Merge branch 'main' into ADO-8880592-migrate-App-V

Gary Moore 2024-05-20 21:35:01 -07:00 committed by GitHub
commit a1e63f9c9a
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
24 changed files with 717 additions and 84 deletions

Binary file not shown.


@ -0,0 +1,83 @@
---
title: Manage Recall for Windows clients
description: Learn how to manage Recall for commercial environments using MDM and group policy. Learn about Recall features.
ms.topic: conceptual
ms.subservice: windows-copilot
ms.date: 05/20/2024
ms.author: mstewart
author: mestew
ms.collection: windows-copilot
appliesto:
- ✅ <a href="https://www.microsoft.com/windows/business/devices/copilot-plus-pcs#copilot-plus-pcs" target="_blank">Copilot+ PCs</a>
---
---
# Manage Recall
<!--8908044-->
>**Looking for consumer information?** See [Retrace your steps with Recall](https://support.microsoft.com/windows/retrace-your-steps-with-recall-aa03f8a0-a78b-4b3e-b0a1-2eb8ac48701c).
Recall allows you to search across time to find the content you need. Just describe how you remember it, and Recall retrieves the moment you saw it. Recall takes snapshots of your screen and stores them in a timeline. Snapshots are taken every five seconds while content on the screen is different from the previous snapshot. Snapshots are locally stored and locally analyzed on your PC. Recall's analysis allows you to search for content, including both images and text, using natural language.
When Recall opens the snapshot a user selected, it enables screenray, which runs on top of the saved snapshot. Screenray analyzes what's in the snapshot and allows users to interact with individual elements in the snapshot. For instance, users can copy text from the snapshot or send pictures from the snapshot to an app that supports `jpeg` files.
:::image type="content" source="images/8908044-recall.png" alt-text="Screenshot of Recall with search results displayed for a query about a restaurant that the user's friend sent them." lightbox="images/8908044-recall.png":::
## System requirements
Recall has the following minimum system requirements:
- A [Copilot+ PC](https://www.microsoft.com/windows/business/devices/copilot-plus-pcs#copilot-plus-pcs)
- 16 GB RAM
- 8 logical processors
- 256 GB storage capacity
- To enable Recall, you need at least 50 GB of space free
- Snapshot capture automatically pauses once the device has less than 25 GB of disk space
## Supported browsers
Users need a supported browser for Recall to [filter websites](#user-controlled-settings-for-recall) and to automatically filter InPrivate browsing activity. Supported browsers, and their capabilities include:
- **Microsoft Edge**: blocks websites and filters private browsing activity
- **Chromium based browsers**: filters private browsing activity only, doesn't block specific websites
## Configure policies for Recall
By default, Recall assists users by considering their historical behaviors and data. Organizations that aren't ready to use AI for historical analysis can disable it until they're ready with the **Turn off saving snapshots for Windows** policy. The following policy allows you to disable user data analysis:
| &nbsp; | Setting |
|---|---|
| **CSP** | ./User/Vendor/MSFT/Policy/Config/WindowsAI/[DisableAIDataAnalysis](mdm/policy-csp-windowsai.md#disableaidataanalysis) |
| **Group policy** | User Configuration > Administrative Templates > Windows Components > Windows Copilot > **Turn off saving snapshots for Windows** |
## Limitations
In two specific scenarios, Recall captures snapshots that include InPrivate windows, blocked apps, and blocked websites. If Recall gets launched, or the **Now** option is selected in Recall, then a snapshot is taken even when InPrivate windows, blocked apps, and blocked websites are displayed. However, Recall doesn't save these snapshots. If you choose to send the information from this snapshot to another app, a temp file is created in `C:\Users\[username]\AppData\Local\Temp` to share the content. The temporary file is deleted once the content is transferred over the app you selected to use.
## User controlled settings for Recall
The following options are user controlled in Recall from the **Settings** > **Privacy & Security** > **Recall & Snapshots** page:
- Website filtering
- App filtering
- Storage allocation
- When the storage limit is reached, the oldest snapshots are deleted first.
- Deleting snapshots
- Delete all snapshots
- Delete snapshots within a specific time frame
### Storage allocation
The amount of disk space users can allocate to Recall varies depending on how much storage the device has. The following chart shows the storage space options for Recall:
| Device storage capacity | Storage allocation options for Recall |
|---|---|
| 256 GB | 25 GB (default), 10 GB |
| 512 GB | 75 GB (default), 50 GB, 25 GB |
| 1 TB, or more | 150 GB (default), 100 GB, 75 GB, 50 GB, 25 GB |
## Microsoft's commitment to responsible AI
Microsoft has been on a responsible AI journey since 2017, when we defined our principles and approach to ensuring this technology is used in a way that is driven by ethical principles that put people first. For more about our responsible AI journey, the ethical principles that guide us, and the tooling and capabilities we've created to assure that we develop AI technology responsibly, see [Responsible AI](https://www.microsoft.com/ai/responsible-ai).
Recall uses optical character recognition (OCR), local to the PC, to analyze snapshots and facilitate search. For more information about OCR, see [Transparency note and use cases for OCR](/legal/cognitive-services/computer-vision/ocr-transparency-note). For more information about privacy and security, see [Privacy and security for Recall & screenray](https://support.microsoft.com/windows/recall-and-your-data-d404f672-7647-41e5-886c-a3c59680af15).
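Review bot: In "Configure policies for Recall" the page names the **Turn off saving snapshots for Windows** policy and the DisableAIDataAnalysis CSP but never says which value turns snapshot saving off, or what happens to snapshots already stored once the policy applies; state both, and say explicitly that the only paths given are user-scoped (`./User/...` and User Configuration). The "Limitations" paragraph says Recall doesn't save these snapshots while also describing a temp file written under `C:\Users\[username]\AppData\Local\Temp`; say whether that file can contain the InPrivate or blocked content. Two smaller points: the front matter is closed by `---` and immediately followed by a second `---` line before the H1, which looks unintended, and "transferred over the app you selected" should read "transferred to the app you selected".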


@ -1,7 +1,7 @@
---
title: LanguagePackManagement CSP
description: Learn more about the LanguagePackManagement CSP.
ms.date: 01/18/2024
ms.date: 05/20/2024
---
<!-- Auto-Generated CSP Document -->
@ -41,7 +41,7 @@ The following list shows the LanguagePackManagement configuration service provid
<!-- Device-Install-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [99.9.9999] |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- Device-Install-Applicability-End -->
<!-- Device-Install-OmaUri-Begin -->
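Review bot: The Applicable OS cell in this table drops the `[99.9.9999]` placeholder and now reads only "Windows Insider Preview", so the node carries no build number at all; the same edit repeats in every applicability table in this file. If a real minimum build is known, put it in the cell instead of leaving it without one, and since the file is marked auto-generated, confirm the change comes from the generator input so it is not overwritten on the next run.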
@ -80,7 +80,7 @@ Language to be installed or being installed.
<!-- Device-Install-{Language ID}-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [99.9.9999] |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- Device-Install-{Language ID}-Applicability-End -->
<!-- Device-Install-{Language ID}-OmaUri-Begin -->
@ -120,7 +120,7 @@ Language tag of the language to be installed or being installed.
<!-- Device-Install-{Language ID}-CopyToDeviceInternationalSettings-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [99.9.9999] |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- Device-Install-{Language ID}-CopyToDeviceInternationalSettings-Applicability-End -->
<!-- Device-Install-{Language ID}-CopyToDeviceInternationalSettings-OmaUri-Begin -->
@ -169,7 +169,7 @@ Copies the language to the international settings (that is, locale, input layout
<!-- Device-Install-{Language ID}-EnableLanguageFeatureInstallations-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [99.9.9999] |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- Device-Install-{Language ID}-EnableLanguageFeatureInstallations-Applicability-End -->
<!-- Device-Install-{Language ID}-EnableLanguageFeatureInstallations-OmaUri-Begin -->
@ -218,7 +218,7 @@ Enables installations of all available language features when the value is true.
<!-- Device-Install-{Language ID}-ErrorCode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [99.9.9999] |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- Device-Install-{Language ID}-ErrorCode-Applicability-End -->
<!-- Device-Install-{Language ID}-ErrorCode-OmaUri-Begin -->
@ -257,7 +257,7 @@ Error code of queued language installation. 0 if there is no error.
<!-- Device-Install-{Language ID}-StartInstallation-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [99.9.9999] |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- Device-Install-{Language ID}-StartInstallation-Applicability-End -->
<!-- Device-Install-{Language ID}-StartInstallation-OmaUri-Begin -->
@ -296,7 +296,7 @@ Execution node to queue a language for installation on the device.
<!-- Device-Install-{Language ID}-Status-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [99.9.9999] |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- Device-Install-{Language ID}-Status-Applicability-End -->
<!-- Device-Install-{Language ID}-Status-OmaUri-Begin -->
@ -335,7 +335,7 @@ Status of the language queued for install. 0 - not started; 1 - in progress; 2 -
<!-- Device-InstalledLanguages-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [99.9.9999] |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- Device-InstalledLanguages-Applicability-End -->
<!-- Device-InstalledLanguages-OmaUri-Begin -->
@ -374,7 +374,7 @@ Languages currently installed on the device.
<!-- Device-InstalledLanguages-{Language ID}-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [99.9.9999] |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- Device-InstalledLanguages-{Language ID}-Applicability-End -->
<!-- Device-InstalledLanguages-{Language ID}-OmaUri-Begin -->
@ -414,7 +414,7 @@ Language tag of an installed language on the device. Delete to uninstall.
<!-- Device-InstalledLanguages-{Language ID}-LanguageFeatures-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [99.9.9999] |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- Device-InstalledLanguages-{Language ID}-LanguageFeatures-Applicability-End -->
<!-- Device-InstalledLanguages-{Language ID}-LanguageFeatures-OmaUri-Begin -->
@ -453,7 +453,7 @@ Numeric representation of the language features installed. Basic Typing - 1 (0x1
<!-- Device-InstalledLanguages-{Language ID}-Providers-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [99.9.9999] |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- Device-InstalledLanguages-{Language ID}-Providers-Applicability-End -->
<!-- Device-InstalledLanguages-{Language ID}-Providers-OmaUri-Begin -->
@ -492,7 +492,7 @@ Numeric representation of how a language is installed. 1 - The system language p
<!-- Device-LanguageSettings-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [99.9.9999] |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- Device-LanguageSettings-Applicability-End -->
<!-- Device-LanguageSettings-OmaUri-Begin -->
@ -531,7 +531,7 @@ Language settings of the device.
<!-- Device-LanguageSettings-SystemPreferredUILanguages-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [99.9.9999] |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- Device-LanguageSettings-SystemPreferredUILanguages-Applicability-End -->
<!-- Device-LanguageSettings-SystemPreferredUILanguages-OmaUri-Begin -->


@ -1,7 +1,7 @@
---
title: Defender CSP
description: Learn more about the Defender CSP.
ms.date: 01/31/2024
ms.date: 05/20/2024
---
<!-- Auto-Generated CSP Document -->
@ -53,6 +53,8 @@ The following list shows the Defender configuration service provider nodes:
- [RuleData](#configurationdevicecontrolpolicyrulesruleidruledata)
- [DeviceControlEnabled](#configurationdevicecontrolenabled)
- [DisableCacheMaintenance](#configurationdisablecachemaintenance)
- [DisableCoreServiceECSIntegration](#configurationdisablecoreserviceecsintegration)
- [DisableCoreServiceTelemetry](#configurationdisablecoreservicetelemetry)
- [DisableCpuThrottleOnIdleScans](#configurationdisablecputhrottleonidlescans)
- [DisableDatagramProcessing](#configurationdisabledatagramprocessing)
- [DisableDnsOverTcpParsing](#configurationdisablednsovertcpparsing)
@ -71,6 +73,8 @@ The following list shows the Defender configuration service provider nodes:
- [EnableConvertWarnToBlock](#configurationenableconvertwarntoblock)
- [EnableDnsSinkhole](#configurationenablednssinkhole)
- [EnableFileHashComputation](#configurationenablefilehashcomputation)
- [EnableUdpReceiveOffload](#configurationenableudpreceiveoffload)
- [EnableUdpSegmentationOffload](#configurationenableudpsegmentationoffload)
- [EngineUpdatesChannel](#configurationengineupdateschannel)
- [ExcludedIpAddresses](#configurationexcludedipaddresses)
- [HideExclusionsFromLocalAdmins](#configurationhideexclusionsfromlocaladmins)
@ -1585,6 +1589,104 @@ Defines whether the cache maintenance idle task will perform the cache maintenan
<!-- Device-Configuration-DisableCacheMaintenance-End -->
<!-- Device-Configuration-DisableCoreServiceECSIntegration-Begin -->
### Configuration/DisableCoreServiceECSIntegration
<!-- Device-Configuration-DisableCoreServiceECSIntegration-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
<!-- Device-Configuration-DisableCoreServiceECSIntegration-Applicability-End -->
<!-- Device-Configuration-DisableCoreServiceECSIntegration-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Defender/Configuration/DisableCoreServiceECSIntegration
```
<!-- Device-Configuration-DisableCoreServiceECSIntegration-OmaUri-End -->
<!-- Device-Configuration-DisableCoreServiceECSIntegration-Description-Begin -->
<!-- Description-Source-DDF -->
Turn off ECS integration for Defender core service.
<!-- Device-Configuration-DisableCoreServiceECSIntegration-Description-End -->
<!-- Device-Configuration-DisableCoreServiceECSIntegration-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Configuration-DisableCoreServiceECSIntegration-Editable-End -->
<!-- Device-Configuration-DisableCoreServiceECSIntegration-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0x0 |
<!-- Device-Configuration-DisableCoreServiceECSIntegration-DFProperties-End -->
<!-- Device-Configuration-DisableCoreServiceECSIntegration-AllowedValues-Begin -->
**Allowed values**:
| Flag | Description |
|:--|:--|
| 0x0 (Default) | The Defender core service will use the Experimentation and Configuration Service (ECS) to rapidly deliver critical, org-specific fixes. |
| 0x1 | The Defender core service stops using the Experimentation and Configuration Service (ECS). Fixes will continue to be delivered through security intelligence updates. |
<!-- Device-Configuration-DisableCoreServiceECSIntegration-AllowedValues-End -->
<!-- Device-Configuration-DisableCoreServiceECSIntegration-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Configuration-DisableCoreServiceECSIntegration-Examples-End -->
<!-- Device-Configuration-DisableCoreServiceECSIntegration-End -->
<!-- Device-Configuration-DisableCoreServiceTelemetry-Begin -->
### Configuration/DisableCoreServiceTelemetry
<!-- Device-Configuration-DisableCoreServiceTelemetry-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
<!-- Device-Configuration-DisableCoreServiceTelemetry-Applicability-End -->
<!-- Device-Configuration-DisableCoreServiceTelemetry-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Defender/Configuration/DisableCoreServiceTelemetry
```
<!-- Device-Configuration-DisableCoreServiceTelemetry-OmaUri-End -->
<!-- Device-Configuration-DisableCoreServiceTelemetry-Description-Begin -->
<!-- Description-Source-DDF -->
Turn off OneDsCollector telemetry for Defender core service.
<!-- Device-Configuration-DisableCoreServiceTelemetry-Description-End -->
<!-- Device-Configuration-DisableCoreServiceTelemetry-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Configuration-DisableCoreServiceTelemetry-Editable-End -->
<!-- Device-Configuration-DisableCoreServiceTelemetry-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0x0 |
<!-- Device-Configuration-DisableCoreServiceTelemetry-DFProperties-End -->
<!-- Device-Configuration-DisableCoreServiceTelemetry-AllowedValues-Begin -->
**Allowed values**:
| Flag | Description |
|:--|:--|
| 0x0 (Default) | The Defender core service will use the OneDsCollector framework to rapidly collect telemetry. |
| 0x1 | The Defender core service stops using the OneDsCollector framework to rapidly collect telemetry, impacting Microsoft's ability to quickly recognize and address poor performance, false positives, and other problems. |
<!-- Device-Configuration-DisableCoreServiceTelemetry-AllowedValues-End -->
<!-- Device-Configuration-DisableCoreServiceTelemetry-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Configuration-DisableCoreServiceTelemetry-Examples-End -->
<!-- Device-Configuration-DisableCoreServiceTelemetry-End -->
<!-- Device-Configuration-DisableCpuThrottleOnIdleScans-Begin -->
### Configuration/DisableCpuThrottleOnIdleScans
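Review bot: Both new nodes leave their Editable and Examples sections empty, so the only statement of what an admin gives up by setting 0x1 is buried in the allowed-values rows. Lift that into a sentence in each Editable section: for DisableCoreServiceECSIntegration, fixes then arrive only through security intelligence updates; for DisableCoreServiceTelemetry, Microsoft's ability to recognize false positives and other problems is reduced. Also confirm that "Windows 10, version 1607 [10.0.14393] and later" is the complete prerequisite for these newly added settings, and say so if anything else is required.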
@ -2372,6 +2474,9 @@ This setting controls whether network protection blocks network traffic instead
<!-- Device-Configuration-EnableDnsSinkhole-Begin -->
### Configuration/EnableDnsSinkhole
> [!NOTE]
> This policy is deprecated and may be removed in a future release.
<!-- Device-Configuration-EnableDnsSinkhole-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
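Review bot: The deprecation note under EnableDnsSinkhole names no replacement setting and does not say whether a value that is already deployed is still honored. Add one sentence covering both so admins know whether to remove the policy from existing profiles.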
@ -2467,6 +2572,104 @@ Enables or disables file hash computation feature. When this feature is enabled
<!-- Device-Configuration-EnableFileHashComputation-End -->
<!-- Device-Configuration-EnableUdpReceiveOffload-Begin -->
### Configuration/EnableUdpReceiveOffload
<!-- Device-Configuration-EnableUdpReceiveOffload-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
<!-- Device-Configuration-EnableUdpReceiveOffload-Applicability-End -->
<!-- Device-Configuration-EnableUdpReceiveOffload-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Defender/Configuration/EnableUdpReceiveOffload
```
<!-- Device-Configuration-EnableUdpReceiveOffload-OmaUri-End -->
<!-- Device-Configuration-EnableUdpReceiveOffload-Description-Begin -->
<!-- Description-Source-DDF -->
This setting enables Udp Receive Offload Network Protection.
<!-- Device-Configuration-EnableUdpReceiveOffload-Description-End -->
<!-- Device-Configuration-EnableUdpReceiveOffload-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Configuration-EnableUdpReceiveOffload-Editable-End -->
<!-- Device-Configuration-EnableUdpReceiveOffload-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- Device-Configuration-EnableUdpReceiveOffload-DFProperties-End -->
<!-- Device-Configuration-EnableUdpReceiveOffload-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Udp Receive Offload is disabled. |
| 1 | Udp Receive Offload is enabled. |
<!-- Device-Configuration-EnableUdpReceiveOffload-AllowedValues-End -->
<!-- Device-Configuration-EnableUdpReceiveOffload-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Configuration-EnableUdpReceiveOffload-Examples-End -->
<!-- Device-Configuration-EnableUdpReceiveOffload-End -->
<!-- Device-Configuration-EnableUdpSegmentationOffload-Begin -->
### Configuration/EnableUdpSegmentationOffload
<!-- Device-Configuration-EnableUdpSegmentationOffload-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
<!-- Device-Configuration-EnableUdpSegmentationOffload-Applicability-End -->
<!-- Device-Configuration-EnableUdpSegmentationOffload-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Defender/Configuration/EnableUdpSegmentationOffload
```
<!-- Device-Configuration-EnableUdpSegmentationOffload-OmaUri-End -->
<!-- Device-Configuration-EnableUdpSegmentationOffload-Description-Begin -->
<!-- Description-Source-DDF -->
This setting enables Udp Segmentation Offload Network Protection.
<!-- Device-Configuration-EnableUdpSegmentationOffload-Description-End -->
<!-- Device-Configuration-EnableUdpSegmentationOffload-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Configuration-EnableUdpSegmentationOffload-Editable-End -->
<!-- Device-Configuration-EnableUdpSegmentationOffload-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- Device-Configuration-EnableUdpSegmentationOffload-DFProperties-End -->
<!-- Device-Configuration-EnableUdpSegmentationOffload-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Udp Segmentation Offload is disabled. |
| 1 | Udp Segmentation Offload is enabled. |
<!-- Device-Configuration-EnableUdpSegmentationOffload-AllowedValues-End -->
<!-- Device-Configuration-EnableUdpSegmentationOffload-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Configuration-EnableUdpSegmentationOffload-Examples-End -->
<!-- Device-Configuration-EnableUdpSegmentationOffload-End -->
<!-- Device-Configuration-EngineUpdatesChannel-Begin -->
### Configuration/EngineUpdatesChannel
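Review bot: The descriptions "This setting enables Udp Receive Offload Network Protection." and "This setting enables Udp Segmentation Offload Network Protection." do not say what is offloaded or how enabling it affects network protection inspection, and "Udp" should be written "UDP" in the descriptions and the allowed-values rows. The descriptions are marked Description-Source-DDF, so correct the wording in the DDF, and use the empty Editable sections to say when an admin should enable each setting.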


@ -1,7 +1,7 @@
---
title: Defender DDF file
description: View the XML file containing the device description framework (DDF) for the Defender configuration service provider.
ms.date: 01/31/2024
ms.date: 05/20/2024
---
<!-- Auto-Generated CSP Document -->
@ -1755,6 +1755,7 @@ The following XML file contains the device description framework (DDF) for the D
<MSFT:ValueDescription>DNS Sinkhole is enabled</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
<MSFT:Deprecated OsBuildDeprecated="10.0.14393" />
</DFProperties>
</Node>
<Node>
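Review bot: `<MSFT:Deprecated OsBuildDeprecated="10.0.14393" />` uses the same build that the nodes added later in this file give as their minimum `OsBuildVersion`, which reads as if the setting were deprecated from the earliest supported build. Confirm the build is intended and not a default filled in by tooling.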
@ -2721,6 +2722,84 @@ The following XML file contains the device description framework (DDF) for the D
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>DisableCoreServiceECSIntegration</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>0x0</DefaultValue>
<Description>Turn off ECS integration for Defender core service</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.14393</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.3</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="Flag">
<MSFT:Enum>
<MSFT:Value>0x0</MSFT:Value>
<MSFT:ValueDescription>The Defender core service will use the Experimentation and Configuration Service (ECS) to rapidly deliver critical, org-specific fixes.</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>0x1</MSFT:Value>
<MSFT:ValueDescription>The Defender core service stops using the Experimentation and Configuration Service (ECS). Fixes will continue to be delivered through security intelligence updates.</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>DisableCoreServiceTelemetry</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>0x0</DefaultValue>
<Description>Turn off OneDsCollector telemetry for Defender core service</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.14393</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.3</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="Flag">
<MSFT:Enum>
<MSFT:Value>0x0</MSFT:Value>
<MSFT:ValueDescription>The Defender core service will use the OneDsCollector framework to rapidly collect telemetry.</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>0x1</MSFT:Value>
<MSFT:ValueDescription>The Defender core service stops using the OneDsCollector framework to rapidly collect telemetry, impacting Microsoft's ability to quickly recognize and address poor performance, false positives, and other problems.</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>IntelTDTEnabled</NodeName>
<DFProperties>
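Review bot: DisableCoreServiceECSIntegration and DisableCoreServiceTelemetry declare `<MSFT:AllowedValues ValueType="Flag">` with hex values 0x0 and 0x1, while the two UDP offload nodes added in this same file use `ValueType="ENUM"` with 0 and 1 for the same on/off shape. "Flag" implies values that can be combined; if these are plain switches, use ENUM for consistency, otherwise document what the other bits mean. The two `<Description>` strings also lack the trailing period that the UDP descriptions have.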
@ -2881,6 +2960,84 @@ The following XML file contains the device description framework (DDF) for the D
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>EnableUdpSegmentationOffload</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description>This setting enables Udp Segmentation Offload Network Protection.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.14393</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.3</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Udp Segmentation Offload is disabled</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Udp Segmentation Offload is enabled</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>EnableUdpReceiveOffload</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description>This setting enables Udp Receive Offload Network Protection.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.14393</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.3</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Udp Receive Offload is disabled</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Udp Receive Offload is enabled</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>AllowSwitchToAsyncInspection</NodeName>
<DFProperties>


@ -1,7 +1,7 @@
---
title: EnterpriseDesktopAppManagement CSP
description: Learn more about the EnterpriseDesktopAppManagement CSP.
ms.date: 01/18/2024
ms.date: 05/20/2024
---
<!-- Auto-Generated CSP Document -->
@ -172,7 +172,7 @@ For more information, see [DownloadInstall XSD Schema](#downloadinstall-xsd-sche
| Property name | Property value |
|:--|:--|
| Format | `xml` |
| Access Type | Add, Delete, Exec, Get |
| Access Type | Add, Delete, Exec, Get, Replace |
<!-- Device-MSI-{ProductID}-DownloadInstall-DFProperties-End -->
<!-- Device-MSI-{ProductID}-DownloadInstall-Examples-Begin -->
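Review bot: Access Type for DownloadInstall gains Replace here (and again in the User-scope table in the next hunk), but nothing in the visible text says what a Replace does to an installation that is already queued or running. Since this node triggers a download and install, document the Replace behaviour next to the access-type table or in the node description in the DDF.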
@ -695,7 +695,7 @@ For more information, see [DownloadInstall XSD Schema](#downloadinstall-xsd-sche
| Property name | Property value |
|:--|:--|
| Format | `xml` |
| Access Type | Add, Delete, Exec, Get |
| Access Type | Add, Delete, Exec, Get, Replace |
<!-- User-MSI-{ProductID}-DownloadInstall-DFProperties-End -->
<!-- User-MSI-{ProductID}-DownloadInstall-Examples-Begin -->

View File

@ -1,7 +1,7 @@
---
title: EnterpriseDesktopAppManagement DDF file
description: View the XML file containing the device description framework (DDF) for the EnterpriseDesktopAppManagement configuration service provider.
ms.date: 04/10/2024
ms.date: 05/20/2024
---
<!-- Auto-Generated CSP Document -->
@ -225,6 +225,7 @@ The following XML file contains the device description framework (DDF) for the E
<Delete />
<Exec />
<Get />
<Replace />
</AccessType>
<Description><![CDATA[Executes the download and installation of the application. In Windows 10, version 1703 service release, a new tag <DownloadFromAad> was added to the <Enforcement> section of the XML. The default value is 0 (do not send token). This tag is optional and needs to be set to 1 in case the server wants the download URL to get the AADUserToken.]]></Description>
<DFFormat>
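Review bot: `<Replace />` is added to the AccessType, while the `<Description>` directly below still describes only the Exec behaviour. That XML payload carries `<DownloadFromAad>`, which decides whether the AADUserToken is sent to the download URL, so the description should say whether a Replace can change that value on an existing node and whether it re-triggers the install. The same applies to the second hunk in this file.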
@ -585,6 +586,7 @@ The following XML file contains the device description framework (DDF) for the E
<Delete />
<Exec />
<Get />
<Replace />
</AccessType>
<Description><![CDATA[Executes the download and installation of the application. In Windows 10, version 1703 service release, a new tag <DownloadFromAad> was added to the <Enforcement> section of the XML. The default value is 0 (do not send token). This tag is optional and needs to be set to 1 in case the server wants the download URL to get the AADUserToken.]]></Description>
<DFFormat>

View File

@ -1,7 +1,7 @@
---
title: LAPS CSP
description: Learn more about the LAPS CSP.
ms.date: 01/31/2024
ms.date: 05/20/2024
---
<!-- Auto-Generated CSP Document -->
@ -432,7 +432,7 @@ If the specified user or group account is invalid the device will fallback to us
<!-- Device-Policies-AutomaticAccountManagementEnableAccount-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [99.9.9999] |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- Device-Policies-AutomaticAccountManagementEnableAccount-Applicability-End -->
<!-- Device-Policies-AutomaticAccountManagementEnableAccount-OmaUri-Begin -->
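Review bot: dropping the `[99.9.9999]` placeholder from the Applicable OS cell is right, but the cell now gives no build at all, so an admin cannot tell from this table which Insider builds honour AutomaticAccountManagementEnableAccount. If a minimum build is known, put it in the cell as the other CSP pages do; otherwise this is fine as is. The same applies to the remaining LAPS hunks in this file.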
@ -488,7 +488,7 @@ If not specified, this setting defaults to False.
<!-- Device-Policies-AutomaticAccountManagementEnabled-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [99.9.9999] |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- Device-Policies-AutomaticAccountManagementEnabled-Applicability-End -->
<!-- Device-Policies-AutomaticAccountManagementEnabled-OmaUri-Begin -->
@ -543,7 +543,7 @@ If not specified, this setting defaults to False.
<!-- Device-Policies-AutomaticAccountManagementNameOrPrefix-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [99.9.9999] |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- Device-Policies-AutomaticAccountManagementNameOrPrefix-Applicability-End -->
<!-- Device-Policies-AutomaticAccountManagementNameOrPrefix-OmaUri-Begin -->
@ -587,7 +587,7 @@ If not specified, this setting will default to "WLapsAdmin".
<!-- Device-Policies-AutomaticAccountManagementRandomizeName-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [99.9.9999] |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- Device-Policies-AutomaticAccountManagementRandomizeName-Applicability-End -->
<!-- Device-Policies-AutomaticAccountManagementRandomizeName-OmaUri-Begin -->
@ -643,7 +643,7 @@ If not specified, this setting defaults to False.
<!-- Device-Policies-AutomaticAccountManagementTarget-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [99.9.9999] |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- Device-Policies-AutomaticAccountManagementTarget-Applicability-End -->
<!-- Device-Policies-AutomaticAccountManagementTarget-OmaUri-Begin -->
@ -759,7 +759,7 @@ If not specified, this setting will default to 0.
<!-- Device-Policies-PassphraseLength-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [99.9.9999] |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- Device-Policies-PassphraseLength-Applicability-End -->
<!-- Device-Policies-PassphraseLength-OmaUri-Begin -->

View File

@ -1,7 +1,7 @@
---
title: Policies in Policy CSP supported by Group Policy
description: Learn about the policies in Policy CSP supported by Group Policy.
ms.date: 04/23/2024
ms.date: 05/20/2024
---
<!-- Auto-Generated CSP Document -->
@ -871,6 +871,8 @@ This article lists the policies in Policy CSP that have a group policy mapping.
## WindowsAI
- [TurnOffWindowsCopilot](policy-csp-windowsai.md)
- [DisableAIDataAnalysis](policy-csp-windowsai.md)
- [AllowImageCreator](policy-csp-windowsai.md)
## WindowsDefenderSecurityCenter
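Review bot: the two new WindowsAI entries link to `policy-csp-windowsai.md` with no anchor, so both land at the top of the page rather than on the policy. Suggest `policy-csp-windowsai.md#disableaidataanalysis` and `policy-csp-windowsai.md#allowimagecreator`, assuming the generated heading anchors follow the policy names. The list order (TurnOffWindowsCopilot, DisableAIDataAnalysis, AllowImageCreator) is also the reverse of the order used in the WindowsAI page itself.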

View File

@ -1,7 +1,7 @@
---
title: InternetExplorer Policy CSP
description: Learn more about the InternetExplorer Area in Policy CSP.
ms.date: 01/18/2024
ms.date: 05/20/2024
---
<!-- Auto-Generated CSP Document -->
@ -7718,7 +7718,7 @@ High Safety enables applets to run in their sandbox. Disable Java to prevent any
<!-- IntranetZoneLogonOptions-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.2227] and later <br> ✅ Windows 10, version 2004 [10.0.19041.3758] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.2792] and later <br>Windows Insider Preview [10.0.25398.643] |
<!-- IntranetZoneLogonOptions-Applicability-End -->
<!-- IntranetZoneLogonOptions-OmaUri-Begin -->
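Review bot: the new Applicable OS cell is malformed in two places. Its first entry is a bare build, `[10.0.20348.2227] and later`, with no product name, and its last entry, `<br>Windows Insider Preview [10.0.25398.643]`, is missing the ✅ marker and the space after `<br>` that every other entry has. Please fix the generator input so each entry reads "✅ product [build] and later". The LocalMachineZoneLogonOptions and TrustedSitesZoneLogonOptions hunks below carry the identical cell.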
@ -8793,7 +8793,7 @@ High Safety enables applets to run in their sandbox. Disable Java to prevent any
<!-- LocalMachineZoneLogonOptions-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.2227] and later <br> ✅ Windows 10, version 2004 [10.0.19041.3758] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.2792] and later <br>Windows Insider Preview [10.0.25398.643] |
<!-- LocalMachineZoneLogonOptions-Applicability-End -->
<!-- LocalMachineZoneLogonOptions-OmaUri-Begin -->
@ -17364,7 +17364,7 @@ High Safety enables applets to run in their sandbox. Disable Java to prevent any
<!-- TrustedSitesZoneLogonOptions-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.2227] and later <br> ✅ Windows 10, version 2004 [10.0.19041.3758] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.2792] and later <br>Windows Insider Preview [10.0.25398.643] |
<!-- TrustedSitesZoneLogonOptions-Applicability-End -->
<!-- TrustedSitesZoneLogonOptions-OmaUri-Begin -->

View File

@ -1,7 +1,7 @@
---
title: Settings Policy CSP
description: Learn more about the Settings Area in Policy CSP.
ms.date: 01/18/2024
ms.date: 05/20/2024
---
<!-- Auto-Generated CSP Document -->
@ -169,10 +169,13 @@ Allows the user to change date and time settings.
<!-- AllowEditDeviceName-Begin -->
## AllowEditDeviceName
> [!NOTE]
> This policy is deprecated and may be removed in a future release.
<!-- AllowEditDeviceName-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
| ✅ Device <br> ❌ User | Not applicable | ✅ Windows 10, version 1607 [10.0.14393] and later |
<!-- AllowEditDeviceName-Applicability-End -->
<!-- AllowEditDeviceName-OmaUri-Begin -->
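Review bot: the Editions cell for AllowEditDeviceName becomes "Not applicable" while the Applicable OS cell on the same row still shows "✅ Windows 10, version 1607 [10.0.14393] and later", so the table reads as both supported and not supported. Decide which the deprecation means and make the row consistent. The new note also gives no replacement or the release in which the policy stopped taking effect, and the next hunk adds a second "This policy is deprecated." sentence that repeats it.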
@ -183,7 +186,7 @@ Allows the user to change date and time settings.
<!-- AllowEditDeviceName-Description-Begin -->
<!-- Description-Source-DDF -->
Allows the user to edit the device name.
This policy is deprecated.
<!-- AllowEditDeviceName-Description-End -->
<!-- AllowEditDeviceName-Editable-Begin -->

View File

@ -1,7 +1,7 @@
---
title: WindowsAI Policy CSP
description: Learn more about the WindowsAI Area in Policy CSP.
ms.date: 04/23/2024
ms.date: 05/20/2024
---
<!-- Auto-Generated CSP Document -->
@ -9,10 +9,136 @@ ms.date: 04/23/2024
<!-- WindowsAI-Begin -->
# Policy CSP - WindowsAI
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- WindowsAI-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- WindowsAI-Editable-End -->
<!-- AllowImageCreator-Begin -->
## AllowImageCreator
<!-- AllowImageCreator-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- AllowImageCreator-Applicability-End -->
<!-- AllowImageCreator-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/WindowsAI/AllowImageCreator
```
<!-- AllowImageCreator-OmaUri-End -->
<!-- AllowImageCreator-Description-Begin -->
<!-- Description-Source-DDF -->
This policy setting allows you to control whether Image Creator functionality is available in the Windows Paint app.
- If you disable this policy setting, Image Creator functionality won't be accessible in the Windows Paint app.
- If you enable or don't configure this policy setting, users will be able to access Image Creator functionality.
<!-- AllowImageCreator-Description-End -->
<!-- AllowImageCreator-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- AllowImageCreator-Editable-End -->
<!-- AllowImageCreator-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 1 |
<!-- AllowImageCreator-DFProperties-End -->
<!-- AllowImageCreator-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 | Disabled. |
| 1 (Default) | Enabled. |
<!-- AllowImageCreator-AllowedValues-End -->
<!-- AllowImageCreator-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | AllowImageCreator |
| Path | WindowsAI > AT > WindowsComponents > Paint |
<!-- AllowImageCreator-GpMapping-End -->
<!-- AllowImageCreator-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- AllowImageCreator-Examples-End -->
<!-- AllowImageCreator-End -->
<!-- DisableAIDataAnalysis-Begin -->
## DisableAIDataAnalysis
<!-- DisableAIDataAnalysis-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ❌ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- DisableAIDataAnalysis-Applicability-End -->
<!-- DisableAIDataAnalysis-OmaUri-Begin -->
```User
./User/Vendor/MSFT/Policy/Config/WindowsAI/DisableAIDataAnalysis
```
<!-- DisableAIDataAnalysis-OmaUri-End -->
<!-- DisableAIDataAnalysis-Description-Begin -->
<!-- Description-Source-DDF -->
This policy setting allows you to control whether Windows saves snapshots of the screen and analyzes the user's activity on their device.
- If you enable this policy setting, Windows won't be able to save snapshots and users won't be able to search for or browse through their historical device activity using Recall.
- If you disable or don't configure this policy setting, Windows will save snapshots of the screen and users will be able to search for or browse through a timeline of their past activities using Recall.
<!-- DisableAIDataAnalysis-Description-End -->
<!-- DisableAIDataAnalysis-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- DisableAIDataAnalysis-Editable-End -->
<!-- DisableAIDataAnalysis-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- DisableAIDataAnalysis-DFProperties-End -->
<!-- DisableAIDataAnalysis-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Enable saving Snapshots for Windows. |
| 1 | Disable saving Snapshots for Windows. |
<!-- DisableAIDataAnalysis-AllowedValues-End -->
<!-- DisableAIDataAnalysis-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | DisableAIDataAnalysis |
| Path | WindowsAI > AT > WindowsComponents > WindowsAI |
<!-- DisableAIDataAnalysis-GpMapping-End -->
<!-- DisableAIDataAnalysis-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- DisableAIDataAnalysis-Examples-End -->
<!-- DisableAIDataAnalysis-End -->
<!-- TurnOffWindowsCopilot-Begin -->
## TurnOffWindowsCopilot

View File

@ -1,7 +1,7 @@
---
title: SurfaceHub CSP
description: Learn more about the SurfaceHub CSP.
ms.date: 04/22/2024
ms.date: 05/20/2024
---
<!-- Auto-Generated CSP Document -->
@ -358,7 +358,7 @@ Possible error values:
<!-- Device-DeviceAccount-ExchangeModernAuthEnabled-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 [10.0.19041.789] and later <br> ✅ Windows 10, version 2009 [10.0.19042.789] and later <br> ✅ Windows Insider Preview [99.9.9999] |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 [10.0.19041.789] and later <br> ✅ Windows 10, version 2009 [10.0.19042.789] and later <br> ✅ Windows Insider Preview |
<!-- Device-DeviceAccount-ExchangeModernAuthEnabled-Applicability-End -->
<!-- Device-DeviceAccount-ExchangeModernAuthEnabled-OmaUri-Begin -->

View File

@ -112,6 +112,8 @@
href: update/waas-manage-updates-wsus.md
- name: Deploy updates with Group Policy
href: update/waas-wufb-group-policy.md
- name: Deploy updates using CSPs and MDM
href: update/waas-wufb-csp-mdm.md
- name: Update Windows client media with Dynamic Update
href: update/media-dynamic-update.md
- name: Migrating and acquiring optional Windows content
@ -138,6 +140,8 @@
href: update/waas-integrate-wufb.md
- name: 'Walkthrough: use Group Policy to configure Windows Update for Business'
href: update/waas-wufb-group-policy.md
- name: Deploy updates using CSPs and MDM
href: update/waas-wufb-csp-mdm.md
- name: Windows Update for Business deployment service
items:
- name: Windows Update for Business deployment service overview
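Review bot: the new entry "Deploy updates using CSPs and MDM" sits directly under 'Walkthrough: use Group Policy to configure Windows Update for Business' in this section, and the target article is titled "Walkthrough: Use CSPs and MDMs to configure Windows Update for Business", so the TOC name matches neither its sibling nor the page. Suggest naming it in the walkthrough style here and keeping the "Deploy updates ..." wording only in the first hunk, where the sibling is "Deploy updates with Group Policy".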

View File

@ -14,7 +14,7 @@ ms.localizationpriority: medium
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 11/07/2023
ms.date: 05/16/2024
---
# What is Windows Update for Business?
@ -112,7 +112,7 @@ Windows Update for Business provides controls to help meet your organization's s
#### Recommended experience settings
Features like the smart busy check (which ensure updates don't happen when a user is signed in) and active hours help provide the best experience for end users while keeping devices more secure and up to date. Follow these steps to take advantage of these features:
Features like active hours help provide the best experience for end users while keeping devices more secure and up to date. Follow these steps to take advantage of these features:
1. Automatically download, install, and restart (default if no restart policies are set up or enabled).
1. Use the default notifications.

View File

@ -11,7 +11,7 @@ ms.localizationpriority: medium
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 01/18/2024
ms.date: 05/16/2024
---
# Walkthrough: Use CSPs and MDMs to configure Windows Update for Business
@ -39,9 +39,9 @@ You can control when updates are applied, for example by deferring when an updat
Both feature and quality updates are automatically offered to devices that are connected to Windows Update using Windows Update for Business policies. However, you can choose whether you want the devices to additionally receive other Microsoft Updates or drivers that are applicable to that device.
To enable Microsoft Updates, use [Update/AllowMUUpdateService](/windows/client-management/mdm/policy-csp-update#update-allowmuupdateservice).
To enable Microsoft Updates, use [Update/AllowMUUpdateService](/windows/client-management/mdm/policy-csp-update#allowmuupdateservice).
Drivers are automatically enabled because they're beneficial to device systems. We recommend that you allow the driver policy to allow drivers to be updated on devices (the default), but you can turn off this setting if you prefer to manage drivers manually. If you want to disable driver updates for some reason, use Update/[ExcludeWUDriversInQualityUpdate](/windows/client-management/mdm/policy-csp-update#update-excludewudriversinqualityupdate).
Drivers are automatically enabled because they're beneficial to device systems. We recommend that you allow the driver policy to allow drivers to be updated on devices (the default), but you can turn off this setting if you prefer to manage drivers manually. If you want to disable driver updates for some reason, use Update/[ExcludeWUDriversInQualityUpdate](/windows/client-management/mdm/policy-csp-update#excludewudriversinqualityupdate).
We also recommend that you allow Microsoft product updates as discussed previously.
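Review bot: every link in this file changes from `#update-<policy>` to `#<policy>`, so the change is only correct if the headings in policy-csp-update no longer generate the `update-` prefix. Please confirm with a link check on the built page, since a wrong fragment fails silently and just drops the reader at the top of a very long article. In the second changed line, the link text is also split as `Update/[ExcludeWUDriversInQualityUpdate]`, unlike the other links, which keep `Update/` inside the brackets.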
@ -51,20 +51,20 @@ Drivers are automatically enabled because they're beneficial to device systems.
1. Ensure that you're enrolled in the Windows Insider Program for Business. Windows Insider is a free program available to commercial customers to aid them in their validation of feature updates before they're released. Joining the program enables you to receive updates prior to their release as well as receive emails and content related to what is coming in the next updates.
1. For any of test devices you want to install prerelease builds, use [Update/ManagePreviewBuilds](/windows/client-management/mdm/policy-csp-update#update-managepreviewbuilds). Set the option to **Enable preview builds**.
1. For any of test devices you want to install prerelease builds, use [Update/ManagePreviewBuilds](/windows/client-management/mdm/policy-csp-update#managepreviewbuilds). Set the option to **Enable preview builds**.
1. Use [Update/BranchReadinessLevel](/windows/client-management/mdm/policy-csp-update#update-branchreadinesslevel) and select one of the preview Builds. Windows Insider Program Slow is the recommended channel for commercial customers who are using prerelease builds for validation.
1. Use [Update/BranchReadinessLevel](/windows/client-management/mdm/policy-csp-update#branchreadinesslevel) and select one of the preview Builds. Windows Insider Program Slow is the recommended channel for commercial customers who are using prerelease builds for validation.
1. Additionally, you can defer prerelease feature updates the same way as released updates, by setting a deferral period up to 14 days by using [Update/DeferFeatureUpdatesPeriodInDays](/windows/client-management/mdm/policy-csp-update#update-deferfeatureupdatesperiodindays). If you're testing with Windows Insider Program Slow builds, we recommend that you receive the preview updates to your IT department on day 0, when the update is released, and then have a 7-10 day deferral before rolling out to your group of testers. This schedule helps ensure that if a problem is discovered, you can pause the rollout of the preview update before it reaches your tests.
1. Additionally, you can defer prerelease feature updates the same way as released updates, by setting a deferral period up to 14 days by using [Update/DeferFeatureUpdatesPeriodInDays](/windows/client-management/mdm/policy-csp-update#deferfeatureupdatesperiodindays). If you're testing with Windows Insider Program Slow builds, we recommend that you receive the preview updates to your IT department on day 0, when the update is released, and then have a 7-10 day deferral before rolling out to your group of testers. This schedule helps ensure that if a problem is discovered, you can pause the rollout of the preview update before it reaches your tests.
#### I want to manage which released feature update my devices receive
A Windows Update for Business administrator can defer or pause updates. You can defer feature updates for up to 365 days and defer quality updates for up to 30 days. Deferring simply means that you don't receive the update until it has been released for at least the number of deferral days you specified (offer date = release date + deferral date). You can pause feature or quality updates for up to 35 days from a given start date that you specify.
- To defer a feature update: [Update/DeferFeatureUpdatesPeriodInDays](/windows/client-management/mdm/policy-csp-update#update-deferfeatureupdatesperiodindays)
- To pause a feature update: [Update/PauseFeatureUpdatesStartTime](/windows/client-management/mdm/policy-csp-update#update-pausefeatureupdatesstarttime)
- To defer a quality update: [Update/DeferQualityUpdatesPeriodInDays](/windows/client-management/mdm/policy-csp-update#update-deferqualityupdatesperiodindays)
- To pause a quality update: [Update/PauseQualityUpdatesStartTime](/windows/client-management/mdm/policy-csp-update#update-pausequalityupdatesstarttime)
- To defer a feature update: [Update/DeferFeatureUpdatesPeriodInDays](/windows/client-management/mdm/policy-csp-update#deferfeatureupdatesperiodindays)
- To pause a feature update: [Update/PauseFeatureUpdatesStartTime](/windows/client-management/mdm/policy-csp-update#pausefeatureupdatesstarttime)
- To defer a quality update: [Update/DeferQualityUpdatesPeriodInDays](/windows/client-management/mdm/policy-csp-update#deferqualityupdatesperiodindays)
- To pause a quality update: [Update/PauseQualityUpdatesStartTime](/windows/client-management/mdm/policy-csp-update#pausequalityupdatesstarttime)
#### Example
@ -103,42 +103,42 @@ Now all devices are paused from updating for 35 days. When the pause is removed,
#### I want to stay on a specific version
If you need a device to stay on a version beyond the point when deferrals on the next version would elapse or if you need to skip a version (for example, update fall release to fall release) use the [Update/TargetReleaseVersion](/windows/client-management/mdm/policy-csp-update#update-targetreleaseversion) (or Deploy Feature Updates Preview in Intune) instead of using feature update deferrals. When you use this policy, specify the version that you want your device(s) to move to or stay on (for example, "1909"). You can find version information at the [Windows 10 Release Information Page](/windows/release-health/release-information).
If you need a device to stay on a version beyond the point when deferrals on the next version would elapse or if you need to skip a version (for example, update fall release to fall release) use the [Update/TargetReleaseVersion](/windows/client-management/mdm/policy-csp-update#targetreleaseversion) (or Deploy Feature Updates Preview in Intune) instead of using feature update deferrals. When you use this policy, specify the version that you want your device(s) to move to or stay on (for example, "1909"). You can find version information at the [Windows 10 Release Information Page](/windows/release-health/release-information).
### Manage how users experience updates
#### I want to manage when devices download, install, and restart after updates
We recommended that you allow to update automatically, which is the default behavior. If you don't set an automatic update policy, the device attempts to download, install, and restart at the best times for the user by using built-in intelligence such as intelligent active hours and smart busy check.
We recommended that you allow to update automatically, which is the default behavior. If you don't set an automatic update policy, the device attempts to download, install, and restart at the best times for the user by using built-in intelligence such as intelligent active hours.
For more granular control, you can set the maximum period of active hours the user can set with [Update/ActiveHoursMaxRange](/windows/client-management/mdm/policy-csp-update#update-activehoursmaxrange). You could also set specific start and end times for active ours with [Update/ActiveHoursEnd](/windows/client-management/mdm/policy-csp-update#update-activehoursend) and [Update/ActiveHoursStart](/windows/client-management/mdm/policy-csp-update#update-activehoursstart).
For more granular control, you can set the maximum period of active hours the user can set with [Update/ActiveHoursMaxRange](/windows/client-management/mdm/policy-csp-update#activehoursmaxrange). You could also set specific start and end times for active ours with [Update/ActiveHoursEnd](/windows/client-management/mdm/policy-csp-update#activehoursend) and [Update/ActiveHoursStart](/windows/client-management/mdm/policy-csp-update#activehoursstart).
It's best to refrain from setting the active hours policy because it's enabled by default when automatic updates aren't disabled and provides a better experience when users can set their own active hours.
To update outside of the active hours, use [Update/AllowAutoUpdate](/windows/client-management/mdm/policy-csp-update#update-allowautoupdate) with Option 2 (which is the default setting). For even more granular control, consider using automatic updates to schedule the install time, day, or week. To use a schedule, use Option 3, and then set the following policies as appropriate for your plan:
To update outside of the active hours, use [Update/AllowAutoUpdate](/windows/client-management/mdm/policy-csp-update#allowautoupdate) with Option 2 (which is the default setting). For even more granular control, consider using automatic updates to schedule the install time, day, or week. To use a schedule, use Option 3, and then set the following policies as appropriate for your plan:
- [Update/ScheduledInstallDay](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallday)
- [Update/ScheduledInstallEveryWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstalleveryweek)
- [Update/ScheduledInstallFirstWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallfirstweek)
- [Update/ScheduledInstallFourthWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallfourthweek)
- [Update/ScheduledInstallSecondWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallsecondweek)
- [Update/ScheduledInstallThirdWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallthirdweek)
- [Update/ScheduledInstallTime](/windows/client-management/mdm/policy-csp-update#update-scheduledinstalltime)
- [Update/ScheduledInstallDay](/windows/client-management/mdm/policy-csp-update#scheduledinstallday)
- [Update/ScheduledInstallEveryWeek](/windows/client-management/mdm/policy-csp-update#scheduledinstalleveryweek)
- [Update/ScheduledInstallFirstWeek](/windows/client-management/mdm/policy-csp-update#scheduledinstallfirstweek)
- [Update/ScheduledInstallFourthWeek](/windows/client-management/mdm/policy-csp-update#scheduledinstallfourthweek)
- [Update/ScheduledInstallSecondWeek](/windows/client-management/mdm/policy-csp-update#scheduledinstallsecondweek)
- [Update/ScheduledInstallThirdWeek](/windows/client-management/mdm/policy-csp-update#scheduledinstallthirdweek)
- [Update/ScheduledInstallTime](/windows/client-management/mdm/policy-csp-update#scheduledinstalltime)
When you set these policies, installation happens automatically at the specified time and the device will restart 15 minutes after installation is complete (unless it's interrupted by the user).
If you don't want to allow any automatic updates prior to the deadline, set [Update/AllowAutoUpdate](/windows/client-management/mdm/policy-csp-update#update-allowautoupdate) to Option 5, which turns off automatic updates.
If you don't want to allow any automatic updates prior to the deadline, set [Update/AllowAutoUpdate](/windows/client-management/mdm/policy-csp-update#allowautoupdate) to Option 5, which turns off automatic updates.
#### I want to keep devices secure and compliant with update deadlines
We recommend that you use set specific deadlines for feature and quality updates to ensure that devices stay secure on Windows 10, version 1709 and later. Deadlines work by enabling you to specify the number of days that can elapse after an update is offered to a device before it must be installed. Also you can set the number of days that can elapse after a pending restart before the user is forced to restart. Use these settings:
- [Update/ConfigureDeadlineForFeatureUpdates](/windows/client-management/mdm/policy-csp-update#update-configuredeadlineforfeatureupdates)
- [Update/ConfigureDeadlineForQualityUpdates ](/windows/client-management/mdm/policy-csp-update#update-configuredeadlineforqualityupdates)
- [Update/ConfigureDeadlineGracePeriod](/windows/client-management/mdm/policy-csp-update#update-configuredeadlinegraceperiod)
- [Update/ConfigureDeadlineForFeatureUpdates](/windows/client-management/mdm/policy-csp-update#configuredeadlineforfeatureupdates)
- [Update/ConfigureDeadlineForQualityUpdates ](/windows/client-management/mdm/policy-csp-update#configuredeadlineforqualityupdates)
- [Update/ConfigureDeadlineGracePeriod](/windows/client-management/mdm/policy-csp-update#configuredeadlinegraceperiod)
- [Update/ConfigureDeadlineGracePeriodForFeatureUpdates](/windows/client-management/mdm/policy-csp-update#configuredeadlinegraceperiodforfeatureupdates)
- [Update/ConfigureDeadlineNoAutoReboot](/windows/client-management/mdm/policy-csp-update#update-configuredeadlinenoautoreboot)
- [Update/ConfigureDeadlineNoAutoReboot](/windows/client-management/mdm/policy-csp-update#configuredeadlinenoautoreboot)
These policies also offer an option to opt out of automatic restarts until a deadline is reached by presenting an "engaged restart experience" until the deadline has actually expired. At that point, the device automatically schedules a restart regardless of active hours.
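Review bot: The rewritten deadline list keeps a stray space inside the link text `[Update/ConfigureDeadlineForQualityUpdates ]`, and the paragraph above it still reads "We recommend that you use set specific deadlines". Both lines sit in this hunk, so drop the trailing space and change "use set" to "set" in the same pass. The new `ConfigureDeadlineGracePeriodForFeatureUpdates` entry has no version qualifier here, while the notification section added later in this file labels it "(Windows 11, version 22H2 or later)"; the two lists should agree.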
@ -168,11 +168,37 @@ When **Specify deadlines for automatic updates and restarts** is set (For Window
![The notification users get for an imminent restart after the deadline.](images/wufb-pastdeadline-restartnow.png)
#### <a name="user-settings-for-notifications"></a> End user settings for notifications
<!--8936877-->
*Applies to:*
- Windows 11, version 23H2 with [KB5037771](https://support.microsoft.com/help/5037771) or later
- Windows 11, version 22H2 with [KB5037771](https://support.microsoft.com/help/5037771) or later
Users can set a preference for notifications about pending restarts for updates under **Settings** > **Windows Update** > **Advanced options** > **Notify me when a restart is required to finish updating**. This setting is end-user controlled and not controlled or configurable by IT administrators.
Users have the following options for the **Notify me when a restart is required to finish updating** setting:
- **Off** (default): Once the device enters a pending reboot state for updates, restart notifications are suppressed for 24 hours. During the first 24 hours, automatic restarts can still occur outside of active hours. Typically, users receive fewer notifications about upcoming restarts while the deadline is approaching.
- When the deadline is set for 1 day, users only receive a notification about the deadline and a final nondismissable notification 15 minutes before a forced restart.
- **On**: Users immediately receive a toast notification when the device enters a reboot pending state for updates. Automatic restarts for updates are blocked for 24 hours after the initial notification to give these users time to prepare for a restart. After 24 hours have passed, automatic restarts can occur. This setting is recommended for users who want to be notified about upcoming restarts.
- When the deadline is set for 1 day, an initial notification occurs, automatic restart is blocked for 24 hours, and users receive another notification before the deadline and a final nondismissable notification 15 minutes before a forced restart.
When a deadline is set for 0 days, no matter which option is selected, the only notification users receive is a final nondismissable notification 15 minutes before a forced restart.
The user preference for notifications applies when the following policies for [compliance deadlines](wufb-compliancedeadlines.md) are used:
- [Update/ConfigureDeadlineForFeatureUpdates](/windows/client-management/mdm/policy-csp-update#update-configuredeadlineforfeatureupdates)
- [Update/ConfigureDeadlineForQualityUpdates](/windows/client-management/mdm/policy-csp-update#update-configuredeadlineforqualityupdates)
- [Update/ConfigureDeadlineGracePeriod](/windows/client-management/mdm/policy-csp-update#update-configuredeadlinegraceperiod)
- [Update/ConfigureDeadlineGracePeriodForFeatureUpdates (Windows 11, version 22H2 or later)](/windows/client-management/mdm/policy-csp-update#configuredeadlinegraceperiodforfeatureupdates)
- [Update/ConfigureDeadlineNoAutoReboot](/windows/client-management/mdm/policy-csp-update#update-configuredeadlinenoautoreboot)
#### I want to manage the notifications a user sees
There are additional settings that affect the notifications.
We recommend that you use the default notifications as they aim to provide the best user experience while adjusting for the compliance policies that you set. If you do have further needs that aren't met by the default notification settings, you can use the [Update/UpdateNotificationLevel](/windows/client-management/mdm/policy-csp-update#update-updatenotificationlevel) policy with these values:
We recommend that you use the default notifications as they aim to provide the best user experience while adjusting for the compliance policies that you set. If you do have further needs that aren't met by the default notification settings, you can use the [Update/NoUpdateNotificationsDuringActiveHours](/windows/client-management/mdm/policy-csp-update#NoUpdateNotificationsDuringActiveHours) policy with these values:
**0** (default) - Use the default Windows Update notifications<br/>
**1** - Turn off all notifications, excluding restart warnings<br/>
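Review bot: The replacement for the "We recommend that you use the default notifications" paragraph now links `Update/NoUpdateNotificationsDuringActiveHours`, but the values listed right after it (**0** default notifications, **1** turn off all notifications excluding restart warnings) are unchanged and read as notification levels, not as an active-hours switch. Please confirm the policy name is intended, or keep `Update/UpdateNotificationLevel` and only update its anchor. The new anchor is also mixed case (`#NoUpdateNotificationsDuringActiveHours`), and four of the five compliance-deadline links in the added "End user settings for notifications" section still use the `#update-` anchor prefix that the rest of this commit removes.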
@ -181,16 +207,18 @@ We recommend that you use the default notifications as they aim to provide the b
> [!NOTE]
> Option **2** creates a poor experience for personal devices; it's only recommended for kiosk devices where automatic restarts have been disabled.
Still more options are available in [Update/ScheduleRestartWarning](/windows/client-management/mdm/policy-csp-update#update-schedulerestartwarning). This setting allows you to specify the period for auto restart warning reminder notifications (from 2-24 hours; 4 hours is the default) before the update. You can also specify the period for auto restart imminent warning notifications with [Update/ScheduleImminentRestartWarning](/windows/client-management/mdm/policy-csp-update#update-scheduleimminentrestartwarning) (15-60 minutes is the default). We recommend using the default notifications.
Still more options are available in [Update/ScheduleRestartWarning](/windows/client-management/mdm/policy-csp-update#schedulerestartwarning). This setting allows you to specify the period for auto restart warning reminder notifications (from 2-24 hours; 4 hours is the default) before the update. You can also specify the period for auto restart imminent warning notifications with [Update/ScheduleImminentRestartWarning](/windows/client-management/mdm/policy-csp-update#scheduleimminentrestartwarning) (15-60 minutes is the default). We recommend using the default notifications.
#### I want to manage the update settings a user can access
Every Windows device provides users with various controls they can use to manage Windows Updates. They can access these controls by Search to find Windows Updates or by going selecting **Updates and Security** in **Settings**. We provide the ability to disable a variety of these controls that are accessible to users.
Users with access to update pause settings can prevent both feature and quality updates for 7 days. You can prevent users from pausing updates through the Windows Update settings page by using [Update/SetDisablePauseUXAccess](/windows/client-management/mdm/policy-csp-update#update-setdisablepauseuxaccess).
Users with access to update pause settings can prevent both feature and quality updates for 7 days. You can prevent users from pausing updates through the Windows Update settings page by using [Update/SetDisablePauseUXAccess](/windows/client-management/mdm/policy-csp-update#setdisablepauseuxaccess).
When you disable this setting, users see **Some settings are managed by your organization** and the update pause settings are greyed out.
If you use Windows Server Update Server (WSUS), you can prevent users from scanning Windows Update. To do this, use [Update/SetDisableUXWUAccess](/windows/client-management/mdm/policy-csp-update#update-setdisableuxwuaccess).
If you use Windows Server Update Server (WSUS), you can prevent users from scanning Windows Update. To do this, use [Update/SetDisableUXWUAccess](/windows/client-management/mdm/policy-csp-update#setdisableuxwuaccess).
#### I want to enable features introduced via servicing that are off by default
<!--6544872-->
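Review bot: The `Update/ScheduleImminentRestartWarning` sentence was touched for its anchor but still says "(15-60 minutes is the default)", which gives a range where a default is expected; state the range and the default separately, as the `ScheduleRestartWarning` sentence before it does ("from 2-24 hours; 4 hours is the default"). In the same hunk, "Windows Server Update Server (WSUS)" should read "Windows Server Update Services", and "by going selecting" needs one of the two verbs removed.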

View File

@ -17,7 +17,7 @@ appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2022</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2019</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016</a>
ms.date: 02/27/2024
ms.date: 05/16/2024
---
# Walkthrough: Use Group Policy to configure Windows Update for Business
@ -132,7 +132,7 @@ When you set the target version policy, if you specify a feature update version
#### I want to manage when devices download, install, and restart after updates
We recommend that you allow to update automatically--this is the default behavior. If you don't set an automatic update policy, the device will attempt to download, install, and restart at the best times for the user by using built-in intelligence such as intelligent active hours and smart busy check.
We recommend that you allow to update automatically--this is the default behavior. If you don't set an automatic update policy, the device will attempt to download, install, and restart at the best times for the user by using built-in intelligence such as intelligent active hours.
For more granular control, you can set the maximum period of active hours the user can set with **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify active hours range for auto restart**.
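Review bot: With "smart busy check" removed, the sentence now ends in "built-in intelligence such as intelligent active hours", a single example behind "such as"; "by using intelligent active hours" would read more cleanly. The opening "We recommend that you allow to update automatically" also lacks an object (for example, "allow devices to update automatically") and is worth fixing while this line is being edited.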
@ -174,6 +174,28 @@ When **Specify deadlines for automatic updates and restarts** is set (For Window
![The notification users get for an imminent restart after the deadline.](images/wufb-pastdeadline-restartnow.png)
#### <a name="user-settings-for-notifications"></a> End user settings for notifications
<!--8936877-->
*Applies to:*
- Windows 11, version 23H2 with [KB5037771](https://support.microsoft.com/help/5037771) or later
- Windows 11, version 22H2 with [KB5037771](https://support.microsoft.com/help/5037771) or later
Users can set a preference for notifications about pending restarts for updates under **Settings** > **Windows Update** > **Advanced options** > **Notify me when a restart is required to finish updating**. This setting is end-user controlled and not controlled or configurable by IT administrators.
Users have the following options for the **Notify me when a restart is required to finish updating** setting:
- **Off** (default): Once the device enters a pending reboot state for updates, restart notifications are suppressed for 24 hours. During the first 24 hours, automatic restarts can still occur outside of active hours. Typically, users receive fewer notifications about upcoming restarts while the deadline is approaching.
- When the deadline is set for 1 day, users only receive a notification about the deadline and a final nondismissable notification 15 minutes before a forced restart.
- **On**: Users immediately receive a toast notification when the device enters a reboot pending state for updates. Automatic restarts for updates are blocked for 24 hours after the initial notification to give these users time to prepare for a restart. After 24 hours have passed, automatic restarts can occur. This setting is recommended for users who want to be notified about upcoming restarts.
- When the deadline is set for 1 day, an initial notification occurs, automatic restart is blocked for 24 hours, and users receive another notification before the deadline and a final nondismissable notification 15 minutes before a forced restart.
When a deadline is set for 0 days, no matter which option is selected, the only notification users receive is a final nondismissable notification 15 minutes before a forced restart.
The user preference for notifications applies when [compliance deadlines](wufb-compliancedeadlines.md) are used. The policy for compliance deadlines is under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Specify deadlines for automatic updates and restarts**.
#### I want to manage the notifications a user sees
There are additional settings that affect the notifications.
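Review bot: The added "End user settings for notifications" section repeats, word for word, the text this commit also adds to the MDM walkthrough; only the closing paragraph about where the deadline policy lives differs. Consider moving the shared part (the "Applies to" list, the **Off**/**On** options and the 0-day sentence) into one include file so the two copies cannot drift, and keep only the policy-location paragraph in each article.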

View File

@ -12,7 +12,7 @@ manager: aaroncz
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 10/10/2023
ms.date: 05/16/2024
---
# Enforcing compliance deadlines for updates
@ -46,6 +46,7 @@ The deadline calculation for both quality and feature updates is based off the t
The grace period for both quality and feature updates starts its countdown from the time of a pending restart after the installation is complete. As soon as installation is complete and the device reaches pending restart, users are able to schedule restarts during the grace period and Windows can still automatically restart outside of active hours if users choose not to schedule restarts. Once the *effective deadline* is reached, the device tries to restart during active hours. (The effective deadline is whichever is the later of the restart pending date plus the specified deadline or the restart pending date plus the grace period.) Grace periods are useful for users who may be coming back from vacation, or other extended time away from their device, to ensure a forced reboot doesn't occur immediately after they return.
> [!NOTE]
> - When these policies are used, [user settings for notifications](waas-wufb-csp-mdm.md#user-settings-for-notifications) are also used on clients running Windows 11, version 22H2 and later.
> - When **Specify deadlines for automatic updates and restarts** is used, updates will be downloaded and installed as soon as they are offered.
> - When **Specify deadlines for automatic updates and restarts** is used, download, installation, and reboot settings stemming from the [Configure Automatic Updates](waas-restart.md#schedule-update-installation) are ignored.
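Review bot: The new first bullet says user notification settings apply on "Windows 11, version 22H2 and later", but the section it links to scopes the feature to 22H2 and 23H2 "with KB5037771 or later"; carry the KB requirement into this note so readers do not expect the setting on devices without that update. The link also targets only `waas-wufb-csp-mdm.md#user-settings-for-notifications`, even though the Group Policy walkthrough gains the same anchor in this commit, so Group Policy readers are sent to the MDM article.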

View File

@ -95,11 +95,11 @@ sections:
- question: What happens if there's an issue with an update?
answer: |
Autopatch relies on the following capabilities to help resolve update issues:
- Pausing and resuming: For more information about pausing and resuming updates, see [pausing and resuming Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md#pausing-and-resuming-a-release).
- Pausing and resuming: For more information about pausing and resuming updates, see [pausing and resuming Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md#pause-and-resume-a-release).
- Rollback: For more information about Microsoft 365 Apps for enterprise, see [Update controls for Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md#microsoft-365-apps-for-enterprise-update-controls).
- question: Can I permanently pause a Windows feature update deployment?
answer: |
Yes. Windows Autopatch provides a [permanent pause of a feature update deployment](../operate/windows-autopatch-windows-feature-update-overview.md#pausing-and-resuming-a-release).
Yes. Windows Autopatch provides a [permanent pause of a feature update deployment](../operate/windows-autopatch-groups-manage-windows-feature-update-release.md#pause-and-resume-a-release).
- question: Will Windows quality updates be released more quickly after vulnerabilities are identified, or what is the regular cadence of updates?
answer: |
For zero-day threats, Autopatch will have an [expedited release cadence](../operate/windows-autopatch-windows-quality-update-overview.md#expedited-releases). For normal updates Autopatch, uses a [regular release cadence](../operate/windows-autopatch-wqu-overview.md#windows-quality-update-releases) starting with devices in the Test ring and completing with general rollout to the Broad ring.
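Review bot: The two pause links are repointed to `#pause-and-resume-a-release`, but the unchanged last answer still links `../operate/windows-autopatch-wqu-overview.md#windows-quality-update-releases`, while every other quality-update link in this hunk uses `windows-autopatch-windows-quality-update-overview.md`; please verify that target still resolves. The same sentence has a misplaced comma ("For normal updates Autopatch, uses").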

View File

@ -21,7 +21,6 @@ If you don't currently have a code signing certificate you can use to sign your
> - All policies, including base and supplemental, must be signed according to the [PKCS 7 Standard](https://datatracker.ietf.org/doc/html/rfc5652).
> - Use RSA keys with 2K, 3K, or 4K key size only. ECDSA isn't supported.
> - You can use SHA-256, SHA-384, or SHA-512 as the digest algorithm on Windows 11, as well as Windows 10 and Windows Server 2019 and above after applying the November 2022 cumulative security update. All other devices only support SHA-256.
> - Don't use UTF-8 encoding for certificate fields, like 'subject common name' and 'issuer common name'. These strings must be encoded as PRINTABLE_STRING, IA5STRING or BMPSTRING.
Before you attempt to deploy a signed policy, you should first deploy an unsigned version of the policy to uncover any issues with the policy rules. We also recommend you enable rule options **9 - Enabled:Advanced Boot Options Menu** and **10 - Enabled:Boot Audit on Failure** to leave troubleshooting options available to administrators. To ensure that a rule option is enabled, you can run a command such as `Set-RuleOption -FilePath <PathAndFilename> -Option 9`, even if you're not sure whether the option is already enabled. If so, the command has no effect. When validated and ready for enterprise deployment, you can remove these options. For more information about rule options, see [Windows Defender Application Control policy rules](../design/select-types-of-rules-to-create.md).
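Review bot: The hunk header (-21,7 +21,6) shows one line dropped from the signing-requirements note, and from the line counts it is the bullet saying certificate fields such as 'subject common name' and 'issuer common name' must not be UTF-8 encoded. If the restriction was lifted only on some Windows versions, keep the bullet with a version qualifier, the way the digest-algorithm bullet above it does for SHA-384 and SHA-512. Otherwise, state in the commit message why it no longer applies, since anyone signing policies for older devices loses the warning.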

View File

@ -34,7 +34,7 @@ You can set several rule options within a WDAC policy. Table 1 describes each ru
| **3 Enabled:Audit Mode (Default)** | Instructs WDAC to log information about applications, binaries, and scripts that would have been blocked, if the policy was enforced. You can use this option to identify the potential impact of your WDAC policy, and use the audit events to refine the policy before enforcement. To enforce a WDAC policy, delete this option. | No |
| **4 Disabled:Flight Signing** | If enabled, binaries from Windows Insider builds aren't trusted. This option is useful for organizations that only want to run released binaries, not prerelease Windows builds. | No |
| **5 Enabled:Inherit Default Policy** | This option is reserved for future use and currently has no effect. | Yes |
| **6 Enabled:Unsigned System Integrity Policy (Default)** | Allows the policy to remain unsigned. When this option is removed, the policy must be signed and any supplemental policies must also be signed. The certificates that are trusted for future policy updates must be identified in the UpdatePolicySigners section. Certificates that are trusted for supplemental policies must be identified in the SupplementalPolicySigners section. | No |
| **6 Enabled:Unsigned System Integrity Policy (Default)** | Allows the policy to remain unsigned. When this option is removed, the policy must be signed and any supplemental policies must also be signed. The certificates that are trusted for future policy updates must be identified in the UpdatePolicySigners section. Certificates that are trusted for supplemental policies must be identified in the SupplementalPolicySigners section. | Yes |
| **7 Allowed:Debug Policy Augmented** | This option isn't currently supported. | Yes |
| **8 Required:EV Signers** | This option isn't currently supported. | No |
| **9 Enabled:Advanced Boot Options Menu** | The F8 preboot menu is disabled by default for all WDAC policies. Setting this rule option allows the F8 menu to appear to physically present users. | No |
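Review bot: Row **6 Enabled:Unsigned System Integrity Policy** flips its last column from No to Yes, but the description is unchanged and is written from the base policy's point of view ("When this option is removed, the policy must be signed and any supplemental policies must also be signed"). Add a sentence on what setting or removing option 6 means inside a supplemental policy, in particular when the base policy is signed, so the Yes is not read as permission to leave supplemental policies unsigned.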

View File

@ -1,7 +1,7 @@
---
title: Plan a Windows Hello for Business Deployment
description: Learn about the role of each component within Windows Hello for Business and how certain deployment decisions affect other aspects of your infrastructure.
ms.date: 03/12/2024
ms.date: 05/16/2024
ms.topic: concept-article
---
@ -151,14 +151,16 @@ The goal of Windows Hello for Business is to move organizations away from passwo
|| Deployment model | MFA options |
|--|--|--|
| **🔲** | **Cloud-only** | Microsoft Entra MFA |
| **🔲** | **Cloud-only** | Non-Microsoft MFA via Microsoft Entra ID custom controls or federation |
| **🔲** | **Cloud-only** | Non-Microsoft MFA, via external authentication method in Microsoft Entra ID or federation |
| **🔲** | **Hybrid** | Microsoft Entra MFA |
| **🔲** | **Hybrid** | Non-Microsoft MFA via Microsoft Entra ID custom controls or federation|
| **🔲** | **Hybrid** | Non-Microsoft MFA, via external authentication method in Microsoft Entra ID or federation|
| **🔲** | **On-premises** | AD FS MFA adapter |
For more information how to configure Microsoft Entra multifactor authentication, see [Configure Microsoft Entra multifactor authentication settings][ENTRA-4].
For more information:
For more information how to configure AD FS to provide multifactor authentication, see [Configure Azure MFA as authentication provider with AD FS][SER-1].
- [Configure Microsoft Entra multifactor authentication settings][ENTRA-4]
- [Configure Azure MFA as authentication provider with AD FS][SER-1]
- [Manage an external authentication method in Microsoft Entra ID][ENTRA-11]
#### MFA and federated authentication
@ -298,6 +300,7 @@ Now that you've read about the different deployment options and requirements, yo
[ENTRA-8]: /entra/identity/conditional-access/overview
[ENTRA-9]: /entra/identity/authentication/concept-mfa-licensing
[ENTRA-10]: /entra/identity/hybrid/connect/whatis-fed
[ENTRA-11]: /entra/identity/authentication/how-to-authentication-external-method-manage
[SER-1]: /windows-server/identity/ad-fs/operations/configure-ad-fs-2016-and-azure-mfa
[SER-2]: /windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs#microsoft-and-third-party-additional-authentication-methods