md + - name: "Event 5151: A more restrictive Windows Filtering Platform filter has blocked a packet." + href: event-5151.md + - name: "Event 5154 S: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections." + href: event-5154.md + - name: "Event 5155 F: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections." + href: event-5155.md + - name: "Event 5156 S: The Windows Filtering Platform has permitted a connection." + href: event-5156.md + - name: "Event 5157 F: The Windows Filtering Platform has blocked a connection." + href: event-5157.md + - name: "Event 5158 S: The Windows Filtering Platform has permitted a bind to a local port." + href: event-5158.md + - name: "Event 5159 F: The Windows Filtering Platform has blocked a bind to a local port." + href: event-5159.md + - name: Audit Filtering Platform Packet Drop + href: audit-filtering-platform-packet-drop.md + items: + - name: "Event 5152 F: The Windows Filtering Platform blocked a packet." + href: event-5152.md + - name: "Event 5153 S: A more restrictive Windows Filtering Platform filter has blocked a packet." + href: event-5153.md + - name: Audit Handle Manipulation + href: audit-handle-manipulation.md + items: + - name: "Event 4690 S: An attempt was made to duplicate a handle to an object." + href: event-4690.md + - name: Audit Kernel Object + href: audit-kernel-object.md + items: + - name: "Event 4656 S, F: A handle to an object was requested." + href: event-4656.md + - name: "Event 4658 S: The handle to an object was closed." + href: event-4658.md + - name: "Event 4660 S: An object was deleted." + href: event-4660.md + - name: "Event 4663 S: An attempt was made to access an object." + href: event-4663.md + - name: Audit Other Object Access Events + href: audit-other-object-access-events.md + items: + - name: "Event 4671: An application attempted to access a blocked ordinal through the TBS." + href: event-4671.md + - name: "Event 4691 S: Indirect access to an object was requested." + href: event-4691.md + - name: "Event 5148 F: The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded." + href: event-5148.md + - name: "Event 5149 F: The DoS attack has subsided and normal processing is being resumed." + href: event-5149.md + - name: "Event 4698 S: A scheduled task was created." + href: event-4698.md + - name: "Event 4699 S: A scheduled task was deleted." + href: event-4699.md + - name: "Event 4700 S: A scheduled task was enabled." + href: event-4700.md + - name: "Event 4701 S: A scheduled task was disabled." + href: event-4701.md + - name: "Event 4702 S: A scheduled task was updated." + href: event-4702.md + - name: "Event 5888 S: An object in the COM+ Catalog was modified." + href: event-5888.md + - name: "Event 5889 S: An object was deleted from the COM+ Catalog." + href: event-5889.md + - name: "Event 5890 S: An object was added to the COM+ Catalog." + href: event-5890.md + - name: Audit Registry + href: audit-registry.md + items: + - name: "Event 4663 S: An attempt was made to access an object." + href: event-4663.md + - name: "Event 4656 S, F: A handle to an object was requested." + href: event-4656.md + - name: "Event 4658 S: The handle to an object was closed." + href: event-4658.md + - name: "Event 4660 S: An object was deleted." + href: event-4660.md + - name: "Event 4657 S: A registry value was modified." + href: event-4657.md + - name: "Event 5039: A registry key was virtualized." + href: event-5039.md + - name: "Event 4670 S: Permissions on an object were changed." + href: event-4670.md + - name: Audit Removable Storage + href: audit-removable-storage.md + - name: Audit SAM + href: audit-sam.md + items: + - name: "Event 4661 S, F: A handle to an object was requested." + href: event-4661.md + - name: Audit Central Access Policy Staging + href: audit-central-access-policy-staging.md + items: + - name: "Event 4818 S: Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy." + href: event-4818.md + - name: Audit Audit Policy Change + href: audit-audit-policy-change.md + items: + - name: "Event 4670 S: Permissions on an object were changed." + href: event-4670.md + - name: "Event 4715 S: The audit policy, SACL, on an object was changed." + href: event-4715.md + - name: "Event 4719 S: System audit policy was changed." + href: event-4719.md + - name: "Event 4817 S: Auditing settings on object were changed." + href: event-4817.md + - name: "Event 4902 S: The Per-user audit policy table was created." + href: event-4902.md + - name: "Event 4906 S: The CrashOnAuditFail value has changed." + href: event-4906.md + - name: "Event 4907 S: Auditing settings on object were changed." + href: event-4907.md + - name: "Event 4908 S: Special Groups Logon table modified." + href: event-4908.md + - name: "Event 4912 S: Per User Audit Policy was changed." + href: event-4912.md + - name: "Event 4904 S: An attempt was made to register a security event source." + href: event-4904.md + - name: "Event 4905 S: An attempt was made to unregister a security event source." + href: event-4905.md + - name: Audit Authentication Policy Change + href: audit-authentication-policy-change.md + items: + - name: "Event 4706 S: A new trust was created to a domain." + href: event-4706.md + - name: "Event 4707 S: A trust to a domain was removed." + href: event-4707.md + - name: "Event 4716 S: Trusted domain information was modified." + href: event-4716.md + - name: "Event 4713 S: Kerberos policy was changed." + href: event-4713.md + - name: "Event 4717 S: System security access was granted to an account." + href: event-4717.md + - name: "Event 4718 S: System security access was removed from an account." + href: event-4718.md + - name: "Event 4739 S: Domain Policy was changed." + href: event-4739.md + - name: "Event 4864 S: A namespace collision was detected." + href: event-4864.md + - name: "Event 4865 S: A trusted forest information entry was added." + href: event-4865.md + - name: "Event 4866 S: A trusted forest information entry was removed." + href: event-4866.md + - name: "Event 4867 S: A trusted forest information entry was modified." + href: event-4867.md + - name: Audit Authorization Policy Change + href: audit-authorization-policy-change.md + items: + - name: "Event 4703 S: A user right was adjusted." + href: event-4703.md + - name: "Event 4704 S: A user right was assigned." + href: event-4704.md + - name: "Event 4705 S: A user right was removed." + href: event-4705.md + - name: "Event 4670 S: Permissions on an object were changed." + href: event-4670.md + - name: "Event 4911 S: Resource attributes of the object were changed." + href: event-4911.md + - name: "Event 4913 S: Central Access Policy on the object was changed." + href: event-4913.md + - name: Audit Filtering Platform Policy Change + href: audit-filtering-platform-policy-change.md + - name: Audit MPSSVC Rule-Level Policy Change + href: audit-mpssvc-rule-level-policy-change.md + items: + - name: "Event 4944 S: The following policy was active when the Windows Firewall started." + href: event-4944.md + - name: "Event 4945 S: A rule was listed when the Windows Firewall started." + href: event-4945.md + - name: "Event 4946 S: A change has been made to Windows Firewall exception list. A rule was added." + href: event-4946.md + - name: "Event 4947 S: A change has been made to Windows Firewall exception list. A rule was modified." + href: event-4947.md + - name: "Event 4948 S: A change has been made to Windows Firewall exception list. A rule was deleted." + href: event-4948.md + - name: "Event 4949 S: Windows Firewall settings were restored to the default values." + href: event-4949.md + - name: "Event 4950 S: A Windows Firewall setting has changed." + href: event-4950.md + - name: "Event 4951 F: A rule has been ignored because its major version number was not recognized by Windows Firewall." + href: event-4951.md + - name: "Event 4952 F: Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced." + href: event-4952.md + - name: "Event 4953 F: Windows Firewall ignored a rule because it could not be parsed." + href: event-4953.md + - name: "Event 4954 S: Windows Firewall Group Policy settings have changed. The new settings have been applied." + href: event-4954.md + - name: "Event 4956 S: Windows Firewall has changed the active profile." + href: event-4956.md + - name: "Event 4957 F: Windows Firewall did not apply the following rule." + href: event-4957.md + - name: "Event 4958 F: Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer." + href: event-4958.md + - name: Audit Other Policy Change Events + href: audit-other-policy-change-events.md + items: + - name: "Event 4714 S: Encrypted data recovery policy was changed." + href: event-4714.md + - name: "Event 4819 S: Central Access Policies on the machine have been changed." + href: event-4819.md + - name: "Event 4826 S: Boot Configuration Data loaded." + href: event-4826.md + - name: "Event 4909: The local policy settings for the TBS were changed." + href: event-4909.md + - name: "Event 4910: The group policy settings for the TBS were changed." + href: event-4910.md + - name: "Event 5063 S, F: A cryptographic provider operation was attempted." + href: event-5063.md + - name: "Event 5064 S, F: A cryptographic context operation was attempted." + href: event-5064.md + - name: "Event 5065 S, F: A cryptographic context modification was attempted." + href: event-5065.md + - name: "Event 5066 S, F: A cryptographic function operation was attempted." + href: event-5066.md + - name: "Event 5067 S, F: A cryptographic function modification was attempted." + href: event-5067.md + - name: "Event 5068 S, F: A cryptographic function provider operation was attempted." + href: event-5068.md + - name: "Event 5069 S, F: A cryptographic function property operation was attempted." + href: event-5069.md + - name: "Event 5070 S, F: A cryptographic function property modification was attempted." + href: event-5070.md + - name: "Event 5447 S: A Windows Filtering Platform filter has been changed." + href: event-5447.md + - name: "Event 6144 S: Security policy in the group policy objects has been applied successfully." + href: event-6144.md + - name: "Event 6145 F: One or more errors occurred while processing security policy in the group policy objects." + href: event-6145.md + - name: Audit Sensitive Privilege Use + href: audit-sensitive-privilege-use.md + items: + - name: "Event 4673 S, F: A privileged service was called." + href: event-4673.md + - name: "Event 4674 S, F: An operation was attempted on a privileged object." + href: event-4674.md + - name: "Event 4985 S: The state of a transaction has changed." + href: event-4985.md + - name: Audit Non Sensitive Privilege Use + href: audit-non-sensitive-privilege-use.md + items: + - name: "Event 4673 S, F: A privileged service was called." + href: event-4673.md + - name: "Event 4674 S, F: An operation was attempted on a privileged object." + href: event-4674.md + - name: "Event 4985 S: The state of a transaction has changed." + href: event-4985.md + - name: Audit Other Privilege Use Events + href: audit-other-privilege-use-events.md + items: + - name: "Event 4985 S: The state of a transaction has changed." + href: event-4985.md + - name: Audit IPsec Driver + href: audit-ipsec-driver.md + - name: Audit Other System Events + href: audit-other-system-events.md + items: + - name: "Event 5024 S: The Windows Firewall Service has started successfully." + href: event-5024.md + - name: "Event 5025 S: The Windows Firewall Service has been stopped." + href: event-5025.md + - name: "Event 5027 F: The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy." + href: event-5027.md + - name: "Event 5028 F: The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy." + href: event-5028.md + - name: "Event 5029 F: The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy." + href: event-5029.md + - name: "Event 5030 F: The Windows Firewall Service failed to start." + href: event-5030.md + - name: "Event 5032 F: Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network." + href: event-5032.md + - name: "Event 5033 S: The Windows Firewall Driver has started successfully." + href: event-5033.md + - name: "Event 5034 S: The Windows Firewall Driver was stopped." + href: event-5034.md + - name: "Event 5035 F: The Windows Firewall Driver failed to start." + href: event-5035.md + - name: "Event 5037 F: The Windows Firewall Driver detected critical runtime error. Terminating." + href: event-5037.md + - name: "Event 5058 S, F: Key file operation." + href: event-5058.md + - name: "Event 5059 S, F: Key migration operation." + href: event-5059.md + - name: "Event 6400: BranchCache: Received an incorrectly formatted response while discovering availability of content." + href: event-6400.md + - name: "Event 6401: BranchCache: Received invalid data from a peer. Data discarded." + href: event-6401.md + - name: "Event 6402: BranchCache: The message to the hosted cache offering it data is incorrectly formatted." + href: event-6402.md + - name: "Event 6403: BranchCache: The hosted cache sent an incorrectly formatted response to the client." + href: event-6403.md + - name: "Event 6404: BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate." + href: event-6404.md + - name: "Event 6405: BranchCache: %2 instances of event id %1 occurred." + href: event-6405.md + - name: "Event 6406: %1 registered to Windows Firewall to control filtering for the following: %2." + href: event-6406.md + - name: "Event 6407: 1%." + href: event-6407.md + - name: "Event 6408: Registered product %1 failed and Windows Firewall is now controlling the filtering for %2." + href: event-6408.md + - name: "Event 6409: BranchCache: A service connection point object could not be parsed." + href: event-6409.md + - name: Audit Security State Change + href: audit-security-state-change.md + items: + - name: "Event 4608 S: Windows is starting up." + href: event-4608.md + - name: "Event 4616 S: The system time was changed." + href: event-4616.md + - name: "Event 4621 S: Administrator recovered system from CrashOnAuditFail." + href: event-4621.md + - name: Audit Security System Extension + href: audit-security-system-extension.md + items: + - name: "Event 4610 S: An authentication package has been loaded by the Local Security Authority." + href: event-4610.md + - name: "Event 4611 S: A trusted logon process has been registered with the Local Security Authority." + href: event-4611.md + - name: "Event 4614 S: A notification package has been loaded by the Security Account Manager." + href: event-4614.md + - name: "Event 4622 S: A security package has been loaded by the Local Security Authority." + href: event-4622.md + - name: "Event 4697 S: A service was installed in the system." + href: event-4697.md + - name: Audit System Integrity + href: audit-system-integrity.md + items: + - name: "Event 4612 S: Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits." + href: event-4612.md + - name: "Event 4615 S: Invalid use of LPC port." + href: event-4615.md + - name: "Event 4618 S: A monitored security event pattern has occurred." + href: event-4618.md + - name: "Event 4816 S: RPC detected an integrity violation while decrypting an incoming message." + href: event-4816.md + - name: "Event 5038 F: Code integrity determined that the image hash of a file is not valid." + href: event-5038.md + - name: "Event 5056 S: A cryptographic self-test was performed." + href: event-5056.md + - name: "Event 5062 S: A kernel-mode cryptographic self-test was performed." + href: event-5062.md + - name: "Event 5057 F: A cryptographic primitive operation failed." + href: event-5057.md + - name: "Event 5060 F: Verification operation failed." + href: event-5060.md + - name: "Event 5061 S, F: Cryptographic operation." + href: event-5061.md + - name: "Event 6281 F: Code Integrity determined that the page hashes of an image file are not valid." + href: event-6281.md + - name: "Event 6410 F: Code integrity determined that a file does not meet the security requirements to load into a process." + href: event-6410.md + - name: Other Events + href: other-events.md + items: + - name: "Event 1100 S: The event logging service has shut down." + href: event-1100.md + - name: "Event 1102 S: The audit log was cleared." + href: event-1102.md + - name: "Event 1104 S: The security log is now full." + href: event-1104.md + - name: "Event 1105 S: Event log automatic backup." + href: event-1105.md + - name: "Event 1108 S: The event logging service encountered an error while processing an incoming event published from %1." + href: event-1108.md + - name: "Appendix A: Security monitoring recommendations for many audit events" + href: appendix-a-security-monitoring-recommendations-for-many-audit-events.md + - name: Registry (Global Object Access Auditing) + href: registry-global-object-access-auditing.md + - name: File System (Global Object Access Auditing) + href: file-system-global-object-access-auditing.md + - name: Windows security + href: /windows/security/ \ No newline at end of file diff --git a/windows/security/threat-protection/auditing/event-4768.md b/windows/security/threat-protection/auditing/event-4768.md index 9509c1486b..c53ca50d19 100644 --- a/windows/security/threat-protection/auditing/event-4768.md +++ b/windows/security/threat-protection/auditing/event-4768.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 09/07/2021 +ms.date: 10/20/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -29,7 +29,7 @@ This event generates only on domain controllers. If TGT issue fails then you will see Failure event with **Result Code** field not equal to “**0x0**”. -This event doesn't generate for **Result Codes**: 0x10, 0x17 and 0x18. Event “[4771](event-4771.md): Kerberos pre-authentication failed.” generates instead. +This event doesn't generate for **Result Codes**: 0x10 and 0x18. Event “[4771](event-4771.md): Kerberos pre-authentication failed.” generates instead. > [!NOTE] > For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. diff --git a/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md b/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md index c1ffec9b59..3fff0198ed 100644 --- a/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md +++ b/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md @@ -13,7 +13,7 @@ author: dansimp ms.author: dansimp ms.date: 08/14/2017 ms.localizationpriority: medium -ms.technology: mde +ms.technology: other --- # Block untrusted fonts in an enterprise diff --git a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md index ea4b252a30..a7cdb8f8e9 100644 --- a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md @@ -54,8 +54,11 @@ Enabling in Intune requires using the Code Integrity node in the [AppLocker CSP] ### Enable HVCI using Group Policy 1. Use Group Policy Editor (gpedit.msc) to either edit an existing GPO or create a new one. + 2. Navigate to **Computer Configuration** > **Administrative Templates** > **System** > **Device Guard**. + 3. Double-click **Turn on Virtualization Based Security**. + 4. Click **Enabled** and under **Virtualization Based Protection of Code Integrity**, select **Enabled with UEFI lock** to ensure HVCI cannot be disabled remotely or select **Enabled without UEFI lock**. ![Enable HVCI using Group Policy.](../images/enable-hvci-gp.png) @@ -71,14 +74,17 @@ Set the following registry keys to enable HVCI. This provides exactly the same s > [!IMPORTANT] -> - Among the commands that follow, you can choose settings for **Secure Boot** and **Secure Boot with DMA**. In most situations, we recommend that you choose **Secure Boot**. This option provides Secure Boot with as much protection as is supported by a given computer’s hardware. A computer with input/output memory management units (IOMMUs) will have Secure Boot with DMA protection. A computer without IOMMUs will simply have Secure Boot enabled.
      In contrast, with **Secure Boot with DMA**, the setting will enable Secure Boot—and VBS itself—only on a computer that supports DMA, that is, a computer with IOMMUs. With this setting, any computer without IOMMUs will not have VBS or HVCI protection, although it can still have WDAC enabled.
      +> - Among the commands that follow, you can choose settings for **Secure Boot** and **Secure Boot with DMA**. In most situations, we recommend that you choose **Secure Boot**. This option provides Secure Boot with as much protection as is supported by a given computer’s hardware. A computer with input/output memory management units (IOMMUs) will have Secure Boot with DMA protection. A computer without IOMMUs will simply have Secure Boot enabled. +> +> In contrast, with **Secure Boot with DMA**, the setting will enable Secure Boot—and VBS itself—only on a computer that supports DMA, that is, a computer with IOMMUs. With this setting, any computer without IOMMUs will not have VBS or HVCI protection, although it can still have WDAC enabled. +> > - All drivers on the system must be compatible with virtualization-based protection of code integrity; otherwise, your system may fail. We recommend that you enable these features on a group of test computers before you enable them on users' computers. #### For Windows 10 version 1607 and later Recommended settings (to enable virtualization-based protection of Code Integrity policies, without UEFI Lock): -``` commands +```console reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f @@ -94,49 +100,49 @@ If you want to customize the preceding recommended settings, use the following s **To enable VBS** -``` command +```console reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f ``` **To enable VBS and require Secure boot only (value 1)** -``` command +```console reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f ``` **To enable VBS with Secure Boot and DMA (value 3)** -``` command +```console reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 3 /f ``` **To enable VBS without UEFI lock (value 0)** -``` command +```console reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 0 /f ``` **To enable VBS with UEFI lock (value 1)** -``` command +```console reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 1 /f ``` **To enable virtualization-based protection of Code Integrity policies** -``` command +```console reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 1 /f ``` **To enable virtualization-based protection of Code Integrity policies without UEFI lock (value 0)** -``` command +```console reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 0 /f ``` **To enable virtualization-based protection of Code Integrity policies with UEFI lock (value 1)** -``` command +```console reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 1 /f ``` @@ -144,7 +150,7 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorE Recommended settings (to enable virtualization-based protection of Code Integrity policies, without UEFI Lock): -``` command +```console reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f @@ -158,31 +164,31 @@ If you want to customize the preceding recommended settings, use the following s **To enable VBS (it is always locked to UEFI)** -``` command +```console reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f ``` **To enable VBS and require Secure boot only (value 1)** -``` command +```console reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f ``` **To enable VBS with Secure Boot and DMA (value 3)** -``` command +```console reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 3 /f ``` **To enable virtualization-based protection of Code Integrity policies (with the default, UEFI lock)** -``` command +```console reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "HypervisorEnforcedCodeIntegrity" /t REG_DWORD /d 1 /f ``` **To enable virtualization-based protection of Code Integrity policies without UEFI lock** -``` command +```console reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Unlocked" /t REG_DWORD /d 1 /f ``` @@ -190,7 +196,9 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Unlocked" /t REG Windows 10 and Windows Server 2016 have a WMI class for related properties and features: *Win32\_DeviceGuard*. This class can be queried from an elevated Windows PowerShell session by using the following command: -`Get-CimInstance –ClassName Win32_DeviceGuard –Namespace root\Microsoft\Windows\DeviceGuard` +```powershell +Get-CimInstance –ClassName Win32_DeviceGuard –Namespace root\Microsoft\Windows\DeviceGuard +``` > [!NOTE] > The *Win32\_DeviceGuard* WMI class is only available on the Enterprise edition of Windows 10. @@ -279,7 +287,7 @@ This field lists the computer name. All valid values for computer name. Another method to determine the available and enabled Windows Defender Device Guard features is to run msinfo32.exe from an elevated PowerShell session. When you run this program, the Windows Defender Device Guard properties are displayed at the bottom of the **System Summary** section. -![Windows Defender Device Guard properties in the System Summary.](../images/dg-fig11-dgproperties.png) +:::image type="content" alt-text="Windows Defender Device Guard properties in the System Summary." source="../images/dg-fig11-dgproperties.png" lightbox="../images/dg-fig11-dgproperties.png"::: ## Troubleshooting @@ -291,12 +299,15 @@ C. If you experience a critical error during boot or your system is unstable aft ## How to turn off HVCI -1. Run the following command from an elevated prompt to set the HVCI registry key to off -```ini -reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 0 /f -``` -2. Restart the device. -3. To confirm HVCI has been successfully disabled, open System Information and check **Virtualization-based security Services Running**, which should now have no value displayed. +1. Run the following command from an elevated prompt to set the HVCI registry key to off: + + ```console + reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 0 /f + ``` + +1. Restart the device. + +1. To confirm HVCI has been successfully disabled, open System Information and check **Virtualization-based security Services Running**, which should now have no value displayed. ## HVCI deployment in virtual machines @@ -311,6 +322,6 @@ Set-VMSecurity -VMName -VirtualizationBasedSecurityOptOut $true ### Requirements for running HVCI in Hyper-V virtual machines - The Hyper-V host must run at least Windows Server 2016 or Windows 10 version 1607. - The Hyper-V virtual machine must be Generation 2, and running at least Windows Server 2016 or Windows 10. -- HVCI and [nested virtualization](/virtualization/hyper-v-on-windows/user-guide/nested-virtualization) can be enabled at the same time +- HVCI and [nested virtualization](/virtualization/hyper-v-on-windows/user-guide/nested-virtualization) can be enabled at the same time. To enable the HyperV role on the virtual machine, you must first install the HyperV role in a Windows nested virtualization environment. - Virtual Fibre Channel adapters are not compatible with HVCI. Before attaching a virtual Fibre Channel Adapter to a virtual machine, you must first opt out of virtualization-based security using `Set-VMSecurity`. - The AllowFullSCSICommandSet option for pass-through disks is not compatible with HVCI. Before configuring a pass-through disk with AllowFullSCSICommandSet, you must first opt out of virtualization-based security using `Set-VMSecurity`. diff --git a/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md index 4065b2122a..3112632b29 100644 --- a/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md @@ -1,6 +1,6 @@ --- title: Deployment guidelines for Windows Defender Device Guard (Windows 10) -description: Plan your deployment of Windows Defender Device Guard. Learn about hardware requirements, deployment approaches, code signing and code integrity policies. +description: Plan your deployment of Hypervisor-Protected Code Integrity (aka Memory Integrity). Learn about hardware requirements, deployment approaches, code signing and code integrity policies. keywords: virtualization, security, malware ms.prod: m365-security ms.mktglfcycl: deploy @@ -21,14 +21,14 @@ ms.technology: mde **Applies to** - Windows 10 -Computers must meet certain hardware, firmware, and software requirements in order to take advantage of all of the virtualization-based security (VBS) features in [Windows Defender Device Guard](../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md). Computers lacking these requirements can still be protected by Windows Defender Application Control (WDAC) policies—the difference is that those computers will not be as hardened against certain threats. +Computers must meet certain hardware, firmware, and software requirements in order to take advantage of Hypervisor-Protected Code Integrity (HVCI), a virtualization-based security (VBS) feature in Windows. HVCI is referred to as Memory Integrity under the Core Isolation section of the Windows security settings. Computers lacking these requirements can still be protected by Windows Defender Application Control (WDAC) policies—the difference is that those computers will not be as hardened against certain threats. For example, hardware that includes CPU virtualization extensions and SLAT will be hardened against malware that attempts to gain access to the kernel, but without protected BIOS options such as “Boot only from internal hard drive,” the computer could be booted (by a malicious person who has physical access) into an operating system on bootable media. > [!WARNING] > Virtualization-based protection of code integrity may be incompatible with some devices and applications. We strongly recommend testing this configuration in your lab before enabling virtualization-based protection of code integrity on production systems. Failure to do so may result in unexpected failures up to and including data loss or a blue screen error (also called a stop error). -The following tables provide more information about the hardware, firmware, and software required for deployment of various Windows Defender Device Guard features. The tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017. +The following tables provide more information about the hardware, firmware, and software required for deployment of WDAC and HVCI. The tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017. > [!NOTE] > Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new computers. @@ -42,9 +42,9 @@ The following tables provide more information about the hardware, firmware, and | Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | See the System.Fundamentals.Firmware.UEFISecureBoot requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](/windows-hardware/design/compatibility/whcp-specifications-policies). | UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. | | Firmware: **Secure firmware update process** | UEFI firmware must support secure firmware update found under the System.Fundamentals.Firmware.UEFISecureBoot requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](/windows-hardware/design/compatibility/whcp-specifications-policies). | UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. | | Software: **HVCI compatible drivers** | See the Filter.Driver.DeviceGuard.DriverCompatibility requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Filter driver download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](/windows-hardware/design/compatibility/whcp-specifications-policies). | [HVCI Compatible](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10/) drivers help ensure that VBS can maintain appropriate memory permissions. This increases resistance to bypassing vulnerable kernel drivers and helps ensure that malware cannot run in kernel. Only code verified through code integrity can run in kernel mode. | -| Software: Qualified **Windows operating system** | Windows 10 Enterprise, Windows 10 Pro, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise

      Important:
      Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard. Only virtualization-based protection of code integrity is supported in this configuration.

      | Support for VBS and for management features that simplify configuration of Windows Defender Device Guard. | +| Software: Qualified **Windows operating system** | Windows 10 Enterprise, Windows 10 Pro, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise

      Important:
      Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard. Only virtualization-based protection of code integrity is supported in this configuration.

      | Support for VBS and for management features. | -> **Important**  The following tables list additional qualifications for improved security. You can use Windows Defender Device Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting these additional qualifications to significantly strengthen the level of security that Windows Defender Device Guard can provide. +> **Important**  The following tables list additional qualifications for improved security. You can use WDAC and HVCI with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting these additional qualifications to significantly strengthen the level of security that WDAC and HVCI can provide. ## Additional qualifications for improved security @@ -76,4 +76,4 @@ The following tables describe additional hardware and firmware qualifications, a | Protections for Improved Security | Description | Security benefits | |---------------------------------------------|----------------------------------------------------|------| | Firmware: **VBS enablement of NX protection for UEFI runtime services** | • VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be executable.
      • UEFI runtime service must meet these requirements:
          • Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
          • PE sections need to be page-aligned in memory (not required for in non-volitile storage).
          • The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
              • All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both
              • No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory must be either readable and executable or writeable and non-executable.

      Notes:
      • This only applies to UEFI runtime service memory, and not UEFI boot service memory.
      • This protection is applied by VBS on OS page tables.


      Please also note the following:
      • Do not use sections that are both writeable and executable
      • Do not attempt to directly modify executable system memory
      • Do not use dynamic code | • Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
      • Reduces the attack surface to VBS from system firmware. | -| Firmware: **Firmware support for SMM protection** | The [Windows SMM Security Mitigations Table (WSMT) specification](https://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.| • Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
      • Reduces the attack surface to VBS from system firmware.
      • Blocks additional security attacks against SMM. | \ No newline at end of file +| Firmware: **Firmware support for SMM protection** | The [Windows SMM Security Mitigations Table (WSMT) specification](https://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.| • Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
      • Reduces the attack surface to VBS from system firmware.
      • Blocks additional security attacks against SMM. | diff --git a/windows/security/threat-protection/fips-140-validation.md b/windows/security/threat-protection/fips-140-validation.md index 9b2b985db5..fc40dc48df 100644 --- a/windows/security/threat-protection/fips-140-validation.md +++ b/windows/security/threat-protection/fips-140-validation.md @@ -10,7 +10,7 @@ ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium ms.reviewer: -ms.technology: mde +ms.technology: other --- # FIPS 140-2 Validation @@ -6780,7 +6780,7 @@ Version 6.3.9600 #### SP 800-132 Password-Based Key Derivation Function (PBKDF) - +
      Modes / States / Key Sizes diff --git a/windows/security/threat-protection/images/simplified-sdl.png b/windows/security/threat-protection/images/simplified-sdl.png new file mode 100644 index 0000000000..97c7448b8c Binary files /dev/null and b/windows/security/threat-protection/images/simplified-sdl.png differ diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md index f299d99657..7baa36b1a0 100644 --- a/windows/security/threat-protection/index.md +++ b/windows/security/threat-protection/index.md @@ -1,149 +1,51 @@ --- -title: Threat Protection (Windows 10) -description: Microsoft Defender for Endpoint is a unified platform for preventative protection, post-breach detection, automated investigation, and response. -keywords: threat protection, Microsoft Defender Advanced Threat Protection, attack surface reduction, next-generation protection, endpoint detection and response, automated investigation and response, microsoft threat experts, Microsoft Secure Score for Devices, advanced hunting, cyber threat hunting, web threat protection +title: Windows threat protection +description: Describes the security capabilities in Windows client focused on threat protection +keywords: threat protection, Microsoft Defender Antivirus, attack surface reduction, next-generation protection, endpoint detection and response, automated investigation and response, microsoft threat experts, Microsoft Secure Score for Devices, advanced hunting, cyber threat hunting, web threat protection search.product: eADQiWindows 10XVcnh ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: macapara -author: mjcaparas +ms.author: dansimp +author: dansimp ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.technology: mde +ms.technology: windows-sec --- -# Threat Protection +# Windows threat protection **Applies to:** -- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/) -- [Microsoft 365 Defender](/microsoft-365/security/defender/microsoft-365-defender) +- Windows 10 +- Windows 11 -[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. Defender for Endpoint protects endpoints from cyber threats, detects advanced attacks and data breaches, automates security incidents, and improves security posture. +In Windows client, hardware and software work together to help protect you from new and emerging threats. Expanded security protections in Windows 11 help boost security from the chip, to the cloud. -**Applies to:** -- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/) +## Windows threat protection -> [!TIP] -> Enable your users to access cloud services and on-premises applications with ease and enable modern management capabilities for all devices. For more information, see [Secure your remote workforce](/enterprise-mobility-security/remote-work/). +See the following articles to learn more about the different areas of Windows threat protection: -

      Microsoft Defender for Endpoint

      - - - - - - - - - - - - - - - -
      threat and vulnerability icon
      Threat & vulnerability management
      attack surface reduction icon
      Attack surface reduction
      next generation protection icon
      Next-generation protection
      endpoint detection and response icon
      Endpoint detection and response
      automated investigation and remediation icon
      Automated investigation and remediation
      microsoft threat experts icon
      Microsoft Threat Experts
      -
      Centralized configuration and administration, APIs
      Microsoft 365 Defender
      -
      - - - - ->[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4obJq] - -**[Threat & vulnerability management](/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt)**
      -This built-in capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations. - -- [Threat & vulnerability management overview](/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt) -- [Get started](/microsoft-365/security/defender-endpoint/tvm-prerequisites) -- [Access your security posture](/microsoft-365/security/defender-endpoint/tvm-dashboard-insights) -- [Improve your security posture and reduce risk](/microsoft-365/security/defender-endpoint/tvm-security-recommendation) -- [Understand vulnerabilities on your devices](/microsoft-365/security/defender-endpoint/tvm-software-inventory) - - - -**[Attack surface reduction](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction)**
      -The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitation. - -- [Hardware based isolation](/microsoft-365/security/defender-endpoint/overview-hardware-based-isolation) -- [Application control](windows-defender-application-control/windows-defender-application-control.md) -- [Device control](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md) +- [Microsoft Defender Application Guard](\windows\security\threat-protection\microsoft-defender-application-guard\md-app-guard-overview.md) +- [Virtualization-based protection of code integrity](\windows\security\threat-protection\device-guard\enable-virtualization-based-protection-of-code-integrity.md) +- [Application control](/windows-defender-application-control/windows-defender-application-control.md) +- [Microsoft Defender Device Guard](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md) - [Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection) - [Network protection](/microsoft-365/security/defender-endpoint/network-protection), [web protection](/microsoft-365/security/defender-endpoint/web-protection-overview) +- [Microsoft Defender SmartScreen](\windows\security\threat-protection\microsoft-defender-smartscreen\microsoft-defender-smartscreen-overview.md) - [Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders) - [Network firewall](windows-firewall/windows-firewall-with-advanced-security.md) - [Attack surface reduction rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction) +- [Windows Sandbox](\windows\security\threat-protection\windows-sandbox\windows-sandbox-overview.md) - - -**[Next-generation protection](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10)**
      -To further reinforce the security perimeter of your network, Microsoft Defender for Endpoint uses next-generation protection designed to catch all types of emerging threats. +### Next-generation protection +Next-generation protection is designed to identify and block new and emerging threats. Powered by the cloud and machine learning, Microsoft Defender Antivirus can help stop attacks in real-time. - [Behavior monitoring](/microsoft-365/security/defender-endpoint/configure-real-time-protection-microsoft-defender-antivirus) - [Cloud-based protection](/microsoft-365/security/defender-endpoint/configure-protection-features-microsoft-defender-antivirus) - [Machine learning](/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus) - [URL Protection](/microsoft-365/security/defender-endpoint/configure-network-connections-microsoft-defender-antivirus) -- [Automated sandbox service](/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus) - - - -**[Endpoint detection and response](/microsoft-365/security/defender-endpoint/overview-endpoint-detection-response)**
      -Endpoint detection and response capabilities are put in place to detect, investigate, and respond to intrusion attempts and active breaches. With Advanced hunting, you have a query-based threat-hunting tool that lets your proactively find breaches and create custom detections. - -- [Alerts](/microsoft-365/security/defender-endpoint/alerts-queue) -- [Historical endpoint data](/microsoft-365/security/defender-endpoint/investigate-machines#timeline) -- [Response orchestration](/microsoft-365/security/defender-endpoint/respond-machine-alerts) -- [Forensic collection](/microsoft-365/security/defender-endpoint/respond-machine-alerts#collect-investigation-package-from-devices) -- [Threat intelligence](/microsoft-365/security/defender-endpoint/threat-indicator-concepts) -- [Advanced detonation and analysis service](/microsoft-365/security/defender-endpoint/respond-file-alerts#deep-analysis) -- [Advanced hunting](/microsoft-365/security/defender-endpoint/advanced-hunting-overview) - - [Custom detections](/microsoft-365/security/defender-endpoint/overview-custom-detections) - - - -**[Automated investigation and remediation](/microsoft-365/security/defender-endpoint/automated-investigations)**
      -In addition to quickly responding to advanced attacks, Microsoft Defender for Endpoint offers automated investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale. - -- [Get an overview of automated investigation and remediation](/microsoft-365/security/defender-endpoint/automated-investigations) -- [Learn about automation levels](/microsoft-365/security/defender-endpoint/automation-levels) -- [Configure automated investigation and remediation in Defender for Endpoint](/microsoft-365/security/defender-endpoint/configure-automated-investigations-remediation) -- [Visit the Action center to see remediation actions](/microsoft-365/security/defender-endpoint/auto-investigation-action-center) -- [Review remediation actions following an automated investigation](/microsoft-365/security/defender-endpoint/manage-auto-investigation) - - - -**[Microsoft Threat Experts](/microsoft-365/security/defender-endpoint/microsoft-threat-experts)**
      -Microsoft Defender for Endpoint's new managed threat hunting service provides proactive hunting, prioritization, and additional context and insights. Microsoft Threat Experts further empowers Security Operation Centers (SOCs) to identify and respond to threats quickly and accurately. - -- [Targeted attack notification](/microsoft-365/security/defender-endpoint/microsoft-threat-experts) -- [Experts-on-demand](/microsoft-365/security/defender-endpoint/microsoft-threat-experts) -- [Configure your Microsoft 365 Defender managed hunting service](/microsoft-365/security/defender-endpoint/configure-microsoft-threat-experts) - - - -**[Centralized configuration and administration, APIs](/microsoft-365/security/defender-endpoint/management-apis)**
      -Integrate Microsoft Defender for Endpoint into your existing workflows. -- [Onboarding](/microsoft-365/security/defender-endpoint/onboard-configure) -- [API and SIEM integration](/microsoft-365/security/defender-endpoint/configure-siem) -- [Exposed APIs](/microsoft-365/security/defender-endpoint/apis-intro) -- [Role-based access control (RBAC)](/microsoft-365/security/defender-endpoint/rbac) -- [Reporting and trends](/microsoft-365/security/defender-endpoint/threat-protection-reports) - - -**[Integration with Microsoft solutions](/microsoft-365/security/defender-endpoint/threat-protection-integration)**
      - Microsoft Defender for Endpoint directly integrates with various Microsoft solutions, including: -- Intune -- Microsoft Defender for Office 365 -- Microsoft Defender for Identity -- Azure Defender -- Skype for Business -- Microsoft Cloud App Security - - -**[Microsoft 365 Defender](/microsoft-365/security/mtp/microsoft-threat-protection)**
      - With Microsoft 365 Defender, Microsoft Defender for Endpoint and various Microsoft security solutions form a unified pre- and post-breach enterprise defense suite that natively integrates across endpoint, identity, email, and applications to detect, prevent, investigate, and automatically respond to sophisticated attacks. \ No newline at end of file +- [Automated sandbox service](/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus) \ No newline at end of file diff --git a/windows/security/threat-protection/intelligence/TOC.yml b/windows/security/threat-protection/intelligence/TOC.yml deleted file mode 100644 index 78fea4eba3..0000000000 --- a/windows/security/threat-protection/intelligence/TOC.yml +++ /dev/null @@ -1,60 +0,0 @@ -- name: Security intelligence - href: index.md - items: - - name: Understand malware & other threats - href: understanding-malware.md - items: - - name: Coin miners - href: coinminer-malware.md - - name: Exploits and exploit kits - href: exploits-malware.md - - name: Fileless threats - href: fileless-threats.md - - name: Macro malware - href: macro-malware.md - - name: Phishing attacks - href: phishing.md - items: - - name: Phishing trends and techniques - href: phishing-trends.md - - name: Ransomware - href: /security/compass/human-operated-ransomware - - name: Rootkits - href: rootkits-malware.md - - name: Supply chain attacks - href: supply-chain-malware.md - - name: Tech support scams - href: support-scams.md - - name: Trojans - href: trojans-malware.md - - name: Unwanted software - href: unwanted-software.md - - name: Worms - href: worms-malware.md - - name: Prevent malware infection - href: prevent-malware-infection.md - - name: Malware naming convention - href: malware-naming.md - - name: How Microsoft identifies malware and PUA - href: criteria.md - - name: Submit files for analysis - href: submission-guide.md - - name: Troubleshoot malware submission - href: portal-submission-troubleshooting.md - - name: Safety Scanner download - href: safety-scanner-download.md - - name: Industry collaboration programs - href: cybersecurity-industry-partners.md - items: - - name: Virus information alliance - href: virus-information-alliance-criteria.md - - name: Microsoft virus initiative - href: virus-initiative-criteria.md - - name: Coordinated malware eradication - href: coordinated-malware-eradication.md - - name: Information for developers - items: - - name: Software developer FAQ - href: developer-faq.yml - - name: Software developer resources - href: developer-resources.md diff --git a/windows/security/threat-protection/intelligence/criteria.md b/windows/security/threat-protection/intelligence/criteria.md index 381dc66ce4..17980ae531 100644 --- a/windows/security/threat-protection/intelligence/criteria.md +++ b/windows/security/threat-protection/intelligence/criteria.md @@ -13,6 +13,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article +ms.date: 10/04/2021 search.appverid: met150 ms.technology: mde --- @@ -174,7 +175,7 @@ Microsoft uses specific categories and the category definitions to classify soft * **Torrent software (Enterprise only):** Software that is used to create or download torrents or other files specifically used with peer-to-peer file-sharing technologies. -* **Cryptomining software:** Software that uses your device resources to mine cryptocurrencies. +* **Cryptomining software (Enterprise only):** Software that uses your device resources to mine cryptocurrencies. * **Bundling software:** Software that offers to install other software that is not developed by the same entity or not required for the software to run. Also, software that offers to install other software that qualifies as PUA based on the criteria outlined in this document. diff --git a/windows/security/threat-protection/intelligence/virus-initiative-criteria.md b/windows/security/threat-protection/intelligence/virus-initiative-criteria.md index 83ca25908d..ccb2eb6624 100644 --- a/windows/security/threat-protection/intelligence/virus-initiative-criteria.md +++ b/windows/security/threat-protection/intelligence/virus-initiative-criteria.md @@ -18,34 +18,27 @@ ms.technology: mde # Microsoft Virus Initiative -The Microsoft Virus Initiative (MVI) helps organizations to get their products working and integrated with Windows. - -MVI members receive access to Windows APIs and other technologies including IOAV, AMSI, and Cloud files. Members also get malware telemetry and samples and invitations to security-related events and conferences. +The Microsoft Virus Initiative (MVI) helps organizations develop better-together security solutions that are performant, reliable, and aligned with Microsoft technology and strategy. ## Become a member -You can request membership if you're a representative for an organization that develops and produces antimalware or antivirus technology. Your organization must meet the following requirements to qualify for the MVI program: +You can request membership if you're a representative for an organization that develops and produces antimalware or antivirus technology. -1. Offer an antimalware or antivirus product that meets one of the following criteria: +To qualify for the MVI program, your organization must meet all the following requirements: - * Your organization's own creation. - * Developed by using an SDK (engine and other components) from another MVI Partner company and your organization adds a custom UI and/or other functionality. +1) Your security solution either replaces or compliments Microsoft Defender Antivirus. -2. Have your own malware research team unless you build a product based on an SDK. +2) Your organization is responsible for both developing and distributing app updates to end-customers that address compatibility with Windows. -3. Be active and have a positive reputation in the antimalware industry. +3) Your organization must be active in the antimalware industry and have a positive reputation, as evidenced by participation in industry conferences or being reviewed in an industry-standard report such as AV-Comparatives, OPSWAT, or Gartner. - * Activity can include participation in industry conferences or being reviewed in an industry standard report such as AV Comparatives, OPSWAT, or Gartner. +4) Your organization must sign a non-disclosure agreement (NDA) with Microsoft. -4. Be willing to sign a non-disclosure agreement (NDA) with Microsoft. +5) Your organization must sign a program license agreement. Maintaining this license agreement requires that you adhere to all program requirements for antimalware apps. These requirements define the behavior of antimalware apps necessary to ensure proper interaction with Windows. -5. Be willing to sign a program license agreement. +6) You must submit your app to Microsoft for periodic performance testing and feature review. -6. Be willing to adhere to program requirements for antimalware apps. These requirements define the behavior of antimalware apps necessary to ensure proper interaction with Windows. - -7. Submit your app to Microsoft for periodic performance testing. - -8. Certified through independent testing by at least one industry standard organization. +7) Your solution must be certified through independent testing by at least one industry-standard organization, and yearly certification must be maintained. Test Provider | Lab Test Type | Minimum Level / Score ------------- |---------------|---------------------- @@ -60,4 +53,4 @@ West Coast Labs | Checkmark Certified
      http://www.checkmarkcertified.com/sm ## Apply now -If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/wdsi/alliances/apply-alliance-membership). For questions, [contact us for more information](https://www.microsoft.com/wdsi/alliances/collaboration-inquiry). +If your organization meets these criteria and is interested in joining, [apply for membership now](https://forms.office.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbRxusDUkejalGp0OAgRTWC7BUQVRYUEVMNlFZUjFaUDY2T1U1UDVVU1NKVi4u). diff --git a/windows/security/threat-protection/mbsa-removal-and-guidance.md b/windows/security/threat-protection/mbsa-removal-and-guidance.md index 83a6f5e00b..a12edb4f83 100644 --- a/windows/security/threat-protection/mbsa-removal-and-guidance.md +++ b/windows/security/threat-protection/mbsa-removal-and-guidance.md @@ -9,7 +9,7 @@ ms.author: dansimp author: dansimp ms.reviewer: manager: dansimp -ms.technology: mde +ms.technology: other --- # What is Microsoft Baseline Security Analyzer and its uses? diff --git a/windows/security/threat-protection/microsoft-bug-bounty-program.md b/windows/security/threat-protection/microsoft-bug-bounty-program.md new file mode 100644 index 0000000000..7dcc6cdd7f --- /dev/null +++ b/windows/security/threat-protection/microsoft-bug-bounty-program.md @@ -0,0 +1,22 @@ +--- +title: About the Microsoft Bug Bounty Program +description: If you are a security researcher, you can get a reward for reporting a vulnerability in a Microsoft product, service, or device. +ms.prod: m365-security +audience: ITPro +author: dansimp +ms.author: dansimp +manager: dansimp +ms.collection: M365-identity-device-management +ms.topic: article +ms.localizationpriority: medium +ms.reviewer: +ms.technology: other +--- + +# About the Microsoft Bug Bounty Program + +Are you a security researcher? Did you find a vulnerability in a Microsoft product, service, or device? If so, we want to hear from you! + +If your vulnerability report affects a product or service that is within scope of one of our bounty programs below, you could receive a bounty award according to the program descriptions. + +Visit the [Microsoft Bug Bounty Program site](https://www.microsoft.com/en-us/msrc/bounty?rtc=1) for all the details! \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/TOC.yml b/windows/security/threat-protection/microsoft-defender-application-guard/TOC.yml index ee887e168a..e235cf65ec 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/TOC.yml +++ b/windows/security/threat-protection/microsoft-defender-application-guard/TOC.yml @@ -3,13 +3,16 @@ items: - name: System requirements href: reqs-md-app-guard.md - - name: Install WDAG + - name: Install Application Guard href: install-md-app-guard.md - - name: Configure WDAG policies + - name: Configure Application Guard policies href: configure-md-app-guard.md - name: Test scenarios href: test-scenarios-md-app-guard.md - name: Microsoft Defender Application Guard Extension href: md-app-guard-browser-extension.md - - name: FAQ + - name: Application Guard FAQ href: faq-md-app-guard.yml +- name: Windows security + href: /windows/security/ + diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md index 41284661d3..d3480738e7 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md @@ -1,5 +1,5 @@ --- -title: Configure the Group Policy settings for Microsoft Defender Application Guard (Windows 10) +title: Configure the Group Policy settings for Microsoft Defender Application Guard (Windows) description: Learn about the available Group Policy settings for Microsoft Defender Application Guard. ms.prod: m365-security ms.mktglfcycl: manage @@ -8,7 +8,7 @@ ms.pagetype: security ms.localizationpriority: medium author: denisebmsft ms.author: deniseb -ms.date: 09/16/2021 +ms.date: 09/20/2021 ms.reviewer: manager: dansimp ms.custom: asr @@ -20,6 +20,7 @@ ms.technology: mde **Applies to:** - Windows 10 +- Windows 11 Microsoft Defender Application Guard (Application Guard) works with Group Policy to help you manage your organization's computer settings. By using Group Policy, you can configure a setting once, and then copy it onto many computers. For example, you can set up multiple security settings in a Group Policy Object, which is linked to a domain, and then apply all those settings to every endpoint in the domain. @@ -52,13 +53,13 @@ These settings, located at `Computer Configuration\Administrative Templates\Wind |Name|Supported versions|Description|Options| |-----------|------------------|-----------|-------| -|Configure Microsoft Defender Application Guard clipboard settings|Windows 10 Enterprise, 1709 or higher

      Windows 10 Pro, 1803 or higher|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** Turns On the clipboard functionality and lets you choose whether to additionally:
      - Disable the clipboard functionality completely when Virtualization Security is enabled.
      - Enable copying of certain content from Application Guard into Microsoft Edge.
      - Enable copying of certain content from Microsoft Edge into Application Guard. **Important:** Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.

      **Disabled or not configured.** Completely turns Off the clipboard functionality for Application Guard.| -|Configure Microsoft Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher

      Windows 10 Pro, 1803 or higher|Determines whether Application Guard can use the print functionality.|**Enabled.** Turns On the print functionality and lets you choose whether to additionally:
      - Enable Application Guard to print into the XPS format.
      - Enable Application Guard to print into the PDF format.
      - Enable Application Guard to print to locally attached printers.
      - Enable Application Guard to print from previously connected network printers. Employees can't search for additional printers.

      **Disabled or not configured.** Completely turns Off the print functionality for Application Guard.| -|Prevent enterprise websites from loading non-enterprise content in Microsoft Edge and Internet Explorer|Windows 10 Enterprise, 1709 or higher|Determines whether to allow Internet access for apps not included on the **Allowed Apps** list.|**Enabled.** Prevents network traffic from both Internet Explorer and Microsoft Edge to non-enterprise sites that can't render in the Application Guard container.

      **NOTE**: This action might also block assets cached by CDNs and references to analytics sites. Add them to the trusted enterprise resources to avoid broken pages.

      **Disabled or not configured.** Prevents Microsoft Edge to render network traffic to non-enterprise sites that can't render in Application Guard. | -|Allow Persistence|Windows 10 Enterprise, 1709 or higher

      Windows 10 Pro, 1803 or higher|Determines whether data persists across different sessions in Microsoft Defender Application Guard.|**Enabled.** Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.

      **Disabled or not configured.** All user data within Application Guard is reset between sessions.

      **NOTE**: If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.

      **To reset the container:**
      1. Open a command-line program and navigate to `Windows/System32`.
      2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.
      3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.| -|Turn on Microsoft Defender Application Guard in Managed Mode|Windows 10 Enterprise, 1809 or higher|Determines whether to turn on Application Guard for Microsoft Edge and Microsoft Office.|**Enabled.** Turns on Application Guard for Microsoft Edge and/or Microsoft Office, honoring the network isolation settings, rendering non-enterprise domains in the Application Guard container. Be aware that Application Guard won't actually be turned on unless the required prerequisites and network isolation settings are already set on the device. Available options:
      - Enable Microsoft Defender Application Guard only for Microsoft Edge
      - Enable Microsoft Defender Application Guard only for Microsoft Office
      - Enable Microsoft Defender Application Guard for both Microsoft Edge and Microsoft Office

      **Disabled.** Turns off Application Guard, allowing all apps to run in Microsoft Edge and Microsoft Office.| -|Allow files to download to host operating system|Windows 10 Enterprise, 1803 or higher|Determines whether to save downloaded files to the host operating system from the Microsoft Defender Application Guard container.|**Enabled.** Allows users to save downloaded files from the Microsoft Defender Application Guard container to the host operating system. This action creates a share between the host and container that also allows for uploads from the host to the Application Guard container.

      **Disabled or not configured.** Users are not able to save downloaded files from Application Guard to the host operating system.| -|Allow hardware-accelerated rendering for Microsoft Defender Application Guard|Windows 10 Enterprise, 1803 or higher

      Windows 10 Pro, 1803 or higher|Determines whether Microsoft Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering. **Important:** Be aware that enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.

      **Disabled or not configured.** Microsoft Defender Application Guard uses software-based (CPU) rendering and won’t load any third-party graphics drivers or interact with any connected graphics hardware.| -|Allow camera and microphone access in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher

      Windows 10 Pro, 1809 or higher|Determines whether to allow camera and microphone access inside Microsoft Defender Application Guard.|**Enabled.** Applications inside Microsoft Defender Application Guard are able to access the camera and microphone on the user's device. **Important:** Be aware that enabling this policy with a potentially compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge.

      **Disabled or not configured.** Applications inside Microsoft Defender Application Guard are unable to access the camera and microphone on the user's device.| -|Allow Microsoft Defender Application Guard to use Root Certificate Authorities from a user's device|Windows 10 Enterprise, 1809 or higher

      Windows 10 Pro, 1809 or higher|Determines whether Root Certificates are shared with Microsoft Defender Application Guard.|**Enabled.** Certificates matching the specified thumbprint are transferred into the container. Use a comma to separate multiple certificates.

      **Disabled or not configured.** Certificates are not shared with Microsoft Defender Application Guard.| -|Allow auditing events in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher

      Windows 10 Pro, 1809 or higher|This policy setting allows you to decide whether auditing events can be collected from Microsoft Defender Application Guard.|**Enabled.** Application Guard inherits auditing policies from your device and logs system events from the Application Guard container to your host.

      **Disabled or not configured.** event logs aren't collected from your Application Guard container.| +|Configure Microsoft Defender Application Guard clipboard settings|Windows 10 Enterprise, 1709 or higher

      Windows 10 Pro, 1803 or higher

      Windows 11|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** Turns On the clipboard functionality and lets you choose whether to additionally:
      - Disable the clipboard functionality completely when Virtualization Security is enabled.
      - Enable copying of certain content from Application Guard into Microsoft Edge.
      - Enable copying of certain content from Microsoft Edge into Application Guard. **Important:** Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.

      **Disabled or not configured.** Completely turns Off the clipboard functionality for Application Guard.| +|Configure Microsoft Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher

      Windows 10 Pro, 1803 or higher

      Windows 11|Determines whether Application Guard can use the print functionality.|**Enabled.** Turns On the print functionality and lets you choose whether to additionally:
      - Enable Application Guard to print into the XPS format.
      - Enable Application Guard to print into the PDF format.
      - Enable Application Guard to print to locally attached printers.
      - Enable Application Guard to print from previously connected network printers. Employees can't search for additional printers.

      **Disabled or not configured.** Completely turns Off the print functionality for Application Guard.| +|Prevent enterprise websites from loading non-enterprise content in Microsoft Edge and Internet Explorer|Windows 10 Enterprise, 1709 or higher

      Windows 11|Determines whether to allow Internet access for apps not included on the **Allowed Apps** list.|**Enabled.** Prevents network traffic from both Internet Explorer and Microsoft Edge to non-enterprise sites that can't render in the Application Guard container.

      **NOTE**: This action might also block assets cached by CDNs and references to analytics sites. Add them to the trusted enterprise resources to avoid broken pages.

      **Disabled or not configured.** Prevents Microsoft Edge to render network traffic to non-enterprise sites that can't render in Application Guard. | +|Allow Persistence|Windows 10 Enterprise, 1709 or higher

      Windows 10 Pro, 1803 or higher

      Windows 11|Determines whether data persists across different sessions in Microsoft Defender Application Guard.|**Enabled.** Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.

      **Disabled or not configured.** All user data within Application Guard is reset between sessions.

      **NOTE**: If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.

      **To reset the container:**
      1. Open a command-line program and navigate to `Windows/System32`.
      2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.
      3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.| +|Turn on Microsoft Defender Application Guard in Managed Mode|Windows 10 Enterprise, 1809 or higher

      Windows 11|Determines whether to turn on Application Guard for Microsoft Edge and Microsoft Office.|**Enabled.** Turns on Application Guard for Microsoft Edge and/or Microsoft Office, honoring the network isolation settings, rendering non-enterprise domains in the Application Guard container. Be aware that Application Guard won't actually be turned on unless the required prerequisites and network isolation settings are already set on the device. Available options:
      - Enable Microsoft Defender Application Guard only for Microsoft Edge
      - Enable Microsoft Defender Application Guard only for Microsoft Office
      - Enable Microsoft Defender Application Guard for both Microsoft Edge and Microsoft Office

      **Disabled.** Turns off Application Guard, allowing all apps to run in Microsoft Edge and Microsoft Office.| +|Allow files to download to host operating system|Windows 10 Enterprise, 1803 or higher

      Windows 11|Determines whether to save downloaded files to the host operating system from the Microsoft Defender Application Guard container.|**Enabled.** Allows users to save downloaded files from the Microsoft Defender Application Guard container to the host operating system. This action creates a share between the host and container that also allows for uploads from the host to the Application Guard container.

      **Disabled or not configured.** Users are not able to save downloaded files from Application Guard to the host operating system.| +|Allow hardware-accelerated rendering for Microsoft Defender Application Guard|Windows 10 Enterprise, 1803 or higher

      Windows 10 Pro, 1803 or higher

      Windows 11|Determines whether Microsoft Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering. **Important:** Be aware that enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.

      **Disabled or not configured.** Microsoft Defender Application Guard uses software-based (CPU) rendering and won’t load any third-party graphics drivers or interact with any connected graphics hardware.| +|Allow camera and microphone access in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher

      Windows 10 Pro, 1809 or higher

      Windows 11|Determines whether to allow camera and microphone access inside Microsoft Defender Application Guard.|**Enabled.** Applications inside Microsoft Defender Application Guard are able to access the camera and microphone on the user's device. **Important:** Be aware that enabling this policy with a potentially compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge.

      **Disabled or not configured.** Applications inside Microsoft Defender Application Guard are unable to access the camera and microphone on the user's device.| +|Allow Microsoft Defender Application Guard to use Root Certificate Authorities from a user's device|Windows 10 Enterprise, 1809 or higher

      Windows 10 Pro, 1809 or higher

      Windows 11|Determines whether Root Certificates are shared with Microsoft Defender Application Guard.|**Enabled.** Certificates matching the specified thumbprint are transferred into the container. Use a comma to separate multiple certificates.

      **Disabled or not configured.** Certificates are not shared with Microsoft Defender Application Guard.| +|Allow auditing events in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher

      Windows 10 Pro, 1809 or higher

      Windows 11|This policy setting allows you to decide whether auditing events can be collected from Microsoft Defender Application Guard.|**Enabled.** Application Guard inherits auditing policies from your device and logs system events from the Application Guard container to your host.

      **Disabled or not configured.** event logs aren't collected from your Application Guard container.| diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml index 9ad53a26f5..a34c5d900d 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml +++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml @@ -9,7 +9,7 @@ metadata: ms.localizationpriority: medium author: denisebmsft ms.author: deniseb - ms.date: 07/23/2021 + ms.date: 09/30/2021 ms.reviewer: manager: dansimp ms.custom: asr @@ -171,11 +171,6 @@ sections: 10. Choose **Apply to this Service** and select **Internet Connection Sharing (ICS) Shared Access**. - - question: | - Why can I not launch Application Guard when Exploit Guard is enabled? - answer: | - There is a known issue such that if you change the Exploit Protection settings for CFG and possibly others, hvsimgr cannot launch. To mitigate this issue, go to **Windows Security** > **App and Browser control** > **Exploit Protection Setting**, and then switch CFG to **use default**. - - question: | How can I disable portions of ICS without breaking Application Guard? answer: | @@ -217,6 +212,16 @@ sections: Policy: Allow installation of devices using drivers that match these device setup classes - `{71a27cdd-812a-11d0-bec7-08002be2092f}` + - question: | + I'm encountering TCP fragmentation issues, and cannot enable my VPN connection. How do I fix this? + answer: | + WinNAT drops ICMP/UDP messages with packets greater than MTU when using Default Switch or Docker NAT network. Support for this has been added in [KB4571744](https://www.catalog.update.microsoft.com/Search.aspx?q=4571744). To fix the issue, install the update and enable the fix by following these steps: + + 1. Ensure that the FragmentAware DWORD is set to 1 in this registry setting: `\Registry\Machine\SYSTEM\CurrentControlSet\Services\Winnat`. + + 2. Reboot the device. + + additionalContent: | ## See also diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md index 3b18ab25d3..c16ce0700e 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md @@ -1,5 +1,5 @@ --- -title: Enable hardware-based isolation for Microsoft Edge (Windows 10) +title: Enable hardware-based isolation for Microsoft Edge (Windows) description: Learn about the Microsoft Defender Application Guard modes (Standalone or Enterprise-managed), and how to install Application Guard in your enterprise. ms.prod: m365-security ms.mktglfcycl: manage @@ -8,7 +8,7 @@ ms.pagetype: security ms.localizationpriority: medium author: denisebmsft ms.author: deniseb -ms.date: 10/21/2020 +ms.date: 09/09/2021 ms.reviewer: manager: dansimp ms.custom: asr @@ -18,7 +18,9 @@ ms.technology: mde # Prepare to install Microsoft Defender Application Guard **Applies to:** -- - Windows 10 + +- Windows 10 +- Windows 11 ## Review system requirements @@ -34,6 +36,7 @@ Before you can install and use Microsoft Defender Application Guard, you must de Applies to: - Windows 10 Enterprise edition, version 1709 or higher - Windows 10 Pro edition, version 1803 +- Windows 11 Employees can use hardware-isolated browsing sessions without any administrator or management policy configuration. In this mode, you must install Application Guard and then the employee must manually start Microsoft Edge in Application Guard while browsing untrusted sites. For an example of how this works, see the [Application Guard in standalone mode](test-scenarios-md-app-guard.md) testing scenario. @@ -41,6 +44,7 @@ Employees can use hardware-isolated browsing sessions without any administrator Applies to: - Windows 10 Enterprise edition, version 1709 or higher +- Windows 11 You and your security department can define your corporate boundaries by explicitly adding trusted domains and by customizing the Application Guard experience to meet and enforce your needs on employee devices. Enterprise-managed mode also automatically redirects any browser requests to add non-enterprise domain(s) in the container. @@ -66,7 +70,7 @@ Application Guard functionality is turned off by default. However, you can quick >[!NOTE] >Ensure your devices have met all system requirements prior to this step. PowerShell will install the feature without checking system requirements. If your devices don't meet the system requirements, Application Guard may not work. This step is recommended for enterprise managed scenarios only. -1. Click the **Search** or **Cortana** icon in the Windows 10 taskbar and type **PowerShell**. +1. Click the **Search** or **Cortana** icon in the Windows 10 or Windows 11 taskbar and type **PowerShell**. 2. Right-click **Windows PowerShell**, and then click **Run as administrator**. @@ -120,4 +124,4 @@ Application Guard functionality is turned off by default. However, you can quick 1. Click **Save**. -After the profile is created, any devices to which the policy should apply will have Microsoft Defender Application Guard enabled. Users might have to restart their devices in order for protection to be in place. \ No newline at end of file +After the profile is created, any devices to which the policy should apply will have Microsoft Defender Application Guard enabled. Users might have to restart their devices in order for protection to be in place. diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-browser-extension.md b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-browser-extension.md index d507e47abf..90f1d07fca 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-browser-extension.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-browser-extension.md @@ -8,7 +8,7 @@ ms.pagetype: security ms.localizationpriority: medium author: martyav ms.author: v-maave -ms.date: 06/12/2020 +ms.date: 09/09/2021 ms.reviewer: manager: dansimp ms.custom: asr @@ -20,10 +20,11 @@ ms.technology: mde **Applies to:** - Windows 10 +- Windows 11 [Microsoft Defender Application Guard Extension](https://www.microsoft.com/security/blog/2019/05/23/new-browser-extensions-for-integrating-microsofts-hardware-based-isolation/) is a web browser add-on available for [Chrome](https://chrome.google.com/webstore/detail/application-guard-extensi/mfjnknhkkiafjajicegabkbimfhplplj/) and [Firefox](https://addons.mozilla.org/en-US/firefox/addon/application-guard-extension/). -[Microsoft Defender Application Guard](md-app-guard-overview.md) provides Hyper-V isolation on Windows 10, to protect users from potentially harmful content on the web. The extension helps Application Guard protect users running other web browsers. +[Microsoft Defender Application Guard](md-app-guard-overview.md) provides Hyper-V isolation on Windows 10 and Windows 11, to protect users from potentially harmful content on the web. The extension helps Application Guard protect users running other web browsers. > [!TIP] > Application Guard, by default, offers [native support](/deployedge/microsoft-edge-security-windows-defender-application-guard) to both Microsoft Edge and Internet Explorer. These browsers do not need the extension described here for Application Guard to protect them. @@ -37,6 +38,7 @@ Microsoft Defender Application Guard Extension works with the following editions - Windows 10 Professional - Windows 10 Enterprise - Windows 10 Education +- Windows 11 Application Guard itself is required for the extension to work. It has its own set of [requirements](reqs-md-app-guard.md). Check the Application Guard [installation guide](install-md-app-guard.md) for further steps, if you don't have it installed already. diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md index 4ad66674a9..640f7eae00 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md @@ -1,5 +1,5 @@ --- -title: Microsoft Defender Application Guard (Windows 10) +title: Microsoft Defender Application Guard (Windows 10 or Windows 11) description: Learn about Microsoft Defender Application Guard and how it helps to combat malicious content and malware out on the Internet. ms.prod: m365-security ms.mktglfcycl: manage @@ -8,7 +8,7 @@ ms.pagetype: security ms.localizationpriority: medium author: denisebmsft ms.author: deniseb -ms.date: 01/27/2021 +ms.date: 09/09/2021 ms.reviewer: manager: dansimp ms.custom: asr @@ -18,7 +18,9 @@ ms.technology: mde # Microsoft Defender Application Guard overview **Applies to** + - Windows 10 +- Windows 11 Microsoft Defender Application Guard (Application Guard) is designed to help prevent old and newly emerging attacks to help keep employees productive. Using our unique hardware isolation approach, our goal is to destroy the playbook that attackers use by making current attack methods obsolete. @@ -54,4 +56,4 @@ Application Guard has been created to target several types of devices: | [Microsoft Defender Application Guard Extension for web browsers](md-app-guard-browser-extension.md) | Describes the Application Guard extension for Chrome and Firefox, including known issues, and a troubleshooting guide | | [Microsoft Defender Application Guard for Microsoft Office](/microsoft-365/security/office-365-security/install-app-guard) | Describes Application Guard for Microsoft Office, including minimum hardware requirements, configuration, and a troubleshooting guide | |[Frequently asked questions - Microsoft Defender Application Guard](faq-md-app-guard.yml)|Provides answers to frequently asked questions about Application Guard features, integration with the Windows operating system, and general configuration.| -|[Use a network boundary to add trusted sites on Windows devices in Microsoft Intune](/mem/intune/configuration/network-boundary-windows)|Network boundary, a feature that helps you protect your environment from sites that aren't trusted by your organization.| \ No newline at end of file +|[Use a network boundary to add trusted sites on Windows devices in Microsoft Intune](/mem/intune/configuration/network-boundary-windows)|Network boundary, a feature that helps you protect your environment from sites that aren't trusted by your organization.| diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md index fb162b5632..9525a88395 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md @@ -8,7 +8,7 @@ ms.pagetype: security ms.localizationpriority: medium author: denisebmsft ms.author: deniseb -ms.date: 07/01/2021 +ms.date: 10/20/2021 ms.reviewer: manager: dansimp ms.custom: asr @@ -18,7 +18,9 @@ ms.technology: mde # System requirements for Microsoft Defender Application Guard **Applies to** + - Windows 10 +- Windows 11 The threat landscape is continually evolving. While hackers are busy developing new techniques to breach enterprise networks by compromising workstations, phishing schemes remain one of the top ways to lure employees into social engineering attacks. Microsoft Defender Application Guard is designed to help prevent old, and newly emerging attacks, to help keep employees productive. @@ -43,6 +45,6 @@ Your environment must have the following hardware to run Microsoft Defender Appl | Software | Description | |--------|-----------| -| Operating system | Windows 10 Enterprise edition, version 1809 or higher
      Windows 10 Professional edition, version 1809 or higher
      Windows 10 Professional for Workstations edition, version 1809 or higher
      Windows 10 Professional Education edition, version 1809 or higher
      Windows 10 Education edition, version 1809 or higher
      Professional editions are only supported for non-managed devices; Intune or any other 3rd party mobile device management (MDM) solutions are not supported with MDAG for Professional editions. | +| Operating system | Windows 10 Enterprise edition, version 1809 or higher
      Windows 10 Professional edition, version 1809 or higher
      Windows 10 Professional for Workstations edition, version 1809 or higher
      Windows 10 Professional Education edition, version 1809 or higher
      Windows 10 Education edition, version 1809 or higher
      Professional editions are only supported for non-managed devices; Intune or any other 3rd party mobile device management (MDM) solutions are not supported with MDAG for Professional editions.
      Windows 11 | | Browser | Microsoft Edge | -| Management system
      (only for managed devices)| [Microsoft Intune](/intune/)

      **OR**

      [Microsoft Endpoint Configuration Manager](/configmgr/)

      **OR**

      [Group Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753298(v=ws.11))

      **OR**

      Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product. | +| Management system
      (only for managed devices)| [Microsoft Intune](/intune/)

      **OR**

      [Microsoft Endpoint Configuration Manager](/configmgr/)

      **OR**

      [Group Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753298(v=ws.11))

      **OR**

      Your current, company-wide, non-Microsoft mobile device management (MDM) solution. For info about non-Mirosoft MDM solutions, see the documentation that came with your product. | diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md index d8ff39f397..292813b7c0 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md @@ -1,5 +1,5 @@ --- -title: Testing scenarios with Microsoft Defender Application Guard (Windows 10) +title: Testing scenarios with Microsoft Defender Application Guard (Windows 10 or Windows 11) description: Suggested testing scenarios for Microsoft Defender Application Guard, showing how it works in both Standalone and Enterprise-managed mode. ms.prod: m365-security ms.mktglfcycl: manage @@ -10,7 +10,7 @@ author: denisebmsft ms.author: deniseb ms.reviewer: manager: dansimp -ms.date: 09/14/2020 +ms.date: 09/09/2021 ms.custom: asr ms.technology: mde --- @@ -20,6 +20,7 @@ ms.technology: mde **Applies to:** - Windows 10 +- Windows 11 We've come up with a list of scenarios that you can use to test hardware-based isolation in your organization. @@ -50,7 +51,7 @@ How to install, set up, turn on, and configure Application Guard for Enterprise- ### Install, set up, and turn on Application Guard -Before you can use Application Guard in managed mode, you must install Windows 10 Enterprise edition, version 1709, which includes the functionality. Then, you must use Group Policy to set up the required settings. +Before you can use Application Guard in managed mode, you must install Windows 10 Enterprise edition, version 1709, and Windows 11 which includes the functionality. Then, you must use Group Policy to set up the required settings. 1. [Install Application Guard](./install-md-app-guard.md#install-application-guard). @@ -111,6 +112,7 @@ You have the option to change each of these settings to work with your enterpris - Windows 10 Enterprise edition, version 1709 or higher - Windows 10 Professional edition, version 1803 +- Windows 11 #### Copy and paste options @@ -169,7 +171,7 @@ You have the option to change each of these settings to work with your enterpris The previously added site should still appear in your **Favorites** list. > [!NOTE] - > If you don't allow or turn off data persistence, restarting a device or logging in and out of the isolated container triggers a recycle event that discards all generated data, including session cookies, Favorites, and so on, removing the data from Application Guard. If you turn on data persistence, all employee-generated artifacts are preserved across container recycle events. However, these artifacts only exist in the isolated container and aren't shared with the host PC. This data persists after restarts and even through build-to-build upgrades of Windows 10. + > If you don't allow or turn off data persistence, restarting a device or logging in and out of the isolated container triggers a recycle event that discards all generated data, including session cookies, Favorites, and so on, removing the data from Application Guard. If you turn on data persistence, all employee-generated artifacts are preserved across container recycle events. However, these artifacts only exist in the isolated container and aren't shared with the host PC. This data persists after restarts and even through build-to-build upgrades of Windows 10 and Windows 11. > > If you turn on data persistence, but later decide to stop supporting it for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data. > @@ -179,6 +181,7 @@ You have the option to change each of these settings to work with your enterpris - Windows 10 Enterprise edition, version 1803 - Windows 10 Professional edition, version 1803 +- Windows 11 #### Download options @@ -210,12 +213,13 @@ You have the option to change each of these settings to work with your enterpris - Windows 10 Enterprise edition, version 1809 - Windows 10 Professional edition, version 1809 +- Windows 11 #### File trust options 1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Allow users to trust files that open in Microsoft Defender Application Guard** setting. -2. Click **Enabled**, set **Options** to 2, and click **OK**. +2. Click **Enabled**, set **Options** to **2**, and click **OK**. ![Group Policy editor File trust options.](images/appguard-gp-allow-users-to-trust-files-that-open-in-appguard.png) diff --git a/windows/security/threat-protection/msft-security-dev-lifecycle.md b/windows/security/threat-protection/msft-security-dev-lifecycle.md new file mode 100644 index 0000000000..c16994d574 --- /dev/null +++ b/windows/security/threat-protection/msft-security-dev-lifecycle.md @@ -0,0 +1,31 @@ +--- +title: Microsoft Security Development Lifecycle +description: Download the Microsoft Security Development Lifecycle white paper which covers a security assurance process focused on software development. +ms.prod: m365-security +audience: ITPro +author: dansimp +ms.author: dansimp +manager: dansimp +ms.collection: M365-identity-device-management +ms.topic: article +ms.localizationpriority: medium +ms.reviewer: +ms.technology: other +--- + +# Microsoft Security Development Lifecycle + +The Security Development Lifecycle (SDL) is a security assurance process that is focused on software development. As a Microsoft-wide initiative and a mandatory policy since 2004, the SDL has played a critical role in embedding security and privacy in software and culture at Microsoft. + +[:::image type="content" source="images/simplified-sdl.png" alt-text="Simplified secure development lifecycle":::](https://www.microsoft.com/en-us/securityengineering/sdl) + +Combining a holistic and practical approach, the SDL aims to reduce the number and severity of vulnerabilities in software. The SDL introduces security and privacy throughout all phases of the development process. + +The Microsoft SDL is based on three core concepts: +- Education +- Continuous process improvement +- Accountability + +To learn more about the SDL, visit the [Security Engineering site](https://www.microsoft.com/en-us/securityengineering/sdl). + +And, download the [Simplified Implementation of the Microsoft SDL whitepaper](https://go.microsoft.com/?linkid=9708425). \ No newline at end of file diff --git a/windows/security/threat-protection/security-policy-settings/TOC.yml b/windows/security/threat-protection/security-policy-settings/TOC.yml new file mode 100644 index 0000000000..1ddc477ef1 --- /dev/null +++ b/windows/security/threat-protection/security-policy-settings/TOC.yml @@ -0,0 +1,351 @@ + - name: Security policy settings + href: security-policy-settings.md + items: + - name: Administer security policy settings + href: administer-security-policy-settings.md + items: + - name: Network List Manager policies + href: network-list-manager-policies.md + - name: Configure security policy settings + href: how-to-configure-security-policy-settings.md + - name: Security policy settings reference + href: security-policy-settings-reference.md + items: + - name: Account Policies + href: account-policies.md + items: + - name: Password Policy + href: password-policy.md + items: + - name: Enforce password history + href: enforce-password-history.md + - name: Maximum password age + href: maximum-password-age.md + - name: Minimum password age + href: minimum-password-age.md + - name: Minimum password length + href: minimum-password-length.md + - name: Password must meet complexity requirements + href: password-must-meet-complexity-requirements.md + - name: Store passwords using reversible encryption + href: store-passwords-using-reversible-encryption.md + - name: Account Lockout Policy + href: account-lockout-policy.md + items: + - name: Account lockout duration + href: account-lockout-duration.md + - name: Account lockout threshold + href: account-lockout-threshold.md + - name: Reset account lockout counter after + href: reset-account-lockout-counter-after.md + - name: Kerberos Policy + href: kerberos-policy.md + items: + - name: Enforce user logon restrictions + href: enforce-user-logon-restrictions.md + - name: Maximum lifetime for service ticket + href: maximum-lifetime-for-service-ticket.md + - name: Maximum lifetime for user ticket + href: maximum-lifetime-for-user-ticket.md + - name: Maximum lifetime for user ticket renewal + href: maximum-lifetime-for-user-ticket-renewal.md + - name: Maximum tolerance for computer clock synchronization + href: maximum-tolerance-for-computer-clock-synchronization.md + - name: Audit Policy + href: audit-policy.md + - name: Security Options + href: security-options.md + items: + - name: "Accounts: Administrator account status" + href: accounts-administrator-account-status.md + - name: "Accounts: Block Microsoft accounts" + href: accounts-block-microsoft-accounts.md + - name: "Accounts: Guest account status" + href: accounts-guest-account-status.md + - name: "Accounts: Limit local account use of blank passwords to console logon only" + href: accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md + - name: "Accounts: Rename administrator account" + href: accounts-rename-administrator-account.md + - name: "Accounts: Rename guest account" + href: accounts-rename-guest-account.md + - name: "Audit: Audit the access of global system objects" + href: audit-audit-the-access-of-global-system-objects.md + - name: "Audit: Audit the use of Backup and Restore privilege" + href: audit-audit-the-use-of-backup-and-restore-privilege.md + - name: "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" + href: audit-force-audit-policy-subcategory-settings-to-override.md + - name: "Audit: Shut down system immediately if unable to log security audits" + href: audit-shut-down-system-immediately-if-unable-to-log-security-audits.md + - name: "DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax" + href: dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md + - name: "DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax" + href: dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md + - name: "Devices: Allow undock without having to log on" + href: devices-allow-undock-without-having-to-log-on.md + - name: "Devices: Allowed to format and eject removable media" + href: devices-allowed-to-format-and-eject-removable-media.md + - name: "Devices: Prevent users from installing printer drivers" + href: devices-prevent-users-from-installing-printer-drivers.md + - name: "Devices: Restrict CD-ROM access to locally logged-on user only" + href: devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md + - name: "Devices: Restrict floppy access to locally logged-on user only" + href: devices-restrict-floppy-access-to-locally-logged-on-user-only.md + - name: "Domain controller: Allow server operators to schedule tasks" + href: domain-controller-allow-server-operators-to-schedule-tasks.md + - name: "Domain controller: LDAP server signing requirements" + href: domain-controller-ldap-server-signing-requirements.md + - name: "Domain controller: Refuse machine account password changes" + href: domain-controller-refuse-machine-account-password-changes.md + - name: "Domain member: Digitally encrypt or sign secure channel data (always)" + href: domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md + - name: "Domain member: Digitally encrypt secure channel data (when possible)" + href: domain-member-digitally-encrypt-secure-channel-data-when-possible.md + - name: "Domain member: Digitally sign secure channel data (when possible)" + href: domain-member-digitally-sign-secure-channel-data-when-possible.md + - name: "Domain member: Disable machine account password changes" + href: domain-member-disable-machine-account-password-changes.md + - name: "Domain member: Maximum machine account password age" + href: domain-member-maximum-machine-account-password-age.md + - name: "Domain member: Require strong (Windows 2000 or later) session key" + href: domain-member-require-strong-windows-2000-or-later-session-key.md + - name: "Interactive logon: Display user information when the session is locked" + href: interactive-logon-display-user-information-when-the-session-is-locked.md + - name: "Interactive logon: Don't display last signed-in" + href: interactive-logon-do-not-display-last-user-name.md + - name: "Interactive logon: Don't display username at sign-in" + href: interactive-logon-dont-display-username-at-sign-in.md + - name: "Interactive logon: Do not require CTRL+ALT+DEL" + href: interactive-logon-do-not-require-ctrl-alt-del.md + - name: "Interactive logon: Machine account lockout threshold" + href: interactive-logon-machine-account-lockout-threshold.md + - name: "Interactive logon: Machine inactivity limit" + href: interactive-logon-machine-inactivity-limit.md + - name: "Interactive logon: Message text for users attempting to log on" + href: interactive-logon-message-text-for-users-attempting-to-log-on.md + - name: "Interactive logon: Message title for users attempting to log on" + href: interactive-logon-message-title-for-users-attempting-to-log-on.md + - name: "Interactive logon: Number of previous logons to cache (in case domain controller is not available)" + href: interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md + - name: "Interactive logon: Prompt user to change password before expiration" + href: interactive-logon-prompt-user-to-change-password-before-expiration.md + - name: "Interactive logon: Require Domain Controller authentication to unlock workstation" + href: interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md + - name: "Interactive logon: Require smart card" + href: interactive-logon-require-smart-card.md + - name: "Interactive logon: Smart card removal behavior" + href: interactive-logon-smart-card-removal-behavior.md + - name: "Microsoft network client: Digitally sign communications (always)" + href: microsoft-network-client-digitally-sign-communications-always.md + - name: "SMBv1 Microsoft network client: Digitally sign communications (always)" + href: smbv1-microsoft-network-client-digitally-sign-communications-always.md + - name: "SMBv1 Microsoft network client: Digitally sign communications (if server agrees)" + href: smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md + - name: "Microsoft network client: Send unencrypted password to third-party SMB servers" + href: microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md + - name: "Microsoft network server: Amount of idle time required before suspending session" + href: microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md + - name: "Microsoft network server: Attempt S4U2Self to obtain claim information" + href: microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md + - name: "Microsoft network server: Digitally sign communications (always)" + href: microsoft-network-server-digitally-sign-communications-always.md + - name: "SMBv1 Microsoft network server: Digitally sign communications (always)" + href: smbv1-microsoft-network-server-digitally-sign-communications-always.md + - name: "SMBv1 Microsoft network server: Digitally sign communications (if client agrees)" + href: smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md + - name: "Microsoft network server: Disconnect clients when logon hours expire" + href: microsoft-network-server-disconnect-clients-when-logon-hours-expire.md + - name: "Microsoft network server: Server SPN target name validation level" + href: microsoft-network-server-server-spn-target-name-validation-level.md + - name: "Network access: Allow anonymous SID/Name translation" + href: network-access-allow-anonymous-sidname-translation.md + - name: "Network access: Do not allow anonymous enumeration of SAM accounts" + href: network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md + - name: "Network access: Do not allow anonymous enumeration of SAM accounts and shares" + href: network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md + - name: "Network access: Do not allow storage of passwords and credentials for network authentication" + href: network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md + - name: "Network access: Let Everyone permissions apply to anonymous users" + href: network-access-let-everyone-permissions-apply-to-anonymous-users.md + - name: "Network access: Named Pipes that can be accessed anonymously" + href: network-access-named-pipes-that-can-be-accessed-anonymously.md + - name: "Network access: Remotely accessible registry paths" + href: network-access-remotely-accessible-registry-paths.md + - name: "Network access: Remotely accessible registry paths and subpaths" + href: network-access-remotely-accessible-registry-paths-and-subpaths.md + - name: "Network access: Restrict anonymous access to Named Pipes and Shares" + href: network-access-restrict-anonymous-access-to-named-pipes-and-shares.md + - name: "Network access: Restrict clients allowed to make remote calls to SAM" + href: network-access-restrict-clients-allowed-to-make-remote-sam-calls.md + - name: "Network access: Shares that can be accessed anonymously" + href: network-access-shares-that-can-be-accessed-anonymously.md + - name: "Network access: Sharing and security model for local accounts" + href: network-access-sharing-and-security-model-for-local-accounts.md + - name: "Network security: Allow Local System to use computer identity for NTLM" + href: network-security-allow-local-system-to-use-computer-identity-for-ntlm.md + - name: "Network security: Allow LocalSystem NULL session fallback" + href: network-security-allow-localsystem-null-session-fallback.md + - name: "Network security: Allow PKU2U authentication requests to this computer to use online identities" + href: network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md + - name: "Network security: Configure encryption types allowed for Kerberos" + href: network-security-configure-encryption-types-allowed-for-kerberos.md + - name: "Network security: Do not store LAN Manager hash value on next password change" + href: network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md + - name: "Network security: Force logoff when logon hours expire" + href: network-security-force-logoff-when-logon-hours-expire.md + - name: "Network security: LAN Manager authentication level" + href: network-security-lan-manager-authentication-level.md + - name: "Network security: LDAP client signing requirements" + href: network-security-ldap-client-signing-requirements.md + - name: "Network security: Minimum session security for NTLM SSP based (including secure RPC) clients" + href: network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md + - name: "Network security: Minimum session security for NTLM SSP based (including secure RPC) servers" + href: network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md + - name: "Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication" + href: network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md + - name: "Network security: Restrict NTLM: Add server exceptions in this domain" + href: network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md + - name: "Network security: Restrict NTLM: Audit incoming NTLM traffic" + href: network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md + - name: "Network security: Restrict NTLM: Audit NTLM authentication in this domain" + href: network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md + - name: "Network security: Restrict NTLM: Incoming NTLM traffic" + href: network-security-restrict-ntlm-incoming-ntlm-traffic.md + - name: "Network security: Restrict NTLM: NTLM authentication in this domain" + href: network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md + - name: "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" + href: network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md + - name: "Recovery console: Allow automatic administrative logon" + href: recovery-console-allow-automatic-administrative-logon.md + - name: "Recovery console: Allow floppy copy and access to all drives and folders" + href: recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md + - name: "Shutdown: Allow system to be shut down without having to log on" + href: shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md + - name: "Shutdown: Clear virtual memory pagefile" + href: shutdown-clear-virtual-memory-pagefile.md + - name: "System cryptography: Force strong key protection for user keys stored on the computer" + href: system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md + - name: "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" + href: system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md + - name: "System objects: Require case insensitivity for non-Windows subsystems" + href: system-objects-require-case-insensitivity-for-non-windows-subsystems.md + - name: "System objects: Strengthen default permissions of internal system objects (Symbolic Links)" + href: system-objects-strengthen-default-permissions-of-internal-system-objects.md + - name: "System settings: Optional subsystems" + href: system-settings-optional-subsystems.md + - name: "System settings: Use certificate rules on Windows executables for Software Restriction Policies" + href: system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md + - name: "User Account Control: Admin Approval Mode for the Built-in Administrator account" + href: user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md + - name: "User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop" + href: user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md + - name: "User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode" + href: user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md + - name: "User Account Control: Behavior of the elevation prompt for standard users" + href: user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md + - name: "User Account Control: Detect application installations and prompt for elevation" + href: user-account-control-detect-application-installations-and-prompt-for-elevation.md + - name: "User Account Control: Only elevate executables that are signed and validated" + href: user-account-control-only-elevate-executables-that-are-signed-and-validated.md + - name: "User Account Control: Only elevate UIAccess applications that are installed in secure locations" + href: user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md + - name: "User Account Control: Run all administrators in Admin Approval Mode" + href: user-account-control-run-all-administrators-in-admin-approval-mode.md + - name: "User Account Control: Switch to the secure desktop when prompting for elevation" + href: user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md + - name: "User Account Control: Virtualize file and registry write failures to per-user locations" + href: user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md + - name: Advanced security audit policy settings + href: secpol-advanced-security-audit-policy-settings.md + - name: User Rights Assignment + href: user-rights-assignment.md + items: + - name: Access Credential Manager as a trusted caller + href: access-credential-manager-as-a-trusted-caller.md + - name: Access this computer from the network + href: access-this-computer-from-the-network.md + - name: Act as part of the operating system + href: act-as-part-of-the-operating-system.md + - name: Add workstations to domain + href: add-workstations-to-domain.md + - name: Adjust memory quotas for a process + href: adjust-memory-quotas-for-a-process.md + - name: Allow log on locally + href: allow-log-on-locally.md + - name: Allow log on through Remote Desktop Services + href: allow-log-on-through-remote-desktop-services.md + - name: Back up files and directories + href: back-up-files-and-directories.md + - name: Bypass traverse checking + href: bypass-traverse-checking.md + - name: Change the system time + href: change-the-system-time.md + - name: Change the time zone + href: change-the-time-zone.md + - name: Create a pagefile + href: create-a-pagefile.md + - name: Create a token object + href: create-a-token-object.md + - name: Create global objects + href: create-global-objects.md + - name: Create permanent shared objects + href: create-permanent-shared-objects.md + - name: Create symbolic links + href: create-symbolic-links.md + - name: Debug programs + href: debug-programs.md + - name: Deny access to this computer from the network + href: deny-access-to-this-computer-from-the-network.md + - name: Deny log on as a batch job + href: deny-log-on-as-a-batch-job.md + - name: Deny log on as a service + href: deny-log-on-as-a-service.md + - name: Deny log on locally + href: deny-log-on-locally.md + - name: Deny log on through Remote Desktop Services + href: deny-log-on-through-remote-desktop-services.md + - name: Enable computer and user accounts to be trusted for delegation + href: enable-computer-and-user-accounts-to-be-trusted-for-delegation.md + - name: Force shutdown from a remote system + href: force-shutdown-from-a-remote-system.md + - name: Generate security audits + href: generate-security-audits.md + - name: Impersonate a client after authentication + href: impersonate-a-client-after-authentication.md + - name: Increase a process working set + href: increase-a-process-working-set.md + - name: Increase scheduling priority + href: increase-scheduling-priority.md + - name: Load and unload device drivers + href: load-and-unload-device-drivers.md + - name: Lock pages in memory + href: lock-pages-in-memory.md + - name: Log on as a batch job + href: log-on-as-a-batch-job.md + - name: Log on as a service + href: log-on-as-a-service.md + - name: Manage auditing and security log + href: manage-auditing-and-security-log.md + - name: Modify an object label + href: modify-an-object-label.md + - name: Modify firmware environment values + href: modify-firmware-environment-values.md + - name: Perform volume maintenance tasks + href: perform-volume-maintenance-tasks.md + - name: Profile single process + href: profile-single-process.md + - name: Profile system performance + href: profile-system-performance.md + - name: Remove computer from docking station + href: remove-computer-from-docking-station.md + - name: Replace a process level token + href: replace-a-process-level-token.md + - name: Restore files and directories + href: restore-files-and-directories.md + - name: Shut down the system + href: shut-down-the-system.md + - name: Synchronize directory service data + href: synchronize-directory-service-data.md + - name: Take ownership of files or other objects + href: take-ownership-of-files-or-other-objects.md + - name: Windows security + href: /windows/security/ \ No newline at end of file diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md index 40a53c2736..605dfd0cfd 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md @@ -1,5 +1,5 @@ --- -title: Network security Allow Local System to use computer identity for NTLM (Windows 10) +title: "Network security: Allow Local System to use computer identity for NTLM (Windows 10)" description: Location, values, policy management, and security considerations for the policy setting, Network security Allow Local System to use computer identity for NTLM. ms.assetid: c46a658d-b7a4-4139-b7ea-b9268c240053 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 10/04/2021 ms.technology: mde --- diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md b/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md index de0490479f..688bce1b38 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 10/11/2021 ms.technology: mde --- @@ -46,7 +46,7 @@ This policy setting determines the behavior of the elevation prompt for standard ### Best practices 1. Configure the **User Account Control: Behavior of the elevation prompt for standard users** to **Automatically deny elevation requests**. This setting requires the user to log on with an administrative account to run programs that require elevation of privilege. -2. As a security best practice, standard users should not have knowledge of administrative passwords. However, if your users have both standard and administrator-level accounts, set **Prompt for credentials** so that the users do not choose to always log on with their administrator accounts, and they shift their behavior to use the standard user account. +2. As a security best practice, standard users should not have knowledge of administrative passwords. However, if your users have both standard and administrator-level accounts, set **Prompt for credentials on the secure desktop** so that the users do not choose to always log on with their administrator accounts, and they shift their behavior to use the standard user account. ### Location diff --git a/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md b/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md index 9c23deaecd..1fd7837df9 100644 --- a/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md +++ b/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md @@ -26,7 +26,7 @@ ms.technology: mde - Windows 11 >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). Beginning with the Windows 10 November 2019 update (build 18363), Microsoft Intune enables customers to deploy and run business critical Win32 applications and Windows components that are normally blocked in S mode (ex. PowerShell.exe) on their Intune-managed Windows in S mode devices. diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.yml b/windows/security/threat-protection/windows-defender-application-control/TOC.yml index 2a9d13497a..6e2bbdd64b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/TOC.yml +++ b/windows/security/threat-protection/windows-defender-application-control/TOC.yml @@ -1,5 +1,8 @@ - name: Application Control for Windows + href: index.yml +- name: About application control for Windows href: windows-defender-application-control.md + expanded: true items: - name: WDAC and AppLocker Overview href: wdac-and-applocker-overview.md @@ -292,3 +295,6 @@ href: applocker\using-event-viewer-with-applocker.md - name: AppLocker Settings href: applocker\applocker-settings.md +- name: Windows security + href: /windows/security/ + diff --git a/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md b/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md index 5d98c29cbb..f200b445bc 100644 --- a/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md @@ -26,7 +26,7 @@ ms.technology: mde - Windows Server 2016 and later > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). The [Microsoft Component Object Model (COM)](/windows/desktop/com/the-component-object-model) is a platform-independent, distributed, object-oriented system for creating binary software components that can interact. COM specifies an object model and programming requirements that enable COM objects to interact with other objects. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/TOC.yml b/windows/security/threat-protection/windows-defender-application-control/applocker/TOC.yml deleted file mode 100644 index b796c0e95e..0000000000 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/TOC.yml +++ /dev/null @@ -1,186 +0,0 @@ -- name: AppLocker - href: applocker-overview.md - items: - - name: Administer AppLocker - href: administer-applocker.md - items: - - name: Maintain AppLocker policies - href: maintain-applocker-policies.md - - name: Edit an AppLocker policy - href: edit-an-applocker-policy.md - - name: Test and update an AppLocker policy - href: test-and-update-an-applocker-policy.md - - name: Deploy AppLocker policies by using the enforce rules setting - href: deploy-applocker-policies-by-using-the-enforce-rules-setting.md - - name: Use the AppLocker Windows PowerShell cmdlets - href: use-the-applocker-windows-powershell-cmdlets.md - - name: Use AppLocker and Software Restriction Policies in the same domain - href: use-applocker-and-software-restriction-policies-in-the-same-domain.md - - name: Optimize AppLocker performance - href: optimize-applocker-performance.md - - name: Monitor app usage with AppLocker - href: monitor-application-usage-with-applocker.md - - name: Manage packaged apps with AppLocker - href: manage-packaged-apps-with-applocker.md - - name: Working with AppLocker rules - href: working-with-applocker-rules.md - items: - - name: Create a rule that uses a file hash condition - href: create-a-rule-that-uses-a-file-hash-condition.md - - name: Create a rule that uses a path condition - href: create-a-rule-that-uses-a-path-condition.md - - name: Create a rule that uses a publisher condition - href: create-a-rule-that-uses-a-publisher-condition.md - - name: Create AppLocker default rules - href: create-applocker-default-rules.md - - name: Add exceptions for an AppLocker rule - href: configure-exceptions-for-an-applocker-rule.md - - name: Create a rule for packaged apps - href: create-a-rule-for-packaged-apps.md - - name: Delete an AppLocker rule - href: delete-an-applocker-rule.md - - name: Edit AppLocker rules - href: edit-applocker-rules.md - - name: Enable the DLL rule collection - href: enable-the-dll-rule-collection.md - - name: Enforce AppLocker rules - href: enforce-applocker-rules.md - - name: Run the Automatically Generate Rules wizard - href: run-the-automatically-generate-rules-wizard.md - - name: Working with AppLocker policies - href: working-with-applocker-policies.md - items: - - name: Configure the Application Identity service - href: configure-the-application-identity-service.md - - name: Configure an AppLocker policy for audit only - href: configure-an-applocker-policy-for-audit-only.md - - name: Configure an AppLocker policy for enforce rules - href: configure-an-applocker-policy-for-enforce-rules.md - - name: Display a custom URL message when users try to run a blocked app - href: display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md - - name: Export an AppLocker policy from a GPO - href: export-an-applocker-policy-from-a-gpo.md - - name: Export an AppLocker policy to an XML file - href: export-an-applocker-policy-to-an-xml-file.md - - name: Import an AppLocker policy from another computer - href: import-an-applocker-policy-from-another-computer.md - - name: Import an AppLocker policy into a GPO - href: import-an-applocker-policy-into-a-gpo.md - - name: Add rules for packaged apps to existing AppLocker rule-set - href: add-rules-for-packaged-apps-to-existing-applocker-rule-set.md - - name: Merge AppLocker policies by using Set-ApplockerPolicy - href: merge-applocker-policies-by-using-set-applockerpolicy.md - - name: Merge AppLocker policies manually - href: merge-applocker-policies-manually.md - - name: Refresh an AppLocker policy - href: refresh-an-applocker-policy.md - - name: Test an AppLocker policy by using Test-AppLockerPolicy - href: test-an-applocker-policy-by-using-test-applockerpolicy.md - - name: AppLocker design guide - href: applocker-policies-design-guide.md - items: - - name: Understand AppLocker policy design decisions - href: understand-applocker-policy-design-decisions.md - - name: Determine your application control objectives - href: determine-your-application-control-objectives.md - - name: Create a list of apps deployed to each business group - href: create-list-of-applications-deployed-to-each-business-group.md - items: - - name: Document your app list - href: document-your-application-list.md - - name: Select the types of rules to create - href: select-types-of-rules-to-create.md - items: - - name: Document your AppLocker rules - href: document-your-applocker-rules.md - - name: Determine the Group Policy structure and rule enforcement - href: determine-group-policy-structure-and-rule-enforcement.md - items: - - name: Understand AppLocker enforcement settings - href: understand-applocker-enforcement-settings.md - - name: Understand AppLocker rules and enforcement setting inheritance in Group Policy - href: understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md - - name: Document the Group Policy structure and AppLocker rule enforcement - href: document-group-policy-structure-and-applocker-rule-enforcement.md - - name: Plan for AppLocker policy management - href: plan-for-applocker-policy-management.md - - name: AppLocker deployment guide - href: applocker-policies-deployment-guide.md - items: - - name: Understand the AppLocker policy deployment process - href: understand-the-applocker-policy-deployment-process.md - - name: Requirements for Deploying AppLocker Policies - href: requirements-for-deploying-applocker-policies.md - - name: Use Software Restriction Policies and AppLocker policies - href: using-software-restriction-policies-and-applocker-policies.md - - name: Create Your AppLocker policies - href: create-your-applocker-policies.md - items: - - name: Create Your AppLocker rules - href: create-your-applocker-rules.md - - name: Deploy the AppLocker policy into production - href: deploy-the-applocker-policy-into-production.md - items: - - name: Use a reference device to create and maintain AppLocker policies - href: use-a-reference-computer-to-create-and-maintain-applocker-policies.md - - name: Determine which apps are digitally signed on a reference device - href: determine-which-applications-are-digitally-signed-on-a-reference-computer.md - - name: Configure the AppLocker reference device - href: configure-the-appLocker-reference-device.md - - name: AppLocker technical reference - href: applocker-technical-reference.md - items: - - name: What Is AppLocker? - href: what-is-applocker.md - - name: Requirements to use AppLocker - href: requirements-to-use-applocker.md - - name: AppLocker policy use scenarios - href: applocker-policy-use-scenarios.md - - name: How AppLocker works - href: how-applocker-works-techref.md - items: - - name: Understanding AppLocker rule behavior - href: understanding-applocker-rule-behavior.md - - name: Understanding AppLocker rule exceptions - href: understanding-applocker-rule-exceptions.md - - name: Understanding AppLocker rule collections - href: understanding-applocker-rule-collections.md - - name: Understanding AppLocker allow and deny actions on rules - href: understanding-applocker-allow-and-deny-actions-on-rules.md - - name: Understanding AppLocker rule condition types - href: understanding-applocker-rule-condition-types.md - items: - - name: Understanding the publisher rule condition in AppLocker - href: understanding-the-publisher-rule-condition-in-applocker.md - - name: Understanding the path rule condition in AppLocker - href: understanding-the-path-rule-condition-in-applocker.md - - name: Understanding the file hash rule condition in AppLocker - href: understanding-the-file-hash-rule-condition-in-applocker.md - - name: Understanding AppLocker default rules - href: understanding-applocker-default-rules.md - items: - - name: Executable rules in AppLocker - href: executable-rules-in-applocker.md - - name: Windows Installer rules in AppLocker - href: windows-installer-rules-in-applocker.md - - name: Script rules in AppLocker - href: script-rules-in-applocker.md - - name: DLL rules in AppLocker - href: dll-rules-in-applocker.md - - name: Packaged apps and packaged app installer rules in AppLocker - href: packaged-apps-and-packaged-app-installer-rules-in-applocker.md - - name: AppLocker architecture and components - href: applocker-architecture-and-components.md - - name: AppLocker processes and interactions - href: applocker-processes-and-interactions.md - - name: AppLocker functions - href: applocker-functions.md - - name: Security considerations for AppLocker - href: security-considerations-for-applocker.md - - name: Tools to Use with AppLocker - href: tools-to-use-with-applocker.md - items: - - name: Using Event Viewer with AppLocker - href: using-event-viewer-with-applocker.md - - name: AppLocker Settings - href: applocker-settings.md diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md b/windows/security/threat-protection/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md index 9036f3e4c1..727135ff89 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes how to update your existing AppLocker policies for packaged apps using the Remote Server Administration Toolkit (RSAT). diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md index 7f2698f4c6..9838e069b1 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals provides links to specific procedures to use when administering AppLocker policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-architecture-and-components.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-architecture-and-components.md index 44cb55c39e..f11b29225e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-architecture-and-components.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-architecture-and-components.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professional describes AppLocker’s basic architecture and its major components. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-functions.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-functions.md index c6b0e3ecf4..a095a49531 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-functions.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-functions.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This article for the IT professional lists the functions and security levels for the Software Restriction Policies (SRP) and AppLocker features. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md index 93a162dc9a..45cbf5c074 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies. AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md index 86a8829b86..d5c03fc57e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md @@ -28,7 +28,7 @@ ms.technology: mde - Windows Server 2016 and above > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals introduces the concepts and describes the steps required to deploy AppLocker policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-design-guide.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-design-guide.md index a7d286ac77..d0df809923 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-design-guide.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-design-guide.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for the IT professional introduces the design and planning steps required to deploy application control policies by using AppLocker. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policy-use-scenarios.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policy-use-scenarios.md index 9afaf76dd4..1314f32db2 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policy-use-scenarios.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policy-use-scenarios.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for the IT professional lists the various application control scenarios in which AppLocker policies can be effectively implemented. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-processes-and-interactions.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-processes-and-interactions.md index 72c593b20b..ccb2db435b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-processes-and-interactions.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-processes-and-interactions.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for the IT professional describes the process dependencies and interactions when AppLocker evaluates and enforces rules. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-settings.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-settings.md index e6ffbc2ba9..504b6ddc8e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-settings.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-settings.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for the IT professional lists the settings used by AppLocker. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-technical-reference.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-technical-reference.md index 49e952d360..72e525eb33 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-technical-reference.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-technical-reference.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This overview topic for IT professionals provides links to the topics in the technical reference. AppLocker advances the application control features and functionality of Software Restriction Policies. AppLocker contains new capabilities and extensions that allow you to create rules to allow or deny apps from running based on unique identities of files and to specify which users or groups can run those apps. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md index 44e68d79c2..0c75f461a6 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes how to set AppLocker policies to **Audit only** within your IT environment by using AppLocker. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-enforce-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-enforce-rules.md index e59657993f..411f862d54 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-enforce-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-enforce-rules.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes the steps to enable the AppLocker policy enforcement setting. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-exceptions-for-an-applocker-rule.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-exceptions-for-an-applocker-rule.md index a018cafadb..f349cab5c6 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-exceptions-for-an-applocker-rule.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-exceptions-for-an-applocker-rule.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes the steps to specify which apps can or cannot run as exceptions to an AppLocker rule. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-appLocker-reference-device.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-appLocker-reference-device.md index e836660931..1f654436af 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-appLocker-reference-device.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-appLocker-reference-device.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for the IT professional describes the steps to create an AppLocker policy platform structure on a reference computer. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md index 0501a133b2..37736b98e8 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals shows how to configure the Application Identity service to start automatically or manually. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md index eecd667d2b..6a921a1a9f 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This article for IT professionals shows how to create an AppLocker rule for packaged apps with a publisher condition. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-file-hash-condition.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-file-hash-condition.md index 141694e9b1..ae414198e7 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-file-hash-condition.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-file-hash-condition.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals shows how to create an AppLocker rule with a file hash condition. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-path-condition.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-path-condition.md index 3efd61d7e9..305a8f1f28 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-path-condition.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-path-condition.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals shows how to create an AppLocker rule with a path condition. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-publisher-condition.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-publisher-condition.md index 8554f3c9f2..e54c7be041 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-publisher-condition.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-publisher-condition.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals shows how to create an AppLocker rule with a publisher condition. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-applocker-default-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-applocker-default-rules.md index 1b41d7d17d..7d5cb87442 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-applocker-default-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-applocker-default-rules.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes the steps to create a standard set of AppLocker rules that will allow Windows system files to run. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md index 61d80caa45..ca15623e30 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic describes the process of gathering app usage requirements from each business group in order to implement application control policies by using AppLocker. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-policies.md index a4dd6d3cbb..3a1109a239 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-policies.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This overview topic for the IT professional describes the steps to create an AppLocker policy and prepare it for deployment. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-rules.md index 49afa8e599..bbf2bbc5f2 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-rules.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for the IT professional describes what you need to know about AppLocker rules and the methods that you can to create rules. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md b/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md index d99290ca20..a76438913f 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This article for IT professionals describes the steps to delete an AppLocker rule. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md b/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md index 4eacf25176..bd37f7dbd6 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes the steps to deploy AppLocker policies by using the enforcement setting method. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-the-applocker-policy-into-production.md b/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-the-applocker-policy-into-production.md index 1cef053c49..801357a512 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-the-applocker-policy-into-production.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-the-applocker-policy-into-production.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for the IT professional describes the tasks that should be completed before you deploy AppLocker application control settings. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement.md b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement.md index 4e97c71abe..56fabec7f0 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This overview topic describes the process to follow when you are planning to deploy AppLocker rules. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md index cd61c3ae04..0f79249eb4 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for the IT professional describes how to use AppLocker logs and tools to determine which applications are digitally signed. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md index 90e037220c..f1a3d2fdb0 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This article helps with decisions you need to make to determine what applications to control and how to control them by comparing Software Restriction Policies (SRP) and AppLocker. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md b/windows/security/threat-protection/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md index 0337e87f46..33e52bdb43 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes the steps for displaying a customized message to users when an AppLocker policy denies access to an app. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md index f547e9a47c..90d0e55f8b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic describes the file formats and available default rules for the DLL rule collection. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md b/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md index 94b76c08b1..28c6e63bf2 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This planning topic describes what you need to investigate, determine, and record in your application control policies plan when you use AppLocker. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md b/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md index abace52005..19976bf113 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This planning topic describes the app information that you should document when you create a list of apps for AppLocker policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-applocker-rules.md index 61e0ea6cd7..d456dd6197 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-applocker-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-applocker-rules.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic describes what AppLocker rule conditions to associate with each file, how to associate these rule conditions, the source of the rule, and whether the file should be included or excluded. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md index d9503e8a00..d3e0de4082 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes the steps required to modify an AppLocker policy. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/edit-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/edit-applocker-rules.md index ae57316f95..4a6c308d6c 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/edit-applocker-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/edit-applocker-rules.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes the steps to edit a publisher rule, path rule, and file hash rule in AppLocker. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/enable-the-dll-rule-collection.md b/windows/security/threat-protection/windows-defender-application-control/applocker/enable-the-dll-rule-collection.md index a7127c01e3..a4fda0421a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/enable-the-dll-rule-collection.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/enable-the-dll-rule-collection.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes the steps to enable the DLL rule collection feature for AppLocker. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/enforce-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/enforce-applocker-rules.md index d5af5704b4..d5979bfac8 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/enforce-applocker-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/enforce-applocker-rules.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes how to enforce application control rules by using AppLocker. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/executable-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/executable-rules-in-applocker.md index 4a08f289bb..6737670f69 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/executable-rules-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/executable-rules-in-applocker.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic describes the file formats and available default rules for the executable rule collection. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-from-a-gpo.md b/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-from-a-gpo.md index 6a31ee8659..8069b0c488 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-from-a-gpo.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-from-a-gpo.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes the steps to export an AppLocker policy from a Group Policy Object (GPO) so that it can be modified. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-to-an-xml-file.md b/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-to-an-xml-file.md index b31a06093c..13a340752a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-to-an-xml-file.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-to-an-xml-file.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes the steps to export an AppLocker policy to an XML file for review or testing. Membership in the local **Administrators** group, or equivalent, is the minimum required to complete this procedure. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/how-applocker-works-techref.md b/windows/security/threat-protection/windows-defender-application-control/applocker/how-applocker-works-techref.md index a69c492e7b..f2f21ec59a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/how-applocker-works-techref.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/how-applocker-works-techref.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for the IT professional provides links to topics about AppLocker architecture and components, processes and interactions, rules and policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-from-another-computer.md b/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-from-another-computer.md index ee2571025c..2ca831ad61 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-from-another-computer.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-from-another-computer.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes how to import an AppLocker policy. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-into-a-gpo.md b/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-into-a-gpo.md index a1f2c8e829..ea0d11ab6b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-into-a-gpo.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-into-a-gpo.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes the steps to import an AppLocker policy into a Group Policy Object (GPO). AppLocker policies can be created as local security policies and modified like any other local security policy, or they can be created as part of a GPO and managed by using Group Policy. You can create AppLocker policies on any supported computer. For info about which Windows editions are supported, see [Requirements to Use AppLocker](requirements-to-use-applocker.md). diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/maintain-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/maintain-applocker-policies.md index 495e5578cb..fbd1e8bf5b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/maintain-applocker-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/maintain-applocker-policies.md @@ -26,7 +26,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic describes how to maintain rules within AppLocker policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/manage-packaged-apps-with-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/manage-packaged-apps-with-applocker.md index 963ec6547b..fb2455652e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/manage-packaged-apps-with-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/manage-packaged-apps-with-applocker.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes concepts and lists procedures to help you manage Packaged apps with AppLocker as part of your overall application control strategy. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md index 1034d8e194..a054a02bd9 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes the steps to merge AppLocker policies by using Windows PowerShell. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-manually.md b/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-manually.md index c6beb49771..8e26890ee4 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-manually.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-manually.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes the steps to manually merge AppLocker policies to update the Group Policy Object (GPO). diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md index 15bd4e6197..80d37a8614 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes how to monitor app usage when AppLocker policies are applied. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/optimize-applocker-performance.md b/windows/security/threat-protection/windows-defender-application-control/applocker/optimize-applocker-performance.md index 15357f0a4c..bda74906e4 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/optimize-applocker-performance.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/optimize-applocker-performance.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes how to optimize AppLocker policy enforcement. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md index 7cd27ec5a6..ca8932c6f8 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic explains the AppLocker rule collection for packaged app installers and packaged apps. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md b/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md index 5a2aab5ef9..58c2a7e1aa 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for describes the decisions you need to make to establish the processes for managing and maintaining AppLocker policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/refresh-an-applocker-policy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/refresh-an-applocker-policy.md index c306fa8809..82a4c1e458 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/refresh-an-applocker-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/refresh-an-applocker-policy.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes the steps to force an update for an AppLocker policy. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md index 3d09d68ef3..229cfda610 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This deployment topic for the IT professional lists the requirements that you need to consider before you deploy AppLocker policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md index 63b249672d..3c707b81d5 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for the IT professional lists software requirements to use AppLocker on the supported Windows operating systems. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/run-the-automatically-generate-rules-wizard.md b/windows/security/threat-protection/windows-defender-application-control/applocker/run-the-automatically-generate-rules-wizard.md index 4c9ff4b21a..f17c70b80d 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/run-the-automatically-generate-rules-wizard.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/run-the-automatically-generate-rules-wizard.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes steps to run the wizard to create AppLocker rules on a reference device. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md index 4b4ca99f66..9076c55024 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic describes the file formats and available default rules for the script rule collection. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/security-considerations-for-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/security-considerations-for-applocker.md index 006efd19a1..975f550c4a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/security-considerations-for-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/security-considerations-for-applocker.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for the IT professional describes the security considerations you need to address when implementing AppLocker. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/applocker/select-types-of-rules-to-create.md index 9dedd807d1..d550e452bd 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/select-types-of-rules-to-create.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic lists resources you can use when selecting your application control policy rules by using AppLocker. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md index ca0dc2f8e4..d75ba70771 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes the steps to test an AppLocker policy prior to importing it into a Group Policy Object (GPO) or another computer. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md index 3a42a9d7aa..389120fbf6 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic discusses the steps required to test an AppLocker policy prior to deployment. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/tools-to-use-with-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/tools-to-use-with-applocker.md index 19eb7cd1d3..a2e61460e0 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/tools-to-use-with-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/tools-to-use-with-applocker.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for the IT professional describes the tools available to create and administer AppLocker policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md index 7058ee0c64..e675fb2869 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic describes the AppLocker enforcement settings for rule collections. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md index ccdfd461a6..423a4d1362 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for the IT professional lists the design questions, possible answers, and ramifications of the decisions when you plan a deployment of application control policies by using AppLocker within a Windows operating system environment. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md index 5803246cf1..92387a5fd9 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for the IT professional describes how application control policies configured in AppLocker are applied through Group Policy. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md index 23383522f6..799df0904c 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This planning and deployment topic for the IT professional describes the process for using AppLocker when deploying application control policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md index 319498a599..73277f9b7e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic explains the differences between allow and deny actions on AppLocker rules. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-default-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-default-rules.md index 7a33f4dde5..5bf6447ed9 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-default-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-default-rules.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professional describes the set of rules that can be used to ensure that required Windows system files are allowed to run when the policy is applied. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-behavior.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-behavior.md index 92f40c3d8c..cace268255 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-behavior.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-behavior.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic describes how AppLocker rules are enforced by using the allow and deny options in AppLocker. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-collections.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-collections.md index e8cf87080b..70106f07bf 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-collections.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-collections.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic explains the five different types of AppLocker rules used to enforce AppLocker policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-condition-types.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-condition-types.md index 80ce31b642..5e0876bc46 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-condition-types.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-condition-types.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for the IT professional describes the three types of AppLocker rule conditions. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-exceptions.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-exceptions.md index c4cf8ac3ea..a83a41aef9 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-exceptions.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-exceptions.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic describes the result of applying AppLocker rule exceptions to rule collections. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-file-hash-rule-condition-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-file-hash-rule-condition-in-applocker.md index 1bb2c999af..62751a55dd 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-file-hash-rule-condition-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-file-hash-rule-condition-in-applocker.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic explains the AppLocker file hash rule condition, the advantages and disadvantages, and how it is applied. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md index e8856ed8ee..365ad545e5 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic explains the AppLocker path rule condition, the advantages and disadvantages, and how it is applied. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker.md index 8dade37801..6c68cb3be5 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic explains the AppLocker publisher rule condition, what controls are available, and how it is applied. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md index a283a7ab4f..9a97cd9a36 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for the IT professional describes the steps to create and maintain AppLocker policies by using a reference computer. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md b/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md index 6dcd91c001..41241819f1 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes concepts and procedures to help you manage your application control strategy using Software Restriction Policies and AppLocker. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md b/windows/security/threat-protection/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md index ce28a56e21..a27af3c553 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes how each AppLocker Windows PowerShell cmdlet can help you administer your AppLocker application control policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md index 3015885de1..d0a93e2296 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic lists AppLocker events and describes how to use Event Viewer with AppLocker. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies.md index 79b2485918..142eeb4cf9 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for the IT professional describes how to use Software Restriction Policies (SRP) and AppLocker policies in the same Windows deployment. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md index b65a70c0fe..2bb5d4a07b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for the IT professional describes what AppLocker is and how its features differ from Software Restriction Policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/windows-installer-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/windows-installer-rules-in-applocker.md index 0975dd70c7..c5a2d513e3 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/windows-installer-rules-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/windows-installer-rules-in-applocker.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic describes the file formats and available default rules for the Windows Installer rule collection. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-policies.md index e4c6caae70..6e13cbce6e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-policies.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals provides links to procedural topics about creating, maintaining, and testing AppLocker policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md index 74ce2ea9d8..f05e000e74 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md @@ -25,7 +25,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes AppLocker rule types and how to work with them for your application control policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md index 671bd29bf1..62270b6e8e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). Running Application Control in audit mode lets you discover applications, binaries, and scripts that are missing from your WDAC policy but should be included. diff --git a/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md index 706f2e6d6a..0ca71721d8 100644 --- a/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). Running Application Control in audit mode lets you discover applications, binaries, and scripts that are missing from your WDAC policy but should be included. diff --git a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md index 70e5a3a31d..a31d84c88e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md +++ b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md @@ -14,7 +14,7 @@ author: jsuther1974 ms.reviewer: isbrahm ms.author: dansimp manager: dansimp -ms.date: 08/10/2021 +ms.date: 10/19/2021 ms.technology: mde --- @@ -26,8 +26,8 @@ ms.technology: mde - Windows 11 - Windows Server 2016 and above ->[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +> [!NOTE] +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). Windows 10, version 1703 introduced a new option for Windows Defender Application Control (WDAC), called _managed installer_, that helps balance security and manageability when enforcing application control policies. This option lets you automatically allow applications installed by a designated software distribution solution such as Microsoft Endpoint Configuration Manager. @@ -41,8 +41,7 @@ Ensure that the WDAC policy allows the system/boot components and any other auth ## Security considerations with managed installer -Since managed installer is a heuristic-based mechanism, it doesn't provide the same security guarantees that explicit allow or deny rules do. -It's best suited for use where each user operates as a standard user and where all software is deployed and installed by a software distribution solution, such as Microsoft Endpoint Configuration Manager (MEMCM). +Since managed installer is a heuristic-based mechanism, it doesn't provide the same security guarantees that explicit allow or deny rules do. The managed installer is best suited for use where each user operates as a standard user and where all software is deployed and installed by a software distribution solution, such as Microsoft Endpoint Configuration Manager (MEMCM). Users with administrator privileges, or malware running as an administrator user on the system, may be able to circumvent the intent of Windows Defender Application Control when the managed installer option is allowed. @@ -85,19 +84,19 @@ Currently, neither the AppLocker policy creation UI in GPO Editor nor the PowerS 2. Manually rename the rule collection to ManagedInstaller - Change + Change: ```powershell ``` - to + to: ```powershell ``` -An example of a valid Managed Installer rule collection, using Microsoft Endpoint Config Manager (MEMCM), MEM (Intune), Powershell, and PowerShell ISE, is shown below. Remove any rules that you do not wish to designate as a Managed Installer. +An example of a valid Managed Installer rule collection, using Microsoft Endpoint Config Manager (MEMCM), MEM (Intune), PowerShell, and PowerShell ISE, is shown below. Remove any rules that you do not wish to designate as a Managed Installer. ```xml @@ -177,45 +176,9 @@ An example of a valid Managed Installer rule collection, using Microsoft Endpoin ``` -### Enable service enforcement in AppLocker policy -Since many installation processes rely on services, it is typically necessary to enable tracking of services. -Correct tracking of services requires the presence of at least one rule in the rule collection. So, a simple audit-only rule will suffice. The audit rule can be added to the policy created above, which specifies the rule collection of your managed installer. - -For example: - -```xml - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -``` +>[!NOTE] +>Since many installation processes rely on services, it is typically necessary to enable tracking of services. Correct tracking of services requires the presence of at least one rule in the rule collection. So, a simple audit-only rule will suffice. ## Enable the managed installer option in WDAC policy @@ -234,7 +197,7 @@ Below are steps to create a WDAC policy that allows Windows to boot and enables Set-CIPolicyIdInfo -FilePath -PolicyName "" -ResetPolicyID ``` -3. Set Option 13 (Enabled:Managed Installer) +3. Set Option 13 (Enabled:Managed Installer). ```powershell Set-RuleOption -FilePath -Option 13 @@ -305,4 +268,4 @@ Once you've completed configuring your chosen Managed Installer, by specifying w ```powershell Get-AppLockerPolicy -Effective -Xml -ErrorVariable ev -ErrorAction SilentlyContinue ``` - This command will show the raw XML to verify the individual rules that were set. \ No newline at end of file + This command will show the raw XML to verify the individual rules that were set. diff --git a/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md index a6fe5ce62e..fb11f5cbf8 100644 --- a/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md +++ b/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). Setting up managed installer tracking and application execution enforcement requires applying both an AppLocker and WDAC policy with specific rules and options enabled. There are three primary steps to keep in mind: diff --git a/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md index 761ea31822..7f12604edc 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). As you deploy Windows Defender Application Control (WDAC), you might need to sign catalog files or WDAC policies internally. To do this, you will either need a publicly issued code signing certificate or an internal CA. If you have purchased a code signing certificate, you can skip this topic and instead follow other topics listed in the [Windows Defender Application Control Deployment Guide](windows-defender-application-control-deployment-guide.md). diff --git a/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md b/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md index 40ab4ad3bd..4d96dd5039 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). This section outlines the process to create a WDAC policy for fixed-workload devices within an organization. Fixed-workload devices tend to be dedicated to a specific functional purpose and share common configuration attributes with other devices servicing the same functional role. Examples of fixed-workload devices may include Active Directory Domain Controllers, Secure Admin Workstations, pharmaceutical drug-mixing equipment, manufacturing devices, cash registers, ATMs, etc. diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md index 0037968837..ae19d1e80f 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md @@ -28,7 +28,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). This section outlines the process to create a WDAC policy for **fully managed devices** within an organization. The key difference between this scenario and [lightly managed devices](create-wdac-policy-for-lightly-managed-devices.md) is that all software deployed to a fully managed device is managed by IT and users of the device cannot install arbitrary apps. Ideally, all apps are deployed using a software distribution solution, such as Microsoft Endpoint Manager (MEM). Additionally, users on fully managed devices should ideally run as standard user and only authorized IT pros have administrative access. diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md index 76199f55b5..98d4991e37 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md @@ -28,7 +28,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). This section outlines the process to create a WDAC policy for **lightly managed devices** within an organization. Typically, organizations that are new to application control will be most successful if they start with a permissive policy like the one described in this topic. Organizations can choose to harden the policy over time to achieve a stronger overall security posture on their WDAC-managed devices as described in later topics. diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md index bdb0bb25f6..fbe13edbe5 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). Catalog files can be important in your deployment of Windows Defender Application Control (WDAC) if you have unsigned line-of-business (LOB) applications for which the process of signing is difficult. To prepare to create WDAC policies that allow these trusted applications but block unsigned code (most malware is unsigned), you create a *catalog file* that contains information about the trusted applications. After you sign and distribute the catalog, your trusted applications can be handled by WDAC in the same way as any other signed application. With this foundation, you can more easily block all unsigned applications, allowing only signed applications to run. diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md index 9ea7cc663a..96abd74691 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). Prior to Windows 10 1903, WDAC only supported a single active policy on a system at any given time. This significantly limited customers in situations where multiple policies with different intents would be useful. Beginning with Windows 10 version 1903, WDAC supports up to 32 active policies on a device at once in order to enable the following scenarios: diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md index dea3b62b33..8482f5f1c0 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). > [!NOTE] > Group Policy-based deployment of WDAC policies only supports single-policy format WDAC policies. To use WDAC on devices running Windows 10 1903 and greater, or Windows 11, we recommend using an alternative method for policy deployment. diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md index 29fbbe9431..7b44dba695 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). You can use a Mobile Device Management (MDM) solution, like Microsoft Endpoint Manager (MEM) Intune, to configure Windows Defender Application Control (WDAC) on client machines. Intune includes native support for WDAC which can be a helpful starting point, but customers may find the available circle-of-trust options too limiting. To deploy a custom policy through Intune and define your own circle of trust, you can configure a profile using Custom OMA-URI. If your organization uses another MDM solution, check with your solution provider for WDAC policy deployment steps. diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md index 3dcca008bc..b8900a28dc 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md +++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md @@ -25,7 +25,7 @@ ms.localizationpriority: medium - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). You can use Microsoft Endpoint Configuration Manager (MEMCM) to configure Windows Defender Application Control (WDAC) on client machines. diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md index 2212ae92fb..67dadf4ccd 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md +++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md @@ -25,7 +25,7 @@ ms.localizationpriority: medium - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic describes how to deploy Windows Defender Application Control (WDAC) policies using script. The instructions below use PowerShell but can work with any scripting host. diff --git a/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md index ad706276ac..bff322daff 100644 --- a/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). This topic covers how to disable unsigned or signed WDAC policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md index 5dd1fd73f9..685ffd83a1 100644 --- a/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md @@ -25,7 +25,7 @@ ms.localizationpriority: medium - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). You should now have one or more WDAC policies broadly deployed in audit mode. You have analyzed events collected from the devices with those policies and you're ready to enforce. Use this procedure to prepare and deploy your WDAC policies in enforcement mode. diff --git a/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md b/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md index 4e249a4f50..b12655562e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md @@ -28,7 +28,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). When creating policies for use with Windows Defender Application Control (WDAC), start from an existing base policy and then add or remove rules to build your own custom policy. Windows includes several example policies that can be used, or organizations that use the Device Guard Signing Service can download a starter policy from that service. diff --git a/windows/security/threat-protection/windows-defender-application-control/index.yml b/windows/security/threat-protection/windows-defender-application-control/index.yml new file mode 100644 index 0000000000..ef5892459f --- /dev/null +++ b/windows/security/threat-protection/windows-defender-application-control/index.yml @@ -0,0 +1,117 @@ +### YamlMime:Landing + +title: Application Control for Windows +metadata: + title: Application Control for Windows + description: Landing page for Windows Defender Application Control +# services: service +# ms.service: microsoft-WDAC-AppLocker +# ms.subservice: Application-Control +# ms.topic: landing-page +# author: Kim Klein +# ms.author: Jordan Geurten +# manager: Jeffrey Sutherland +# ms.update: 04/30/2021 +# linkListType: overview | how-to-guide | tutorial | video +landingContent: +# Cards and links should be based on top customer tasks or top subjects +# Start card title with a verb + # Card + - title: Learn about Application Control + linkLists: + - linkListType: overview + links: + - text: What is Windows Defender Application Control (WDAC)? + url: wdac-and-applocker-overview.md + - text: What is AppLocker? + url: applocker\applocker-overview.md + - text: WDAC and AppLocker feature availability + url: feature-availability.md + # Card + - title: Learn about Policy Design + linkLists: + - linkListType: overview + links: + - text: Using code signing to simplify application control + url: use-code-signing-to-simplify-application-control-for-classic-windows-applications.md + - text: Microsoft's Recommended Blocklist + url: microsoft-recommended-block-rules.md + - text: Microsoft's Recommended Driver Blocklist + url: microsoft-recommended-driver-block-rules.md + - text: Example WDAC policies + url: example-wdac-base-policies.md + - text: LOB Win32 apps on S Mode + url: LOB-win32-apps-on-s.md + - text: Managing multiple policies + url: deploy-multiple-windows-defender-application-control-policies.md + - linkListType: how-to-guide + links: + - text: Create a WDAC policy for a lightly managed device + url: create-wdac-policy-for-lightly-managed-devices.md + - text: Create a WDAC policy for a fully managed device + url: create-wdac-policy-for-fully-managed-devices.md + - text: Create a WDAC policy for a fixed-workload + url: create-initial-default-policy.md + - text: Deploying catalog files for WDAC management + url: deploy-catalog-files-to-support-windows-defender-application-control.md + - text: Using the WDAC Wizard + url: wdac-wizard.md + #- linkListType: Tutorial (videos) + # links: + # - text: Using the WDAC Wizard + # url: video md + # - text: Specifying custom values + # url: video md + # Card + - title: Learn about Policy Configuration + linkLists: + - linkListType: overview + links: + - text: Understanding policy and file rules + url: select-types-of-rules-to-create.md + - linkListType: how-to-guide + links: + - text: Allow managed installer and configure managed installer rules + url: configure-authorized-apps-deployed-with-a-managed-installer.md + - text: Allow reputable apps with ISG + url: use-windows-defender-application-control-with-intelligent-security-graph.md + - text: Managed MSIX and Appx Packaged Apps + url: manage-packaged-apps-with-windows-defender-application-control.md + - text: Allow com object registration + url: allow-com-object-registration-in-windows-defender-application-control-policy.md + - text: Manage plug-ins, add-ins and modules + url: use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md + # Card + - title: Learn how to deploy WDAC Policies + linkLists: + - linkListType: overview + links: + - text: Using signed policies to protect against tampering + url: use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md + - text: Audit and enforce policies + url: audit-and-enforce-windows-defender-application-control-policies.md + - text: Disabling WDAC policies + url: disable-windows-defender-application-control-policies.md + - linkListType: tutorial + links: + - text: Deployment with MDM + url: deploy-windows-defender-application-control-policies-using-intune.md + - text: Deployment with MEMCM + url: deployment/deploy-wdac-policies-with-memcm.md + - text: Deployment with script and refresh policy + url: deployment/deploy-wdac-policies-with-script.md + - text: Deployment with Group Policy + url: deploy-windows-defender-application-control-policies-using-group-policy.md + # Card + - title: Learn how to monitor WDAC events + linkLists: + - linkListType: overview + links: + - text: Understanding event IDs + url: event-id-explanations.md + - text: Understanding event Tags + url: event-tag-explanations.md + - linkListType: how-to-guide + links: + - text: Querying events using advanced hunting + url: querying-application-control-events-centrally-using-advanced-hunting.md \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md index 2d0ccf9451..5939c67fde 100644 --- a/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md +++ b/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). This topic for IT professionals describes concepts and lists procedures to help you manage packaged apps with Windows Defender Application Control (WDAC) as part of your overall application control strategy. diff --git a/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md index f2561cb90c..1c0bf07bd4 100644 --- a/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md @@ -25,7 +25,7 @@ ms.localizationpriority: medium - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). This article shows how to merge multiple policy XML files together and how to merge rules directly into a policy. WDAC deployments often include a few base policies and optional supplemental policies for specific use cases. diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md index d9e8974465..53d81d3ab1 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md @@ -27,7 +27,7 @@ ms.date: 08/23/2021 - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). Members of the security community* continuously collaborate with Microsoft to help protect customers. With the help of their valuable reports, Microsoft has identified a list of valid applications that an attacker could also potentially use to bypass Windows Defender Application Control. diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md index 56ff102873..4e5251d27d 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md @@ -26,17 +26,22 @@ ms.date: - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). -Microsoft has strict requirements for code running in kernel. So, malicious actors are turning to exploit vulnerabilities in legitimate and signed kernel drivers to run malware in kernel. One of the many strengths of the Windows platform is our strong collaboration with independent hardware vendors (IHVs) and OEMs. Microsoft works closely with our IHVs and security community to ensure the highest level of driver security for our customers and when vulnerabilities in drivers do arise, that they're patched and rolled out to the ecosystem in an expedited manner. Microsoft then adds the vulnerable versions of the drivers to our ecosystem block policy, which is applied to the following sets of devices: +Microsoft has strict requirements for code running in kernel. So, malicious actors are turning to exploit vulnerabilities in legitimate and signed kernel drivers to run malware in kernel. One of the many strengths of the Windows platform is our strong collaboration with independent hardware vendors (IHVs) and OEMs. Microsoft works closely with our IHVs and security community to ensure the highest level of driver security for our customers and when vulnerabilities in drivers do arise, that they're quickly patched and rolled out to the ecosystem. Microsoft then adds the vulnerable versions of the drivers to our ecosystem block policy, which is applied to the following sets of devices: - Hypervisor-protected code integrity (HVCI) enabled devices - Windows 10 in S mode (S mode) devices -Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) or S mode to protect your devices against security threats. If this isn't possible, Microsoft recommends blocking the following list of drivers by merging this policy with your existing Windows Defender Application Control policy. Blocking kernel drivers without sufficient testing can result in devices or software to malfunction, and in rare cases, blue screen. It's recommended to first validate this policy in [audit mode](audit-windows-defender-application-control-policies.md) and review the audit block events. +The vulnerable driver blocklist is designed to help harden systems against third party-developed drivers across the Windows ecosystem with any of the following attributes: -> [!Note] -> This application list will be updated with the latest vendor information as application vulnerabilities are resolved and new issues are discovered. It's recommended that this policy be first validated in audit mode before rolling the rules into enforcement mode. +- Known security vulnerabilities that can be exploited by attackers to elevate privileges in the Windows kernel +- Malicious behaviors (malware) or certificates used to sign malware +- Behaviors that are not malicious but circumvent the Windows Security Model and can be exploited by attackers to elevate privileges in the Windows kernel + +Drivers can be submitted to Microsoft for security analysis at the [Microsoft Security Intelligence Driver Submission page](https://www.microsoft.com/en-us/wdsi/driversubmission). To report an issue or request a change to the vulnerable driver blocklist, including updating a block rule once a driver vulnerability has been patched, visit the [Microsoft Security Intelligence portal](https://www.microsoft.com/wdsi) or submit feedback on this article. + +Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) or S mode to protect your devices against security threats. If this isn't possible, Microsoft recommends blocking this list of drivers within your existing Windows Defender Application Control policy. Blocking kernel drivers without sufficient testing can result in devices or software to malfunction, and in rare cases, blue screen. It's recommended to first validate this policy in [audit mode](audit-windows-defender-application-control-policies.md) and review the audit block events. ```xml @@ -59,6 +64,46 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -128,40 +173,148 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -174,22 +327,22 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - - - + + + + + + + - + - - - - - + @@ -225,7 +378,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - + @@ -247,17 +400,26 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- + + + + + + + + + - + @@ -288,6 +450,42 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -304,10 +502,10 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - + @@ -315,118 +513,273 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - @@ -441,7 +794,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - 10.0.19565.0 + 10.0.22417.0 diff --git a/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md b/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md index 3cd76bde2b..015e6b6e50 100644 --- a/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md +++ b/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md @@ -26,7 +26,7 @@ ms.localizationpriority: medium - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic covers tips and tricks for admins as well as known issues with WDAC. Test this configuration in your lab before enabling it in production. diff --git a/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md b/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md index 0c319af7e6..bff9aace8e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md +++ b/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). This topic describes the decisions you need to make to establish the processes for managing and maintaining Windows Defender Application Control (WDAC) policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index 403aab58d8..69855b69b3 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). Windows Defender Application Control (WDAC) can control what runs on Windows 10 and Windows 11 by setting policies that specify whether a driver or application is trusted. A policy includes *policy rules* that control options such as audit mode, and *file rules* (or *file rule levels*) that specify how applications are identified and trusted. diff --git a/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md b/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md index a4f3db57bd..024f7881f7 100644 --- a/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md +++ b/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). Typically, deployment of Windows Defender Application Control (WDAC) happens best in phases, rather than being a feature that you simply “turn on.” The choice and sequence of phases depends on the way various computers and other devices are used in your organization, and to what degree IT manages those devices. The following table can help you begin to develop a plan for deploying WDAC in your organization. It is common for organizations to have device use cases across each of the categories described. diff --git a/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md b/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md index ce15020a22..e0abed5fef 100644 --- a/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md +++ b/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). This topic is for the IT professional and lists the design questions, possible answers, and ramifications of the decisions when you plan a deployment of application control policies by using Windows Defender Application Control (WDAC) within a Windows operating system environment. diff --git a/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md b/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md index dae8561c9b..392ab9a072 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). This topic covers guidelines for using code signing control classic Windows apps. diff --git a/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md b/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md index 73f07b3405..79b9e0a33c 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). You can sign code integrity policies with the Device Guard signing portal to prevent them from being tampered with after they're deployed. diff --git a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md index 11d3f0df1e..224fa1dac5 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). Signed WDAC policies give organizations the highest level of malware protection available in Windows. In addition to their enforced policy rules, signed policies cannot be modified or deleted by a user or administrator on the computer. These policies are designed to prevent administrative tampering and kernel mode exploit access. With this in mind, it is much more difficult to remove signed WDAC policies. Note that SecureBoot must be enabled in order to restrict users from updating or removing signed WDAC policies. @@ -46,6 +46,9 @@ To sign a WDAC policy with SignTool.exe, you need the following components: - An internal CA code signing certificate or a purchased code signing certificate +> [!NOTE] +> All policies (base and supplemental and single-policy format) must be pkcs7 signed. [PKCS 7 Standard](https://datatracker.ietf.org/doc/html/rfc5652) + If you do not have a code signing certificate, see [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md) for instructions on how to create one. If you use an alternate certificate or WDAC policy, be sure to update the following steps with the appropriate variables and certificate so that the commands will function properly. To sign the existing WDAC policy, copy each of the following commands into an elevated Windows PowerShell session: 1. Initialize the variables that will be used: diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md index 22a1c3c03a..5ce6dec509 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). As of Windows 10, version 1703, you can use WDAC policies not only to control applications, but also to control whether specific plug-ins, add-ins, and modules can run from specific apps (such as a line-of-business application or a browser): diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md index f1f66a910c..fae9be2b42 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md @@ -14,7 +14,7 @@ author: jsuther1974 ms.reviewer: isbrahm ms.author: dansimp manager: dansimp -ms.date: 08/20/2018 +ms.date: 09/23/2021 ms.technology: mde --- @@ -31,10 +31,12 @@ Dynamic Code Security is not enabled by default because existing policies may no Additionally, a few .NET loading features, including loading unsigned assemblies built with System.Reflection.Emit, are not currently supported with Dynamic Code Security enabled. Microsoft recommends testing Dynamic Code Security in audit mode before enforcing it to discover whether any new libraries should be included in the policy. +Additionally, customers can precompile for deployment only to prevent an allowed executable from being terminated because it tries to load unsigned dynamically generated code. See the "Precompiling for Deployment Only" section in the [ASP.NET Precompilation Overview](/aspnet/web-forms/overview/older-versions-getting-started/deploying-web-site-projects/precompiling-your-website-cs) document for how to fix that. + To enable Dynamic Code Security, add the following option to the `` section of your policy: ```xml -``` +``` \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md index 22c3b5e232..d1f5ea9591 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). Application control can be difficult to implement in organizations that don't deploy and manage applications through an IT-managed system. In such environments, users can acquire the applications they want to use for work, making it hard to build an effective application control policy. diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md b/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md index e8557445d0..37d3a19f84 100644 --- a/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md +++ b/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md @@ -28,7 +28,7 @@ ms.technology: mde - Windows Server 2016 and above > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). Windows 10 and Windows 11 include two technologies that can be used for application control, depending on your organization's specific scenarios and requirements: Windows Defender Application Control (WDAC) and AppLocker. diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md index b0f068d8b7..eb2d098d4b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md @@ -28,7 +28,7 @@ ms.technology: mde - Windows Server 2016 and above > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). When creating policies for use with Windows Defender Application Control (WDAC), it is recommended to start with a template policy and then add or remove rules to suit your application control scenario. For this reason, the WDAC Wizard offers three template policies to start from and customize during the base policy creation workflow. Prerequisite information about application control can be accessed through the [WDAC design guide](windows-defender-application-control-design-guide.md). This page outlines the steps to create a new application control policy from a template, configure the policy options, and the signer and file rules. diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-supplemental-policy.md b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-supplemental-policy.md index f11d86f9a7..71046d7308 100644 --- a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-supplemental-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-supplemental-policy.md @@ -28,7 +28,7 @@ ms.technology: mde - Windows Server 2016 and above > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). Beginning in Windows 10 version 1903, WDAC supports the creation of multiple active policies on a device. One or more supplemental policies allow customers to expand a [WDAC base policy](wdac-wizard-create-base-policy.md) to increase the circle of trust of the policy. A supplemental policy can expand only one base policy, but multiple supplementals can expand the same base policy. When using supplemental policies, applications allowed by the base or its supplemental policy/policies will be allowed to execute. diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-editing-policy.md b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-editing-policy.md index d696659c2a..754f399a47 100644 --- a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-editing-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-editing-policy.md @@ -28,7 +28,7 @@ ms.technology: mde - Windows Server 2016 and above > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). The WDAC Wizard makes editing and viewing WDAC policies easier than the PowerShell cmdlets or manually. The Wizard currently supports the following editing capabilities:

        diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard.md b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard.md index 4cdeb72f21..3143fd1d5c 100644 --- a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard.md +++ b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard.md @@ -28,7 +28,7 @@ ms.technology: mde - Windows Server 2016 and above > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). The Windows Defender Application Control (WDAC) policy Wizard is an open-source Windows desktop application written in C# and bundled as an MSIX package. The Wizard was built to provide security architects with security, and system administrators with a more user-friendly means to create, edit, and merge WDAC policies. The Wizard desktop application uses the [ConfigCI PowerShell Cmdlets](/powershell/module/configci) in the backend so the output policy of the Wizard and PowerShell cmdlets is identical. diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md index 40512b4dda..b3d650b5e2 100644 --- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md +++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). You should now have one or more WDAC policies ready to deploy. If you haven't yet completed the steps described in the [WDAC Design Guide](windows-defender-application-control-design-guide.md), do so now before proceeding. diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md index 57db67bee8..6617b5581c 100644 --- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md +++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md @@ -28,7 +28,7 @@ ms.technology: mde - Windows Server 2016 and above > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). This guide covers design and planning for Windows Defender Application Control (WDAC). It is intended to help security architects, security administrators, and system administrators create a plan that addresses specific application control requirements for different departments or business groups within an organization. diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md index 31c5d1fe8e..8d5d8dda4a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md +++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). After designing and deploying your Windows Defender Application Control (WDAC) policies, this guide covers understanding the effects your policies are having and troubleshooting when they are not behaving as expected. It contains information on where to find events and what they mean, and also querying these events with Microsoft Defender for Endpoint Advanced Hunting feature. diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md index abe51d1188..9d17eb7f30 100644 --- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md +++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md @@ -28,7 +28,7 @@ ms.technology: mde - Windows Server 2016 and above > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). With thousands of new malicious files created every day, using traditional methods like antivirus solutions—signature-based detection to fight against malware—provides an inadequate defense against new attacks. diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md index ed1a7fe460..203ac733d5 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md @@ -10,10 +10,10 @@ ms.pagetype: security ms.localizationpriority: medium author: dansimp ms.author: dansimp -ms.date: 04/30/2018 +ms.date: ms.reviewer: manager: dansimp -ms.technology: mde +ms.technology: windows-sec --- @@ -21,36 +21,36 @@ ms.technology: mde **Applies to** -- Windows 10, version 1803 and later +- Windows 10 +- Windows 11 - -The **Account protection** section contains information and settings for account protection and sign in. IT administrators and IT pros can get more information and documentation about configuration from the following: +The **Account protection** section contains information and settings for account protection and sign-in. You can get more information about these capabilities from the following list: - [Microsoft Account](https://account.microsoft.com/account/faq) - [Windows Hello for Business](../../identity-protection/hello-for-business/hello-identity-verification.md) - [Lock your Windows 10 PC automatically when you step away from it](https://support.microsoft.com/help/4028111/windows-lock-your-windows-10-pc-automatically-when-you-step-away-from) -You can also choose to hide the section from users of the machine. This can be useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section. +You can also choose to hide the section from users of the device. This is useful if you don't want your employees to access or view user-configured options for these features. ## Hide the Account protection section -You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Security app, and its icon will not be shown on the navigiation bar on the side of the app. +You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of the Windows Security app, and its icon won't be shown on the navigation bar on the side of the app. -This can only be done in Group Policy. +You can only configure these settings by using Group Policy. >[!IMPORTANT] >### Requirements > >You must have Windows 10, version 1803 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings. -1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and select **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +3. In the **Group Policy Management Editor** go to **Computer configuration** and select **Administrative templates**. 5. Expand the tree to **Windows components > Windows Security > Account protection**. -6. Open the **Hide the Account protection area** setting and set it to **Enabled**. Click **OK**. +6. Open the **Hide the Account protection area** setting and set it to **Enabled**. Select **OK**. 7. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy). diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md index 544e90142e..acfa2cee01 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md @@ -11,17 +11,18 @@ ms.localizationpriority: medium audience: ITPro author: dansimp ms.author: dansimp -ms.date: 04/30/2018 +ms.date: ms.reviewer: manager: dansimp -ms.technology: mde +ms.technology: windows-sec --- # App and browser control **Applies to** -- Windows 10, version 1703 and later +- Windows 10 +- Windows 11 The **App and browser control** section contains information and settings for Windows Defender SmartScreen. IT administrators and IT pros can get configuration guidance from the [Windows Defender SmartScreen documentation library](/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview). diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md index 33a2c7d531..9f9932bc80 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md @@ -10,25 +10,18 @@ ms.pagetype: security ms.localizationpriority: medium author: dansimp ms.author: dansimp -ms.date: 09/13/2021 +ms.date: ms.reviewer: manager: dansimp -ms.technology: mde +ms.technology: windows-sec --- # Customize the Windows Security app for your organization **Applies to** -- Windows 10, version 1709 and later - -**Audience** - -- Enterprise security administrators - -**Manageability available with** - -- Group Policy +- Windows 10 +- Windows 11 You can add information about your organization in a contact card to the Windows Security app. You can include a link to a support site, a phone number for a help desk, and an email address for email-based support. diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md index 13fce0f2d5..3672d5c25a 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md @@ -10,10 +10,10 @@ ms.pagetype: security ms.localizationpriority: medium author: dansimp ms.author: dansimp -ms.date: 04/30/2018 +ms.date: ms.reviewer: manager: dansimp -ms.technology: mde +ms.technology: windows-sec --- @@ -21,7 +21,8 @@ ms.technology: mde **Applies to** -- Windows 10, version 1703 and later +- Windows 10 +- Windows 11 The **Device performance & health** section contains information about hardware, devices, and drivers related to the machine. IT administrators and IT pros should reference the appropriate documentation library for the issues they are seeing, such as the [configure the Load and unload device drivers security policy setting](/windows/device-security/security-policy-settings/load-and-unload-device-drivers) and how to [deploy drivers during Windows 10 deployment using Microsoft Endpoint Configuration Manager](/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager). diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md index f4d3053cd9..8526440bc9 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md @@ -10,17 +10,18 @@ ms.pagetype: security ms.localizationpriority: medium author: dansimp ms.author: dansimp -ms.date: 10/02/2018 +ms.date: ms.reviewer: manager: dansimp -ms.technology: mde +ms.technology: windows-sec --- # Device security **Applies to** -- Windows 10, version 1803 and later +- Windows 10 +- Windows 11 The **Device security** section contains information and settings for built-in device security. @@ -28,7 +29,7 @@ You can choose to hide the section from users of the machine. This can be useful ## Hide the Device security section -You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Security app, and its icon will not be shown on the navigiation bar on the side of the app. +You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Security app, and its icon will not be shown on the navigation bar on the side of the app. This can only be done in Group Policy. diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md index 274c66bd66..a9e4a148c5 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md @@ -10,10 +10,10 @@ ms.pagetype: security ms.localizationpriority: medium author: dansimp ms.author: dansimp -ms.date: 04/30/2018 +ms.date: ms.reviewer: manager: dansimp -ms.technology: mde +ms.technology: windows-sec --- @@ -21,8 +21,8 @@ ms.technology: mde **Applies to** -- Windows 10, version 1703 and later - +- Windows 10 +- Windows 11 The **Family options** section contains links to settings and further information for parents of a Windows 10 PC. It is not generally intended for enterprise or business environments. @@ -33,7 +33,7 @@ In Windows 10, version 1709, the section can be hidden from users of the machine ## Hide the Family options section -You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Security app, and its icon will not be shown on the navigiation bar on the side of the app. +You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Security app, and its icon will not be shown on the navigation bar on the side of the app. This can only be done in Group Policy. diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md index 3a14dc7c26..924bcd1150 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md @@ -9,10 +9,10 @@ ms.sitesec: library ms.localizationpriority: medium author: dansimp ms.author: dansimp -ms.date: 04/30/2018 +ms.date: ms.reviewer: manager: dansimp -ms.technology: mde +ms.technology: windows-sec --- @@ -20,8 +20,8 @@ ms.technology: mde **Applies to** -- Windows 10, version 1703 and later - +- Windows 10 +- Windows 11 The **Firewall & network protection** section contains information about the firewalls and network connections used by the machine, including the status of Windows Defender Firewall and any other third-party firewalls. IT administrators and IT pros can get configuration guidance from the [Windows Defender Firewall with Advanced Security documentation library](../windows-firewall/windows-firewall-with-advanced-security.md). diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md index 0a1389c07b..a58b61c3b1 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md @@ -10,25 +10,18 @@ ms.pagetype: security ms.localizationpriority: medium author: dansimp ms.author: dansimp -ms.date: 07/23/2020 +ms.date: ms.reviewer: manager: dansimp -ms.technology: mde +ms.technology: windows-sec --- # Hide Windows Security app notifications **Applies to** -- Windows 10, version 1809 and above - -**Audience** - -- Enterprise security administrators - -**Manageability available with** - -- Group Policy +- Windows 10 +- Windows 11 The Windows Security app is used by a number of Windows security features to provide notifications about the health and security of the machine. These include notifications about firewalls, antivirus products, Windows Defender SmartScreen, and others. diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md index 87960171d1..2d43e965ba 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md @@ -12,16 +12,15 @@ author: dansimp ms.author: dansimp ms.reviewer: manager: dansimp -ms.technology: mde +ms.technology: windows-sec --- - # Virus and threat protection **Applies to** -- Windows 10, version 1703 and later - +- Windows 10 +- Windows 11 The **Virus & threat protection** section contains information and settings for antivirus protection from Microsoft Defender Antivirus and third-party AV products. diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md index 30cc06c3d0..7f3ef48df0 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md @@ -22,19 +22,11 @@ ms.technology: mde - Windows 10 in S mode, version 1803 -**Audience** - -- Enterprise security administrators - -**Manageability available with** - -- Microsoft Intune - Windows 10 in S mode is streamlined for tighter security and superior performance. With Windows 10 in S mode, users can only use apps from the Microsoft Store, ensuring Microsoft-verified security so you can minimize malware attacks. In addition, using Microsoft Edge provides a more secure browser experience, with extra protections against phishing and malicious software. The Windows Security interface is a little different in Windows 10 in S mode. The **Virus & threat protection** area has fewer options, because the built-in security of Windows 10 in S mode prevents viruses and other threats from running on devices in your organization. In addition, devices running Windows 10 in S mode receive security updates automatically. -![Screen shot of the Windows Security app Virus & threat protection area in Windows 10 in S mode.](images/security-center-virus-and-threat-protection-windows-10-in-s-mode.png) +:::image type="content" alt-text="Screen shot of the Windows Security app Virus & threat protection area in Windows 10 in S mode." source="images/security-center-virus-and-threat-protection-windows-10-in-s-mode.png"::: For more information about Windows 10 in S mode, including how to switch out of S mode, see [Windows 10 Pro/Enterprise in S mode](/windows/deployment/windows-10-pro-in-s-mode). diff --git a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md b/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md index cb27db7bfd..7d0a3187b2 100644 --- a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md +++ b/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md @@ -11,14 +11,15 @@ author: dansimp ms.author: dansimp ms.reviewer: manager: dansimp -ms.technology: mde +ms.technology: windows-sec --- # The Windows Security app **Applies to** -- Windows 10, version 1703 and later +- Windows 10 +- Windows 11 This library describes the Windows Security app, and provides information on configuring certain features, including: diff --git a/windows/security/threat-protection/windows-firewall/TOC.yml b/windows/security/threat-protection/windows-firewall/TOC.yml index efaa07fa4e..ca84e461a5 100644 --- a/windows/security/threat-protection/windows-firewall/TOC.yml +++ b/windows/security/threat-protection/windows-firewall/TOC.yml @@ -250,3 +250,5 @@ href: quarantine.md - name: Firewall settings lost on upgrade href: firewall-settings-lost-on-upgrade.md +- name: Windows security + href: /windows/security/ diff --git a/windows/security/threat-protection/windows-security-baselines.md b/windows/security/threat-protection/windows-security-baselines.md deleted file mode 100644 index 8e719f1364..0000000000 --- a/windows/security/threat-protection/windows-security-baselines.md +++ /dev/null @@ -1,83 +0,0 @@ ---- -title: Windows security baselines -description: Learn how to use Windows security baselines in your organization. Specific to Windows 10, Windows Server, and Microsoft 365 Apps for enterprise. -keywords: virtualization, security, malware -ms.prod: m365-security -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.author: dansimp -author: dulcemontemayor -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: conceptual -ms.date: 06/25/2018 -ms.reviewer: -ms.technology: mde ---- - -# Windows security baselines - -**Applies to** - -- Windows 10 -- Windows Server -- Microsoft 365 Apps for enterprise -- Microsoft Edge - -## Using security baselines in your organization - -Microsoft is dedicated to providing its customers with secure operating systems, such as Windows 10 and Windows Server, and secure apps, such as Microsoft Edge. In addition to the security assurance of its products, Microsoft also enables you to have fine control over your environments by providing various configuration capabilities. - -Even though Windows and Windows Server are designed to be secure out-of-the-box, many organizations still want more granular control over their security configurations. To navigate the large number of controls, organizations need guidance on configuring various security features. Microsoft provides this guidance in the form of security baselines. - -We recommend that you implement an industry-standard configuration that is broadly known and well-tested, such as Microsoft security baselines, as opposed to creating a baseline yourself. This helps increase flexibility and reduce costs. - -Here is a good blog about [Sticking with Well-Known and Proven Solutions](/archive/blogs/fdcc/sticking-with-well-known-and-proven-solutions). - -## What are security baselines? - -Every organization faces security threats. However, the types of security threats that are of most concern to one organization can be completely different from another organization. For example, an e-commerce company may focus on protecting its Internet-facing web apps, while a hospital may focus on protecting confidential patient information. The one thing that all organizations have in common is a need to keep their apps and devices secure. These devices must be compliant with the security standards (or security baselines) defined by the organization. - -A security baseline is a group of Microsoft-recommended configuration settings that explains their security impact. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers. - -## Why are security baselines needed? - -Security baselines are an essential benefit to customers because they bring together expert knowledge from Microsoft, partners, and customers. - -For example, there are over 3,000 Group Policy settings for Windows 10, which does not include over 1,800 Internet Explorer 11 settings. Of these 4,800 settings, only some are security-related. Although Microsoft provides extensive guidance on different security features, exploring each one can take a long time. You would have to determine the security impact of each setting on your own. Then, you would still need to determine the appropriate value for each setting. - -In modern organizations, the security threat landscape is constantly evolving, and IT pros and policy-makers must keep up with security threats and make required changes to Windows security settings to help mitigate these threats. To enable faster deployments and make managing Windows easier, Microsoft provides customers with security baselines that are available in consumable formats, such as Group Policy Objects Backups. - -## How can you use security baselines? - -You can use security baselines to: -- Ensure that user and device configuration settings are compliant with the baseline. -- Set configuration settings. For example, you can use Group Policy, Microsoft Endpoint Configuration Manager, or Microsoft Intune to configure a device with the setting values specified in the baseline. - -## Where can I get the security baselines? - -You can download the security baselines from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=55319). This download page is for the Security Compliance Toolkit (SCT), which comprises tools that can assist admins in managing baselines in addition to the security baselines. - -The security baselines are included in the [Security Compliance Toolkit (SCT)](security-compliance-toolkit-10.md), which can be downloaded from the Microsoft Download Center. The SCT also includes tools to help admins manage the security baselines. - -[![Security Compliance Toolkit.](images/security-compliance-toolkit-1.png)](security-compliance-toolkit-10.md) -[![Get Support.](images/get-support.png)](get-support-for-security-baselines.md) - -## Community - -[![Microsoft Security Guidance Blog.](images/community.png)](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/bd-p/Security-Baselines) - -## Related Videos - -You may also be interested in this msdn channel 9 video: -- [Defrag Tools](https://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-174-Security-Baseline-Policy-Analyzer-and-LGPO) - -## See Also - -- [Microsoft Endpoint Configuration Manager](https://www.microsoft.com/cloud-platform/system-center-configuration-manager) -- [Operations Management Suite](https://www.microsoft.com/cloud-platform/operations-management-suite) -- [Configuration Management for Nano Server](/archive/blogs/grouppolicy/configuration-management-on-servers/) -- [Microsoft Security Guidance Blog](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/bg-p/Microsoft-Security-Baselines) -- [Microsoft Security Compliance Toolkit Download](https://www.microsoft.com/download/details.aspx?id=55319) -- [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=55319) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-security-configuration-framework/TOC.yml b/windows/security/threat-protection/windows-security-configuration-framework/TOC.yml deleted file mode 100644 index f7e0955409..0000000000 --- a/windows/security/threat-protection/windows-security-configuration-framework/TOC.yml +++ /dev/null @@ -1,9 +0,0 @@ -- name: Windows security guidance for enterprises - items: - - name: Windows security baselines - href: windows-security-baselines.md - items: - - name: Security Compliance Toolkit - href: security-compliance-toolkit-10.md - - name: Get support - href: get-support-for-security-baselines.md diff --git a/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md b/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md index dc7c58f214..9b329ccb64 100644 --- a/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md @@ -27,6 +27,8 @@ The SCT enables administrators to effectively manage their enterprise’s Group The Security Compliance Toolkit consists of: +- Windows 11 security baseline + - Windows 10 security baselines - Windows 10 Version 1909 (November 2019 Update) - Windows 10 Version 1903 (April 2019 Update) @@ -48,7 +50,7 @@ The Security Compliance Toolkit consists of: - Office 2016 - Microsoft Edge security baseline - - Edge Browser Version 80 + - Edge Browser Version 93 - Tools - Policy Analyzer tool diff --git a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md index 170918a4fa..435be7648b 100644 --- a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md @@ -11,22 +11,17 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 06/25/2018 +ms.date: ms.reviewer: ms.technology: mde --- # Windows security baselines -**Applies to** - -- Windows 10 -- Windows Server 2016 -- Office 2016 ## Using security baselines in your organization -Microsoft is dedicated to providing its customers with secure operating systems, such as Windows 10 and Windows Server, and secure apps, such as Microsoft Edge. In addition to the security assurance of its products, Microsoft also enables you to have fine control over your environments by providing various configuration capabilities. +Microsoft is dedicated to providing its customers with secure operating systems, such as Windows and Windows Server, and secure apps, such as Microsoft Edge. In addition to the security assurance of its products, Microsoft also enables you to have fine control over your environments by providing various configuration capabilities. Even though Windows and Windows Server are designed to be secure out-of-the-box, many organizations still want more granular control over their security configurations. To navigate the large number of controls, organizations need guidance on configuring various security features. Microsoft provides this guidance in the form of security baselines. @@ -56,12 +51,13 @@ You can use security baselines to: ## Where can I get the security baselines? -You can download the security baselines from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=55319). This download page is for the Security Compliance Toolkit (SCT), which comprises tools that can assist admins in managing baselines in addition to the security baselines. +There are several ways to get and use security baselines: -The security baselines are included in the [Security Compliance Toolkit (SCT)](security-compliance-toolkit-10.md), which can be downloaded from the Microsoft Download Center. The SCT also includes tools to help admins manage the security baselines. +1. You can download the security baselines from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=55319). This download page is for the Security Compliance Toolkit (SCT), which comprises tools that can assist admins in managing baselines in addition to the security baselines. The security baselines are included in the [Security Compliance Toolkit (SCT)](security-compliance-toolkit-10.md), which can be downloaded from the Microsoft Download Center. The SCT also includes tools to help admins manage the security baselines. You can also [Get Support for the security baselines](get-support-for-security-baselines.md) -[![Security Compliance Toolkit.](./../images/security-compliance-toolkit-1.png)](security-compliance-toolkit-10.md) -[![Get Support.](./../images/get-support.png)](get-support-for-security-baselines.md) +2. [MDM (Mobile Device Management) security baselines](/windows/client-management/mdm/#mdm-security-baseline.md) function like the Microsoft group policy-based security baselines and can easily integrate this into an existing MDM management tool. + +3. MDM Security baselines can easily be configures in Microsoft Endpoint Manager on devices that run Windows 10 and 11. The following article provides the detail steps: [Windows MDM (Mobile Device Management) baselines](/mem/intune/protect/security-baseline-settings-mdm-all.md). ## Community diff --git a/windows/security/trusted-boot.md b/windows/security/trusted-boot.md new file mode 100644 index 0000000000..6792a8df14 --- /dev/null +++ b/windows/security/trusted-boot.md @@ -0,0 +1,40 @@ +--- +title: Secure Boot and Trusted Boot +description: Trusted Boot prevents corrupted components from loading during the boot-up process in Windows 11 +search.appverid: MET150 +author: denisebmsft +ms.author: deniseb +manager: dansimp +audience: ITPro +ms.topic: conceptual +ms.date: 09/21/2021 +ms.prod: m365-security +ms.technology: windows-sec +ms.localizationpriority: medium +ms.collection: +ms.custom: +ms.reviewer: jsuther +f1.keywords: NOCSH +--- + +# Secure Boot and Trusted Boot + +*This article describes Secure Boot and Trusted Boot, security measures built into Windows 11.* + +Secure Boot and Trusted Boot help prevent malware and corrupted components from loading when a Windows 11 device is starting. Secure Boot starts with initial boot-up protection, and then Trusted Boot picks up the process. Together, Secure Boot and Trusted Boot help to ensure your Windows 11 system boots up safely and securely. + +## Secure Boot + +The first step in protecting the operating system is to ensure that it boots securely after the initial hardware and firmware boot sequences have safely finished their early boot sequences. Secure Boot makes a safe and trusted path from the Unified Extensible Firmware Interface (UEFI) through the Windows kernel's Trusted Boot sequence. Malware attacks on the Windows boot sequence are blocked by the signature-enforcement handshakes throughout the boot sequence between the UEFI, bootloader, kernel, and application environments. + +As the PC begins the boot process, it will first verify that the firmware is digitally signed, reducing the risk of firmware rootkits. Secure Boot then checks all code that runs before the operating system and checks the OS bootloader’s digital signature to ensure that it is trusted by the Secure Boot policy and hasn’t been tampered with. + +## Trusted Boot + +Trusted Boot picks up the process that started with Secure Boot. The Windows bootloader verifies the digital signature of the Windows kernel before loading it. The Windows kernel, in turn, verifies every other component of the Windows startup process, including boot drivers, startup files, and your antimalware product’s early-launch antimalware (ELAM) driver. If any of these files were tampered, the bootloader detects the problem and refuses to load the corrupted component. Tampering or malware attacks on the Windows boot sequence are blocked by the signature-enforcement handshakes between the UEFI, bootloader, kernel, and application environments. + +Often, Windows can automatically repair the corrupted component, restoring the integrity of Windows and allowing the Windows 11 device to start normally. + +## See also + +[Secure the Windows boot process](information-protection/secure-the-windows-10-boot-process.md) \ No newline at end of file diff --git a/windows/security/zero-trust-windows-device-health.md b/windows/security/zero-trust-windows-device-health.md new file mode 100644 index 0000000000..1462084e1e --- /dev/null +++ b/windows/security/zero-trust-windows-device-health.md @@ -0,0 +1,71 @@ +--- +title: Zero Trust and Windows device health +description: Describes the process of Windows device health attestation +ms.reviewer: +ms.topic: article +manager: dansimp +ms.author: dansimp +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: dansimp +ms.collection: M365-security-compliance +ms.prod: m365-security +ms.technology: windows-sec +--- + +# Zero Trust and Windows device health +Organizations need a security model that more effectively adapts to the complexity of the modern work environment. IT admins need to embrace the hybrid workplace, while protecting people, devices, apps, and data wherever they’re located. Implementing a Zero Trust model for security helps addresses today's complex environments. + +The [Zero Trust](https://www.microsoft.com/security/business/zero-trust) principles are: + +- **Verify explicitly**. Always authenticate and authorize based on all available data points, including user identity, location, device health, service or workload, data classification, and monitor anomalies. + +- **Use least-privileged access**. Limit user access with just-in-time and just-enough-access, risk-based adaptive policies, and data protection to help secure data and maintain productivity. + +- **Assume breach**. Prevent attackers from obtaining access to minimize potential damage to data and systems. Protect privileged roles, verify end-to-end encryption, use analytics to get visibility, and drive threat detection to improve defenses. + +The Zero Trust concept of **verify explicitly** applies to the risks introduced by both devices and users. Windows enables **device health attestation** and **conditional access** capabilities, which are used to grant access to corporate resources. + +[Conditional access](/azure/active-directory/conditional-access/overview) evaluates identity signals to confirm that users are who they say they are before they are granted access to corporate resources. + +Windows 11 supports device health attestation, helping to confirm that devices are in a good state and have not been tampered with. This capability helps users access corporate resources whether they’re in the office, at home, or when they’re traveling. + +Attestation helps verify the identity and status of essential components and that the device, firmware, and boot process have not been altered. Information about the firmware, boot process, and software, is used to validate the security state of the device. This information is cryptographically stored in the security co-processor Trusted Platform Module (TPM). Once the device is attested, it can be granted access to resources. + +## Device health attestation on Windows + Many security risks can emerge during the boot process as this process can be the most privileged component of the whole system. The verification process uses remote attestation as the secure channel to determine and present the device’s health. Remote attestation determines: + +- If the device can be trusted +- If the operating system booted correctly +- If the OS has the right set of security features enabled + +These determinations are made with the help of a secure root of trust using the Trusted Platform Module (TPM). Devices can attest that the TPM is enabled, and that the device has not been tampered with. + +Windows includes many security features to help protect users from malware and attacks. However, trusting the Windows security components can only be achieved if the platform boots as expected and was not tampered with. Windows relies on Unified Extensible Firmware Interface (UEFI) Secure Boot, Early-launch antimalware (ELAM), Dynamic Root of Trust for Measurement (DRTM), Trusted Boot, and other low-level hardware and firmware security features. When you power on your PC until your anti-malware starts, Windows is backed with the appropriate hardware configuration to help keep you safe. [Measured and Trusted boot](information-protection/secure-the-windows-10-boot-process.md), implemented by bootloaders and BIOS, verifies and cryptographically records each step of the boot in a chained manner. These events are bound to a security coprocessor (TPM) that acts as the Root of Trust. Remote Attestation is the mechanism by which these events are read and verified by a service to provide a verifiable, unbiased, and tamper resilient report. Remote attestation is the trusted auditor of your system's boot, allowing specific entities to trust the device. + +A summary of the steps involved in attestation and Zero Trust on the device side are as follows: + +1. During each step of the boot process, such as a file load, update of special variables, and more, information such as file hashes and signature are measured in the TPM PCRs. The measurements are bound by a [Trusted Computing Group specification](https://trustedcomputinggroup.org/resource/pc-client-platform-tpm-profile-ptp-specification/) (TCG) that dictates what events can be recorded and the format of each event. + +2. Once Windows has booted, the attestor/verifier requests the TPM to fetch the measurements stored in its Platform Configuration Register (PCR) alongside a TCG log. Both of these together form the attestation evidence that is then sent to the attestation service. + +3. The TPM is verified by using the keys/cryptographic material available on the chipset with an [Azure Certificate Service](/windows-server/identity/ad-ds/manage/component-updates/tpm-key-attestation). + +4. This information is then sent to the attestation service in the cloud to verify that the device is safe. Microsoft Endpoint Manger (MEM) integrates with Microsoft Azure Attestation to review device health comprehensively and connect this information with AAD conditional access. This integration is key for Zero Trust solutions that help bind trust to an untrusted device. + +5. The attestation service does the following: + + - Verify the integrity of the evidence. This is done by validating the PCRs that match the values recomputed by replaying the TCG log. + - Verify that the TPM has a valid Attestation Identity Key issued by the authenticated TPM. + - Verify that the security features are in the expected states. + +6. The attestation service returns an attestation report that contains information about the security features based on the policy configured in the attestation service. + +7. The device then sends the report to the MEM cloud to assess the trustworthiness of the platform according to the admin-configured device compliance rules. + +8. Conditional access, along with device-compliance state then decides to allow or deny access. + +## Other Resources + +Learn more about Microsoft Zero Trust solutions in the [Zero Trust Guidance Center](/security/zero-trust/). diff --git a/windows/whats-new/TOC.yml b/windows/whats-new/TOC.yml index a9ae9e12ba..b7b6b4220a 100644 --- a/windows/whats-new/TOC.yml +++ b/windows/whats-new/TOC.yml @@ -3,8 +3,8 @@ - name: Windows 11 expanded: true items: - - name: Windows 11 overview - href: windows-11.md + - name: What's new in Windows 11 + href: windows-11-whats-new.md - name: Windows 11 requirements href: windows-11-requirements.md - name: Plan for Windows 11 diff --git a/windows/whats-new/images/windows-11-whats-new/windows-11-snap-layouts.png b/windows/whats-new/images/windows-11-whats-new/windows-11-snap-layouts.png new file mode 100644 index 0000000000..5ad38f511f Binary files /dev/null and b/windows/whats-new/images/windows-11-whats-new/windows-11-snap-layouts.png differ diff --git a/windows/whats-new/images/windows-11-whats-new/windows-11-taskbar-microsoft-teams.png b/windows/whats-new/images/windows-11-whats-new/windows-11-taskbar-microsoft-teams.png new file mode 100644 index 0000000000..3d018c0bda Binary files /dev/null and b/windows/whats-new/images/windows-11-whats-new/windows-11-taskbar-microsoft-teams.png differ diff --git a/windows/whats-new/images/windows-11-whats-new/windows-11-taskbar-virtual-desktops.png b/windows/whats-new/images/windows-11-whats-new/windows-11-taskbar-virtual-desktops.png new file mode 100644 index 0000000000..3014eebecf Binary files /dev/null and b/windows/whats-new/images/windows-11-whats-new/windows-11-taskbar-virtual-desktops.png differ diff --git a/windows/whats-new/images/windows-11-whats-new/windows-11-taskbar-widgets.png b/windows/whats-new/images/windows-11-whats-new/windows-11-taskbar-widgets.png new file mode 100644 index 0000000000..37f68c5e31 Binary files /dev/null and b/windows/whats-new/images/windows-11-whats-new/windows-11-taskbar-widgets.png differ diff --git a/windows/whats-new/images/windows-11-whats-new/windows-11-taskbar.png b/windows/whats-new/images/windows-11-whats-new/windows-11-taskbar.png new file mode 100644 index 0000000000..1f997e62f9 Binary files /dev/null and b/windows/whats-new/images/windows-11-whats-new/windows-11-taskbar.png differ diff --git a/windows/whats-new/images/windows-11-whats-new/windows-terminal-app.png b/windows/whats-new/images/windows-11-whats-new/windows-terminal-app.png new file mode 100644 index 0000000000..6e11e7df54 Binary files /dev/null and b/windows/whats-new/images/windows-11-whats-new/windows-terminal-app.png differ diff --git a/windows/whats-new/index.yml b/windows/whats-new/index.yml index 375f946870..403244cfa4 100644 --- a/windows/whats-new/index.yml +++ b/windows/whats-new/index.yml @@ -27,8 +27,8 @@ landingContent: linkLists: - linkListType: overview links: - - text: Windows 11 overview - url: windows-11.md + - text: What's new + url: windows-11-whats-new.md - text: Windows 11 requirements url: windows-11-requirements.md - text: Plan for Windows 11 diff --git a/windows/whats-new/whats-new-windows-10-version-1703.md b/windows/whats-new/whats-new-windows-10-version-1703.md index 48bf6b509b..2cc76a97e8 100644 --- a/windows/whats-new/whats-new-windows-10-version-1703.md +++ b/windows/whats-new/whats-new-windows-10-version-1703.md @@ -273,32 +273,6 @@ Learn about the new Group Policies that were added in Windows 10, version 1703. - [Group Policy Settings Reference for Windows and Windows Server](https://www.microsoft.com/download/details.aspx?id=25250) -## Windows 10 Mobile enhancements - -### Lockdown Designer - -The Lockdown Designer app helps you configure and create a lockdown XML file to apply to devices running Windows 10 Mobile, and includes a remote simulation to help you determine the layout for tiles on the Start screen. Using Lockdown Designer is easier than [manually creating a lockdown XML file](/windows/configuration/mobile-devices/lockdown-xml). - -![Lockdown Designer app in Store.](images/ldstore.png) - -[Learn more about the Lockdown Designer app.](/windows/configuration/mobile-devices/mobile-lockdown-designer) - -### Other enhancements - -Windows 10 Mobile, version 1703 also includes the following enhancements: - -- SD card encryption -- Remote PIN resets for Azure Active Directory accounts -- SMS text message archiving -- WiFi Direct management -- OTC update tool -- Continuum display management - - Individually turn off the monitor or phone screen when not in use - - individually adjust screen time-out settings -- Continuum docking solutions - - Set Ethernet port properties - - Set proxy properties for the Ethernet port - ## Miracast on existing wireless network or LAN In the Windows 10, version 1703, Microsoft has extended the ability to send a Miracast stream over a local network rather than over a direct wireless link. This functionality is based on the [Miracast over Infrastructure Connection Establishment Protocol (MS-MICE)](/openspecs/windows_protocols/ms-mice/9598ca72-d937-466c-95f6-70401bb10bdb). diff --git a/windows/whats-new/windows-11-plan.md b/windows/whats-new/windows-11-plan.md index 2aebecdb11..7841ae8015 100644 --- a/windows/whats-new/windows-11-plan.md +++ b/windows/whats-new/windows-11-plan.md @@ -7,7 +7,6 @@ ms.mktglfcycl: deploy ms.sitesec: library author: greg-lindsay ms.author: greglin -ms.date: 08/18/2021 ms.reviewer: manager: laurawi ms.localizationpriority: high @@ -39,7 +38,7 @@ If you are looking for ways to optimize your approach to deploying Windows 11, o As a first step, you will need to know which of your current devices meet the Windows 11 hardware requirements. Most devices purchased in the last 18-24 months will be compatible with Windows 11. Verify that your device meets or exceeds [Windows 11 requirements](windows-11-requirements.md) to ensure it is compatible. -Microsoft is currently developing analysis tools to help you evaluate your devices against the Windows 11 hardware requirements. When Windows 11 reaches general availability, end-users running Windows 10 Home, Pro, and Pro for Workstations will be able to use the [PC Health Check](https://www.microsoft.com/windows/windows-11#pchealthcheck) app to determine their eligibility for Windows 11. End-users running Windows 10 Enterprise and Education editions should rely on their IT administrators to let them know when they are eligible for the upgrade.  +Microsoft is currently developing analysis tools to help you evaluate your devices against the Windows 11 hardware requirements. When Windows 11 reaches general availability, users running Windows 10 Home, Pro, and Pro for Workstations will be able to use the [PC Health Check](https://www.microsoft.com/windows/windows-11#pchealthcheck) app to determine their eligibility for Windows 11. Users running Windows 10 Enterprise and Education editions should rely on their IT administrators to let them know when they are eligible for the upgrade.  Enterprise organizations looking to evaluate device readiness in their environments can expect this capability to be integrated into existing Microsoft tools, such as Endpoint analytics and Update Compliance. This capability will be available when Windows 11 is generally available. Microsoft is also working with software publishing partners to facilitate adding Windows 11 device support into their solutions. @@ -57,8 +56,7 @@ If you manage devices on behalf of your organization, you will be able to upgrad - Additional insight into safeguard holds. While safeguard holds will function for Windows 11 devices just as they do for Windows 10 today, administrators using Windows Update for Business will have access to information on which safeguard holds are preventing individual devices from taking the upgrade to Windows 11. > [!NOTE] -> If you use Windows Update for Business to manage feature update deployments today, you will need to leverage the **Target Version** policy rather than **Feature Update deferrals** to move from Windows 10 to Windows 11. Deferrals are great for quality updates or to move to newer version of the same product (from example, from Windows 10, version 20H2 to 21H1), but they cannot migrate a device between products (from Windows 10 to Windows 11).
        -> Also, Windows 11 has a new End User License Agreement. If you are deploying with Windows Update for Business **Target Version** or with Windows Server Update Services, you are accepting this new End User License Agreement on behalf of the end-users within your organization. +> Also, Windows 11 has new Microsoft Software License Terms. If you are deploying with Windows Update for Business or Windows Server Update Services, you are accepting these new license terms on behalf of the users in your organization. ##### Unmanaged devices @@ -85,7 +83,7 @@ The introduction of Windows 11 is also a good time to review your hardware refre ## Servicing and support -Along with end-user experience and security improvements, Windows 11 introduces enhancements to Microsoft's servicing approach based on your suggestions and feedback. +Along with user experience and security improvements, Windows 11 introduces enhancements to Microsoft's servicing approach based on your suggestions and feedback. **Quality updates**: Windows 11 and Windows 10 devices will receive regular monthly quality updates to provide security updates and bug fixes. diff --git a/windows/whats-new/windows-11-prepare.md b/windows/whats-new/windows-11-prepare.md index b301ed3de2..401e92c65f 100644 --- a/windows/whats-new/windows-11-prepare.md +++ b/windows/whats-new/windows-11-prepare.md @@ -7,7 +7,6 @@ ms.mktglfcycl: deploy ms.sitesec: library author: greg-lindsay ms.author: greglin -ms.date: 09/03/2021 ms.reviewer: manager: laurawi ms.localizationpriority: high @@ -36,25 +35,30 @@ The tools that you use for core workloads during Windows 10 deployments can stil - If you use [Windows Server Update Service (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus), you will need to sync the new **Windows 11** product category. After you sync the product category, you will see Windows 11 offered as an option. If you would like to validate Windows 11 prior to release, you can sync the **Windows Insider Pre-release** category as well. > [!NOTE] - > During deployment, you will be prompted to agree to the End User License Agreement on behalf of your users. Additionally, you will not see an x86 option because Windows 11 is not supported on 32-bit architecture. + > During deployment, you will be prompted to agree to the Microsoft Software License Terms on behalf of your users. Additionally, you will not see an x86 option because Windows 11 is not supported on 32-bit architecture. - If you use [Microsoft Endpoint Configuration Manager](/mem/configmgr/), you can sync the new **Windows 11** product category and begin upgrading eligible devices. If you would like to validate Windows 11 prior to release, you can sync the **Windows Insider Pre-release** category as well. > [!NOTE] - > Configuration Manager will prompt you to accept the End User License Agreement on behalf of the users in your organization. + > Configuration Manager will prompt you to accept the Microsoft Software License Terms on behalf of the users in your organization. #### Cloud-based solutions -- If you use Windows Update for Business policies, you will need to use the **Target Version** capability rather than feature update deferrals to upgrade from Windows 10 to Windows 11. Feature update deferrals are great to move to newer versions of your current product (for example, Windows 10, version 20H2 to 21H1, but do not enable you to move between products (Windows 10 to Windows 11). +- If you use Windows Update for Business policies, you will need to use the **Target Version** capability (either through policy or the Windows Update for Business deployment service) rather than using feature update deferrals alone to upgrade from Windows 10 to Windows 11. Feature update deferrals are great to move to newer versions of your current product (for example, Windows 10, version 20H2 to 21H1), but won't automatically devices move between products (Windows 10 to Windows 11). + - If you use Microsoft Intune and have a Microsoft 365 E3 license, you will be able to use the [feature update deployments](/mem/intune/protect/windows-10-feature-updates) page to select **Windows 11, version 21H2** and upgrade Windows 10 devices to Windows 11. You can also continue using the same update experience controls to manage Windows 10 and Windows 11 on the **Update Rings** page in Intune. If you aren’t ready to move to Windows 11, keep the feature update version set at the version you are currently on. When you are ready to start upgrading devices, change the feature update deployment setting to specify Windows 11. - In Group Policy, **Select target Feature Update version** has two entry fields after taking the 9/1/2021 optional update ([KB5005101](https://support.microsoft.com/topic/september-1-2021-kb5005101-os-builds-19041-1202-19042-1202-and-19043-1202-preview-82a50f27-a56f-4212-96ce-1554e8058dc1)) or a later update: **Product Version** and **Target Version**. + - The product field must specify Windows 11 in order for devices to upgrade to Windows 11. If only the target version field is configured, the device will be offered matching versions of the same product. - For example, if a device is running Windows 10, version 2004 and only the target version is configured to 21H1, this device will be offered version Windows 10, version 21H1, even if multiple products have a 21H1 version. - Quality update deferrals will continue to work the same across both Windows 10 and Windows 11. This is true regardless of which management tool you use to configure Windows Update for Business policies. -- If you use Microsoft Intune and have a Microsoft 365 E3 license, you will be able to use feature update deployments to easily update devices from one release of Windows 10 to another, or to upgrade Windows 10 devices to Windows 11. You can also continue using the same update experience controls to manage Windows 10 and Windows 11. +- If you use Microsoft Intune and have a Microsoft 365 E3 license, you will be able to use [feature update deployments](/mem/intune/protect/windows-10-feature-updates) to easily update devices from one release of Windows 10 to another, or to upgrade Windows 10 devices to Windows 11. You can also continue using the same update experience controls to manage Windows 10 and Windows 11. If you aren’t ready to move to Windows 11, keep the feature update version set at the version you are currently on. When you are ready to start upgrading devices, change the feature update deployment setting to specify Windows 11. + + > [!NOTE] + > Endpoints managed by Windows Update for Business will not automatically upgrade to Windows 11 unless an administrator explicitly configures a **Target Version** using the [TargetReleaseVersion](/windows/client-management/mdm/policy-csp-update#update-targetreleaseversion) setting using a Windows CSP, a [feature update profile](/mem/intune/protect/windows-10-feature-updates) in Intune, or the [Select target Feature Update version setting](/windows/deployment/update/waas-wufb-group-policy#i-want-to-stay-on-a-specific-version) in a group policy. ## Cloud-based management -If you aren’t already taking advantage of cloud-based management capabilities, like those available in [Microsoft Endpoint Manager](/mem/endpoint-manager-overview), it's worth considering. In addition to consolidating device management and endpoint security into a single platform, Microsoft Endpoint Manager can better support the diverse bring-your-own-device (BYOD) ecosystem that is increasingly the norm with hybrid work scenarios. It can also enable you to track your progress against compliance and business objectives, while protecting end-user privacy. +If you aren’t already taking advantage of cloud-based management capabilities, like those available in [Microsoft Endpoint Manager](/mem/endpoint-manager-overview), it's worth considering. In addition to consolidating device management and endpoint security into a single platform, Microsoft Endpoint Manager can better support the diverse bring-your-own-device (BYOD) ecosystem that is increasingly the norm with hybrid work scenarios. It can also enable you to track your progress against compliance and business objectives, while protecting user privacy. The following are some common use cases and the corresponding Microsoft Endpoint Manager capabilities that support them: @@ -113,9 +117,9 @@ At a high level, the tasks involved are: 6. Test and support the pilot devices. 7. Determine broad deployment readiness based on the results of the pilot. -## End-user readiness +## User readiness -Do not overlook the importance of end-user readiness to deliver an effective, enterprise-wide deployment of Windows 11. Windows 11 has a familiar design, but your users will see several enhancements to the overall user interface. They will also need to adapt to changes in menus and settings pages. Therefore, consider the following tasks to prepare users and your IT support staff Windows 11: +Do not overlook the importance of user readiness to deliver an effective, enterprise-wide deployment of Windows 11. Windows 11 has a familiar design, but your users will see several enhancements to the overall user interface. They will also need to adapt to changes in menus and settings pages. Therefore, consider the following tasks to prepare users and your IT support staff Windows 11: - Create a communications schedule to ensure that you provide the right message at the right time to the right groups of users, based on when they will see the changes. - Draft concise emails that inform users of what changes they can expect to see. Offer tips on how to use or customize their experience. Include information about support and help desk options. - Update help desk manuals with screenshots of the new user interface, the out-of-box experience for new devices, and the upgrade experience for existing devices. diff --git a/windows/whats-new/windows-11-requirements.md b/windows/whats-new/windows-11-requirements.md index d9aa505720..da34c4fa6e 100644 --- a/windows/whats-new/windows-11-requirements.md +++ b/windows/whats-new/windows-11-requirements.md @@ -2,7 +2,7 @@ title: Windows 11 requirements description: Hardware requirements to deploy Windows 11 ms.reviewer: -manager: laurawi +manager: dougeby ms.audience: itpro author: greg-lindsay ms.author: greglin @@ -21,7 +21,7 @@ ms.custom: seo-marvel-apr2020 - Windows 11 -This article lists the system requirements for Windows 11. Windows 11 is also supported on a virtual machine (VM). +This article lists the system requirements for Windows 11. Windows 11 is also [supported on a virtual machine (VM)](#virtual-machine-support). ## Hardware requirements @@ -46,7 +46,7 @@ For information about tools to evaluate readiness, see [Determine eligibility](w ## Operating system requirements -For the best Windows 11 upgrade experience, eligible devices should be running Windows 10, version 20H1 or later. +For the best Windows 11 upgrade experience, eligible devices should be running Windows 10, version 2004 or later. > [!NOTE] > S mode is only supported on the Home edition of Windows 11. @@ -80,6 +80,22 @@ Some features in Windows 11 have requirements beyond those listed above. See the - **Windows Projection**: requires a display adapter that supports Windows Display Driver Model (WDDM) 2.0 and a Wi-Fi adapter that supports Wi-Fi Direct. - **Xbox app**: requires an Xbox Live account, which is not available in all regions. Please go to the Xbox Live Countries and Regions page for the most up-to-date information on availability. Some features in the Xbox app will require an active [Xbox Game Pass](https://www.xbox.com/xbox-game-pass) subscription. +## Virtual machine support + +The following configuration requirements apply to VMs running Windows 11. + +- Generation: 2 \* +- Storage: 64 GB or greater +- Security: Secure Boot capable, virtual TPM enabled +- Memory: 4 GB or greater +- Processor: 2 or more virtual processors + +The VM host CPU must also meet Windows 11 [processor requirements](/windows-hardware/design/minimum/windows-processor-requirements). + +\* In-place upgrade of existing generation 1 VMs to Windows 11 is not possible. + +> [!NOTE] +> Procedures to configure required VM settings depend on the VM host type. For VM hosts running Hyper-V, virtualization (VT-x, VT-d) must be enabled in BIOS. Virtual TPM 2.0 is emulated in the guest VM independent of the Hyper-V host TPM presence or version. ## Next steps @@ -89,5 +105,5 @@ Some features in Windows 11 have requirements beyond those listed above. See the ## See also [Windows minimum hardware requirements](/windows-hardware/design/minimum/minimum-hardware-requirements-overview)
        -[Windows 11 overview](windows-11.md) +[What's new in Windows 11 overview](windows-11-whats-new.md) diff --git a/windows/whats-new/windows-11-whats-new.md b/windows/whats-new/windows-11-whats-new.md new file mode 100644 index 0000000000..4eafe42218 --- /dev/null +++ b/windows/whats-new/windows-11-whats-new.md @@ -0,0 +1,219 @@ +--- +title: Windows 11, what's new and overview for administrators +description: Learn more about what's new in Windows 11. Read about see the features IT professionals and administrators should know about Windows 11, including security, using apps, using Android apps, the new desktop, and deploying and servicing PCs. +ms.reviewer: +manager: dougeby +ms.audience: itpro +author: MandiOhlinger +ms.author: mandia +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.localizationpriority: medium +audience: itpro +ms.topic: article +ms.custom: +--- + +# What's new in Windows 11 + +**Applies to**: + +- Windows 11 + +Windows 11 is the next client operating system, and includes features that organizations should know. Windows 11 is built on the same foundation as Windows 10. If you use Windows 10, then Windows 11 is a natural transition and update to what you know, and what you're familiar with. + +It offers innovations focused on enhancing end-user productivity, and is designed to support today's hybrid work environment. + +Your investments in update and device management are carried forward. For example, many of the same apps and tools can be used in Windows 11. Many of the same security settings and policies can be applied to Windows 11 devices, including PCs. You can use Windows Autopilot with a zero touch deployment to enroll your Windows devices in Microsoft Endpoint Manager. You can also use newer features, such as Azure Virtual Desktop and Windows 365 on your Windows 11 devices. + +This article lists what's new, and some of the features & improvements. For more information on what's new for OEMs, see [What's new in manufacturing, customization, and design](/windows-hardware/get-started/what-s-new-in-windows). + +## Security and scanning + +The security and privacy features in Windows 11 are similar to Windows 10. Security for your devices starts with the hardware, and includes OS security, application security, and user & identity security. There are features available in the Windows OS to help in these areas. This section describes some of these features. For a more comprehensive view, including zero trust, see [Windows security](/windows/security/). + +- The **Windows Security** app is built into the OS. This app is an easy-to-use interface, and combines commonly used security features. For example, your get access to virus & threat protection, firewall & network protection, account protection, and more. + + For more information, see [the Windows Security app](/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center). + +- **Security baselines** includes security settings that already configured, and ready to be deployed to your devices. If you don't know where to start, or it's too time consuming to go through all the settings, then you should look at Security Baselines. + + For more information, see [Windows security baselines](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines). + +- **Microsoft Defender Antivirus** is built into Windows, and helps protect devices using next-generation security. When used with Microsoft Defender for Endpoint, your organization gets strong endpoint protection, and advanced endpoint protection & response. If your devices are managed with Endpoint Manager, you can create policies based on threat levels found in Microsoft Defender for Endpoint. + + For more information, see: + + - [Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows) + - [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint) + - [Enforce compliance for Microsoft Defender for Endpoint](/mem/intune/protect/advanced-threat-protection) + +- The Application Security features help prevent unwanted or malicious code from running, isolate untrusted websites & untrusted Office files, protect against phishing or malware websites, and more. + + For more information, see [Windows application security](/windows/security/apps). + +- **Windows Hello for Business** helps protect users and identities. It replaces passwords, and uses a PIN or biometric that stays locally on the device. Device manufacturers are including more secure hardware features, such as IR cameras and TPM chips. These features are used with Windows Hello for Business to help protect user identities on your organization devices. + + As an admin, going passwordless help secures user identities. The Windows OS, Azure AD, and Endpoint Manager work together to remove passwords, create more secure policies, and help enforce compliance. + + For more information, see: + + - [Windows Hello for Business Overview](/windows/security/identity-protection/hello-for-business/hello-overview) + - [Trusted Platform Module Technology Overview](/windows/security/information-protection/tpm/trusted-platform-module-overview) + - [Integrate Windows Hello for Business with Endpoint Manager](/mem/intune/protect/windows-hello) + +For more information on the security features you can configure, manage, and enforce using Endpoint Manager, see [Protect data and devices with Microsoft Endpoint Manager](/mem/intune/protect/device-protect). + +## Easier access to new services, and services you already use + +- **Windows 365** is a desktop operating system that's also a cloud service. From another internet-connected device, including Android and macOS devices, you can run Windows 365, just like a virtual machine. + + For more information, see [What is Windows 365 Enterprise?](/windows-365/overview). + +- **Microsoft Teams** is included with the OS, and is automatically available on the taskbar. Users select the chat icon, sign in with their personal Microsoft account, and start a call: + + :::image type="content" source="./images/windows-11-whats-new/windows-11-taskbar-microsoft-teams.png" alt-text="On the Windows 11 taskbar, select the camera chat icon to start a Microsoft Teams call."::: + + This version of Microsoft Teams is for personal accounts. For organization accounts, such as `user@contoso.com`, you can deploy the Microsoft Teams app using MDM policy, such as Endpoint Manager. For more information, see: + + - [Get started with Microsoft Endpoint Manager](/mem/endpoint-manager-getting-started) + - [Add Microsoft 365 apps to Windows 10 devices with Microsoft Intune](/mem/intune/apps/apps-add-office365) + - [Install Microsoft Teams using Microsoft Endpoint Configuration Manager](/microsoftteams/msi-deployment) + + Users can manage preinstalled apps using the **Settings** app > **Apps** > **Apps & Features**. Admins can [create a policy that pins apps, or removes the default pinned apps from the Taskbar](/windows/configuration/customize-taskbar-windows-11). + +- **Power Automate for desktop** is included with the OS. Your users can create flows with this low-code app to help them with everyday tasks. For example, users can create flows that save a message to OneNote, notify a team when there's a new Forms response, get notified when a file is added to SharePoint, and more. + + For more information, see [Getting started with Power Automate in Windows 11](/power-automate/desktop-flows/getting-started-windows-11). + + Users can manage preinstalled apps using the **Settings** app > **Apps** > **Apps & Features**. + +## Customize the desktop experience + +- **Snap Layouts, Snap Groups**: When you open an app, hover your mouse over the minimize/maximize option. When you do, you can select a different layout for the app: + + :::image type="content" source="./images/windows-11-whats-new/windows-11-snap-layouts.png" alt-text="In Windows 11, use the minimize or maximize button on an app to see the available snap layouts."::: + + This feature allows users to customize the sizes of apps on their desktop. And, when you add other apps to the layout, the snapped layout stays in place. + + When you add your apps in a Snap Layout, that layout is saved in a Snap Group. In the taskbar, when you hover over an app in an existing snap layout, it shows all the apps in that layout. This feature is the Snap Group. You can select the group, and the apps are opened in the same layout. As you add more Snap Groups, you can switch between them just by selecting the Snap Group. + + Users can manage some snap features using the **Settings** app > **System** > **Multitasking**. For more information on the end-user experience, see [Snap your windows](https://support.microsoft.com/windows/snap-your-windows-885a9b1e-a983-a3b1-16cd-c531795e6241). + + You can also add Snap Layouts to apps your organization creates. For more information, see [Support snap layouts for desktop apps on Windows 11](/windows/apps/desktop/modernize/apply-snap-layout-menu). + +- **Start menu**: The Start menu includes some apps that are pinned by default. You can customize the Start menu layout by pinning (and unpinning) the apps you want. For example, you can pin commonly used apps in your organization, such as Outlook, Microsoft Teams, apps your organization creates, and more. + + Using policy, you can deploy your customized Start menu layout to devices in your organization. For more information, see [Customize the Start menu layout on Windows 11](/windows/configuration/customize-start-menu-layout-windows-11). + + Users can manage some Start menu features using the **Settings** app > **Personalization**. For more information on the end-user experience, see [See what's on the Start menu](https://support.microsoft.com/windows/see-what-s-on-the-start-menu-a8ccb400-ad49-962b-d2b1-93f453785a13). + +- **Taskbar**: You can also pin (and unpin) apps on the Taskbar. For example, you can pin commonly used apps in your organization, such as Outlook, Microsoft Teams, apps your organization creates, and more. + + Using policy, you can deploy your customized Taskbar to devices in your organization. For more information, see [Customize the Taskbar on Windows 11](/windows/configuration/customize-taskbar-windows-11). + + Users can manage some Taskbar features using the **Settings** app > **Personalization**. For more information on the end-user experience, see: + + - [Customize the taskbar notification area](https://support.microsoft.com/windows/customize-the-taskbar-notification-area-e159e8d2-9ac5-b2bd-61c5-bb63c1d437c3) + - [Pin apps and folders to the desktop or taskbar](https://support.microsoft.com/windows/pin-apps-and-folders-to-the-desktop-or-taskbar-f3c749fb-e298-4cf1-adda-7fd635df6bb0) + +- **Widgets**: Widgets are available on the Taskbar. It includes a personalized feed that could be weather, calendar, stock prices, news, and more: + + :::image type="content" source="./images/windows-11-whats-new/windows-11-taskbar-widgets.png" alt-text="On the Windows 11 taskbar, select the widgets icon to open and see the available widgets."::: + + You can enable/disable this feature using the `Computer Configuration\Administrative Templates\Windows Components\widgets` Group Policy. You can also deploy a customized Taskbar to devices in your organization. For more information, see [Customize the Taskbar on Windows 11](/windows/configuration/customize-taskbar-windows-11). + + For information on the end-user experience, see [Stay up to date with widgets](https://support.microsoft.com/windows/stay-up-to-date-with-widgets-7ba79aaa-dac6-4687-b460-ad16a06be6e4). + +- **Virtual desktops**: On the Taskbar, you can select the Desktops icon to create a new desktop: + + :::image type="content" source="./images/windows-11-whats-new/windows-11-taskbar-virtual-desktops.png" alt-text="On the Windows 11 taskbar, select the desktop icon to create many virtual desktops."::: + + Use the desktop to open different apps depending on what you're doing. For example, you can create a Travel desktop that includes web sites and apps that are focused on travel. + + Using policy, you can deploy a customized Taskbar to devices in your organization. For more information, see [Customize the Taskbar on Windows 11](/windows/configuration/customize-taskbar-windows-11). + + Users can manage some desktop features using **Settings** app > **System** > **Multitasking**. For more information on the end-user experience, see [Multiple desktops in Windows](https://support.microsoft.com/windows/multiple-desktops-in-windows-11-36f52e38-5b4a-557b-2ff9-e1a60c976434). + +## Use your same apps, and new apps, improved + +- Starting with Windows 11, users in the [Windows Insider program](https://insider.windows.com/) can download and install **Android™️ apps** from the Microsoft Store. This feature is called the **Windows Subsystem for Android**, and allows users to use Android apps on their Windows devices, similar to other apps installed from the Microsoft Store. + + Users open the Microsoft Store, install the **Amazon Appstore** app, and sign in with their Amazon account. When they sign in, they can search, download, and install Android apps. + + For more information, see: + + - [Windows Subsystem for Android](https://support.microsoft.com/windows/abed2335-81bf-490a-92e5-fe01b66e5c48) + - [Windows Subsystem for Android developer information](/windows/android/wsa) + +- Your Windows 10 apps will also work on Windows 11. **[App Assure](https://www.microsoft.com/fasttrack/microsoft-365/app-assure)** is also available if there are some issues. + + You can continue to use **MSIX packages** for your UWP, Win32, WPF, and WinForm desktop application files. Continue to use **Windows Package Manager** to install Windows apps. Use **Azure Virtual desktop with MSIX app attach** to virtualize desktops and apps. For more information on these features, see [Overview of apps on Windows client devices](/windows/application-management/apps-in-windows-10). + + In the **Settings** app > **Apps**, users can manage some of the app settings. For example, they can get apps anywhere, but let the user know if there's a comparable app in the Microsoft Store. They can also choose which apps start when they sign in. + + Using an MDM provider, like Endpoint Manager, you can create policies that also manage some app settings. For a list of settings, see [App Store in Endpoint Manager](/mem/intune/configuration/device-restrictions-windows-10#app-store). + +- If you manage devices using Endpoint Manager, then you might be familiar with the **Company Portal app**. Starting with Windows 11, the Company Portal is your private app repository for your organization apps. For more information, see [Private app repository in Windows 11](/windows/application-management/private-app-repository-mdm-company-portal-windows-11). + + For public and retail apps, continue using the Microsoft Store. + +- **Windows Terminal app**: This app is included with the OS. On previous Windows versions, it's a separate download in the Microsoft Store. For more information, see [What is Windows Terminal?](/windows/terminal/). + + This app combines Windows PowerShell, a command prompt, and Azure Cloud Shell all within the same terminal window. You don't need to open separate apps to use these command-line applications. It has tabs. And when you open a new tab, you can choose your command-line application: + + :::image type="content" source="./images/windows-11-whats-new/windows-terminal-app.png" alt-text="On Windows 11, open the Windows Terminal app to use Windows PowerShell, the command prompt, or Azure Cloud Shell to run commands."::: + + If users or groups in your organization do a lot with Windows PowerShell or the command prompt, then use policy to add the Windows Terminal app to the [Start menu layout](/windows/configuration/customize-start-menu-layout-windows-11) or the [Taskbar](/windows/configuration/customize-taskbar-windows-11). + + Users can also search for the Terminal app, right-select the app, and pin the app to the Start menu and taskbar. + +- The **Microsoft Store** has a new look, and includes more public and retail apps. For more information on the end-user experience, see: + + - [Get updates for apps and games in Microsoft Store](https://support.microsoft.com/account-billing/get-updates-for-apps-and-games-in-microsoft-store-a1fe19c0-532d-ec47-7035-d1c5a1dd464f) + - [How to open Microsoft Store on Windows](https://support.microsoft.com/account-billing/how-to-open-microsoft-store-on-windows-10-e080b85a-7c9e-46a7-8d8b-3e9a42e32de6) + +- The **Microsoft Edge** browser is included with the OS, and is the default browser. Internet Explorer (IE) isn't available in Windows 11. In Microsoft Edge, you can use IE Mode if a website needs Internet Explorer. Open Microsoft Edge, and enter `edge://settings/defaultBrowser` in the URL. + + To save system resources, Microsoft Edge uses sleeping tabs. Users can configure these settings, and more, in `edge://settings/system`. + + Using Group Policy or an MDM provider, such as Endpoint Manager, you can configure some Microsoft Edge settings. For more information, see [Microsoft Edge - Policies](/deployedge/microsoft-edge-policies) and [Configure Microsoft Edge policy settings](/mem/intune/configuration/administrative-templates-configure-edge). + +## Deployment and servicing + +- **Install Windows 11**: The same methods you use to install Windows 10 can also be used to install Windows 11. For example, you can deploy Windows to your devices using Windows Autopilot, Microsoft Deployment Toolkit (MDT), Configuration Manager, and more. Windows 11 will be delivered as an upgrade to eligible devices running Windows 10. + + For more information on getting started, see [Windows client deployment resources and documentation](/windows/deployment/) and [Plan for Windows 11](windows-11-plan.md). + + For more information on the end-user experience, see [Ways to install Windows 11](https://support.microsoft.com/windows/e0edbbfb-cfc5-4011-868b-2ce77ac7c70e). + +- **Windows Autopilot**: If you're purchasing new devices, you can use Windows Autopilot to set up and pre-configure the devices. When users get the device, they sign in with their organization account (`user@contoso.com`). In the background, Autopilot gets them ready for use, and deploys any apps or policies you set. You can also use Windows Autopilot to reset, repurpose, and recover devices. Autopilot offers zero touch deployment for admins. + + If you have a global or remote workforce, then Autopilot might be the right option to install the OS, and get it ready for use. For more information, see [Overview of Windows Autopilot](/mem/autopilot/windows-autopilot). + +- **Microsoft Endpoint Manager** is a mobile application management (MAM) and mobile device management (MDM) provider. It helps manage devices, and manage apps on devices in your organization. You configure policies, and then deploy these policies to users and groups. You can create and deploy policies that install apps, configure device features, enforce PIN requirements, block compromised devices, and more. + + If you currently use Group Policy to manage your Windows 10 devices, you can also use Group Policy to manage Windows 11 devices. In Endpoint Manager, there are [administrative templates](/mem/intune/configuration/administrative-templates-windows) and the [settings catalog](/mem/intune/configuration/settings-catalog) that include many of the same policies. [Group Policy analytics](/mem/intune/configuration/group-policy-analytics) analyze your on-premises group policy objects. + +- **Windows Updates and Delivery optimization** helps manage updates, and manage features on your devices. Starting with Windows 11, the OS feature updates are installed annually. For more information on servicing channels, and what they are, see [Servicing channels](/windows/deployment/update/waas-overview#servicing-channels). + + Like Windows 10, Windows 11 will receive monthly quality updates. + + You have options to install updates on your Windows devices, including Endpoint Manager, Group Policy, Windows Server Update Services (WSUS), and more. For more information, see [Assign devices to servicing channels](/windows/deployment/update/waas-servicing-channels-windows-10-updates). + + Some updates are large, and use bandwidth. Delivery optimization helps reduce bandwidth consumption. It shares the work of downloading the update packages with multiple devices in your deployment. Windows 11 updates are smaller, as they only pull down source files that are different. You can create policies that configure delivery optimization settings. For example, set the maximum upload and download bandwidth, set caching sizes, and more. + + For more information, see [Delivery Optimization for Windows updates](/windows/deployment/update/waas-delivery-optimization). + + For more information on the end-user experience, see: + + - [Installation & updates](https://support.microsoft.com/office/installation-updates-2f9c1819-310d-48a7-ac12-25191269903c#PickTab=Windows_11) + - [Manage updates in Windows](https://support.microsoft.com/windows/manage-updates-in-windows-643e9ea7-3cf6-7da6-a25c-95d4f7f099fe) + +## Next steps + +- [Windows 11 requirements](windows-11-requirements.md) +- [Plan for Windows 11](windows-11-plan.md) +- [Prepare for Windows 11](windows-11-prepare.md) +- [Windows release health](https://aka.ms/windowsreleasehealth) diff --git a/windows/whats-new/windows-11.md b/windows/whats-new/windows-11.md deleted file mode 100644 index 77e2fa58a9..0000000000 --- a/windows/whats-new/windows-11.md +++ /dev/null @@ -1,93 +0,0 @@ ---- -title: Windows 11 overview -description: Overview of Windows 11 -ms.reviewer: -manager: laurawi -ms.audience: itpro -author: greg-lindsay -ms.author: greglin -ms.prod: w11 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: medium -audience: itpro -ms.topic: article -ms.custom: seo-marvel-apr2020 ---- - -# Windows 11 overview - -**Applies to** - -- Windows 11 - -This article provides an introduction to Windows 11, and answers some frequently asked questions. - -Also see the following articles to learn more about Windows 11: - -- [Windows 11 requirements](windows-11-requirements.md): Requirements to deploy Windows 11. -- [Plan for Windows 11](windows-11-plan.md): Information to help you plan for Windows 11 in your organization. -- [Prepare for Windows 11](windows-11-prepare.md): Procedures to ensure readiness to deploy Windows 11. - -## Introduction - -Windows 11 is the next evolution of Windows; it is the most significant update to the Windows operating system since Windows 10. It offers many innovations focused on enhancing end-user productivity in a fresh experience that is flexible and fluid. Windows 11 is designed to support today's hybrid work environment, and intended to be the most reliable, secure, connected, and performant Windows operating system ever. - -Windows 11 is built on the same foundation as Windows 10, so the investments you have made in tools for update and device management are carried forward. Windows 11 also sustains the application compatibility promise made with Windows 10, supplemented by programs like App Assure. For Microsoft 365 customers seeking further assistance, FastTrack will continue to be available to support your efforts to adopt Windows 11. - -## How to get Windows 11 - -Windows 11 will be delivered as an upgrade to eligible devices running Windows 10, beginning later in the 2021 calendar year. Windows 11 will also be available on eligible new devices. - -For administrators managing devices on behalf of their organization, Windows 11 will be available through the same, familiar channels that you use today for Windows 10 feature updates. You will be able to use existing deployment and management tools, such as Windows Update for Business, Microsoft Endpoint Manager, and Windows Autopilot. For more information, see [Plan for Windows 11](windows-11-plan.md). - -For devices that are not managed by an organization, the Windows 11 upgrade will be offered to eligible Windows 10 devices through Windows Update using Microsoft's intelligent rollout process to ensure a smooth upgrade experience. - -For more information about device eligibility, see [Windows 11 requirements](windows-11-requirements.md). - -If you are interested in testing Windows 11 before general availability, you can join the [Windows Insider Program](https://insider.windows.com) or [Windows Insider Program for Business](https://insider.windows.com/for-business). You can also preview Windows 11 by enabling pre-release Windows 10 feature updates in [Microsoft Endpoint Configuration Manager](/mem/configmgr/core/servers/manage/pre-release-features) or [Windows Server Update Services](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/publishing-pre-release-windows-10-feature-updates-to-wsus/ba-p/845054) (WSUS). - -If you are an administrator, you can manage installations of Windows 11 Insider Preview Builds across multiple devices in your organization using Group Policy, MDM solutions such as Intune, Configuration Manager, or [Windows Server Update Services](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/publishing-pre-release-windows-10-feature-updates-to-wsus/ba-p/845054) (WSUS). For more information, see [Manage Insider Preview builds across your organization](/windows-insider/business/manage-builds). - -## Before you begin - -The following sections provide a quick summary of licensing, compatibility, management, and servicing considerations to help you get started with Windows 11. - -#### Licensing - -There are no unique licensing requirements for Windows 11 beyond what is required for Windows 10 devices. - -Microsoft 365 licenses that include Windows 10 licenses will permit you to run Windows 11 on supported devices. If you have a volume license, it will equally cover Windows 11 and Windows 10 devices before and after upgrade. - -#### Compatibility - -Most accessories and associated drivers that work with Windows 10 are expected to work with Windows 11. Check with your accessory manufacturer for specific details. - -Windows 11 preserves the application compatibility promise made with Windows 10, and does not require changes to existing support processes or tooling to sustain the currency of applications and devices. Microsoft 365 customers can continue to use programs such as App Assure and FastTrack to support IT efforts to adopt and maintain Windows 11. For more information, see [Application compatibility](windows-11-plan.md#application-compatibility). - -#### Familiar processes - -Windows 11 is built on the same foundation as Windows 10. Typically, you can use the same tools and solutions you use today to deploy, manage, and secure Windows 11. Your current management tools and processes will also work to manage monthly quality updates for both Windows 10 and Windows 11. - -> [!IMPORTANT] -> Check with the providers of any non-Microsoft security and management solutions that you use to ensure compatibility with Windows 11, particularly those providing security or data loss prevention capabilities. - -For more information, see [Prepare for Windows 11](windows-11-prepare.md). - -#### Servicing Windows 11 - -Like Windows 10, Windows 11 will receive monthly quality updates. However, it will have a new feature update cadence. Windows 11 feature updates will be released once per year. - -When Windows 11 reaches general availability, important servicing-related announcements and information about known issues and safeguard holds can be found on the [Windows release health](https://aka.ms/windowsreleasehealth) hub. Monthly release notes will also be available from a consolidated Windows 11 update history page at that time. For more information, see [Servicing and support](windows-11-plan.md#servicing-and-support). - -## Next steps - -[Windows 11 requirements](windows-11-requirements.md)
        -[Plan for Windows 11](windows-11-plan.md)
        -[Prepare for Windows 11](windows-11-prepare.md) - -## Also see - -[What's new in Windows 11](/windows-hardware/get-started/what-s-new-in-windows)
        -[Windows 11 Security — Our Hacker-in-Chief Runs Attacks and Shows Solutions](https://www.youtube.com/watch?v=2RTwGNyhSy8)
        -[Windows 11: The Optimization and Performance Improvements](https://www.youtube.com/watch?v=oIYHRRTCVy4)