diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index b15fa65bb2..81696cd310 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -79,6 +79,11 @@ "source_path": "windows/security/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md", "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-exploit-protection-mitigations", "redirect_document_id": true + }, + { + "source_path": "windows/security/threat-protection/microsoft-defender-atp/ios-privacy-statement.md", + "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/ios-privacy", + "redirect_document_id": true }, { "source_path": "windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md", diff --git a/windows/application-management/apps-in-windows-10.md b/windows/application-management/apps-in-windows-10.md index 9d150d9583..31da1afc51 100644 --- a/windows/application-management/apps-in-windows-10.md +++ b/windows/application-management/apps-in-windows-10.md @@ -39,53 +39,53 @@ You can list all provisioned Windows apps with this PowerShell command: Get-AppxProvisionedPackage -Online | Format-Table DisplayName, PackageName ``` -Here are the provisioned Windows apps in Windows 10 versions 1803, 1809, 1903, and 1909. +Here are the provisioned Windows apps in Windows 10 versions 1803, 1809, 1903, 1909, and 2004. -| Package name | App name | 1803 | 1809 | 1903 | 1909 | Uninstall through UI? | -|----------------------------------------------|--------------------------------------------------------------------------------------------------------------------|:----:|:----:|:----:|:----:|:---------------------:| -| Microsoft.3DBuilder | [3D Builder](ms-windows-store://pdp/?PFN=Microsoft.3DBuilder_8wekyb3d8bbwe) | | | | | Yes | -| Microsoft.BingWeather | [MSN Weather](ms-windows-store://pdp/?PFN=Microsoft.BingWeather_8wekyb3d8bbwe) | x | x | x | x | Yes | -| Microsoft.DesktopAppInstaller | [App Installer](ms-windows-store://pdp/?PFN=Microsoft.DesktopAppInstaller_8wekyb3d8bbwe) | x | x | x | x | Via Settings App | -| Microsoft.GetHelp | [Get Help](ms-windows-store://pdp/?PFN=Microsoft.Gethelp_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.Getstarted | [Microsoft Tips](ms-windows-store://pdp/?PFN=Microsoft.Getstarted_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.HEIFImageExtension | [HEIF Image Extensions](ms-windows-store://pdp/?PFN=Microsoft.HEIFImageExtension_8wekyb3d8bbwe) | | x | x | x | No | -| Microsoft.Messaging | [Microsoft Messaging](ms-windows-store://pdp/?PFN=Microsoft.Messaging_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.Microsoft3DViewer | [Mixed Reality Viewer](ms-windows-store://pdp/?PFN=Microsoft.Microsoft3DViewer_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.MicrosoftOfficeHub | [Office](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe) | x | x | x | x | Yes | -| Microsoft.MicrosoftSolitaireCollection | [Microsoft Solitaire Collection](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe) | x | x | x | x | Yes | -| Microsoft.MicrosoftStickyNotes | [Microsoft Sticky Notes](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.MixedReality.Portal | [Mixed Reality Portal](ms-windows-store://pdp/?PFN=Microsoft.MixedReality.Portal_8wekyb3d8bbwe) | | x | x | x | No | -| Microsoft.MSPaint | [Paint 3D](ms-windows-store://pdp/?PFN=Microsoft.MSPaint_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.Office.OneNote | [OneNote for Windows 10](ms-windows-store://pdp/?PFN=Microsoft.Office.OneNote_8wekyb3d8bbwe) | x | x | x | x | Yes | -| Microsoft.OneConnect | [Mobile Plans](ms-windows-store://pdp/?PFN=Microsoft.OneConnect_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.Outlook.DesktopIntegrationServices | | | | | x | | -| Microsoft.People | [Microsoft People](ms-windows-store://pdp/?PFN=Microsoft.People_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.Print3D | [Print 3D](ms-windows-store://pdp/?PFN=Microsoft.Print3D_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.ScreenSketch | [Snip & Sketch](ms-windows-store://pdp/?PFN=Microsoft.ScreenSketch_8wekyb3d8bbwe) | | x | x | x | No | -| Microsoft.SkypeApp | [Skype](ms-windows-store://pdp/?PFN=Microsoft.SkypeApp_kzf8qxf38zg5c) | x | x | x | x | No | -| Microsoft.StorePurchaseApp | [Store Purchase App](ms-windows-store://pdp/?PFN=Microsoft.StorePurchaseApp_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.VP9VideoExtensions | | | x | x | x | No | -| Microsoft.Wallet | [Microsoft Pay](ms-windows-store://pdp/?PFN=Microsoft.Wallet_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.WebMediaExtensions | [Web Media Extensions](ms-windows-store://pdp/?PFN=Microsoft.WebMediaExtensions_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.WebpImageExtension | [Webp Image Extension](ms-windows-store://pdp/?PFN=Microsoft.WebpImageExtension_8wekyb3d8bbwe) | | x | x | x | No | -| Microsoft.Windows.Photos | [Microsoft Photos](ms-windows-store://pdp/?PFN=Microsoft.Windows.Photos_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.WindowsAlarms | [Windows Alarms & Clock](ms-windows-store://pdp/?PFN=Microsoft.WindowsAlarms_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.WindowsCalculator | [Windows Calculator](ms-windows-store://pdp/?PFN=Microsoft.WindowsCalculator_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.WindowsCamera | [Windows Camera](ms-windows-store://pdp/?PFN=Microsoft.WindowsCamera_8wekyb3d8bbwe) | x | x | x | x | No | -| microsoft.windowscommunicationsapps | [Mail and Calendar](ms-windows-store://pdp/?PFN=microsoft.windowscommunicationsapps_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.WindowsFeedbackHub | [Feedback Hub](ms-windows-store://pdp/?PFN=Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.WindowsMaps | [Windows Maps](ms-windows-store://pdp/?PFN=Microsoft.WindowsMaps_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.WindowsSoundRecorder | [Windows Voice Recorder](ms-windows-store://pdp/?PFN=Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.WindowsStore | [Microsoft Store](ms-windows-store://pdp/?PFN=Microsoft.WindowsStore_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.Xbox.TCUI | [Xbox Live in-game experience](ms-windows-store://pdp/?PFN=Microsoft.Xbox.TCUI_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.XboxApp | [Xbox Console Companion](ms-windows-store://pdp/?PFN=Microsoft.XboxApp_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.XboxGameOverlay | [Xbox Game Bar Plugin](ms-windows-store://pdp/?PFN=Microsoft.XboxGameOverlay_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.XboxGamingOverlay | [Xbox Game Bar](ms-windows-store://pdp/?PFN=Microsoft.XboxGamingOverlay_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.XboxIdentityProvider | [Xbox Identity Provider](ms-windows-store://pdp/?PFN=Microsoft.XboxIdentityProvider_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.XboxSpeechToTextOverlay | | x | x | x | x | No | -| Microsoft.YourPhone | [Your Phone](ms-windows-store://pdp/?PFN=Microsoft.YourPhone_8wekyb3d8bbwe) | | x | x | x | No | -| Microsoft.ZuneMusic | [Groove Music](ms-windows-store://pdp/?PFN=Microsoft.ZuneMusic_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.ZuneVideo | [Movies & TV](ms-windows-store://pdp/?PFN=Microsoft.ZuneVideo_8wekyb3d8bbwe) | x | x | x | x | No | +| Package name | App name | 1803 | 1809 | 1903 | 1909 | 2004 | Uninstall through UI? | +|----------------------------------------------|--------------------------------------------------------------------------------------------------------------------|:----:|:----:|:----:|:----:|:----:|:---------------------:| +| Microsoft.3DBuilder | [3D Builder](ms-windows-store://pdp/?PFN=Microsoft.3DBuilder_8wekyb3d8bbwe) | | | | | | Yes | +| Microsoft.BingWeather | [MSN Weather](ms-windows-store://pdp/?PFN=Microsoft.BingWeather_8wekyb3d8bbwe) | x | x | x | x | x | Yes | +| Microsoft.DesktopAppInstaller | [App Installer](ms-windows-store://pdp/?PFN=Microsoft.DesktopAppInstaller_8wekyb3d8bbwe) | x | x | x | x | x | Via Settings App | +| Microsoft.GetHelp | [Get Help](ms-windows-store://pdp/?PFN=Microsoft.Gethelp_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.Getstarted | [Microsoft Tips](ms-windows-store://pdp/?PFN=Microsoft.Getstarted_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.HEIFImageExtension | [HEIF Image Extensions](ms-windows-store://pdp/?PFN=Microsoft.HEIFImageExtension_8wekyb3d8bbwe) | | x | x | x | x | No | +| Microsoft.Messaging | [Microsoft Messaging](ms-windows-store://pdp/?PFN=Microsoft.Messaging_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.Microsoft3DViewer | [Mixed Reality Viewer](ms-windows-store://pdp/?PFN=Microsoft.Microsoft3DViewer_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.MicrosoftOfficeHub | [Office](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe) | x | x | x | x | x | Yes | +| Microsoft.MicrosoftSolitaireCollection | [Microsoft Solitaire Collection](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe) | x | x | x | x | x | Yes | +| Microsoft.MicrosoftStickyNotes | [Microsoft Sticky Notes](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.MixedReality.Portal | [Mixed Reality Portal](ms-windows-store://pdp/?PFN=Microsoft.MixedReality.Portal_8wekyb3d8bbwe) | | x | x | x | x | No | +| Microsoft.MSPaint | [Paint 3D](ms-windows-store://pdp/?PFN=Microsoft.MSPaint_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.Office.OneNote | [OneNote for Windows 10](ms-windows-store://pdp/?PFN=Microsoft.Office.OneNote_8wekyb3d8bbwe) | x | x | x | x | x | Yes | +| Microsoft.OneConnect | [Mobile Plans](ms-windows-store://pdp/?PFN=Microsoft.OneConnect_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.Outlook.DesktopIntegrationServices | | | | | x | x | | +| Microsoft.People | [Microsoft People](ms-windows-store://pdp/?PFN=Microsoft.People_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.Print3D | [Print 3D](ms-windows-store://pdp/?PFN=Microsoft.Print3D_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.ScreenSketch | [Snip & Sketch](ms-windows-store://pdp/?PFN=Microsoft.ScreenSketch_8wekyb3d8bbwe) | | x | x | x | x | No | +| Microsoft.SkypeApp | [Skype](ms-windows-store://pdp/?PFN=Microsoft.SkypeApp_kzf8qxf38zg5c) | x | x | x | x | x | No | +| Microsoft.StorePurchaseApp | [Store Purchase App](ms-windows-store://pdp/?PFN=Microsoft.StorePurchaseApp_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.VP9VideoExtensions | | | x | x | x | x | No | +| Microsoft.Wallet | [Microsoft Pay](ms-windows-store://pdp/?PFN=Microsoft.Wallet_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.WebMediaExtensions | [Web Media Extensions](ms-windows-store://pdp/?PFN=Microsoft.WebMediaExtensions_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.WebpImageExtension | [Webp Image Extension](ms-windows-store://pdp/?PFN=Microsoft.WebpImageExtension_8wekyb3d8bbwe) | | x | x | x | x | No | +| Microsoft.Windows.Photos | [Microsoft Photos](ms-windows-store://pdp/?PFN=Microsoft.Windows.Photos_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.WindowsAlarms | [Windows Alarms & Clock](ms-windows-store://pdp/?PFN=Microsoft.WindowsAlarms_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.WindowsCalculator | [Windows Calculator](ms-windows-store://pdp/?PFN=Microsoft.WindowsCalculator_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.WindowsCamera | [Windows Camera](ms-windows-store://pdp/?PFN=Microsoft.WindowsCamera_8wekyb3d8bbwe) | x | x | x | x | x | No | +| microsoft.windowscommunicationsapps | [Mail and Calendar](ms-windows-store://pdp/?PFN=microsoft.windowscommunicationsapps_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.WindowsFeedbackHub | [Feedback Hub](ms-windows-store://pdp/?PFN=Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.WindowsMaps | [Windows Maps](ms-windows-store://pdp/?PFN=Microsoft.WindowsMaps_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.WindowsSoundRecorder | [Windows Voice Recorder](ms-windows-store://pdp/?PFN=Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.WindowsStore | [Microsoft Store](ms-windows-store://pdp/?PFN=Microsoft.WindowsStore_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.Xbox.TCUI | [Xbox Live in-game experience](ms-windows-store://pdp/?PFN=Microsoft.Xbox.TCUI_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.XboxApp | [Xbox Console Companion](ms-windows-store://pdp/?PFN=Microsoft.XboxApp_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.XboxGameOverlay | [Xbox Game Bar Plugin](ms-windows-store://pdp/?PFN=Microsoft.XboxGameOverlay_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.XboxGamingOverlay | [Xbox Game Bar](ms-windows-store://pdp/?PFN=Microsoft.XboxGamingOverlay_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.XboxIdentityProvider | [Xbox Identity Provider](ms-windows-store://pdp/?PFN=Microsoft.XboxIdentityProvider_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.XboxSpeechToTextOverlay | | x | x | x | x | x | No | +| Microsoft.YourPhone | [Your Phone](ms-windows-store://pdp/?PFN=Microsoft.YourPhone_8wekyb3d8bbwe) | | x | x | x | x | No | +| Microsoft.ZuneMusic | [Groove Music](ms-windows-store://pdp/?PFN=Microsoft.ZuneMusic_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.ZuneVideo | [Movies & TV](ms-windows-store://pdp/?PFN=Microsoft.ZuneVideo_8wekyb3d8bbwe) | x | x | x | x | x | No | >[!NOTE] >The Store app can't be removed. If you want to remove and reinstall the Store app, you can only bring Store back by either restoring your system from a backup or resetting your system. Instead of removing the Store app, you should use group policies to hide or disable it. diff --git a/windows/client-management/connect-to-remote-aadj-pc.md b/windows/client-management/connect-to-remote-aadj-pc.md index bc6f44d66e..f25c37dce5 100644 --- a/windows/client-management/connect-to-remote-aadj-pc.md +++ b/windows/client-management/connect-to-remote-aadj-pc.md @@ -22,13 +22,10 @@ ms.topic: article - Windows 10 -From its release, Windows 10 has supported remote connections to PCs joined to Active Directory. Starting in Windows 10, version 1607, you can also connect to a remote PC that is [joined to Azure Active Directory (Azure AD)](https://docs.microsoft.com/azure/active-directory/user-help/device-management-azuread-joined-devices-setup). +From its release, Windows 10 has supported remote connections to PCs joined to Active Directory. Starting in Windows 10, version 1607, you can also connect to a remote PC that is [joined to Azure Active Directory (Azure AD)](https://docs.microsoft.com/azure/active-directory/user-help/device-management-azuread-joined-devices-setup). Starting in Windows 10, version 1809, you can [use biometrics to authenticate to a remote desktop session](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809#remote-desktop-with-biometrics). ![Remote Desktop Connection client](images/rdp.png) -> [!TIP] -> Starting in Windows 10, version 1809, you can [use biometrics to authenticate to a remote desktop session.](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809#remote-desktop-with-biometrics) - ## Set up - Both PCs (local and remote) must be running Windows 10, version 1607 or later. Remote connections to an Azure AD-joined PC running earlier versions of Windows 10 are not supported. @@ -37,36 +34,39 @@ From its release, Windows 10 has supported remote connections to PCs joined to A Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-guard), a new feature in Windows 10, version 1607, is turned off on the client PC you are using to connect to the remote PC. - On the PC you want to connect to: + 1. Open system properties for the remote PC. + 2. Enable **Allow remote connections to this computer** and select **Allow connections only from computers running Remote Desktop with Network Level Authentication**. - ![Allow remote connections to this computer](images/allow-rdp.png) + ![Allow remote connections to this computer](images/allow-rdp.png) - 3. If the user who joined the PC to Azure AD is the only one who is going to connect remotely, no additional configuration is needed. To allow additional users to connect to the PC, you must allow remote connections for the local **Authenticated Users** group. Click **Select Users**. + 3. If the user who joined the PC to Azure AD is the only one who is going to connect remotely, no additional configuration is needed. To allow additional users or groups to connect to the PC, you must allow remote connections for the specified users or groups. Click **Select Users -> Add** and enter the name of the user or group. - > [!NOTE] - > You can specify individual Azure AD accounts for remote connections by having the user sign in to the remote device at least once, and then running the following PowerShell cmdlet: - > ```PowerShell - > net localgroup "Remote Desktop Users" /add "AzureAD\the-UPN-attribute-of-your-user" - > ``` - > where *the-UPN-attribute-of-your-user* is the name of the user profile in C:\Users\, which is created based on the DisplayName attribute in Azure AD. - > - > This command only works for AADJ device users already added to any of the local groups (administrators). - > Otherwise this command throws the below error. For example: - > - for cloud only user: "There is no such global user or group : *name*" - > - for synced user: "There is no such global user or group : *name*"
- > - > In Windows 10, version 1709, the user does not have to sign in to the remote device first. - > - > In Windows 10, version 1709, you can add other Azure AD users to the **Administrators** group on a device in **Settings** and restrict remote credentials to **Administrators**. If there is a problem connecting remotely, make sure that both devices are joined to Azure AD and that TPM is functioning properly on both devices. + > [!NOTE] + > You can specify individual Azure AD accounts for remote connections by having the user sign in to the remote device at least once, and then running the following PowerShell cmdlet: + > ```powershell + > net localgroup "Remote Desktop Users" /add "AzureAD\the-UPN-attribute-of-your-user" + > ``` + > where *the-UPN-attribute-of-your-user* is the name of the user profile in C:\Users\, which is created based on the DisplayName attribute in Azure AD. + > + > This command only works for AADJ device users already added to any of the local groups (administrators). + > Otherwise this command throws the below error. For example: + > - for cloud only user: "There is no such global user or group : *name*" + > - for synced user: "There is no such global user or group : *name*"
+ + > [!NOTE] + > In Windows 10, version 1709, the user does not have to sign in to the remote device first. + > + > In Windows 10, version 1709, you can add other Azure AD users to the **Administrators** group on a device in **Settings** and restrict remote credentials to **Administrators**. If there is a problem connecting remotely, make sure that both devices are joined to Azure AD and that TPM is functioning properly on both devices. + + 4. Click **Check Names**. If the **Name Not Found** window opens, click **Locations** and select this PC. - 4. Enter **Authenticated Users**, then click **Check Names**. If the **Name Not Found** window opens, click **Locations** and select this PC. + > [!TIP] + > When you connect to the remote PC, enter your account name in this format: `AzureAD UPN`. The local PC must either be domain-joined or Azure AD-joined. The local PC and remote PC must be in the same Azure AD tenant. - > [!TIP] - > When you connect to the remote PC, enter your account name in this format: `AzureAD UPN`. The local PC must either be domain-joined or Azure AD-joined. The local PC and remote PC must be in the same Azure AD tenant. - -> [!Note] -> If you cannot connect using Remote Desktop Connection 6.0, you must turn off the new features of RDP 6.0 and revert back to RDP 5.0 by making a few changes in the RDP file. See the details in the [support article](https://support.microsoft.com/help/941641/remote-desktop-connection-6-0-prompts-you-for-credentials-before-you-e). + > [!Note] + > If you cannot connect using Remote Desktop Connection 6.0, you must turn off the new features of RDP 6.0 and revert back to RDP 5.0 by making a few changes in the RDP file. See the details in the [support article](https://support.microsoft.com/help/941641/remote-desktop-connection-6-0-prompts-you-for-credentials-before-you-e). ## Supported configurations diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md index b2a9fbbcf1..adc08ab268 100644 --- a/windows/client-management/mdm/TOC.md +++ b/windows/client-management/mdm/TOC.md @@ -208,6 +208,19 @@ #### [ADMX_SharedFolders](policy-csp-admx-sharedfolders.md) #### [ADMX_Sharing](policy-csp-admx-sharing.md) #### [ADMX_ShellCommandPromptRegEditTools](policy-csp-admx-shellcommandpromptregedittools.md) +#### [ADMX_Smartcard](policy-csp-admx-smartcard.md) +#### [ADMX_Snmp](policy-csp-admx-snmp.md) +#### [ADMX_tcpip](policy-csp-admx-tcpip.md) +#### [ADMX_Thumbnails](policy-csp-admx-thumbnails.md) +#### [ADMX_TPM](policy-csp-admx-tpm.md) +#### [ADMX_UserExperienceVirtualization](policy-csp-admx-userexperiencevirtualization.md) +#### [ADMX_W32Time](policy-csp-admx-w32time.md) +#### [ADMX_WinCal](policy-csp-admx-wincal.md) +#### [ADMX_WindowsAnytimeUpgrade](policy-csp-admx-windowsanytimeupgrade.md) +#### [ADMX_WindowsConnectNow](policy-csp-admx-windowsconnectnow.md) +#### [ADMX_WindowsMediaDRM](policy-csp-admx-windowsmediadrm.md) +#### [ADMX_WindowsMediaPlayer](policy-csp-admx-windowsmediaplayer.md) +#### [ADMX_WinInit](policy-csp-admx-wininit.md) #### [ApplicationDefaults](policy-csp-applicationdefaults.md) #### [ApplicationManagement](policy-csp-applicationmanagement.md) #### [AppRuntime](policy-csp-appruntime.md) @@ -254,6 +267,7 @@ #### [LanmanWorkstation](policy-csp-lanmanworkstation.md) #### [Licensing](policy-csp-licensing.md) #### [LocalPoliciesSecurityOptions](policy-csp-localpoliciessecurityoptions.md) +#### [LocalUsersAndGroups](policy-csp-localusersandgroups.md) #### [LockDown](policy-csp-lockdown.md) #### [Maps](policy-csp-maps.md) #### [Messaging](policy-csp-messaging.md) @@ -294,6 +308,7 @@ #### [WindowsInkWorkspace](policy-csp-windowsinkworkspace.md) #### [WindowsLogon](policy-csp-windowslogon.md) #### [WindowsPowerShell](policy-csp-windowspowershell.md) +#### [WindowsSandbox](policy-csp-windowssandbox.md) #### [WirelessDisplay](policy-csp-wirelessdisplay.md) ### [PolicyManager CSP](policymanager-csp.md) ### [Provisioning CSP](provisioning-csp.md) diff --git a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md index 8e84d077d5..b511fd100f 100644 --- a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md +++ b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md @@ -165,7 +165,10 @@ The following image illustrates how MDM applications will show up in the Azure a ### Add cloud-based MDM to the app gallery -You should work with the Azure AD engineering team if your MDM application is cloud-based. The following table shows the required information to create an entry in the Azure AD app gallery. +> [!NOTE] +> You should work with the Azure AD engineering team if your MDM application is cloud-based and needs to be enabled as a multi-tenant MDM application + +The following table shows the required information to create an entry in the Azure AD app gallery. diff --git a/windows/client-management/mdm/firewall-csp.md b/windows/client-management/mdm/firewall-csp.md index 1fae08c646..bf8a5ea5ad 100644 --- a/windows/client-management/mdm/firewall-csp.md +++ b/windows/client-management/mdm/firewall-csp.md @@ -248,10 +248,10 @@ Sample syncxml to provision the firewall settings to evaluate

Value type is string. Supported operations are Add, Get, Replace, and Delete.

**FirewallRules/*FirewallRuleName*/LocalAddressRanges** -

Comma separated list of local addresses covered by the rule. The default value is "". Valid tokens include:

+

Comma separated list of local addresses covered by the rule. The default value is "*". Valid tokens include:

+ + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting lets you allow certificates without an Extended Key Usage (EKU) set to be used for logon. + +In versions of Windows prior to Windows Vista, smart card certificates that are used for logon require an enhanced key usage (EKU) extension with a smart card logon object identifier. This policy setting can be used to modify that restriction. + +If you enable this policy setting, certificates with the following attributes can also be used to log on with a smart card: + +- Certificates with no EKU +- Certificates with an All Purpose EKU +- Certificates with a Client Authentication EKU + +If you disable or do not configure this policy setting, only certificates that contain the smart card logon object identifier can be used to log on with a smart card. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow certificates with no extended key usage certificate attribute* +- GP name: *AllowCertificatesWithNoEKU* +- GP path: *Windows Components\Smart Card* +- GP ADMX file name: *Smartcard.admx* + + + +
+ + +**ADMX_Smartcard/AllowIntegratedUnblock** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting lets you determine whether the integrated unblock feature will be available in the logon User Interface (UI). + +In order to use the integrated unblock feature your smart card must support this feature. Please check with your hardware manufacturer to see if your smart card supports this feature. + +If you enable this policy setting, the integrated unblock feature will be available. + +If you disable or do not configure this policy setting then the integrated unblock feature will not be available. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow Integrated Unblock screen to be displayed at the time of logon* +- GP name: *AllowIntegratedUnblock* +- GP path: *Windows Components\Smart Card* +- GP ADMX file name: *Smartcard.admx* + + + +
+ + +**ADMX_Smartcard/AllowSignatureOnlyKeys** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting lets you allow signature key-based certificates to be enumerated and available for logon. + +If you enable this policy setting then any certificates available on the smart card with a signature only key will be listed on the logon screen. + +If you disable or do not configure this policy setting, any available smart card signature key-based certificates will not be listed on the logon screen. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow signature keys valid for Logon* +- GP name: *AllowSignatureOnlyKeys* +- GP path: *Windows Components\Smart Card* +- GP ADMX file name: *Smartcard.admx* + + + +
+ + +**ADMX_Smartcard/AllowTimeInvalidCertificates** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting permits those certificates to be displayed for logon that are either expired or not yet valid. + +Under previous versions of Microsoft Windows, certificates were required to contain a valid time and not be expired. The certificate must still be accepted by the domain controller in order to be used. This setting only controls the displaying of the certificate on the client machine. + +If you enable this policy setting certificates will be listed on the logon screen regardless of whether they have an invalid time or their time validity has expired. + +If you disable or do not configure this policy setting, certificates which are expired or not yet valid will not be listed on the logon screen. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow time invalid certificates* +- GP name: *AllowTimeInvalidCertificates* +- GP path: *Windows Components\Smart Card* +- GP ADMX file name: *Smartcard.admx* + + + +
+ + +**ADMX_Smartcard/CertPropEnabledString** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to manage the certificate propagation that occurs when a smart card is inserted. + +If you enable or do not configure this policy setting then certificate propagation will occur when you insert your smart card. + +If you disable this policy setting, certificate propagation will not occur and the certificates will not be made available to applications such as Outlook. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn on certificate propagation from smart card* +- GP name: *CertPropEnabledString* +- GP path: *Windows Components\Smart Card* +- GP ADMX file name: *Smartcard.admx* + + + +
+ + +**ADMX_Smartcard/CertPropRootCleanupString** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to manage the cleanup behavior of root certificates. If you enable this policy setting then root certificate cleanup will occur according to the option selected. If you disable or do not configure this setting then root certificate cleanup will occur on logoff. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure root certificate clean up* +- GP name: *CertPropRootCleanupString* +- GP path: *Windows Components\Smart Card* +- GP ADMX file name: *Smartcard.admx* + + + +
+ + +**ADMX_Smartcard/CertPropRootEnabledString** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to manage the root certificate propagation that occurs when a smart card is inserted. + +If you enable or do not configure this policy setting then root certificate propagation will occur when you insert your smart card. + +> [!NOTE] +> For this policy setting to work the following policy setting must also be enabled: Turn on certificate propagation from smart card. + +If you disable this policy setting then root certificates will not be propagated from the smart card. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn on root certificate propagation from smart card* +- GP name: *CertPropRootEnabledString* +- GP path: *Windows Components\Smart Card* +- GP ADMX file name: *Smartcard.admx* + + + +
+ + +**ADMX_Smartcard/DisallowPlaintextPin** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting prevents plaintext PINs from being returned by Credential Manager. + +If you enable this policy setting, Credential Manager does not return a plaintext PIN. + +If you disable or do not configure this policy setting, plaintext PINs can be returned by Credential Manager. + +> [!NOTE] +> Enabling this policy setting could prevent certain smart cards from working on Windows. Please consult your smart card manufacturer to find out whether you will be affected by this policy setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent plaintext PINs from being returned by Credential Manager* +- GP name: *DisallowPlaintextPin* +- GP path: *Windows Components\Smart Card* +- GP ADMX file name: *Smartcard.admx* + + + +
+ + +**ADMX_Smartcard/EnumerateECCCerts** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to control whether elliptic curve cryptography (ECC) certificates on a smart card can be used to log on to a domain. + +If you enable this policy setting, ECC certificates on a smart card can be used to log on to a domain. + +If you disable or do not configure this policy setting, ECC certificates on a smart card cannot be used to log on to a domain. + +> [!NOTE] +> This policy setting only affects a user's ability to log on to a domain. ECC certificates on a smart card that are used for other applications, such as document signing, are not affected by this policy setting. +> If you use an ECDSA key to log on, you must also have an associated ECDH key to permit logons when you are not connected to the network. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow ECC certificates to be used for logon and authentication* +- GP name: *EnumerateECCCerts* +- GP path: *Windows Components\Smart Card* +- GP ADMX file name: *Smartcard.admx* + + + +
+ + +**ADMX_Smartcard/FilterDuplicateCerts** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting lets you configure if all your valid logon certificates are displayed. + +During the certificate renewal period, a user can have multiple valid logon certificates issued from the same certificate template. This can cause confusion as to which certificate to select for logon. The common case for this behavior is when a certificate is renewed and the old one has not yet expired. Two certificates are determined to be the same if they are issued from the same template with the same major version and they are for the same user (determined by their UPN). + +If there are two or more of the "same" certificate on a smart card and this policy is enabled then the certificate that is used for logon on Windows 2000, Windows XP, and Windows 2003 Server will be shown, otherwise the certificate with the expiration time furthest in the future will be shown. + +> [!NOTE] +> This setting will be applied after the following policy: "Allow time invalid certificates" + +If you enable or do not configure this policy setting, filtering will take place. + +If you disable this policy setting, no filtering will take place. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Filter duplicate logon certificates* +- GP name: *FilterDuplicateCerts* +- GP path: *Windows Components\Smart Card* +- GP ADMX file name: *Smartcard.admx* + + + +
+ + +**ADMX_Smartcard/ForceReadingAllCertificates** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to manage the reading of all certificates from the smart card for logon. + +During logon Windows will by default only read the default certificate from the smart card unless it supports retrieval of all certificates in a single call. This setting forces Windows to read all the certificates from the card. This can introduce a significant performance decrease in certain situations. Please contact your smart card vendor to determine if your smart card and associated CSP supports the required behavior. + +If you enable this setting, then Windows will attempt to read all certificates from the smart card regardless of the feature set of the CSP. + +If you disable or do not configure this setting, Windows will only attempt to read the default certificate from those cards that do not support retrieval of all certificates in a single call. Certificates other than the default will not be available for logon. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Force the reading of all certificates from the smart card* +- GP name: *ForceReadingAllCertificates* +- GP path: *Windows Components\Smart Card* +- GP ADMX file name: *Smartcard.admx* + + + +
+ + +**ADMX_Smartcard/IntegratedUnblockPromptString** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to manage the displayed message when a smart card is blocked. + +If you enable this policy setting, the specified message will be displayed to the user when the smart card is blocked. + +> [!NOTE] +> The following policy setting must be enabled: Allow Integrated Unblock screen to be displayed at the time of logon. + +If you disable or do not configure this policy setting, the default message will be displayed to the user when the smart card is blocked, if the integrated unblock feature is enabled. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Display string when smart card is blocked* +- GP name: *IntegratedUnblockPromptString* +- GP path: *Windows Components\Smart Card* +- GP ADMX file name: *Smartcard.admx* + + + +
+ + +**ADMX_Smartcard/ReverseSubject** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting lets you reverse the subject name from how it is stored in the certificate when displaying it during logon. + +By default the user principal name (UPN) is displayed in addition to the common name to help users distinguish one certificate from another. For example, if the certificate subject was CN=User1, OU=Users, DN=example, DN=com and had an UPN of user1@example.com then "User1" will be displayed along with "user1@example.com." If the UPN is not present then the entire subject name will be displayed. This setting controls the appearance of that subject name and might need to be adjusted per organization. + +If you enable this policy setting or do not configure this setting, then the subject name will be reversed. + +If you disable, the subject name will be displayed as it appears in the certificate. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Reverse the subject name stored in a certificate when displaying* +- GP name: *ReverseSubject* +- GP path: *Windows Components\Smart Card* +- GP ADMX file name: *Smartcard.admx* + + + +
+ + +**ADMX_Smartcard/SCPnPEnabled** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to control whether Smart Card Plug and Play is enabled. + +If you enable or do not configure this policy setting, Smart Card Plug and Play will be enabled and the system will attempt to install a Smart Card device driver when a card is inserted in a Smart Card Reader for the first time. + +If you disable this policy setting, Smart Card Plug and Play will be disabled and a device driver will not be installed when a card is inserted in a Smart Card Reader. + +> [!NOTE] +> This policy setting is applied only for smart cards that have passed the Windows Hardware Quality Labs (WHQL) testing process. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn on Smart Card Plug and Play service* +- GP name: *SCPnPEnabled* +- GP path: *Windows Components\Smart Card* +- GP ADMX file name: *Smartcard.admx* + + + +
+ + +**ADMX_Smartcard/SCPnPNotification** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to control whether a confirmation message is displayed when a smart card device driver is installed. + +If you enable or do not configure this policy setting, a confirmation message will be displayed when a smart card device driver is installed. + +If you disable this policy setting, a confirmation message will not be displayed when a smart card device driver is installed. + +> [!NOTE] +> This policy setting is applied only for smart cards that have passed the Windows Hardware Quality Labs (WHQL) testing process. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Notify user of successful smart card driver installation* +- GP name: *SCPnPNotification* +- GP path: *Windows Components\Smart Card* +- GP ADMX file name: *Smartcard.admx* + + + +
+ + +**ADMX_Smartcard/X509HintsNeeded** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting lets you determine whether an optional field will be displayed during logon and elevation that allows a user to enter his or her user name or user name and domain, thereby associating a certificate with that user. + +If you enable this policy setting then an optional field that allows a user to enter their user name or user name and domain will be displayed. + +If you disable or do not configure this policy setting, an optional field that allows users to enter their user name or user name and domain will not be displayed. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow user name hint* +- GP name: *X509HintsNeeded* +- GP path: *Windows Components\Smart Card* +- GP ADMX file name: *Smartcard.admx* + + + +
+ +Footnotes: + +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. +- 7 - Available in Windows 10, version 1909. +- 8 - Available in Windows 10, version 2004. + + + diff --git a/windows/client-management/mdm/policy-csp-admx-snmp.md b/windows/client-management/mdm/policy-csp-admx-snmp.md new file mode 100644 index 0000000000..2a83f8346c --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-snmp.md @@ -0,0 +1,290 @@ +--- +title: Policy CSP - ADMX_Snmp +description: Policy CSP - ADMX_Snmp +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 09/24/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_Snmp +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## ADMX_Snmp policies + +
+
+ ADMX_Snmp/SNMP_Communities +
+
+ ADMX_Snmp/SNMP_PermittedManagers +
+
+ ADMX_Snmp/SNMP_Traps_Public +
+
+ + +
+ + +**ADMX_Snmp/SNMP_Communities** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures a list of the communities defined to the Simple Network Management Protocol (SNMP) service. + +SNMP is a protocol designed to give a user the capability to remotely manage a computer network, by polling and setting terminal values and monitoring network events. + +A valid community is a community recognized by the SNMP service, while a community is a group of hosts (servers, workstations, hubs, and routers) that are administered together by SNMP. The SNMP service is a managed network node that receives SNMP packets from the network. + +If you enable this policy setting, the SNMP agent only accepts requests from management systems within the communities it recognizes, and only SNMP Read operation is allowed for the community. + +If you disable or do not configure this policy setting, the SNMP service takes the Valid Communities configured on the local computer instead. + +Best practice: For security purposes, it is recommended to restrict the HKLM\SOFTWARE\Policies\SNMP\Parameters\ValidCommunities key to allow only the local admin group full control. + +> [!NOTE] +> - It is good practice to use a cryptic community name. +> - This policy setting has no effect if the SNMP agent is not installed on the client computer. + +Also, see the other two SNMP settings: "Specify permitted managers" and "Specify trap configuration". + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Specify communities* +- GP name: *SNMP_Communities* +- GP path: *Network\SNMP* +- GP ADMX file name: *Snmp.admx* + + + +
+ + +**ADMX_Snmp/SNMP_PermittedManagers** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting determines the permitted list of hosts that can submit a query to the Simple Network Management (SNMP) agent running on the client computer. + +Simple Network Management Protocol is a protocol designed to give a user the capability to remotely manage a computer network by polling and setting terminal values and monitoring network events. + +The manager is located on the host computer on the network. The manager's role is to poll the agents for certain requested information. + +If you enable this policy setting, the SNMP agent only accepts requests from the list of permitted managers that you configure using this setting. + +If you disable or do not configure this policy setting, SNMP service takes the permitted managers configured on the local computer instead. + +Best practice: For security purposes, it is recommended to restrict the HKLM\SOFTWARE\Policies\SNMP\Parameters\PermittedManagers key to allow only the local admin group full control. + +> [!NOTE] +> This policy setting has no effect if the SNMP agent is not installed on the client computer. + +Also, see the other two SNMP policy settings: "Specify trap configuration" and "Specify Community Name". + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Specify permitted managers* +- GP name: *SNMP_PermittedManagers* +- GP path: *Network\SNMP* +- GP ADMX file name: *Snmp.admx* + + + +
+ + +**ADMX_Snmp/SNMP_Traps_Public** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting allows trap configuration for the Simple Network Management Protocol (SNMP) agent. + +Simple Network Management Protocol is a protocol designed to give a user the capability to remotely manage a computer network by polling and setting terminal values and monitoring network events. + +This policy setting allows you to configure the name of the hosts that receive trap messages for the community sent by the SNMP service. A trap message is an alert or significant event that allows the SNMP agent to notify management systems asynchronously. + +If you enable this policy setting, the SNMP service sends trap messages to the hosts within the "public" community. + +If you disable or do not configure this policy setting, the SNMP service takes the trap configuration configured on the local computer instead. + +> [!NOTE] +> This setting has no effect if the SNMP agent is not installed on the client computer. + +Also, see the other two SNMP settings: "Specify permitted managers" and "Specify Community Name". + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Specify traps for public community* +- GP name: *SNMP_Traps_Public* +- GP path: *Network\SNMP* +- GP ADMX file name: *Snmp.admx* + + + +
+ +Footnotes: + +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. +- 7 - Available in Windows 10, version 1909. +- 8 - Available in Windows 10, version 2004. + + + diff --git a/windows/client-management/mdm/policy-csp-admx-tcpip.md b/windows/client-management/mdm/policy-csp-admx-tcpip.md new file mode 100644 index 0000000000..b43d4d2011 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-tcpip.md @@ -0,0 +1,1011 @@ +--- +title: Policy CSP - ADMX_tcpip +description: Policy CSP - ADMX_tcpip +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 09/23/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_tcpip +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## ADMX_tcpip policies + +
+
+ ADMX_tcpip/6to4_Router_Name +
+
+ ADMX_tcpip/6to4_Router_Name_Resolution_Interval +
+
+ ADMX_tcpip/6to4_State +
+
+ ADMX_tcpip/IPHTTPS_ClientState +
+
+ ADMX_tcpip/IP_Stateless_Autoconfiguration_Limits_State +
+
+ ADMX_tcpip/ISATAP_Router_Name +
+
+ ADMX_tcpip/ISATAP_State +
+
+ ADMX_tcpip/Teredo_Client_Port +
+
+ ADMX_tcpip/Teredo_Default_Qualified +
+
+ ADMX_tcpip/Teredo_Refresh_Rate +
+
+ ADMX_tcpip/Teredo_Server_Name +
+
+ ADMX_tcpip/Teredo_State +
+
+ ADMX_tcpip/Windows_Scaling_Heuristics_State +
+
+ + +
+ + +**ADMX_tcpip/6to4_Router_Name** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to specify a 6to4 relay name for a 6to4 host. A 6to4 relay is used as a default gateway for IPv6 network traffic sent by the 6to4 host. The 6to4 relay name setting has no effect if 6to4 connectivity is not available on the host. + +If you enable this policy setting, you can specify a relay name for a 6to4 host. + +If you disable or do not configure this policy setting, the local host setting is used, and you cannot specify a relay name for a 6to4 host. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Set 6to4 Relay Name* +- GP name: *6to4_Router_Name* +- GP path: *Network\TCPIP Settings\IPv6 Transition Technologies* +- GP ADMX file name: *tcpip.admx* + + + +
+ + +**ADMX_tcpip/6to4_Router_Name_Resolution_Interval** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to specify the interval at which the relay name is resolved. The 6to4 relay name resolution interval setting has no effect if 6to4 connectivity is not available on the host. + +If you enable this policy setting, you can specify the value for the duration at which the relay name is resolved periodically. + +If you disable or do not configure this policy setting, the local host setting is used. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Set 6to4 Relay Name Resolution Interval* +- GP name: *6to4_Router_Name_Resolution_Interval* +- GP path: *Network\TCPIP Settings\IPv6 Transition Technologies* +- GP ADMX file name: *tcpip.admx* + + + +
+ + +**ADMX_tcpip/6to4_State** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to configure 6to4, an address assignment and router-to-router automatic tunneling technology that is used to provide unicast IPv6 connectivity between IPv6 sites and hosts across the IPv4 Internet. 6to4 uses the global address prefix: 2002:WWXX:YYZZ::/48 in which the letters are a hexadecimal representation of the global IPv4 address (w.x.y.z) assigned to a site. + +If you disable or do not configure this policy setting, the local host setting is used. + +If you enable this policy setting, you can configure 6to4 with one of the following settings: + +Policy Default State: 6to4 is turned off and connectivity with 6to4 will not be available. + +Policy Enabled State: If a global IPv4 address is present, the host will have a 6to4 interface. If no global IPv4 address is present, the host will not have a 6to4 interface. + +Policy Disabled State: 6to4 is turned off and connectivity with 6to4 will not be available. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Set 6to4 State* +- GP name: *6to4_State* +- GP path: *Network\TCPIP Settings\IPv6 Transition Technologies* +- GP ADMX file name: *tcpip.admx* + + + +
+ + +**ADMX_tcpip/IPHTTPS_ClientState** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to configure IP-HTTPS, a tunneling technology that uses the HTTPS protocol to provide IP connectivity to a remote network. + +If you disable or do not configure this policy setting, the local host settings are used. + +If you enable this policy setting, you can specify an IP-HTTPS server URL. You will be able to configure IP-HTTPS with one of the following settings: + +Policy Default State: The IP-HTTPS interface is used when there are no other connectivity options. + +Policy Enabled State: The IP-HTTPS interface is always present, even if the host has other connectivity options. + +Policy Disabled State: No IP-HTTPS interfaces are present on the host. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Set IP-HTTPS State* +- GP name: *IPHTTPS_ClientState* +- GP path: *Network\TCPIP Settings\IPv6 Transition Technologies* +- GP ADMX file name: *tcpip.admx* + + + +
+ + +**ADMX_tcpip/IP_Stateless_Autoconfiguration_Limits_State** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to configure IP Stateless Autoconfiguration Limits. + +If you enable or do not configure this policy setting, IP Stateless Autoconfiguration Limits will be enabled and system will limit the number of autoconfigured addresses and routes. + +If you disable this policy setting, IP Stateless Autoconfiguration Limits will be disabled and system will not limit the number of autoconfigured addresses and routes. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Set IP Stateless Autoconfiguration Limits State* +- GP name: *IP_Stateless_Autoconfiguration_Limits_State* +- GP path: *Network\TCPIP Settings\Parameters* +- GP ADMX file name: *tcpip.admx* + + + +
+ + +**ADMX_tcpip/ISATAP_Router_Name** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to specify a router name or Internet Protocol version 4 (IPv4) address for an ISATAP router. + +If you enable this policy setting, you can specify a router name or IPv4 address for an ISATAP router. If you enter an IPv4 address of the ISATAP router in the text box, DNS services are not required. + +If you disable or do not configure this policy setting, the local host setting is used. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Set ISATAP Router Name* +- GP name: *ISATAP_Router_Name* +- GP path: *Network\TCPIP Settings\IPv6 Transition Technologies* +- GP ADMX file name: *tcpip.admx* + + + +
+ + +**ADMX_tcpip/ISATAP_State** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to configure Intra-Site Automatic Tunnel Addressing Protocol (ISATAP), an address-to-router and host-to-host, host-to-router and router-to-host automatic tunneling technology that is used to provide unicast IPv6 connectivity between IPv6 hosts across an IPv4 intranet. + +If you disable or do not configure this policy setting, the local host setting is used. + +If you enable this policy setting, you can configure ISATAP with one of the following settings: + +Policy Default State: No ISATAP interfaces are present on the host. + +Policy Enabled State: If the ISATAP name is resolved successfully, the host will have ISATAP configured with a link-local address and an address for each prefix received from the ISATAP router through stateless address auto-configuration. If the ISATAP name is not resolved successfully, the host will have an ISATAP interface configured with a link-local address. + +Policy Disabled State: No ISATAP interfaces are present on the host. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Set ISATAP State* +- GP name: *ISATAP_State* +- GP path: *Network\TCPIP Settings\IPv6 Transition Technologies* +- GP ADMX file name: *tcpip.admx* + + + +
+ + +**ADMX_tcpip/Teredo_Client_Port** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to select the UDP port the Teredo client will use to send packets. If you leave the default of 0, the operating system will select a port (recommended). If you select a UDP port that is already in use by a system, the Teredo client will fail to initialize. + +If you enable this policy setting, you can customize a UDP port for the Teredo client. + +If you disable or do not configure this policy setting, the local host setting is used. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Set Teredo Client Port* +- GP name: *Teredo_Client_Port* +- GP path: *Network\TCPIP Settings\IPv6 Transition Technologies* +- GP ADMX file name: *tcpip.admx* + + + +
+ + +**ADMX_tcpip/Teredo_Default_Qualified** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to set Teredo to be ready to communicate, a process referred to as qualification. By default, Teredo enters a dormant state when not in use. The qualification process brings it out of a dormant state. + +If you disable or do not configure this policy setting, the local host setting is used. + +This policy setting contains only one state: + +Policy Enabled State: If Default Qualified is enabled, Teredo will attempt qualification immediately and remain qualified if the qualification process succeeds. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Set Teredo Default Qualified* +- GP name: *Teredo_Default_Qualified* +- GP path: *Network\TCPIP Settings\IPv6 Transition Technologies* +- GP ADMX file name: *tcpip.admx* + + + +
+ + +**ADMX_tcpip/Teredo_Refresh_Rate** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to configure the Teredo refresh rate. + +> [!NOTE] +> On a periodic basis (by default, every 30 seconds), Teredo clients send a single Router Solicitation packet to the Teredo server. The Teredo server sends a Router Advertisement Packet in response. This periodic packet refreshes the IP address and UDP port mapping in the translation table of the Teredo client's NAT device. + +If you enable this policy setting, you can specify the refresh rate. If you choose a refresh rate longer than the port mapping in the Teredo client's NAT device, Teredo might stop working or connectivity might be intermittent. + +If you disable or do not configure this policy setting, the refresh rate is configured using the local settings on the computer. The default refresh rate is 30 seconds. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Set Teredo Refresh Rate* +- GP name: *Teredo_Refresh_Rate* +- GP path: *Network\TCPIP Settings\IPv6 Transition Technologies* +- GP ADMX file name: *tcpip.admx* + + + +
+ + +**ADMX_tcpip/Teredo_Server_Name** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to specify the name of the Teredo server. This server name will be used on the Teredo client computer where this policy setting is applied. + +If you enable this policy setting, you can specify a Teredo server name that applies to a Teredo client. + +If you disable or do not configure this policy setting, the local settings on the computer are used to determine the Teredo server name. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Set Teredo Server Name* +- GP name: *Teredo_Server_Name* +- GP path: *Network\TCPIP Settings\IPv6 Transition Technologies* +- GP ADMX file name: *tcpip.admx* + + + +
+ + +**ADMX_tcpip/Teredo_State** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to configure Teredo, an address assignment and automatic tunneling technology that provides unicast IPv6 connectivity across the IPv4 Internet. + +If you disable or do not configure this policy setting, the local host settings are used. + +If you enable this policy setting, you can configure Teredo with one of the following settings: + +Default: The default state is "Client." + +Disabled: No Teredo interfaces are present on the host. + +Client: The Teredo interface is present only when the host is not on a network that includes a domain controller. + +Enterprise Client: The Teredo interface is always present, even if the host is on a network that includes a domain controller. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Set Teredo State* +- GP name: *Teredo_State* +- GP path: *Network\TCPIP Settings\IPv6 Transition Technologies* +- GP ADMX file name: *tcpip.admx* + + + +
+ + +**ADMX_tcpip/Windows_Scaling_Heuristics_State** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to configure Window Scaling Heuristics. Window Scaling Heuristics is an algorithm to identify connectivity and throughput problems caused by many Firewalls and other middle boxes that don't interpret Window Scaling option correctly. + +If you do not configure this policy setting, the local host settings are used. + +If you enable this policy setting, Window Scaling Heuristics will be enabled and system will try to identify connectivity and throughput problems and take appropriate measures. + +If you disable this policy setting, Window Scaling Heuristics will be disabled and system will not try to identify connectivity and throughput problems caused by Firewalls or other middle boxes. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Set Window Scaling Heuristics State* +- GP name: *Windows_Scaling_Heuristics_State* +- GP path: *Network\TCPIP Settings\Parameters* +- GP ADMX file name: *tcpip.admx* + + + +
+ +Footnotes: + +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. +- 7 - Available in Windows 10, version 1909. +- 8 - Available in Windows 10, version 2004. + + + diff --git a/windows/client-management/mdm/policy-csp-admx-thumbnails.md b/windows/client-management/mdm/policy-csp-admx-thumbnails.md new file mode 100644 index 0000000000..69fd52c66e --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-thumbnails.md @@ -0,0 +1,264 @@ +--- +title: Policy CSP - ADMX_Thumbnails +description: Policy CSP - ADMX_Thumbnails +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 09/25/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_Thumbnails +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## ADMX_Thumbnails policies + +
+
+ ADMX_Thumbnails/DisableThumbnails +
+
+ ADMX_Thumbnails/DisableThumbnailsOnNetworkFolders +
+
+ ADMX_Thumbnails/DisableThumbsDBOnNetworkFolders +
+
+ +
+ + +**ADMX_Thumbnails/DisableThumbnails** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to configure how File Explorer displays thumbnail images or icons on the local computer. + +File Explorer displays thumbnail images by default. + +If you enable this policy setting, File Explorer displays only icons and never displays thumbnail images. + +If you disable or do not configure this policy setting, File Explorer displays only thumbnail images. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off the display of thumbnails and only display icons.* +- GP name: *DisableThumbnails* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *Thumbnails.admx* + + + +
+ + +**ADMX_Thumbnails/DisableThumbnailsOnNetworkFolders** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to configure how File Explorer displays thumbnail images or icons on network folders. + +File Explorer displays thumbnail images on network folders by default. + +If you enable this policy setting, File Explorer displays only icons and never displays thumbnail images on network folders. + +If you disable or do not configure this policy setting, File Explorer displays only thumbnail images on network folders. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off the display of thumbnails and only display icons on network folders* +- GP name: *DisableThumbnailsOnNetworkFolders* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *Thumbnails.admx* + + + +
+ + +**ADMX_Thumbnails/DisableThumbsDBOnNetworkFolders** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. Turns off the caching of thumbnails in hidden thumbs.db files. + +This policy setting allows you to configure File Explorer to cache thumbnails of items residing in network folders in hidden thumbs.db files. + +If you enable this policy setting, File Explorer does not create, read from, or write to thumbs.db files. + +If you disable or do not configure this policy setting, File Explorer creates, reads from, and writes to thumbs.db files. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off the caching of thumbnails in hidden thumbs.db files* +- GP name: *DisableThumbsDBOnNetworkFolders* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *Thumbnails.admx* + + + +
+ + +Footnotes: + +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. +- 7 - Available in Windows 10, version 1909. +- 8 - Available in Windows 10, version 2004. + + + diff --git a/windows/client-management/mdm/policy-csp-admx-tpm.md b/windows/client-management/mdm/policy-csp-admx-tpm.md new file mode 100644 index 0000000000..aeec40aa7f --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-tpm.md @@ -0,0 +1,803 @@ +--- +title: Policy CSP - ADMX_TPM +description: Policy CSP - ADMX_TPM +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 09/25/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_TPM +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## ADMX_TPM policies + +
+
+ ADMX_TPM/BlockedCommandsList_Name +
+
+ ADMX_TPM/ClearTPMIfNotReady_Name +
+
+ ADMX_TPM/IgnoreDefaultList_Name +
+
+ ADMX_TPM/IgnoreLocalList_Name +
+
+ ADMX_TPM/OSManagedAuth_Name +
+
+ ADMX_TPM/OptIntoDSHA_Name +
+
+ ADMX_TPM/StandardUserAuthorizationFailureDuration_Name +
+
+ ADMX_TPM/StandardUserAuthorizationFailureIndividualThreshold_Name +
+
+ ADMX_TPM/StandardUserAuthorizationFailureTotalThreshold_Name +
+
+ ADMX_TPM/UseLegacyDAP_Name +
+
+ + +
+ + +**ADMX_TPM/BlockedCommandsList_Name** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to manage the Group Policy list of Trusted Platform Module (TPM) commands blocked by Windows. + +If you enable this policy setting, Windows will block the specified commands from being sent to the TPM on the computer. TPM commands are referenced by a command number. For example, command number 129 is TPM_OwnerReadInternalPub, and command number 170 is TPM_FieldUpgrade. To find the command number associated with each TPM command with TPM 1.2, run "tpm.msc" and navigate to the "Command Management" section. + +If you disable or do not configure this policy setting, only those TPM commands specified through the default or local lists may be blocked by Windows. The default list of blocked TPM commands is pre-configured by Windows. You can view the default list by running "tpm.msc", navigating to the "Command Management" section, and making visible the "On Default Block List" column. The local list of blocked TPM commands is configured outside of Group Policy by running "tpm.msc" or through scripting against the Win32_Tpm interface. See related policy settings to enforce or ignore the default and local lists of blocked TPM commands. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure the list of blocked TPM commands* +- GP name: *BlockedCommandsList_Name* +- GP path: *System\Trusted Platform Module Services* +- GP ADMX file name: *TPM.admx* + + + +
+ + +**ADMX_TPM/ClearTPMIfNotReady_Name** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the system to prompt the user to clear the TPM if the TPM is detected to be in any state other than Ready. This policy will take effect only if the system’s TPM is in a state other than Ready, including if the TPM is “Ready, with reduced functionality”. The prompt to clear the TPM will start occurring after the next reboot, upon user login only if the logged in user is part of the Administrators group for the system. The prompt can be dismissed, but will reappear after every reboot and login until the policy is disabled or until the TPM is in a Ready state. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure the system to clear the TPM if it is not in a ready state.* +- GP name: *ClearTPMIfNotReady_Name* +- GP path: *System\Trusted Platform Module Services* +- GP ADMX file name: *TPM.admx* + + + +
+ + +**ADMX_TPM/IgnoreDefaultList_Name** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to enforce or ignore the computer's default list of blocked Trusted Platform Module (TPM) commands. + +If you enable this policy setting, Windows will ignore the computer's default list of blocked TPM commands and will only block those TPM commands specified by Group Policy or the local list. + +The default list of blocked TPM commands is pre-configured by Windows. You can view the default list by running "tpm.msc", navigating to the "Command Management" section, and making visible the "On Default Block List" column. The local list of blocked TPM commands is configured outside of Group Policy by running "tpm.msc" or through scripting against the Win32_Tpm interface. See the related policy setting to configure the Group Policy list of blocked TPM commands. + +If you disable or do not configure this policy setting, Windows will block the TPM commands in the default list, in addition to commands in the Group Policy and local lists of blocked TPM commands. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Ignore the default list of blocked TPM commands* +- GP name: *IgnoreDefaultList_Name* +- GP path: *System\Trusted Platform Module Services* +- GP ADMX file name: *TPM.admx* + + + +
+ + +**ADMX_TPM/IgnoreLocalList_Name** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to enforce or ignore the computer's local list of blocked Trusted Platform Module (TPM) commands. + +If you enable this policy setting, Windows will ignore the computer's local list of blocked TPM commands and will only block those TPM commands specified by Group Policy or the default list. + +The local list of blocked TPM commands is configured outside of Group Policy by running "tpm.msc" or through scripting against the Win32_Tpm interface. The default list of blocked TPM commands is pre-configured by Windows. See the related policy setting to configure the Group Policy list of blocked TPM commands. + +If you disable or do not configure this policy setting, Windows will block the TPM commands found in the local list, in addition to commands in the Group Policy and default lists of blocked TPM commands. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Ignore the local list of blocked TPM commands* +- GP name: *IgnoreLocalList_Name* +- GP path: *System\Trusted Platform Module Services* +- GP ADMX file name: *TPM.admx* + + + +
+ + +**ADMX_TPM/OSManagedAuth_Name** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures how much of the TPM owner authorization information is stored in the registry of the local computer. Depending on the amount of TPM owner authorization information stored locally, the operating system and TPM-based applications can perform certain TPM actions which require TPM owner authorization without requiring the user to enter the TPM owner password. + +You can choose to have the operating system store either the full TPM owner authorization value, the TPM administrative delegation blob plus the TPM user delegation blob, or none. + +If you enable this policy setting, Windows will store the TPM owner authorization in the registry of the local computer according to the operating system managed TPM authentication setting you choose. + +Choose the operating system managed TPM authentication setting of "Full" to store the full TPM owner authorization, the TPM administrative delegation blob and the TPM user delegation blob in the local registry. This setting allows use of the TPM without requiring remote or external storage of the TPM owner authorization value. This setting is appropriate for scenarios which do not depend on preventing reset of the TPM anti-hammering logic or changing the TPM owner authorization value. Some TPM-based applications may require this setting be changed before features which depend on the TPM anti-hammering logic can be used. + +Choose the operating system managed TPM authentication setting of "Delegated" to store only the TPM administrative delegation blob and the TPM user delegation blob in the local registry. This setting is appropriate for use with TPM-based applications that depend on the TPM anti-hammering logic. + +Choose the operating system managed TPM authentication setting of "None" for compatibility with previous operating systems and applications or for use with scenarios that require TPM owner authorization not be stored locally. Using this setting might cause issues with some TPM-based applications. + +> [!NOTE] +> If the operating system managed TPM authentication setting is changed from "Full" to "Delegated", the full TPM owner authorization value will be regenerated and any copies of the original TPM owner authorization value will be invalid. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure the level of TPM owner authorization information available to the operating system* +- GP name: *OSManagedAuth_Name* +- GP path: *System\Trusted Platform Module Services* +- GP ADMX file name: *TPM.admx* + + + +
+ + +**ADMX_TPM/OptIntoDSHA_Name** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This group policy enables Device Health Attestation reporting (DHA-report) on supported devices. It enables supported devices to send Device Health Attestation related information (device boot logs, PCR values, TPM certificate, etc.) to Device Health Attestation Service (DHA-Service) every time a device starts. Device Health Attestation Service validates the security state and health of the devices, and makes the findings accessible to enterprise administrators via a cloud based reporting portal. This policy is independent of DHA reports that are initiated by device manageability solutions (like MDM or SCCM), and will not interfere with their workflows. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Enable Device Health Attestation Monitoring and Reporting* +- GP name: *OptIntoDSHA_Name* +- GP path: *System\Device Health Attestation Service* +- GP ADMX file name: *TPM.admx* + + + +
+ + +**ADMX_TPM/StandardUserAuthorizationFailureDuration_Name** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to manage the duration in minutes for counting standard user authorization failures for Trusted Platform Module (TPM) commands requiring authorization. If the number of TPM commands with an authorization failure within the duration equals a threshold, a standard user is prevented from sending commands requiring authorization to the TPM. + +This setting helps administrators prevent the TPM hardware from entering a lockout mode because it slows the speed standard users can send commands requiring authorization to the TPM. + +An authorization failure occurs each time a standard user sends a command to the TPM and receives an error response indicating an authorization failure occurred. Authorization failures older than this duration are ignored. + +For each standard user two thresholds apply. Exceeding either threshold will prevent the standard user from sending a command to the TPM that requires authorization. + +The Standard User Lockout Threshold Individual value is the maximum number of authorization failures each standard user may have before the user is not allowed to send commands requiring authorization to the TPM. + +The Standard User Lockout Total Threshold value is the maximum total number of authorization failures all standard users may have before all standard users are not allowed to send commands requiring authorization to the TPM. + +The TPM is designed to protect itself against password guessing attacks by entering a hardware lockout mode when it receives too many commands with an incorrect authorization value. When the TPM enters a lockout mode it is global for all users including administrators and Windows features like BitLocker Drive Encryption. The number of authorization failures a TPM allows and how long it stays locked out vary by TPM manufacturer. Some TPMs may enter lockout mode for successively longer periods of time with fewer authorization failures depending on past failures. Some TPMs may require a system restart to exit the lockout mode. Other TPMs may require the system to be on so enough clock cycles elapse before the TPM exits the lockout mode. + +An administrator with the TPM owner password may fully reset the TPM's hardware lockout logic using the TPM Management Console (tpm.msc). Each time an administrator resets the TPM's hardware lockout logic all prior standard user TPM authorization failures are ignored; allowing standard users to use the TPM normally again immediately. + +If this value is not configured, a default value of 480 minutes (8 hours) is used. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Standard User Lockout Duration* +- GP name: *StandardUserAuthorizationFailureDuration_Name* +- GP path: *System\Trusted Platform Module Services* +- GP ADMX file name: *TPM.admx* + + + +
+ + +**ADMX_TPM/StandardUserAuthorizationFailureIndividualThreshold_Name** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to manage the maximum number of authorization failures for each standard user for the Trusted Platform Module (TPM). If the number of authorization failures for the user within the duration for Standard User Lockout Duration equals this value, the standard user is prevented from sending commands to the Trusted Platform Module (TPM) that require authorization. + +This setting helps administrators prevent the TPM hardware from entering a lockout mode because it slows the speed standard users can send commands requiring authorization to the TPM. + +An authorization failure occurs each time a standard user sends a command to the TPM and receives an error response indicating an authorization failure occurred. Authorization failures older than the duration are ignored. + +For each standard user two thresholds apply. Exceeding either threshold will prevent the standard user from sending a command to the TPM that requires authorization. + +This value is the maximum number of authorization failures each standard user may have before the user is not allowed to send commands requiring authorization to the TPM. + +The Standard User Lockout Total Threshold value is the maximum total number of authorization failures all standard users may have before all standard users are not allowed to send commands requiring authorization to the TPM. + +The TPM is designed to protect itself against password guessing attacks by entering a hardware lockout mode when it receives too many commands with an incorrect authorization value. When the TPM enters a lockout mode it is global for all users including administrators and Windows features like BitLocker Drive Encryption. The number of authorization failures a TPM allows and how long it stays locked out vary by TPM manufacturer. Some TPMs may enter lockout mode for successively longer periods of time with fewer authorization failures depending on past failures. Some TPMs may require a system restart to exit the lockout mode. Other TPMs may require the system to be on so enough clock cycles elapse before the TPM exits the lockout mode. + +An administrator with the TPM owner password may fully reset the TPM's hardware lockout logic using the TPM Management Console (tpm.msc). Each time an administrator resets the TPM's hardware lockout logic all prior standard user TPM authorization failures are ignored; allowing standard users to use the TPM normally again immediately. + +If this value is not configured, a default value of 4 is used. + +A value of zero means the OS will not allow standard users to send commands to the TPM which may cause an authorization failure. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Standard User Individual Lockout Threshold* +- GP name: *StandardUserAuthorizationFailureIndividualThreshold_Name* +- GP path: *System\Trusted Platform Module Services* +- GP ADMX file name: *TPM.admx* + + + +
+ + +**ADMX_TPM/StandardUserAuthorizationFailureTotalThreshold_Name** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to manage the maximum number of authorization failures for all standard users for the Trusted Platform Module (TPM). If the total number of authorization failures for all standard users within the duration for Standard User Lockout Duration equals this value, all standard users are prevented from sending commands to the Trusted Platform Module (TPM) that require authorization. + +This setting helps administrators prevent the TPM hardware from entering a lockout mode because it slows the speed standard users can send commands requiring authorization to the TPM. + +An authorization failure occurs each time a standard user sends a command to the TPM and receives an error response indicating an authorization failure occurred. Authorization failures older than the duration are ignored. + +For each standard user two thresholds apply. Exceeding either threshold will prevent the standard user from sending a command to the TPM that requires authorization. + +The Standard User Individual Lockout value is the maximum number of authorization failures each standard user may have before the user is not allowed to send commands requiring authorization to the TPM. + +This value is the maximum total number of authorization failures all standard users may have before all standard users are not allowed to send commands requiring authorization to the TPM. + +The TPM is designed to protect itself against password guessing attacks by entering a hardware lockout mode when it receives too many commands with an incorrect authorization value. When the TPM enters a lockout mode it is global for all users including administrators and Windows features like BitLocker Drive Encryption. The number of authorization failures a TPM allows and how long it stays locked out vary by TPM manufacturer. Some TPMs may enter lockout mode for successively longer periods of time with fewer authorization failures depending on past failures. Some TPMs may require a system restart to exit the lockout mode. Other TPMs may require the system to be on so enough clock cycles elapse before the TPM exits the lockout mode. + +An administrator with the TPM owner password may fully reset the TPM's hardware lockout logic using the TPM Management Console (tpm.msc). Each time an administrator resets the TPM's hardware lockout logic all prior standard user TPM authorization failures are ignored; allowing standard users to use the TPM normally again immediately. + +If this value is not configured, a default value of 9 is used. + +A value of zero means the OS will not allow standard users to send commands to the TPM which may cause an authorization failure. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Standard User Total Lockout Threshold* +- GP name: *StandardUserAuthorizationFailureTotalThreshold_Name* +- GP path: *System\Trusted Platform Module Services* +- GP ADMX file name: *TPM.admx* + + + +
+ + +**ADMX_TPM/UseLegacyDAP_Name** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the TPM to use the Dictionary Attack Prevention Parameters (lockout threshold and recovery time) to the values that were used for Windows 10 Version 1607 and below. Setting this policy will take effect only if a) the TPM was originally prepared using a version of Windows after Windows 10 Version 1607 and b) the System has a TPM 2.0. Note that enabling this policy will only take effect after the TPM maintenance task runs (which typically happens after a system restart). Once this policy has been enabled on a system and has taken effect (after a system restart), disabling it will have no impact and the system's TPM will remain configured using the legacy Dictionary Attack Prevention parameters, regardless of the value of this group policy. The only way for the disabled setting of this policy to take effect on a system where it was once enabled is to a) disable it from group policy and b)clear the TPM on the system. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure the system to use legacy Dictionary Attack Prevention Parameters setting for TPM 2.0.* +- GP name: *UseLegacyDAP_Name* +- GP path: *System\Trusted Platform Module Services* +- GP ADMX file name: *TPM.admx* + + + +
+ +Footnotes: + +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. +- 7 - Available in Windows 10, version 1909. +- 8 - Available in Windows 10, version 2004. + + + diff --git a/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md b/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md new file mode 100644 index 0000000000..d967a2db8e --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md @@ -0,0 +1,9476 @@ +--- +title: Policy CSP - ADMX_UserExperienceVirtualization +description: Policy CSP - ADMX_UserExperienceVirtualization +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 09/30/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_UserExperienceVirtualization +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## ADMX_UserExperienceVirtualization policies + +
+
+ ADMX_UserExperienceVirtualization/Calculator +
+
+ ADMX_UserExperienceVirtualization/ConfigureSyncMethod +
+
+ ADMX_UserExperienceVirtualization/ConfigureVdi +
+
+ ADMX_UserExperienceVirtualization/ContactITDescription +
+
+ ADMX_UserExperienceVirtualization/ContactITUrl +
+
+ ADMX_UserExperienceVirtualization/DisableWin8Sync +
+
+ ADMX_UserExperienceVirtualization/DisableWindowsOSSettings +
+
+ ADMX_UserExperienceVirtualization/EnableUEV +
+
+ ADMX_UserExperienceVirtualization/Finance +
+
+ ADMX_UserExperienceVirtualization/FirstUseNotificationEnabled +
+
+ ADMX_UserExperienceVirtualization/Games +
+
+ ADMX_UserExperienceVirtualization/InternetExplorer8 +
+
+ ADMX_UserExperienceVirtualization/InternetExplorer9 +
+
+ ADMX_UserExperienceVirtualization/InternetExplorer10 +
+
+ ADMX_UserExperienceVirtualization/InternetExplorer11 +
+
+ ADMX_UserExperienceVirtualization/InternetExplorerCommon +
+
+ ADMX_UserExperienceVirtualization/Maps +
+
+ ADMX_UserExperienceVirtualization/MaxPackageSizeInBytes +
+
+ ADMX_UserExperienceVirtualization/MicrosoftOffice2010Access +
+
+ ADMX_UserExperienceVirtualization/MicrosoftOffice2010Common +
+
+ ADMX_UserExperienceVirtualization/MicrosoftOffice2010Excel +
+
+ ADMX_UserExperienceVirtualization/MicrosoftOffice2010InfoPath +
+
+ ADMX_UserExperienceVirtualization/MicrosoftOffice2010Lync +
+
+ ADMX_UserExperienceVirtualization/MicrosoftOffice2010OneNote +
+
+ ADMX_UserExperienceVirtualization/MicrosoftOffice2010Outlook +
+
+ ADMX_UserExperienceVirtualization/MicrosoftOffice2010PowerPoint +
+
+ ADMX_UserExperienceVirtualization/MicrosoftOffice2010Project +
+
+ ADMX_UserExperienceVirtualization/MicrosoftOffice2010Publisher +
+
+ ADMX_UserExperienceVirtualization/MicrosoftOffice2010SharePointDesigner +
+
+ ADMX_UserExperienceVirtualization/MicrosoftOffice2010SharePointWorkspace +
+
+ ADMX_UserExperienceVirtualization/MicrosoftOffice2010Visio +
+
+ ADMX_UserExperienceVirtualization/MicrosoftOffice2010Word +
+
+ ADMX_UserExperienceVirtualization/MicrosoftOffice2013Access +
+
+ ADMX_UserExperienceVirtualization/MicrosoftOffice2013AccessBackup +
+
+ ADMX_UserExperienceVirtualization/MicrosoftOffice2013Common +
+
+ ADMX_UserExperienceVirtualization/MicrosoftOffice2013CommonBackup +
+
+ ADMX_UserExperienceVirtualization/MicrosoftOffice2013Excel +
+
+ ADMX_UserExperienceVirtualization/MicrosoftOffice2013ExcelBackup +
+
+ ADMX_UserExperienceVirtualization/MicrosoftOffice2013InfoPath +
+
+ ADMX_UserExperienceVirtualization/MicrosoftOffice2013InfoPathBackup +
+
+ ADMX_UserExperienceVirtualization/MicrosoftOffice2013Lync +
+
+ ADMX_UserExperienceVirtualization/MicrosoftOffice2013LyncBackup +
+
+ ADMX_UserExperienceVirtualization/MicrosoftOffice2013OneDriveForBusiness +
+
+ ADMX_UserExperienceVirtualization/MicrosoftOffice2013OneNote +
+
+ ADMX_UserExperienceVirtualization/MicrosoftOffice2013OneNoteBackup +
+
+ ADMX_UserExperienceVirtualization/MicrosoftOffice2013Outlook +
+
+ ADMX_UserExperienceVirtualization/MicrosoftOffice2013OutlookBackup +
+
+ ADMX_UserExperienceVirtualization/MicrosoftOffice2013PowerPoint +
+
+ ADMX_UserExperienceVirtualization/MicrosoftOffice2013PowerPointBackup +
+
+ ADMX_UserExperienceVirtualization/MicrosoftOffice2013Project +
+
+ ADMX_UserExperienceVirtualization/MicrosoftOffice2013ProjectBackup +
+
+ ADMX_UserExperienceVirtualization/MicrosoftOffice2013Publisher +
+
+ ADMX_UserExperienceVirtualization/MicrosoftOffice2013PublisherBackup +
+
+ ADMX_UserExperienceVirtualization/MicrosoftOffice2013SharePointDesigner +
+
+ ADMX_UserExperienceVirtualization/MicrosoftOffice2013SharePointDesignerBackup +
+
+ ADMX_UserExperienceVirtualization/MicrosoftOffice2013UploadCenter +
+
+ ADMX_UserExperienceVirtualization/MicrosoftOffice2013Visio +
+
+ ADMX_UserExperienceVirtualization/MicrosoftOffice2013VisioBackup +
+
+ ADMX_UserExperienceVirtualization/MicrosoftOffice2013Word +
+
+ ADMX_UserExperienceVirtualization/MicrosoftOffice2013WordBackup +
+
+ ADMX_UserExperienceVirtualization/MicrosoftOffice2016Access +
+
+ ADMX_UserExperienceVirtualization/MicrosoftOffice2016AccessBackup +
+
+ ADMX_UserExperienceVirtualization/MicrosoftOffice2016Common +
+
+ ADMX_UserExperienceVirtualization/MicrosoftOffice2016CommonBackup +
+
+ ADMX_UserExperienceVirtualization/MicrosoftOffice2016Excel +
+
+ ADMX_UserExperienceVirtualization/MicrosoftOffice2016ExcelBackup +
+
+ ADMX_UserExperienceVirtualization/MicrosoftOffice2016Lync +
+
+ ADMX_UserExperienceVirtualization/MicrosoftOffice2016LyncBackup +
+
+ ADMX_UserExperienceVirtualization/MicrosoftOffice2016OneDriveForBusiness +
+
+ ADMX_UserExperienceVirtualization/MicrosoftOffice2016OneNote +
+
+ ADMX_UserExperienceVirtualization/MicrosoftOffice2016OneNoteBackup +
+
+ ADMX_UserExperienceVirtualization/MicrosoftOffice2016Outlook +
+
+ ADMX_UserExperienceVirtualization/MicrosoftOffice2016OutlookBackup +
+
+ ADMX_UserExperienceVirtualization/MicrosoftOffice2016PowerPoint +
+
+ ADMX_UserExperienceVirtualization/MicrosoftOffice2016PowerPointBackup +
+
+ ADMX_UserExperienceVirtualization/MicrosoftOffice2016Project +
+
+ ADMX_UserExperienceVirtualization/MicrosoftOffice2016ProjectBackup +
+
+ ADMX_UserExperienceVirtualization/MicrosoftOffice2016Publisher +
+
+ ADMX_UserExperienceVirtualization/MicrosoftOffice2016PublisherBackup +
+
+ ADMX_UserExperienceVirtualization/MicrosoftOffice2016UploadCenter +
+
+ ADMX_UserExperienceVirtualization/MicrosoftOffice2016Visio +
+
+ ADMX_UserExperienceVirtualization/MicrosoftOffice2016VisioBackup +
+
+ ADMX_UserExperienceVirtualization/MicrosoftOffice2016Word +
+
+ ADMX_UserExperienceVirtualization/MicrosoftOffice2016WordBackup +
+
+ ADMX_UserExperienceVirtualization/MicrosoftOffice365Access2013 +
+
+ ADMX_UserExperienceVirtualization/MicrosoftOffice365Access2016 +
+
+ ADMX_UserExperienceVirtualization/MicrosoftOffice365Common2013 +
+
+ ADMX_UserExperienceVirtualization/MicrosoftOffice365Common2016 +
+
+ ADMX_UserExperienceVirtualization/MicrosoftOffice365Excel2013 +
+
+ ADMX_UserExperienceVirtualization/MicrosoftOffice365Excel2016 +
+
+ ADMX_UserExperienceVirtualization/MicrosoftOffice365InfoPath2013 +
+
+ ADMX_UserExperienceVirtualization/MicrosoftOffice365Lync2013 +
+
+ ADMX_UserExperienceVirtualization/MicrosoftOffice365Lync2016 +
+
+ ADMX_UserExperienceVirtualization/MicrosoftOffice365OneNote2013 +
+
+ ADMX_UserExperienceVirtualization/MicrosoftOffice365OneNote2016 +
+
+ ADMX_UserExperienceVirtualization/MicrosoftOffice365Outlook2013 +
+
+ ADMX_UserExperienceVirtualization/MicrosoftOffice365Outlook2016 +
+
+ ADMX_UserExperienceVirtualization/MicrosoftOffice365PowerPoint2013 +
+
+ ADMX_UserExperienceVirtualization/MicrosoftOffice365PowerPoint2016 +
+
+ ADMX_UserExperienceVirtualization/MicrosoftOffice365Project2013 +
+
+ ADMX_UserExperienceVirtualization/MicrosoftOffice365Project2016 +
+
+ ADMX_UserExperienceVirtualization/MicrosoftOffice365Publisher2013 +
+
+ ADMX_UserExperienceVirtualization/MicrosoftOffice365Publisher2016 +
+
+ ADMX_UserExperienceVirtualization/MicrosoftOffice365SharePointDesigner2013 +
+
+ ADMX_UserExperienceVirtualization/MicrosoftOffice365Visio2013 +
+
+ ADMX_UserExperienceVirtualization/MicrosoftOffice365Visio2016 +
+
+ ADMX_UserExperienceVirtualization/MicrosoftOffice365Word2013 +
+
+ ADMX_UserExperienceVirtualization/MicrosoftOffice365Word2016 +
+
+ ADMX_UserExperienceVirtualization/Music +
+
+ ADMX_UserExperienceVirtualization/News +
+
+ ADMX_UserExperienceVirtualization/Notepad +
+
+ ADMX_UserExperienceVirtualization/Reader +
+
+ ADMX_UserExperienceVirtualization/RepositoryTimeout +
+
+ ADMX_UserExperienceVirtualization/SettingsStoragePath +
+
+ ADMX_UserExperienceVirtualization/SettingsTemplateCatalogPath +
+
+ ADMX_UserExperienceVirtualization/Sports +
+
+ ADMX_UserExperienceVirtualization/SyncEnabled +
+
+ ADMX_UserExperienceVirtualization/SyncOverMeteredNetwork +
+
+ ADMX_UserExperienceVirtualization/SyncOverMeteredNetworkWhenRoaming +
+
+ ADMX_UserExperienceVirtualization/SyncProviderPingEnabled +
+
+ ADMX_UserExperienceVirtualization/SyncUnlistedWindows8Apps +
+
+ ADMX_UserExperienceVirtualization/Travel +
+
+ ADMX_UserExperienceVirtualization/TrayIconEnabled +
+
+ ADMX_UserExperienceVirtualization/Video +
+
+ ADMX_UserExperienceVirtualization/Weather +
+
+ ADMX_UserExperienceVirtualization/Wordpad +
+
+ + +
+ + +**ADMX_UserExperienceVirtualization/Calculator** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings of Calculator. + +By default, the user settings of Calculator synchronize between computers. Use the policy setting to prevent the user settings of Calculator from synchronization between computers. + +If you enable this policy setting, the Calculator user settings continue to synchronize. + +If you disable this policy setting, Calculator user settings are excluded from the synchronization settings. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Calculator* +- GP name: *Calculator* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/ConfigureSyncMethod** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the sync provider used by User Experience Virtualization (UE-V) to sync settings between users’ computers. + +With Sync Method set to ”SyncProvider,” the UE-V Agent uses a built-in sync provider to keep user settings synchronized between the computer and the settings storage location. This is the default value. You can disable the sync provider on computers that never go offline and are always connected to the settings storage location. + +When SyncMethod is set to “None,” the UE-V Agent uses no sync provider. Settings are written directly to the settings storage location rather than being cached to sync later. + +Set SyncMethod to “External” when an external synchronization engine is being deployed for settings sync. This could use OneDrive, Work Folders, SharePoint or any other engine that uses a local folder to synchronize data between users’ computers. In this mode, UE-V writes settings data to the local folder specified in the settings storage path. + +These settings are then synchronized to other computers by an external synchronization engine. UE-V has no control over this synchronization. It only reads and writes the settings data when the normal UE-V triggers take place. +With notifications enabled, UE-V users receive a message when the settings sync is delayed. The notification delay policy setting defines the delay before a notification appears. + +If you disable this policy setting, the sync provider is used to synchronize settings between computers and the settings storage location. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure Sync Method* +- GP name: *ConfigureSyncMethod* +- GP path: *Windows Components\Microsoft User Experience Virtualization* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/ConfigureVdi** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of User Experience Virtualization (UE-V) rollback information for computers running in a non-persistent, pooled VDI environment. + +UE-V settings rollback data and checkpoints are normally stored only on the local computer. With this policy setting enabled, the rollback information is copied to the settings storage location when the user logs off or shuts down their VDI session. + +Enable this setting to register a VDI-specific settings location template and restore data on computers in pooled VDI environments that reset to a clean state on logout. With this policy enabled you can roll settings back to the state when UE-V was installed or to “last-known-good” configurations. Only enable this policy setting on computers running in a non-persistent VDI environment. The VDI Collection Name defines the name of the virtual desktop collection containing the virtual computers. + +If you enable this policy setting, the UE-V rollback state is copied to the settings storage location on logout and restored on login. + +If you disable this policy setting, no UE-V rollback state is copied to the settings storage location. + +If you do not configure this policy, no UE-V rollback state is copied to the settings storage location. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *VDI Configuration* +- GP name: *ConfigureVdi* +- GP path: *Windows Components\Microsoft User Experience Virtualization* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/ContactITDescription** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the text of the Contact IT URL hyperlink in the Company Settings Center. + +If you enable this policy setting, the Company Settings Center displays the specified text in the link to the Contact IT URL. + +If you disable this policy setting, the Company Settings Center does not display an IT Contact link. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Contact IT Link Text* +- GP name: *ContactITDescription* +- GP path: *Windows Components\Microsoft User Experience Virtualization* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/ContactITUrl** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the URL for the Contact IT link in the Company Settings Center. + +If you enable this policy setting, the Company Settings Center Contact IT text links to the specified URL. The link can be of any standard protocol such as http or mailto. + +If you disable this policy setting, the Company Settings Center does not display an IT Contact link. + +If you do not configure this policy setting, any defined values will be deleted. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Contact IT URL* +- GP name: *ContactITUrl* +- GP path: *Windows Components\Microsoft User Experience Virtualization* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/DisableWin8Sync** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting defines whether the User Experience Virtualization (UE-V) Agent synchronizes settings for Windows apps. + +By default, the UE-V Agent synchronizes settings for Windows apps between the computer and the settings storage location. + +If you enable this policy setting, the UE-V Agent will not synchronize settings for Windows apps. + +If you disable this policy setting, the UE-V Agent will synchronize settings for Windows apps. + +If you do not configure this policy setting, any defined values are deleted. + +> [!NOTE] +> If the user connects their Microsoft account for their computer then the UE-V Agent will not synchronize Windows apps. The Windows apps will default to whatever settings are configured in the Sync your settings configuration in Windows. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not synchronize Windows Apps* +- GP name: *DisableWin8Sync* +- GP path: *Windows Components\Microsoft User Experience Virtualization* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/DisableWindowsOSSettings** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of Windows settings between computers. Certain Windows settings will synchronize between computers by default. These settings include Windows themes, Windows desktop settings, Ease of Access settings, and network printers. Use this policy setting to specify which Windows settings synchronize between computers. You can also use these settings to enable synchronization of users' sign-in information for certain apps, networks, and certificates. + +If you enable this policy setting, only the selected Windows settings synchronize. Unselected Windows settings are excluded from settings synchronization. + +If you disable this policy setting, all Windows Settings are excluded from the settings synchronization. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Synchronize Windows settings* +- GP name: *DisableWindowsOSSettings* +- GP path: *Windows Components\Microsoft User Experience Virtualization* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/EnableUEV** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to enable or disable User Experience Virtualization (UE-V) feature. + +Reboot is needed for enable to take effect. With Auto-register inbox templates enabled, the UE-V inbox templates such as Office 2016 will be automatically registered when the UE-V Service is enabled. If this option is changed, it will only take effect when UE-V service is re-enabled. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Enable UEV* +- GP name: *EnableUEV* +- GP path: *Windows Components\Microsoft User Experience Virtualization* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/Finance** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for the Finance app. By default, the user settings of Finance sync between computers. Use the policy setting to prevent the user settings of Finance from synchronizing between computers. + +If you enable this policy setting, Finance user settings continue to sync. + +If you disable this policy setting, Finance user settings are excluded from synchronization. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Finance* +- GP name: *Finance* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Windows Apps* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/FirstUseNotificationEnabled** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting enables a notification in the system tray that appears when the User Experience Virtualization (UE-V) Agent runs for the first time. By default, a notification informs users that Company Settings Center, the user-facing name for the UE-V Agent, now helps to synchronize settings between their work computers. + +With this setting enabled, the notification appears the first time that the UE-V Agent runs. + +With this setting disabled, no notification appears. + +If you do not configure this policy setting, any defined values are deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *First Use Notification* +- GP name: *FirstUseNotificationEnabled* +- GP path: *Windows Components\Microsoft User Experience Virtualization* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/Games** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for the Games app. By default, the user settings of Games sync between computers. Use the policy setting to prevent the user settings of Games from synchronizing between computers. + +If you enable this policy setting, Games user settings continue to sync. + +If you disable this policy setting, Games user settings are excluded from synchronization. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Games* +- GP name: *Games* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Windows Apps* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/InternetExplorer8** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Internet Explorer 8. + +By default, the user settings of Internet Explorer 8 synchronize between computers. Use the policy setting to prevent the user settings for Internet Explorer 8 from synchronization between computers. + +If you enable this policy setting, the Internet Explorer 8 user settings continue to synchronize. + +If you disable this policy setting, Internet Explorer 8 user settings are excluded from the synchronization settings. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Internet Explorer 8* +- GP name: *InternetExplorer8* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/InternetExplorer9** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Internet Explorer 9. By default, the user settings of Internet Explorer 9 synchronize between computers. Use the policy setting to prevent the user settings for Internet Explorer 9 from synchronization between computers. + +If you enable this policy setting, the Internet Explorer 9 user settings continue to synchronize. + +If you disable this policy setting, Internet Explorer 9 user settings are excluded from the synchronization settings. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Internet Explorer 9* +- GP name: *InternetExplorer9* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/InternetExplorer10** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings of Internet Explorer 10. By default, the user settings of Internet Explorer 10 synchronize between computers. Use the policy setting to prevent the user settings for Internet Explorer 10 from synchronization between computers. + +If you enable this policy setting, the Internet Explorer 10 user settings continue to synchronize. + +If you disable this policy setting, Internet Explorer 10 user settings are excluded from the synchronization settings. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Internet Explorer 10* +- GP name: *InternetExplorer10* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/InternetExplorer11** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings of Internet Explorer 11. By default, the user settings of Internet Explorer 11 synchronize between computers. Use the policy setting to prevent the user settings for Internet Explorer 11 from synchronization between computers. + +If you enable this policy setting, the Internet Explorer 11 user settings continue to synchronize. + +If you disable this policy setting, Internet Explorer 11 user settings are excluded from the synchronization settings. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Internet Explorer 11* +- GP name: *InternetExplorer11* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/InternetExplorerCommon** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings which are common between the versions of Internet Explorer. +By default, the user settings which are common between the versions of Internet Explorer synchronize between computers. Use the policy setting to prevent the user settings of Internet Explorer from synchronization between computers. + +If you enable this policy setting, the user settings which are common between the versions of Internet Explorer continue to synchronize. + +If you disable this policy setting, the user settings which are common between the versions of Internet Explorer are excluded from settings synchronization. If any version of the Internet Explorer settings are enabled this policy setting should not be disabled. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Internet Explorer Common Settings* +- GP name: *InternetExplorerCommon* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + + + +**ADMX_UserExperienceVirtualization/Maps** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for the Maps app. By default, the user settings of Maps sync between computers. Use the policy setting to prevent the user settings of Maps from synchronizing between computers. + +If you enable this policy setting, Maps user settings continue to sync. + +If you disable this policy setting, Maps user settings are excluded from synchronization. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Maps* +- GP name: *Maps* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Windows Apps* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/MaxPackageSizeInBytes** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to configure the UE-V Agent to write a warning event to the event log when a settings package file size reaches a defined threshold. By default the UE-V Agent does not report information about package file size. + +If you enable this policy setting, specify the threshold file size in bytes. When the settings package file exceeds this threshold the UE-V Agent will write a warning event to the event log. + +If you disable or do not configure this policy setting, no event is written to the event log to report settings package size. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Settings package size warning threshold* +- GP name: *MaxPackageSizeInBytes* +- GP path: *Windows Components\Microsoft User Experience Virtualization* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/MicrosoftOffice2010Access** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Access 2010. By default, the user settings of Microsoft Access 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Access 2010 from synchronization between computers. + +If you enable this policy setting, Microsoft Access 2010 user settings continue to synchronize. + +If you disable this policy setting, Microsoft Access 2010 user settings are excluded from the synchronization settings. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Microsoft Access 2010* +- GP name: *MicrosoftOffice2010Access* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/MicrosoftOffice2010Common** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2010 applications. By default, the user settings which are common between the Microsoft Office Suite 2010 applications synchronize between computers. Use the policy setting to prevent the user settings which are common between the Microsoft Office Suite 2010 applications from synchronization between computers. + +If you enable this policy setting, the user settings which are common between the Microsoft Office Suite 2010 applications continue to synchronize. + +If you disable this policy setting, the user settings which are common between the Microsoft Office Suite 2010 applications are excluded from the synchronization settings. If any of the Microsoft Office Suite 2010 applications are enabled, this policy setting should not be disabled + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Microsoft Office 2010 Common Settings* +- GP name: *MicrosoftOffice2010Common* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/MicrosoftOffice2010Excel** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Excel 2010. By default, the user settings of Microsoft Excel 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Excel 2010 from synchronization between computers. + +If you enable this policy setting, Microsoft Excel 2010 user settings continue to synchronize. + +If you disable this policy setting, Microsoft Excel 2010 user settings are excluded from the synchronization settings. + +If you do not configure this policy setting, any defined values will be deleted. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Microsoft Excel 2010* +- GP name: *MicrosoftOffice2010Excel* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/MicrosoftOffice2010InfoPath** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft InfoPath 2010. By default, the user settings of Microsoft InfoPath 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft InfoPath 2010 from synchronization between computers. + +If you enable this policy setting, Microsoft InfoPath 2010 user settings continue to synchronize. + +If you disable this policy setting, Microsoft InfoPath 2010 user settings are excluded from the synchronization settings. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Microsoft InfoPath 2010* +- GP name: *MicrosoftOffice2010InfoPath* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/MicrosoftOffice2010Lync** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Lync 2010. By default, the user settings of Microsoft Lync 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Lync 2010 from synchronization between computers. + +If you enable this policy setting, Microsoft Lync 2010 user settings continue to synchronize. + +If you disable this policy setting, Microsoft Lync 2010 user settings are excluded from the synchronization settings. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Microsoft Lync 2010* +- GP name: *MicrosoftOffice2010Lync* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/MicrosoftOffice2010OneNote** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft OneNote 2010. By default, the user settings of Microsoft OneNote 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft OneNote 2010 from synchronization between computers. + +If you enable this policy setting, Microsoft OneNote 2010 user settings continue to synchronize. + +If you disable this policy setting, Microsoft OneNote 2010 user settings are excluded from the synchronization settings. + +If you do not configure this policy setting, any defined values will be deleted. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Microsoft OneNote 2010* +- GP name: *MicrosoftOffice2010OneNote* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/MicrosoftOffice2010Outlook** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Outlook 2010. By default, the user settings of Microsoft Outlook 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Outlook 2010 from synchronization between computers. + +If you enable this policy setting, Microsoft Outlook 2010 user settings continue to synchronize. + +If you disable this policy setting, Microsoft Outlook 2010 user settings are excluded from the synchronization settings. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Microsoft Outlook 2010* +- GP name: *MicrosoftOffice2010Outlook* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/MicrosoftOffice2010PowerPoint** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft PowerPoint 2010. By default, the user settings of Microsoft PowerPoint 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft PowerPoint 2010 from synchronization between computers. + +If you enable this policy setting, Microsoft PowerPoint 2010 user settings continue to synchronize. + +If you disable this policy setting, Microsoft PowerPoint 2010 user settings are excluded from the synchronization settings. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Microsoft PowerPoint 2010* +- GP name: *MicrosoftOffice2010PowerPoint* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/MicrosoftOffice2010Project** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Project 2010. By default, the user settings of Microsoft Project 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Project 2010 from synchronization between computers. + +If you enable this policy setting, Microsoft Project 2010 user settings continue to synchronize. + +If you disable this policy setting, Microsoft Project 2010 user settings are excluded from the synchronization settings. + +If you do not configure this policy setting, any defined values will be deleted. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Microsoft Project 2010* +- GP name: *MicrosoftOffice2010Project* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/MicrosoftOffice2010Publisher** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Publisher 2010. By default, the user settings of Microsoft Publisher 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Publisher 2010 from synchronization between computers. + +If you enable this policy setting, Microsoft Publisher 2010 user settings continue to synchronize. + +If you disable this policy setting, Microsoft Publisher 2010 user settings are excluded from the synchronization settings. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Microsoft Publisher 2010* +- GP name: *MicrosoftOffice2010Publisher* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/MicrosoftOffice2010SharePointDesigner** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft SharePoint Designer 2010. By default, the user settings of Microsoft SharePoint Designer 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft SharePoint Designer 2010 from synchronization between computers. + +If you enable this policy setting, Microsoft SharePoint Designer 2010 user settings continue to synchronize. + +If you disable this policy setting, Microsoft SharePoint Designer 2010 user settings are excluded from the synchronization settings. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Microsoft SharePoint Designer 2010* +- GP name: *MicrosoftOffice2010SharePointDesigner* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/MicrosoftOffice2010SharePointWorkspace** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft SharePoint Workspace 2010. By default, the user settings of Microsoft SharePoint Workspace 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft SharePoint Workspace 2010 from synchronization between computers. + +If you enable this policy setting, Microsoft SharePoint Workspace 2010 user settings continue to synchronize. + +If you disable this policy setting, Microsoft SharePoint Workspace 2010 user settings are excluded from the synchronization settings. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Microsoft SharePoint Workspace 2010* +- GP name: *MicrosoftOffice2010SharePointWorkspace* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/MicrosoftOffice2010Visio** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Visio 2010. By default, the user settings of Microsoft Visio 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Visio 2010 from synchronization between computers. + +If you enable this policy setting, Microsoft Visio 2010 user settings continue to synchronize. + +If you disable this policy setting, Microsoft Visio 2010 user settings are excluded from the synchronization settings. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Microsoft Visio 2010* +- GP name: *MicrosoftOffice2010Visio* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/MicrosoftOffice2010Word** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Word 2010. By default, the user settings of Microsoft Word 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Word 2010 from synchronization between computers. + +If you enable this policy setting, Microsoft Word 2010 user settings continue to synchronize. + +If you disable this policy setting, Microsoft Word 2010 user settings are excluded from the synchronization settings. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Microsoft Word 2010* +- GP name: *MicrosoftOffice2010Word* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/MicrosoftOffice2013Access** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Access 2013. By default, the user settings of Microsoft Access 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Access 2013 from synchronization between computers. + +If you enable this policy setting, Microsoft Access 2013 user settings continue to synchronize. + +If you disable this policy setting, Microsoft Access 2013 user settings are excluded from the synchronization settings. + +If you do not configure this policy setting, any defined values will be deleted. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Microsoft Access 2013* +- GP name: *MicrosoftOffice2013Access* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/MicrosoftOffice2013AccessBackup** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft Access 2013. Microsoft Access 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Access 2013 settings. + +If you enable this policy setting, certain user settings of Microsoft Access 2013 will continue to be backed up. + +If you disable this policy setting, certain user settings of Microsoft Access 2013 will not be backed up. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Access 2013 backup only* +- GP name: *MicrosoftOffice2013AccessBackup* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/MicrosoftOffice2013Common** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2013 applications. By default, the user settings which are common between the Microsoft Office Suite 2013 applications synchronize between computers. Use the policy setting to prevent the user settings which are common between the Microsoft Office Suite 2013 applications from synchronization between computers. + +If you enable this policy setting, the user settings which are common between the Microsoft Office Suite 2013 applications continue to synchronize. + +If you disable this policy setting, the user settings which are common between the Microsoft Office Suite 2013 applications are excluded from the synchronization settings. If any of the Microsoft Office Suite 2013 applications are enabled, this policy setting should not be disabled. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Microsoft Office 2013 Common Settings* +- GP name: *MicrosoftOffice2013Common* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/MicrosoftOffice2013CommonBackup** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings which are common between the Microsoft Office Suite 2013 applications. +Microsoft Office Suite 2013 has user settings which are common between applications and are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific common Microsoft Office Suite 2013 applications. + +If you enable this policy setting, certain user settings which are common between the Microsoft Office Suite 2013 applications will continue to be backed up. + +If you disable this policy setting, certain user settings which are common between the Microsoft Office Suite 2013 applications will not be backed up. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Common 2013 backup only* +- GP name: *MicrosoftOffice2013CommonBackup* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/MicrosoftOffice2013Excel** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Excel 2013. + +By default, the user settings of Microsoft Excel 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Excel 2013 from synchronization between computers. + +If you enable this policy setting, Microsoft Excel 2013 user settings continue to synchronize. + +If you disable this policy setting, Microsoft Excel 2013 user settings are excluded from the synchronization settings. + +If you do not configure this policy setting, any defined values will be deleted. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Microsoft Excel 2013* +- GP name: *MicrosoftOffice2013Excel* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/MicrosoftOffice2013ExcelBackup** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft Excel 2013. Microsoft Excel 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Excel 2013 settings. + +If you enable this policy setting, certain user settings of Microsoft Excel 2013 will continue to be backed up. + +If you disable this policy setting, certain user settings of Microsoft Excel 2013 will not be backed up. + +If you do not configure this policy setting, any defined values will be deleted. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Excel 2013 backup only* +- GP name: *MicrosoftOffice2013ExcelBackup* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/MicrosoftOffice2013InfoPath** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft InfoPath 2013. By default, the user settings of Microsoft InfoPath 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft InfoPath 2013 from synchronization between computers. + +If you enable this policy setting, Microsoft InfoPath 2013 user settings continue to synchronize. + +If you disable this policy setting, Microsoft InfoPath 2013 user settings are excluded from the synchronization settings. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Microsoft InfoPath 2013* +- GP name: *MicrosoftOffice2013InfoPath* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/MicrosoftOffice2013InfoPathBackup** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft InfoPath 2013. Microsoft InfoPath 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft InfoPath 2013 settings. + +If you enable this policy setting, certain user settings of Microsoft InfoPath 2013 will continue to be backed up. + +If you disable this policy setting, certain user settings of Microsoft InfoPath 2013 will not be backed up. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *InfoPath 2013 backup only* +- GP name: *MicrosoftOffice2013InfoPathBackup* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/MicrosoftOffice2013Lync** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Lync 2013. By default, the user settings of Microsoft Lync 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Lync 2013 from synchronization between computers. + +If you enable this policy setting, Microsoft Lync 2013 user settings continue to synchronize. + +If you disable this policy setting, Microsoft Lync 2013 user settings are excluded from the synchronization settings. + +If you do not configure this policy setting, any defined values will be deleted. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Microsoft Lync 2013* +- GP name: *MicrosoftOffice2013Lync* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/MicrosoftOffice2013LyncBackup** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft Lync 2013. Microsoft Lync 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Lync 2013 settings. + +If you enable this policy setting, certain user settings of Microsoft Lync 2013 will continue to be backed up. + +If you disable this policy setting, certain user settings of Microsoft Lync 2013 will not be backed up. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Lync 2013 backup only* +- GP name: *MicrosoftOffice2013LyncBackup* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/MicrosoftOffice2013OneDriveForBusiness** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for OneDrive for Business 2013. By default, the user settings of OneDrive for Business 2013 synchronize between computers. Use the policy setting to prevent the user settings of OneDrive for Business 2013 from synchronization between computers. + +If you enable this policy setting, OneDrive for Business 2013 user settings continue to synchronize. + +If you disable this policy setting, OneDrive for Business 2013 user settings are excluded from the synchronization settings. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Microsoft OneDrive for Business 2013* +- GP name: *MicrosoftOffice2013OneDriveForBusiness* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/MicrosoftOffice2013OneNote** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft OneNote 2013. By default, the user settings of Microsoft OneNote 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft OneNote 2013 from synchronization between computers. + +If you enable this policy setting, Microsoft OneNote 2013 user settings continue to synchronize. + +If you disable this policy setting, Microsoft OneNote 2013 user settings are excluded from the synchronization settings. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Microsoft OneNote 2013* +- GP name: *MicrosoftOffice2013OneNote* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/MicrosoftOffice2013OneNoteBackup** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft OneNote 2013. Microsoft OneNote 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft OneNote 2013 settings. + +If you enable this policy setting, certain user settings of Microsoft OneNote 2013 will continue to be backed up. + +If you disable this policy setting, certain user settings of Microsoft OneNote 2013 will not be backed up. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *OneNote 2013 backup only* +- GP name: *MicrosoftOffice2013OneNoteBackup* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/MicrosoftOffice2013Outlook** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Outlook 2013. By default, the user settings of Microsoft Outlook 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Outlook 2013 from synchronization between computers. + +If you enable this policy setting, Microsoft Outlook 2013 user settings continue to synchronize. + +If you disable this policy setting, Microsoft Outlook 2013 user settings are excluded from the synchronization settings. + +If you do not configure this policy setting, any defined values will be deleted. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Microsoft Outlook 2013* +- GP name: *MicrosoftOffice2013Outlook* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/MicrosoftOffice2013OutlookBackup** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft Outlook 2013. Microsoft Outlook 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Outlook 2013 settings. + +If you enable this policy setting, certain user settings of Microsoft Outlook 2013 will continue to be backed up. + +If you disable this policy setting, certain user settings of Microsoft Outlook 2013 will not be backed up. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Outlook 2013 backup only* +- GP name: *MicrosoftOffice2013OutlookBackup* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/MicrosoftOffice2013PowerPoint** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft PowerPoint 2013. By default, the user settings of Microsoft PowerPoint 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft PowerPoint 2013 from synchronization between computers. + +If you enable this policy setting, Microsoft PowerPoint 2013 user settings continue to synchronize. + +If you disable this policy setting, Microsoft PowerPoint 2013 user settings are excluded from the synchronization settings. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Microsoft PowerPoint 2013* +- GP name: *MicrosoftOffice2013PowerPoint* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/MicrosoftOffice2013PowerPointBackup** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft PowerPoint 2013. Microsoft PowerPoint 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft PowerPoint 2013 settings. + +If you enable this policy setting, certain user settings of Microsoft PowerPoint 2013 will continue to be backed up. + +If you disable this policy setting, certain user settings of Microsoft PowerPoint 2013 will not be backed up. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *PowerPoint 2013 backup only* +- GP name: *MicrosoftOffice2013PowerPointBackup* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/MicrosoftOffice2013Project** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Project 2013. By default, the user settings of Microsoft Project 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Project 2013 from synchronization between computers. + +If you enable this policy setting, Microsoft Project 2013 user settings continue to synchronize. + +If you disable this policy setting, Microsoft Project 2013 user settings are excluded from the synchronization settings. + +If you do not configure this policy setting, any defined values will be deleted. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Microsoft Project 2013* +- GP name: *MicrosoftOffice2013Project* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/MicrosoftOffice2013ProjectBackup** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft Project 2013. Microsoft Project 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Project 2013 settings. + +If you enable this policy setting, certain user settings of Microsoft Project 2013 will continue to be backed up. + +If you disable this policy setting, certain user settings of Microsoft Project 2013 will not be backed up. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Project 2013 backup only* +- GP name: *MicrosoftOffice2013ProjectBackup* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/MicrosoftOffice2013Publisher** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Publisher 2013. By default, the user settings of Microsoft Publisher 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Publisher 2013 from synchronization between computers. + +If you enable this policy setting, Microsoft Publisher 2013 user settings continue to synchronize. + +If you disable this policy setting, Microsoft Publisher 2013 user settings are excluded from the synchronization settings. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Microsoft Publisher 2013* +- GP name: *MicrosoftOffice2013Publisher* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/MicrosoftOffice2013PublisherBackup** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft Publisher 2013. Microsoft Publisher 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Publisher 2013 settings. + +If you enable this policy setting, certain user settings of Microsoft Publisher 2013 will continue to be backed up. + +If you disable this policy setting, certain user settings of Microsoft Publisher 2013 will not be backed up. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Publisher 2013 backup only* +- GP name: *MicrosoftOffice2013PublisherBackup* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/MicrosoftOffice2013SharePointDesigner** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft SharePoint Designer 2013. By default, the user settings of Microsoft SharePoint Designer 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft SharePoint Designer 2013 from synchronization between computers. + +If you enable this policy setting, Microsoft SharePoint Designer 2013 user settings continue to synchronize. + +If you disable this policy setting, Microsoft SharePoint Designer 2013 user settings are excluded from the synchronization settings. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Microsoft SharePoint Designer 2013* +- GP name: *MicrosoftOffice2013SharePointDesigner* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ +**ADMX_UserExperienceVirtualization/MicrosoftOffice2013SharePointDesignerBackup** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft SharePoint Designer 2013. Microsoft SharePoint Designer 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft SharePoint Designer 2013 settings. + +If you enable this policy setting, certain user settings of Microsoft SharePoint Designer 2013 will continue to be backed up. + +If you disable this policy setting, certain user settings of Microsoft SharePoint Designer 2013 will not be backed up. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *SharePoint Designer 2013 backup only* +- GP name: *MicrosoftOffice2013SharePointDesignerBackup* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ +**ADMX_UserExperienceVirtualization/MicrosoftOffice2013UploadCenter** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 2013 Upload Center. By default, the user settings of Microsoft Office 2013 Upload Center synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Office 2013 Upload Center from synchronization between computers. + +If you enable this policy setting, Microsoft Office 2013 Upload Center user settings continue to synchronize. + +If you disable this policy setting, Microsoft Office 2013 Upload Center user settings are excluded from the synchronization settings. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Microsoft Office 2013 Upload Center* +- GP name: *MicrosoftOffice2013UploadCenter* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/MicrosoftOffice2013Visio** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Visio 2013. By default, the user settings of Microsoft Visio 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Visio 2013 from synchronization between computers. + +If you enable this policy setting, Microsoft Visio 2013 user settings continue to synchronize. + +If you disable this policy setting, Microsoft Visio 2013 user settings are excluded from the synchronization settings. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Microsoft Visio 2013* +- GP name: *MicrosoftOffice2013Visio* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/MicrosoftOffice2013VisioBackup** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft Visio 2013. Microsoft Visio 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Visio 2013 settings. + +If you enable this policy setting, certain user settings of Microsoft Visio 2013 will continue to be backed up. + +If you disable this policy setting, certain user settings of Microsoft Visio 2013 will not be backed up. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Visio 2013 backup only* +- GP name: *MicrosoftOffice2013VisioBackup* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/MicrosoftOffice2013Word** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Word 2013. By default, the user settings of Microsoft Word 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Word 2013 from synchronization between computers. + +If you enable this policy setting, Microsoft Word 2013 user settings continue to synchronize. + +If you disable this policy setting, Microsoft Word 2013 user settings are excluded from the synchronization settings. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Microsoft Word 2013* +- GP name: *MicrosoftOffice2013Word* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/MicrosoftOffice2013WordBackup** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft Word 2013. Microsoft Word 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Word 2013 settings. + +If you enable this policy setting, certain user settings of Microsoft Word 2013 will continue to be backed up. + +If you disable this policy setting, certain user settings of Microsoft Word 2013 will not be backed up. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Word 2013 backup only* +- GP name: *MicrosoftOffice2013WordBackup* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/MicrosoftOffice2016Access** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Access 2016. By default, the user settings of Microsoft Access 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Access 2016 from synchronization between computers. + +If you enable this policy setting, Microsoft Access 2016 user settings continue to synchronize. + +If you disable this policy setting, Microsoft Access 2016 user settings are excluded from the synchronization settings. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Microsoft Access 2016* +- GP name: *MicrosoftOffice2016Access* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/MicrosoftOffice2016AccessBackup** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft Access 2016. Microsoft Access 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Access 2016 settings. + +If you enable this policy setting, certain user settings of Microsoft Access 2016 will continue to be backed up. + +If you disable this policy setting, certain user settings of Microsoft Access 2016 will not be backed up. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Access 2016 backup only* +- GP name: *MicrosoftOffice2016AccessBackup* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/MicrosoftOffice2016Common** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2016 applications. By default, the user settings which are common between the Microsoft Office Suite 2016 applications synchronize between computers. Use the policy setting to prevent the user settings which are common between the Microsoft Office Suite 2016 applications from synchronization between computers. + +If you enable this policy setting, the user settings which are common between the Microsoft Office Suite 2016 applications continue to synchronize. + +If you disable this policy setting, the user settings which are common between the Microsoft Office Suite 2016 applications are excluded from the synchronization settings. If any of the Microsoft Office Suite 2016 applications are enabled, this policy setting should not be disabled. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Microsoft Office 2016 Common Settings* +- GP name: *MicrosoftOffice2016Common* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/MicrosoftOffice2016CommonBackup** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings which are common between the Microsoft Office Suite 2016 applications. +Microsoft Office Suite 2016 has user settings which are common between applications and are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific common Microsoft Office Suite 2016 applications. + +If you enable this policy setting, certain user settings which are common between the Microsoft Office Suite 2016 applications will continue to be backed up. + +If you disable this policy setting, certain user settings which are common between the Microsoft Office Suite 2016 applications will not be backed up. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Common 2016 backup only* +- GP name: *MicrosoftOffice2016CommonBackup* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/MicrosoftOffice2016Excel** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Excel 2016. By default, the user settings of Microsoft Excel 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Excel 2016 from synchronization between computers. + +If you enable this policy setting, Microsoft Excel 2016 user settings continue to synchronize. + +If you disable this policy setting, Microsoft Excel 2016 user settings are excluded from the synchronization settings. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Microsoft Excel 2016* +- GP name: *MicrosoftOffice2016Excel* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/MicrosoftOffice2016ExcelBackup** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft Excel 2016. Microsoft Excel 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Excel 2016 settings. + +If you enable this policy setting, certain user settings of Microsoft Excel 2016 will continue to be backed up. + +If you disable this policy setting, certain user settings of Microsoft Excel 2016 will not be backed up. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Excel 2016 backup only* +- GP name: *MicrosoftOffice2016ExcelBackup* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/MicrosoftOffice2016Lync** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Lync 2016. By default, the user settings of Microsoft Lync 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Lync 2016 from synchronization between computers. + +If you enable this policy setting, Microsoft Lync 2016 user settings continue to synchronize. + +If you disable this policy setting, Microsoft Lync 2016 user settings are excluded from the synchronization settings. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Microsoft Lync 2016* +- GP name: *MicrosoftOffice2016Lync* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/MicrosoftOffice2016LyncBackup** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft Lync 2016. Microsoft Lync 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Lync 2016 settings. + +If you enable this policy setting, certain user settings of Microsoft Lync 2016 will continue to be backed up. + +If you disable this policy setting, certain user settings of Microsoft Lync 2016 will not be backed up. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Lync 2016 backup only* +- GP name: *MicrosoftOffice2016LyncBackup* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/MicrosoftOffice2016OneDriveForBusiness** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for OneDrive for Business 2016. By default, the user settings of OneDrive for Business 2016 synchronize between computers. Use the policy setting to prevent the user settings of OneDrive for Business 2016 from synchronization between computers. + +If you enable this policy setting, OneDrive for Business 2016 user settings continue to synchronize. + +If you disable this policy setting, OneDrive for Business 2016 user settings are excluded from the synchronization settings. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Microsoft OneDrive for Business 2016* +- GP name: *MicrosoftOffice2016OneDriveForBusiness* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/MicrosoftOffice2016OneNote** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft OneNote 2016. By default, the user settings of Microsoft OneNote 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft OneNote 2016 from synchronization between computers. + +If you enable this policy setting, Microsoft OneNote 2016 user settings continue to synchronize. + +If you disable this policy setting, Microsoft OneNote 2016 user settings are excluded from the synchronization settings. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Microsoft OneNote 2016* +- GP name: *MicrosoftOffice2016OneNote* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/MicrosoftOffice2016OneNoteBackup** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft OneNote 2016. Microsoft OneNote 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft OneNote 2016 settings. + +If you enable this policy setting, certain user settings of Microsoft OneNote 2016 will continue to be backed up. + +If you disable this policy setting, certain user settings of Microsoft OneNote 2016 will not be backed up. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *OneNote 2016 backup only* +- GP name: *MicrosoftOffice2016OneNoteBackup* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/MicrosoftOffice2016Outlook** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Outlook 2016. By default, the user settings of Microsoft Outlook 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Outlook 2016 from synchronization between computers. + +If you enable this policy setting, Microsoft Outlook 2016 user settings continue to synchronize. + +If you disable this policy setting, Microsoft Outlook 2016 user settings are excluded from the synchronization settings. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Microsoft Outlook 2016* +- GP name: *MicrosoftOffice2016Outlook* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/MicrosoftOffice2016OutlookBackup** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft Outlook 2016. Microsoft Outlook 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Outlook 2016 settings. + +If you enable this policy setting, certain user settings of Microsoft Outlook 2016 will continue to be backed up. + +If you disable this policy setting, certain user settings of Microsoft Outlook 2016 will not be backed up. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Outlook 2016 backup only* +- GP name: *MicrosoftOffice2016OutlookBackup* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/MicrosoftOffice2016PowerPoint** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft PowerPoint 2016. By default, the user settings of Microsoft PowerPoint 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft PowerPoint 2016 from synchronization between computers. + +If you enable this policy setting, Microsoft PowerPoint 2016 user settings continue to synchronize. + +If you disable this policy setting, Microsoft PowerPoint 2016 user settings are excluded from the synchronization settings. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Microsoft PowerPoint 2016* +- GP name: *MicrosoftOffice2016PowerPoint* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/MicrosoftOffice2016PowerPointBackup** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft PowerPoint 2016. Microsoft PowerPoint 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft PowerPoint 2016 settings. + +If you enable this policy setting, certain user settings of Microsoft PowerPoint 2016 will continue to be backed up. + +If you disable this policy setting, certain user settings of Microsoft PowerPoint 2016 will not be backed up. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *PowerPoint 2016 backup only* +- GP name: *MicrosoftOffice2016PowerPointBackup* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/MicrosoftOffice2016Project** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Project 2016. +By default, the user settings of Microsoft Project 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Project 2016 from synchronization between computers. + +If you enable this policy setting, Microsoft Project 2016 user settings continue to synchronize. + +If you disable this policy setting, Microsoft Project 2016 user settings are excluded from the synchronization settings. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Microsoft Project 2016* +- GP name: *MicrosoftOffice2016Project* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/MicrosoftOffice2016ProjectBackup** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft Project 2016. Microsoft Project 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Project 2016 settings. + +If you enable this policy setting, certain user settings of Microsoft Project 2016 will continue to be backed up. + +If you disable this policy setting, certain user settings of Microsoft Project 2016 will not be backed up. + +If you do not configure this policy setting, any defined values will be deleted. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Project 2016 backup only* +- GP name: *MicrosoftOffice2016ProjectBackup* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/MicrosoftOffice2016Publisher** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Publisher 2016. By default, the user settings of Microsoft Publisher 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Publisher 2016 from synchronization between computers. + +If you enable this policy setting, Microsoft Publisher 2016 user settings continue to synchronize. + +If you disable this policy setting, Microsoft Publisher 2016 user settings are excluded from the synchronization settings. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Microsoft Publisher 2016* +- GP name: *MicrosoftOffice2016Publisher* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/MicrosoftOffice2016PublisherBackup** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft Publisher 2016. Microsoft Publisher 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Publisher 2016 settings. + +If you enable this policy setting, certain user settings of Microsoft Publisher 2016 will continue to be backed up. + +If you disable this policy setting, certain user settings of Microsoft Publisher 2016 will not be backed up. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Publisher 2016 backup only* +- GP name: *MicrosoftOffice2016PublisherBackup* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ +**ADMX_UserExperienceVirtualization/MicrosoftOffice2016UploadCenter** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 2016 Upload Center. By default, the user settings of Microsoft Office 2016 Upload Center synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Office 2016 Upload Center from synchronization between computers. + +If you enable this policy setting, Microsoft Office 2016 Upload Center user settings continue to synchronize. + +If you disable this policy setting, Microsoft Office 2016 Upload Center user settings are excluded from the synchronization settings. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Microsoft Office 2016 Upload Center* +- GP name: *MicrosoftOffice2016UploadCenter* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/MicrosoftOffice2016Visio** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Visio 2016. By default, the user settings of Microsoft Visio 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Visio 2016 from synchronization between computers. + +If you enable this policy setting, Microsoft Visio 2016 user settings continue to synchronize. + +If you disable this policy setting, Microsoft Visio 2016 user settings are excluded from the synchronization settings. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Microsoft Visio 2016* +- GP name: *MicrosoftOffice2016Visio* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/MicrosoftOffice2016VisioBackup** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft Visio 2016. Microsoft Visio 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Visio 2016 settings. + +If you enable this policy setting, certain user settings of Microsoft Visio 2016 will continue to be backed up. + +If you disable this policy setting, certain user settings of Microsoft Visio 2016 will not be backed up. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Visio 2016 backup only* +- GP name: *MicrosoftOffice2016VisioBackup* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/MicrosoftOffice2016Word** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Word 2016. By default, the user settings of Microsoft Word 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Word 2016 from synchronization between computers. + +If you enable this policy setting, Microsoft Word 2016 user settings continue to synchronize. + +If you disable this policy setting, Microsoft Word 2016 user settings are excluded from the synchronization settings. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Microsoft Word 2016* +- GP name: *MicrosoftOffice2016Word* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/MicrosoftOffice2016WordBackup** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft Word 2016. Microsoft Word 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Word 2016 settings. + +If you enable this policy setting, certain user settings of Microsoft Word 2016 will continue to be backed up. + +If you disable this policy setting, certain user settings of Microsoft Word 2016 will not be backed up. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Word 2016 backup only* +- GP name: *MicrosoftOffice2016WordBackup* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/MicrosoftOffice365Access2013** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 Access 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Access 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Access 2013 from synchronization between computers with UE-V. + +If you enable this policy setting, Microsoft Office 365 Access 2013 user settings continue to sync with UE-V. + +If you disable this policy setting, Microsoft Office 365 Access 2013 user settings are excluded from synchronization with UE-V. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Microsoft Office 365 Access 2013* +- GP name: *MicrosoftOffice365Access2013* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/MicrosoftOffice365Access2016** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 Access 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Access 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Access 2016 from synchronization between computers with UE-V. + +If you enable this policy setting, Microsoft Office 365 Access 2016 user settings continue to sync with UE-V. + +If you disable this policy setting, Microsoft Office 365 Access 2016 user settings are excluded from synchronization with UE-V. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Microsoft Office 365 Access 2016* +- GP name: *MicrosoftOffice365Access2016* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/MicrosoftOffice365Common2013** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2013 applications. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings which are common between the Microsoft Office Suite 2013 applications will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings which are common between the Microsoft Office Suite 2013 applications from synchronization between computers with UE-V. + +If you enable this policy setting, user settings which are common between the Microsoft Office Suite 2013 applications continue to synchronize with UE-V. + +If you disable this policy setting, user settings which are common between the Microsoft Office Suite 2013 applications are excluded from synchronization with UE-V. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Microsoft Office 365 Common 2013* +- GP name: *MicrosoftOffice365Common2013* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ +**ADMX_UserExperienceVirtualization/MicrosoftOffice365Common2016** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2016 applications. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings which are common between the Microsoft Office Suite 2016 applications will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings which are common between the Microsoft Office Suite 2016 applications from synchronization between computers with UE-V. + +If you enable this policy setting, user settings which are common between the Microsoft Office Suite 2016 applications continue to synchronize with UE-V. + +If you disable this policy setting, user settings which are common between the Microsoft Office Suite 2016 applications are excluded from synchronization with UE-V. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Microsoft Office 365 Common 2016* +- GP name: *MicrosoftOffice365Common2016* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/MicrosoftOffice365Excel2013** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 Excel 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Excel 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Excel 2013 from synchronization between computers with UE-V. + +If you enable this policy setting, Microsoft Office 365 Excel 2013 user settings continue to sync with UE-V. + +If you disable this policy setting, Microsoft Office 365 Excel 2013 user settings are excluded from synchronization with UE-V. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Microsoft Office 365 Excel 2013* +- GP name: *MicrosoftOffice365Excel2013* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/MicrosoftOffice365Excel2016** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 Excel 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Excel 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Excel 2016 from synchronization between computers with UE-V. + +If you enable this policy setting, Microsoft Office 365 Excel 2016 user settings continue to sync with UE-V. + +If you disable this policy setting, Microsoft Office 365 Excel 2016 user settings are excluded from synchronization with UE-V. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Microsoft Office 365 Excel 2016* +- GP name: *MicrosoftOffice365Excel2016* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/MicrosoftOffice365InfoPath2013** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 InfoPath 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 InfoPath 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 InfoPath 2013 from synchronization between computers with UE-V. + +If you enable this policy setting, Microsoft Office 365 InfoPath 2013 user settings continue to sync with UE-V. + +If you disable this policy setting, Microsoft Office 365 InfoPath 2013 user settings are excluded from synchronization with UE-V. + +If you do not configure this policy setting, any defined values will be deleted. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Microsoft Office 365 InfoPath 2013* +- GP name: *MicrosoftOffice365InfoPath2013* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/MicrosoftOffice365Lync2013** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 Lync 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Lync 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Lync 2013 from synchronization between computers with UE-V. + +If you enable this policy setting, Microsoft Office 365 Lync 2013 user settings continue to sync with UE-V. + +If you disable this policy setting, Microsoft Office 365 Lync 2013 user settings are excluded from synchronization with UE-V. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Microsoft Office 365 Lync 2013* +- GP name: *MicrosoftOffice365Lync2013* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/MicrosoftOffice365Lync2016** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 Lync 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Lync 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Lync 2016 from synchronization between computers with UE-V. + +If you enable this policy setting, Microsoft Office 365 Lync 2016 user settings continue to sync with UE-V. + +If you disable this policy setting, Microsoft Office 365 Lync 2016 user settings are excluded from synchronization with UE-V. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Microsoft Office 365 Lync 2016* +- GP name: *MicrosoftOffice365Lync2016* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/MicrosoftOffice365OneNote2013** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 OneNote 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 OneNote 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 OneNote 2013 from synchronization between computers with UE-V. + +If you enable this policy setting, Microsoft Office 365 OneNote 2013 user settings continue to sync with UE-V. + +If you disable this policy setting, Microsoft Office 365 OneNote 2013 user settings are excluded from synchronization with UE-V. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Microsoft Office 365 OneNote 2013* +- GP name: *MicrosoftOffice365OneNote2013* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/MicrosoftOffice365OneNote2016** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 OneNote 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 OneNote 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 OneNote 2016 from synchronization between computers with UE-V. + +If you enable this policy setting, Microsoft Office 365 OneNote 2016 user settings continue to sync with UE-V. + +If you disable this policy setting, Microsoft Office 365 OneNote 2016 user settings are excluded from synchronization with UE-V. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Microsoft Office 365 OneNote 2016* +- GP name: *MicrosoftOffice365OneNote2016* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/MicrosoftOffice365Outlook2013** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 Outlook 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Outlook 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Outlook 2013 from synchronization between computers with UE-V. + +If you enable this policy setting, Microsoft Office 365 Outlook 2013 user settings continue to sync with UE-V. + +If you disable this policy setting, Microsoft Office 365 Outlook 2013 user settings are excluded from synchronization with UE-V. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Microsoft Office 365 Outlook 2013* +- GP name: *MicrosoftOffice365Outlook2013* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/MicrosoftOffice365Outlook2016** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 Outlook 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Outlook 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Outlook 2016 from synchronization between computers with UE-V. + +If you enable this policy setting, Microsoft Office 365 Outlook 2016 user settings continue to sync with UE-V. + +If you disable this policy setting, Microsoft Office 365 Outlook 2016 user settings are excluded from synchronization with UE-V. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Microsoft Office 365 Outlook 2016* +- GP name: *MicrosoftOffice365Outlook2016* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/MicrosoftOffice365PowerPoint2013** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 PowerPoint 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 PowerPoint 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 PowerPoint 2013 from synchronization between computers with UE-V. + +If you enable this policy setting, Microsoft Office 365 PowerPoint 2013 user settings continue to sync with UE-V. + +If you disable this policy setting, Microsoft Office 365 PowerPoint 2013 user settings are excluded from synchronization with UE-V. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Microsoft Office 365 PowerPoint 2013* +- GP name: *MicrosoftOffice365PowerPoint2013* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/MicrosoftOffice365PowerPoint2016** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 PowerPoint 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 PowerPoint 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 PowerPoint 2016 from synchronization between computers with UE-V. + +If you enable this policy setting, Microsoft Office 365 PowerPoint 2016 user settings continue to sync with UE-V. + +If you disable this policy setting, Microsoft Office 365 PowerPoint 2016 user settings are excluded from synchronization with UE-V. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Microsoft Office 365 PowerPoint 2016* +- GP name: *MicrosoftOffice365PowerPoint2016* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/MicrosoftOffice365Project2013** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 Project 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Project 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Project 2013 from synchronization between computers with UE-V. + +If you enable this policy setting, Microsoft Office 365 Project 2013 user settings continue to sync with UE-V. + +If you disable this policy setting, Microsoft Office 365 Project 2013 user settings are excluded from synchronization with UE-V. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Microsoft Office 365 Project 2013* +- GP name: *MicrosoftOffice365Project2013* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ +**ADMX_UserExperienceVirtualization/MicrosoftOffice365Project2016** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 Project 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Project 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Project 2016 from synchronization between computers with UE-V. + +If you enable this policy setting, Microsoft Office 365 Project 2016 user settings continue to sync with UE-V. + +If you disable this policy setting, Microsoft Office 365 Project 2016 user settings are excluded from synchronization with UE-V. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Microsoft Office 365 Project 2016* +- GP name: *MicrosoftOffice365Project2016* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/MicrosoftOffice365Publisher2013** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 Publisher 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Publisher 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Publisher 2013 from synchronization between computers with UE-V. + +If you enable this policy setting, Microsoft Office 365 Publisher 2013 user settings continue to sync with UE-V. + +If you disable this policy setting, Microsoft Office 365 Publisher 2013 user settings are excluded from synchronization with UE-V. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Microsoft Office 365 Publisher 2013* +- GP name: *MicrosoftOffice365Publisher2013* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/MicrosoftOffice365Publisher2016** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 Publisher 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Publisher 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Publisher 2016 from synchronization between computers with UE-V. + +If you enable this policy setting, Microsoft Office 365 Publisher 2016 user settings continue to sync with UE-V. + +If you disable this policy setting, Microsoft Office 365 Publisher 2016 user settings are excluded from synchronization with UE-V. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Microsoft Office 365 Publisher 2016* +- GP name: *MicrosoftOffice365Publisher2016* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/MicrosoftOffice365SharePointDesigner2013** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 SharePoint Designer 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 SharePoint Designer 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 SharePoint Designer 2013 from synchronization between computers with UE-V. + +If you enable this policy setting, Microsoft Office 365 SharePoint Designer 2013 user settings continue to sync with UE-V. + +If you disable this policy setting, Microsoft Office 365 SharePoint Designer 2013 user settings are excluded from synchronization with UE-V. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Microsoft Office 365 SharePoint Designer 2013* +- GP name: *MicrosoftOffice365SharePointDesigner2013* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/MicrosoftOffice365Visio2013** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 Visio 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Visio 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Visio 2013 from synchronization between computers with UE-V. + +If you enable this policy setting, Microsoft Office 365 Visio 2013 user settings continue to sync with UE-V. + +If you disable this policy setting, Microsoft Office 365 Visio 2013 user settings are excluded from synchronization with UE-V. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Microsoft Office 365 Visio 2013* +- GP name: *MicrosoftOffice365Visio2013* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/MicrosoftOffice365Visio2016** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 Visio 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Visio 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Visio 2016 from synchronization between computers with UE-V. + +If you enable this policy setting, Microsoft Office 365 Visio 2016 user settings continue to sync with UE-V. + +If you disable this policy setting, Microsoft Office 365 Visio 2016 user settings are excluded from synchronization with UE-V. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Microsoft Office 365 Visio 2016* +- GP name: *MicrosoftOffice365Visio2016* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/MicrosoftOffice365Word2013** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 Word 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Word 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Word 2013 from synchronization between computers with UE-V. + +If you enable this policy setting, Microsoft Office 365 Word 2013 user settings continue to sync with UE-V. + +If you disable this policy setting, Microsoft Office 365 Word 2013 user settings are excluded from synchronization with UE-V. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Microsoft Office 365 Word 2013* +- GP name: *MicrosoftOffice365Word2013* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/MicrosoftOffice365Word2016** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 Word 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Word 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Word 2016 from synchronization between computers with UE-V. + +If you enable this policy setting, Microsoft Office 365 Word 2016 user settings continue to sync with UE-V. + +If you disable this policy setting, Microsoft Office 365 Word 2016 user settings are excluded from synchronization with UE-V. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Microsoft Office 365 Word 2016* +- GP name: *MicrosoftOffice365Word2016* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/Music** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for the Music app. By default, the user settings of Music sync between computers. Use the policy setting to prevent the user settings of Music from synchronizing between computers. + +If you enable this policy setting, Music user settings continue to sync. + +If you disable this policy setting, Music user settings are excluded from the synchronizing settings. + +If you do not configure this policy setting, any defined values will be deleted. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Music* +- GP name: *Music* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Windows Apps* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/News** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for the News app. By default, the user settings of News sync between computers. Use the policy setting to prevent the user settings of News from synchronizing between computers. + +If you enable this policy setting, News user settings continue to sync. + +If you disable this policy setting, News user settings are excluded from synchronization. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *News* +- GP name: *News* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Windows Apps* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/Notepad** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings of Notepad. By default, the user settings of Notepad synchronize between computers. Use the policy setting to prevent the user settings of Notepad from synchronization between computers. + +If you enable this policy setting, the Notepad user settings continue to synchronize. + +If you disable this policy setting, Notepad user settings are excluded from the synchronization settings. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Notepad* +- GP name: *Notepad* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/Reader** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for the Reader app. By default, the user settings of Reader sync between computers. Use the policy setting to prevent the user settings of Reader from synchronizing between computers. + +If you enable this policy setting, Reader user settings continue to sync. + +If you disable this policy setting, Reader user settings are excluded from the synchronization. + +If you do not configure this policy setting, any defined values will be deleted. + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Reader* +- GP name: *Reader* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Windows Apps* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/RepositoryTimeout** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the number of milliseconds that the computer waits when retrieving user settings from the settings storage location. You can use this setting to override the default value of 2000 milliseconds. + +If you enable this policy setting, set the number of milliseconds that the system waits to retrieve settings. + +If you disable or do not configure this policy setting, the default value of 2000 milliseconds is used. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Synchronization timeout* +- GP name: *RepositoryTimeout* +- GP path: *Windows Components\Microsoft User Experience Virtualization* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/SettingsStoragePath** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures where the settings package files that contain user settings are stored. + +If you enable this policy setting, the user settings are stored in the specified location. + +If you disable or do not configure this policy setting, the user settings are stored in the user’s home directory if configured for your environment. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Settings storage path* +- GP name: *SettingsStoragePath* +- GP path: *Windows Components\Microsoft User Experience Virtualization* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/SettingsTemplateCatalogPath** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures where custom settings location templates are stored and if the catalog will be used to replace the default Microsoft templates installed with the UE-V Agent. + +If you enable this policy setting, the UE-V Agent checks the specified location once each day and updates its synchronization behavior based on the templates in this location. Settings location templates added or updated since the last check are registered by the UE-V Agent. The UE-V Agent deregisters templates that were removed from this location. + +If you specify a UNC path and leave the option to replace the default Microsoft templates unchecked, the UE-V Agent will use the default Microsoft templates installed by the UE-V Agent and custom templates in the settings template catalog. If there are custom templates in the settings template catalog which use the same ID as the default Microsoft templates, they will be ignored. + +If you specify a UNC path and check the option to replace the default Microsoft templates, all of the default Microsoft templates installed by the UE-V Agent will be deleted from the computer and only the templates located in the settings template catalog will be used. + +If you disable this policy setting, the UE-V Agent will not use the custom settings location templates. If you disable this policy setting after it has been enabled, the UE-V Agent will not restore the default Microsoft templates. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Settings template catalog path* +- GP name: *SettingsTemplateCatalogPath* +- GP path: *Windows Components\Microsoft User Experience Virtualization* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/Sports** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for the Sports app. By default, the user settings of Sports sync between computers. Use the policy setting to prevent the user settings of Sports from synchronizing between computers. + +If you enable this policy setting, Sports user settings continue to sync. + +If you disable this policy setting, Sports user settings are excluded from synchronization. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Sports* +- GP name: *Sports* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Windows Apps* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/SyncEnabled** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to enable or disable User Experience Virtualization (UE-V). Only applies to Windows 10 or earlier. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Use User Experience Virtualization (UE-V)* +- GP name: *SyncEnabled* +- GP path: *Windows Components\Microsoft User Experience Virtualization* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ +**ADMX_UserExperienceVirtualization/SyncOverMeteredNetwork** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting defines whether the User Experience Virtualization (UE-V) Agent synchronizes settings over metered connections. By default, the UE-V Agent does not synchronize settings over a metered connection. + +With this setting enabled, the UE-V Agent synchronizes settings over a metered connection. + +With this setting disabled, the UE-V Agent does not synchronize settings over a metered connection. + +If you do not configure this policy setting, any defined values are deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Sync settings over metered connections* +- GP name: *SyncOverMeteredNetwork* +- GP path: *Windows Components\Microsoft User Experience Virtualization* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/SyncOverMeteredNetworkWhenRoaming** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting defines whether the User Experience Virtualization (UE-V) Agent synchronizes settings over metered connections outside of the home provider network, for example when connected via a roaming connection. By default, the UE-V Agent does not synchronize settings over a metered connection that is roaming. + +With this setting enabled, the UE-V Agent synchronizes settings over a metered connection that is roaming. + +With this setting disabled, the UE-V Agent will not synchronize settings over a metered connection that is roaming. + +If you do not configure this policy setting, any defined values are deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Sync settings over metered connections even when roaming* +- GP name: *SyncOverMeteredNetworkWhenRoaming* +- GP path: *Windows Components\Microsoft User Experience Virtualization* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/SyncProviderPingEnabled** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to configure the User Experience Virtualization (UE-V) sync provider to ping the settings storage path before attempting to sync settings. If the ping is successful then the sync provider attempts to synchronize the settings packages. If the ping is unsuccessful then the sync provider doesn’t attempt the synchronization. + +If you enable this policy setting, the sync provider pings the settings storage location before synchronizing settings packages. + +If you disable this policy setting, the sync provider doesn’t ping the settings storage location before synchronizing settings packages. + +If you do not configure this policy, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Ping the settings storage location before sync* +- GP name: *SyncProviderPingEnabled* +- GP path: *Windows Components\Microsoft User Experience Virtualization* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/SyncUnlistedWindows8Apps** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting defines the default settings sync behavior of the User Experience Virtualization (UE-V) Agent for Windows apps that are not explicitly listed in Windows App List. By default, the UE-V Agent only synchronizes settings of those Windows apps included in the Windows App List. + +With this setting enabled, the settings of all Windows apps not expressly disable in the Windows App List are synchronized. + +With this setting disabled, only the settings of the Windows apps set to synchronize in the Windows App List are synchronized. + +If you do not configure this policy setting, any defined values are deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Sync Unlisted Windows Apps* +- GP name: *SyncUnlistedWindows8Apps* +- GP path: *Windows Components\Microsoft User Experience Virtualization* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/Travel** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for the Travel app. By default, the user settings of Travel sync between computers. Use the policy setting to prevent the user settings of Travel from synchronizing between computers. + +If you enable this policy setting, Travel user settings continue to sync. + +If you disable this policy setting, Travel user settings are excluded from synchronization. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Travel* +- GP name: *Travel* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Windows Apps* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/TrayIconEnabled** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting enables the User Experience Virtualization (UE-V) tray icon. By default, an icon appears in the system tray that displays notifications for UE-V. This icon also provides a link to the UE-V Agent application, Company Settings Center. Users can open the Company Settings Center by right-clicking the icon and selecting Open or by double-clicking the icon. When this group policy setting is enabled, the UE-V tray icon is visible, the UE-V notifications display, and the Company Settings Center is accessible from the tray icon. + +With this setting disabled, the tray icon does not appear in the system tray, UE-V never displays notifications, and the user cannot access Company Settings Center from the system tray. The Company Settings Center remains accessible through the Control Panel and the Start menu or Start screen. + +If you do not configure this policy setting, any defined values are deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Tray Icon* +- GP name: *TrayIconEnabled* +- GP path: *Windows Components\Microsoft User Experience Virtualization* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/Video** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for the Video app. By default, the user settings of Video sync between computers. Use the policy setting to prevent the user settings of Video from synchronizing between computers. + +If you enable this policy setting, Video user settings continue to sync. + +If you disable this policy setting, Video user settings are excluded from synchronization. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Video* +- GP name: *Video* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Windows Apps* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ + +**ADMX_UserExperienceVirtualization/Weather** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for the Weather app. By default, the user settings of Weather sync between computers. Use the policy setting to prevent the user settings of Weather from synchronizing between computers. + +If you enable this policy setting, Weather user settings continue to sync. + +If you disable this policy setting, Weather user settings are excluded from synchronization. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Weather* +- GP name: *Weather* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Windows Apps* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+ +**ADMX_UserExperienceVirtualization/Wordpad** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings of WordPad. By default, the user settings of WordPad synchronize between computers. Use the policy setting to prevent the user settings of WordPad from synchronization between computers. + +If you enable this policy setting, the WordPad user settings continue to synchronize. + +If you disable this policy setting, WordPad user settings are excluded from the synchronization settings. + +If you do not configure this policy setting, any defined values will be deleted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *WordPad* +- GP name: *Wordpad* +- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* +- GP ADMX file name: *UserExperienceVirtualization.admx* + + + +
+Footnotes: + +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. +- 7 - Available in Windows 10, version 1909. +- 8 - Available in Windows 10, version 2004. + + + diff --git a/windows/client-management/mdm/policy-csp-admx-w32time.md b/windows/client-management/mdm/policy-csp-admx-w32time.md new file mode 100644 index 0000000000..a9b6715a43 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-w32time.md @@ -0,0 +1,429 @@ +--- +title: Policy CSP - ADMX_W32Time +description: Policy CSP - ADMX_W32Time +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 09/28/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_W32Time +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## ADMX_W32Time policies + +
+
+ ADMX_W32Time/W32TIME_POLICY_CONFIG +
+
+ ADMX_W32Time/W32TIME_POLICY_CONFIGURE_NTPCLIENT +
+
+ ADMX_W32Time/W32TIME_POLICY_ENABLE_NTPCLIENT +
+
+ ADMX_W32Time/W32TIME_POLICY_ENABLE_NTPSERVER +
+
+ + +
+ + +**ADMX_W32Time/W32TIME_POLICY_CONFIG** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to specify Clock discipline and General values for the Windows Time service (W32time) for domain controllers including RODCs. + +If this policy setting is enabled, W32time Service on target machines use the settings provided here. Otherwise, the service on target machines use locally configured settings values. + +For more details on individual parameters, combinations of parameter values as well as definitions of flags, see https://go.microsoft.com/fwlink/?linkid=847809. + +**FrequencyCorrectRate** +This parameter controls the rate at which the W32time corrects the local clock's frequency. Lower values cause slower corrections; larger values cause more frequent corrections. Default: 4 (scalar). + +**HoldPeriod** +This parameter indicates how many consistent time samples the client computer must receive in a series before subsequent time samples are evaluated as potential spikes. Default: 5 + +**LargePhaseOffset** +If a time sample differs from the client computer's local clock by more than LargePhaseOffset, the local clock is deemed to have drifted considerably, or in other words, spiked. Default: 50,000,000 100-nanosecond units (ns) or 5 seconds. + +**MaxAllowedPhaseOffset** +If a response is received that has a time variation that is larger than this parameter value, W32time sets the client computer's local clock immediately to the time that is accepted as accurate from the Network Time Protocol (NTP) server. If the time variation is less than this value, the client computer's local clock is corrected gradually. Default: 300 seconds. + +**MaxNegPhaseCorrection** +If a time sample is received that indicates a time in the past (as compared to the client computer's local clock) that has a time difference that is greater than the MaxNegPhaseCorrection value, the time sample is discarded. Default: 172,800 seconds. + +**MaxPosPhaseCorrection** +If a time sample is received that indicates a time in the future (as compared to the client computer's local clock) that has a time difference greater than the MaxPosPhaseCorrection value, the time sample is discarded. Default: 172,800 seconds. + +**PhaseCorrectRate** +This parameter controls how quickly W32time corrects the client computer's local clock difference to match time samples that are accepted as accurate from the NTP server. Lower values cause the clock to correct more slowly; larger values cause the clock to correct more quickly. Default: 7 (scalar). + +**PollAdjustFactor** +This parameter controls how quickly W32time changes polling intervals. When responses are considered to be accurate, the polling interval lengthens automatically. When responses are considered to be inaccurate, the polling interval shortens automatically. Default: 5 (scalar). + +**SpikeWatchPeriod** +This parameter specifies the amount of time that samples with time offset larger than LargePhaseOffset are received before these samples are accepted as accurate. SpikeWatchPeriod is used in conjunction with HoldPeriod to help eliminate sporadic, inaccurate time samples that are returned from a peer. Default: 900 seconds. + +**UpdateInterval** +This parameter specifies the amount of time that W32time waits between corrections when the clock is being corrected gradually. When it makes a gradual correction, the service adjusts the clock slightly, waits this amount of time, and then checks to see if another adjustment is needed, until the correction is finished. Default: 100 1/100th second units, or 1 second. + +General parameters: + +**AnnounceFlags** +This parameter is a bitmask value that controls how time service availability is advertised through NetLogon. Default: 0x0a hexadecimal + +**EventLogFlags** +This parameter controls special events that may be logged to the Event Viewer System log. Default: 0x02 hexadecimal bitmask. + +**LocalClockDispersion** +This parameter indicates the maximum error in seconds that is reported by the NTP server to clients that are requesting a time sample. (Applies only when the NTP server is using the time of the local CMOS clock.) Default: 10 seconds. + +**MaxPollInterval** +This parameter controls the maximum polling interval, which defines the maximum amount of time between polls of a peer. Default: 10 in log base-2, or 1024 seconds. (Should not be set higher than 15.) + +**MinPollInterval** +This parameter controls the minimum polling interval that defines the minimum amount of time between polls of a peer. Default: 6 in log base-2, or 64 seconds. + +**ClockHoldoverPeriod** +This parameter indicates the maximum number of seconds a system clock can nominally hold its accuracy without synchronizing with a time source. If this period of time passes without W32time obtaining new samples from any of its input providers, W32time initiates a rediscovery of time sources. Default: 7800 seconds. + +**RequireSecureTimeSyncRequests** +This parameter controls whether or not the DC will respond to time sync requests that use older authentication protocols. If enabled (set to 1), the DC will not respond to requests using such protocols. Default: 0 Boolean. + +**UtilizeSslTimeData** +This parameter controls whether W32time will use time data computed from SSL traffic on the machine as an additional input for correcting the local clock. Default: 1 (enabled) Boolean + +**ClockAdjustmentAuditLimit** +This parameter specifies the smallest local clock adjustments that may be logged to the W32time service event log on the target machine. Default: 800 Parts per million (PPM). + +RODC parameters: + +**ChainEntryTimeout** +This parameter specifies the maximum amount of time that an entry can remain in the chaining table before the entry is considered to be expired. Expired entries may be removed when the next request or response is processed. Default: 16 seconds. + +**ChainMaxEntries** +This parameter controls the maximum number of entries that are allowed in the chaining table. If the chaining table is full and no expired entries can be removed, any incoming requests are discarded. Default: 128 entries. + +**ChainMaxHostEntries** +This parameter controls the maximum number of entries that are allowed in the chaining table for a particular host. Default: 4 entries. + +**ChainDisable** +This parameter controls whether or not the chaining mechanism is disabled. If chaining is disabled (set to 0), the RODC can synchronize with any domain controller, but hosts that do not have their passwords cached on the RODC will not be able to synchronize with the RODC. Default: 0 Boolean. + +**ChainLoggingRate** +This parameter controls the frequency at which an event that indicates the number of successful and unsuccessful chaining attempts is logged to the System log in Event Viewer. Default: 30 minutes. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Global Configuration Settings* +- GP name: *W32TIME_POLICY_CONFIG* +- GP path: *System\Windows Time Service* +- GP ADMX file name: *W32Time.admx* + + + +
+ + +**ADMX_W32Time/W32TIME_POLICY_CONFIGURE_NTPCLIENT** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting specifies a set of parameters for controlling the Windows NTP Client. + +If you enable this policy setting, you can specify the following parameters for the Windows NTP Client. + +If you disable or do not configure this policy setting, the Windows NTP Client uses the defaults of each of the following parameters. + +**NtpServer** +The Domain Name System (DNS) name or IP address of an NTP time source. This value is in the form of ""dnsName,flags"" where ""flags"" is a hexadecimal bitmask of the flags for that host. For more information, see the NTP Client Group Policy Settings Associated with Windows Time section of the Windows Time Service Group Policy Settings. The default value is ""time.windows.com,0x09"". + +**Type** +This value controls the authentication that W32time uses. The default value is NT5DS. + +**CrossSiteSyncFlags** +This value, expressed as a bitmask, controls how W32time chooses time sources outside its own site. The possible values are 0, 1, and 2. Setting this value to 0 (None) indicates that the time client should not attempt to synchronize time outside its site. Setting this value to 1 (PdcOnly) indicates that only the computers that function as primary domain controller (PDC) emulator operations masters in other domains can be used as synchronization partners when the client has to synchronize time with a partner outside its own site. Setting a value of 2 (All) indicates that any synchronization partner can be used. This value is ignored if the NT5DS value is not set. The default value is 2 decimal (0x02 hexadecimal). + +**ResolvePeerBackoffMinutes** +This value, expressed in minutes, controls how long W32time waits before it attempts to resolve a DNS name when a previous attempt failed. The default value is 15 minutes. + +**ResolvePeerBackoffMaxTimes** +This value controls how many times W32time attempts to resolve a DNS name before the discovery process is restarted. Each time DNS name resolution fails, the amount of time to wait before the next attempt will be twice the previous amount. The default value is seven attempts. + +**SpecialPollInterval** +This NTP client value, expressed in seconds, controls how often a manually configured time source is polled when the time source is configured to use a special polling interval. If the SpecialInterval flag is enabled on the NTPServer setting, the client uses the value that is set as the SpecialPollInterval, instead of a variable interval between MinPollInterval and MaxPollInterval values, to determine how frequently to poll the time source. SpecialPollInterval must be in the range of [MinPollInterval, MaxPollInterval], else the nearest value of the range is picked. Default: 1024 seconds. + +**EventLogFlags** +This value is a bitmask that controls events that may be logged to the System log in Event Viewer. Setting this value to 0x1 indicates that W32time will create an event whenever a time jump is detected. Setting this value to 0x2 indicates that W32time will create an event whenever a time source change is made. Because it is a bitmask value, setting 0x3 (the addition of 0x1 and 0x2) indicates that both time jumps and time source changes will be logged. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure Windows NTP Client* +- GP name: *W32TIME_POLICY_CONFIGURE_NTPCLIENT* +- GP path: *System\Windows Time Service\Time Providers* +- GP ADMX file name: *W32Time.admx* + + + +
+ + +**ADMX_W32Time/W32TIME_POLICY_ENABLE_NTPCLIENT** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether the Windows NTP Client is enabled. + +Enabling the Windows NTP Client allows your computer to synchronize its computer clock with other NTP servers. You might want to disable this service if you decide to use a third-party time provider. + +If you enable this policy setting, you can set the local computer clock to synchronize time with NTP servers. + +If you disable or do not configure this policy setting, the local computer clock does not synchronize time with NTP servers. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Enable Windows NTP Client* +- GP name: *W32TIME_POLICY_ENABLE_NTPCLIENT* +- GP path: *System\Windows Time Service\Time Providers* +- GP ADMX file name: *W32Time.admx* + + + +
+ + +**ADMX_W32Time/W32TIME_POLICY_ENABLE_NTPSERVER** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to specify whether the Windows NTP Server is enabled. + +If you enable this policy setting for the Windows NTP Server, your computer can service NTP requests from other computers. + +If you disable or do not configure this policy setting, your computer cannot service NTP requests from other computers. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Enable Windows NTP Server* +- GP name: *W32TIME_POLICY_ENABLE_NTPSERVER* +- GP path: *System\Windows Time Service\Time Providers* +- GP ADMX file name: *W32Time.admx* + + + +
+ +Footnotes: + +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. +- 7 - Available in Windows 10, version 1909. +- 8 - Available in Windows 10, version 2004. + + + diff --git a/windows/client-management/mdm/policy-csp-admx-wincal.md b/windows/client-management/mdm/policy-csp-admx-wincal.md new file mode 100644 index 0000000000..bceaf394ed --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-wincal.md @@ -0,0 +1,192 @@ +--- +title: Policy CSP - ADMX_WinCal +description: Policy CSP - ADMX_WinCal +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 09/28/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_WinCal +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## ADMX_WinCal policies + +
+
+ ADMX_WinCal/TurnOffWinCal_1 +
+
+ ADMX_WinCal/TurnOffWinCal_2 +
+
+ + +
+ + +**ADMX_WinCal/TurnOffWinCal_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. Windows Calendar is a feature that allows users to manage appointments and tasks by creating personal calendars, publishing them, and subscribing to other users calendars. + +If you enable this setting, Windows Calendar will be turned off. + +If you disable or do not configure this setting, Windows Calendar will be turned on. + +The default is for Windows Calendar to be turned on. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Windows Calendar* +- GP name: *TurnOffWinCal_1* +- GP path: *Windows Components\Windows Calendar* +- GP ADMX file name: *WinCal.admx* + + + +
+ +
+ + +**ADMX_WinCal/TurnOffWinCal_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. Windows Calendar is a feature that allows users to manage appointments and tasks by creating personal calendars, publishing them, and subscribing to other users calendars. + +If you enable this setting, Windows Calendar will be turned off. + +If you disable or do not configure this setting, Windows Calendar will be turned on. + +The default is for Windows Calendar to be turned on. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Windows Calendar* +- GP name: *TurnOffWinCal_2* +- GP path: *Windows Components\Windows Calendar* +- GP ADMX file name: *WinCal.admx* + + + +
+ +Footnotes: + +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. +- 7 - Available in Windows 10, version 1909. +- 8 - Available in Windows 10, version 2004. + + + diff --git a/windows/client-management/mdm/policy-csp-admx-windowsanytimeupgrade.md b/windows/client-management/mdm/policy-csp-admx-windowsanytimeupgrade.md new file mode 100644 index 0000000000..8b06f92864 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-windowsanytimeupgrade.md @@ -0,0 +1,115 @@ +--- +title: Policy CSP - ADMX_WindowsAnytimeUpgrade +description: Policy CSP - ADMX_WindowsAnytimeUpgrade +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 09/29/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_WindowsAnytimeUpgrade +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## ADMX_WindowsAnytimeUpgrade policies + +
+
+ ADMX_WindowsAnytimeUpgrade/Disabled +
+
+ + +
+ + +**ADMX_WindowsAnytimeUpgrade/Disabled** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. By default, Add features to Windows 10 is available for all administrators. + +If you enable this policy setting, the wizard will not run. + +If you disable this policy setting or set it to Not Configured, the wizard will run. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent the wizard from running.* +- GP name: *Disabled* +- GP path: *Windows Components\Add features to Windows 10* +- GP ADMX file name: *WindowsAnytimeUpgrade.admx* + + + +
+ +Footnotes: + +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. +- 7 - Available in Windows 10, version 1909. +- 8 - Available in Windows 10, version 2004. + + + diff --git a/windows/client-management/mdm/policy-csp-admx-windowsconnectnow.md b/windows/client-management/mdm/policy-csp-admx-windowsconnectnow.md new file mode 100644 index 0000000000..80b7d947fa --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-windowsconnectnow.md @@ -0,0 +1,264 @@ +--- +title: Policy CSP - ADMX_WindowsConnectNow +description: Policy CSP - ADMX_WindowsConnectNow +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 09/28/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_WindowsConnectNow +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## ADMX_WindowsConnectNow policies + +
+
+ ADMX_WindowsConnectNow/WCN_DisableWcnUi_1 +
+
+ ADMX_WindowsConnectNow/WCN_DisableWcnUi_2 +
+
+ ADMX_WindowsConnectNow/WCN_EnableRegistrar +
+
+ + +
+ + +**ADMX_WindowsConnectNow/WCN_DisableWcnUi_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting prohibits access to Windows Connect Now (WCN) wizards. + +If you enable this policy setting, the wizards are turned off and users have no access to any of the wizard tasks. All the configuration related tasks, including "Set up a wireless router or access point" and "Add a wireless device" are disabled. + +If you disable or do not configure this policy setting, users can access the wizard tasks, including "Set up a wireless router or access point" and "Add a wireless device." The default for this policy setting allows users to access all WCN wizards. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prohibit access of the Windows Connect Now wizards* +- GP name: *WCN_DisableWcnUi_1* +- GP path: *Network\Windows Connect Now* +- GP ADMX file name: *WindowsConnectNow.admx* + + + +
+ + +**ADMX_WindowsConnectNow/WCN_DisableWcnUi_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting prohibits access to Windows Connect Now (WCN) wizards. + +If you enable this policy setting, the wizards are turned off and users have no access to any of the wizard tasks. All the configuration related tasks, including "Set up a wireless router or access point" and "Add a wireless device" are disabled. + +If you disable or do not configure this policy setting, users can access the wizard tasks, including "Set up a wireless router or access point" and "Add a wireless device." The default for this policy setting allows users to access all WCN wizards. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prohibit access of the Windows Connect Now wizards* +- GP name: *WCN_DisableWcnUi_2* +- GP path: *Network\Windows Connect Now* +- GP ADMX file name: *WindowsConnectNow.admx* + + + +
+ + +**ADMX_WindowsConnectNow/WCN_EnableRegistrar** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting allows the configuration of wireless settings using Windows Connect Now (WCN). The WCN Registrar enables the discovery and configuration of devices over Ethernet (UPnP), over In-band 802.11 WLAN, through the Windows Portable Device API (WPD), and via USB Flash drives. + +Additional options are available to allow discovery and configuration over a specific medium. + +If you enable this policy setting, additional choices are available to turn off the operations over a specific medium. + +If you disable this policy setting, operations are disabled over all media. + +If you do not configure this policy setting, operations are enabled over all media. + +The default for this policy setting allows operations over all media. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configuration of wireless settings using Windows Connect Now* +- GP name: *WCN_EnableRegistrar* +- GP path: *Network\Windows Connect Now* +- GP ADMX file name: *WindowsConnectNow.admx* + + + +
+ +Footnotes: + +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. +- 7 - Available in Windows 10, version 1909. +- 8 - Available in Windows 10, version 2004. + + + diff --git a/windows/client-management/mdm/policy-csp-admx-windowsmediadrm.md b/windows/client-management/mdm/policy-csp-admx-windowsmediadrm.md new file mode 100644 index 0000000000..d9845c8533 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-windowsmediadrm.md @@ -0,0 +1,116 @@ +--- +title: Policy CSP - ADMX_WindowsMediaDRM +description: Policy CSP - ADMX_WindowsMediaDRM +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 08/13/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_WindowsMediaDRM +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## ADMX_WindowsMediaDRM policies + +
+
+ ADMX_WindowsMediaDRM/DisableOnline +
+
+ + +
+ + +**ADMX_WindowsMediaDRM/DisableOnline** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting prevents Windows Media Digital Rights Management (DRM) from accessing the Internet (or intranet). + +When enabled, Windows Media DRM is prevented from accessing the Internet (or intranet) for license acquisition and security upgrades. + +When this policy is enabled, programs are not able to acquire licenses for secure content, upgrade Windows Media DRM security components, or restore backed up content licenses. Secure content that is already licensed to the local computer will continue to play. Users are also able to protect music that they copy from a CD and play this protected content on their computer, since the license is generated locally in this scenario. + +When this policy is either disabled or not configured, Windows Media DRM functions normally and will connect to the Internet (or intranet) to acquire licenses, download security upgrades, and perform license restoration. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent Windows Media DRM Internet Access* +- GP name: *DisableOnline* +- GP path: *Windows Components\Windows Media Digital Rights Management* +- GP ADMX file name: *WindowsMediaDRM.admx* + + + +
+ +Footnotes: + +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. +- 7 - Available in Windows 10, version 1909. +- 8 - Available in Windows 10, version 2004. + + + diff --git a/windows/client-management/mdm/policy-csp-admx-windowsmediaplayer.md b/windows/client-management/mdm/policy-csp-admx-windowsmediaplayer.md new file mode 100644 index 0000000000..69a27c1fef --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-windowsmediaplayer.md @@ -0,0 +1,1614 @@ +--- +title: Policy CSP - ADMX_WindowsMediaPlayer +description: Policy CSP - ADMX_WindowsMediaPlayer +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 10/09/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_WindowsMediaPlayer +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## ADMX_WindowsMediaPlayer policies + +
+
+ ADMX_WindowsMediaPlayer/ConfigureHTTPProxySettings +
+
+ ADMX_WindowsMediaPlayer/ConfigureMMSProxySettings +
+
+ ADMX_WindowsMediaPlayer/ConfigureRTSPProxySettings +
+
+ ADMX_WindowsMediaPlayer/DisableAutoUpdate +
+
+ ADMX_WindowsMediaPlayer/DisableNetworkSettings +
+
+ ADMX_WindowsMediaPlayer/DisableSetupFirstUseConfiguration +
+
+ ADMX_WindowsMediaPlayer/DoNotShowAnchor +
+
+ ADMX_WindowsMediaPlayer/DontUseFrameInterpolation +
+
+ ADMX_WindowsMediaPlayer/EnableScreenSaver +
+
+ ADMX_WindowsMediaPlayer/HidePrivacyTab +
+
+ ADMX_WindowsMediaPlayer/HideSecurityTab +
+
+ ADMX_WindowsMediaPlayer/NetworkBuffering +
+
+ ADMX_WindowsMediaPlayer/PolicyCodecUpdate +
+
+ ADMX_WindowsMediaPlayer/PreventCDDVDMetadataRetrieval +
+
+ ADMX_WindowsMediaPlayer/PreventLibrarySharing +
+
+ ADMX_WindowsMediaPlayer/PreventMusicFileMetadataRetrieval +
+
+ ADMX_WindowsMediaPlayer/PreventQuickLaunchShortcut +
+
+ ADMX_WindowsMediaPlayer/PreventRadioPresetsRetrieval +
+
+ ADMX_WindowsMediaPlayer/PreventWMPDeskTopShortcut +
+
+ ADMX_WindowsMediaPlayer/SkinLockDown +
+
+ ADMX_WindowsMediaPlayer/WindowsStreamingMediaProtocols +
+
+ + +
+ + +**ADMX_WindowsMediaPlayer/ConfigureHTTPProxySettings** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to specify the HTTP proxy settings for Windows Media Player. + +If you enable this policy setting, select one of the following proxy types: + +- Autodetect: the proxy settings are automatically detected. +- Custom: unique proxy settings are used. +- Use browser proxy settings: browser's proxy settings are used. + +If the Custom proxy type is selected, the rest of the options on the Setting tab must be specified because no default settings are used for the proxy. The options are ignored if Autodetect or Browser is selected. + +The Configure button on the Network tab in the Player is not available for the HTTP protocol and the proxy cannot be configured. If the "Hide network tab" policy setting is also enabled, the entire Network tab is hidden. + +This policy is ignored if the "Streaming media protocols" policy setting is enabled and HTTP is not selected. + +If you disable this policy setting, the HTTP proxy server cannot be used and the user cannot configure the HTTP proxy. + +If you do not configure this policy setting, users can configure the HTTP proxy settings. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure HTTP Proxy* +- GP name: *ConfigureHTTPProxySettings* +- GP path: *Windows Components\Windows Media Player\Networking* +- GP ADMX file name: *WindowsMediaPlayer.admx* + + + +
+ + +**ADMX_WindowsMediaPlayer/ConfigureMMSProxySettings** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to specify the MMS proxy settings for Windows Media Player. + +If you enable this policy setting, select one of the following proxy types: + +- Autodetect: the proxy settings are automatically detected. +- Custom: unique proxy settings are used. + +If the Custom proxy type is selected, the rest of the options on the Setting tab must be specified; otherwise, the default settings are used. The options are ignored if Autodetect is selected. + +The Configure button on the Network tab in the Player is not available and the protocol cannot be configured. If the "Hide network tab" policy setting is also enabled, the entire Network tab is hidden. + +This policy setting is ignored if the "Streaming media protocols" policy setting is enabled and Multicast is not selected. + +If you disable this policy setting, the MMS proxy server cannot be used and users cannot configure the MMS proxy settings. + +If you do not configure this policy setting, users can configure the MMS proxy settings. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure MMS Proxy* +- GP name: *ConfigureMMSProxySettings* +- GP path: *Windows Components\Windows Media Player\Networking* +- GP ADMX file name: *WindowsMediaPlayer.admx* + + + +
+ + +**ADMX_WindowsMediaPlayer/ConfigureRTSPProxySettings** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to specify the RTSP proxy settings for Windows Media Player. + +If you enable this policy setting, select one of the following proxy types: + +- Autodetect: the proxy settings are automatically detected. +- Custom: unique proxy settings are used. + +If the Custom proxy type is selected, the rest of the options on the Setting tab must be specified; otherwise, the default settings are used. The options are ignored if Autodetect is selected. + +The Configure button on the Network tab in the Player is not available and the protocol cannot be configured. If the "Hide network tab" policy setting is also enabled, the entire Network tab is hidden. + +If you disable this policy setting, the RTSP proxy server cannot be used and users cannot change the RTSP proxy settings. + +If you do not configure this policy setting, users can configure the RTSP proxy settings. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure RTSP Proxy* +- GP name: *ConfigureRTSPProxySettings* +- GP path: *Windows Components\Windows Media Player\Networking* +- GP ADMX file name: *WindowsMediaPlayer.admx* + + + +
+ + +**ADMX_WindowsMediaPlayer/DisableAutoUpdate** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to turn off do not show first use dialog boxes. + +If you enable this policy setting, the Privacy Options and Installation Options dialog boxes are prevented from being displayed the first time a user starts Windows Media Player. + +This policy setting prevents the dialog boxes which allow users to select privacy, file types, and other desktop options from being displayed when the Player is first started. Some of the options can be configured by using other Windows Media Player group policies. + +If you disable or do not configure this policy setting, the dialog boxes are displayed when the user starts the Player for the first time. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent Automatic Updates* +- GP name: *DisableAutoUpdate* +- GP path: *Windows Components\Windows Media Player* +- GP ADMX file name: *WindowsMediaPlayer.admx* + + + +
+ + +**ADMX_WindowsMediaPlayer/DisableNetworkSettings** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to hide the Network tab. + +If you enable this policy setting, the Network tab in Windows Media Player is hidden. The default network settings are used unless the user has previously defined network settings for the Player. + +If you disable or do not configure this policy setting, the Network tab appears and users can use it to configure network settings. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Hide Network Tab* +- GP name: *DisableNetworkSettings* +- GP path: *Windows Components\Windows Media Player\Networking* +- GP ADMX file name: *WindowsMediaPlayer.admx* + + + +
+ + +**ADMX_WindowsMediaPlayer/DisableSetupFirstUseConfiguration** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to prevent the anchor window from being displayed when Windows Media Player is in skin mode. + +If you enable this policy setting, the anchor window is hidden when the Player is in skin mode. In addition, the option on the Player tab in the Player that enables users to choose whether the anchor window displays is not available. + +If you disable or do not configure this policy setting, users can show or hide the anchor window when the Player is in skin mode by using the Player tab in the Player. + +If you do not configure this policy setting, and the "Set and lock skin" policy setting is enabled, some options in the anchor window are not available. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do Not Show First Use Dialog Boxes* +- GP name: *DisableSetupFirstUseConfiguration* +- GP path: *Windows Components\Windows Media Player* +- GP ADMX file name: *WindowsMediaPlayer.admx* + + + +
+ + +**ADMX_WindowsMediaPlayer/DoNotShowAnchor** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting prevents the anchor window from being displayed when Windows Media Player is in skin mode. + +This policy hides the anchor window when the Player is in skin mode. In addition, the option on the Player tab in the Player that enables users to choose whether the anchor window displays is not available. + +When this policy is not configured or disabled, users can show or hide the anchor window when the Player is in skin mode by using the Player tab in the Player. + +When this policy is not configured and the Set and Lock Skin policy is enabled, some options in the anchor window are not available. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do Not Show Anchor* +- GP name: *DoNotShowAnchor* +- GP path: *Windows Components\Windows Media Player\User Interface* +- GP ADMX file name: *WindowsMediaPlayer.admx* + + + +
+ + +**ADMX_WindowsMediaPlayer/DontUseFrameInterpolation** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to prevent video smoothing from occurring. + +If you enable this policy setting, video smoothing is prevented, which can improve video playback on computers with limited resources. In addition, the Use Video Smoothing check box in the Video Acceleration Settings dialog box in the Player is cleared and is not available. + +If you disable this policy setting, video smoothing occurs if necessary, and the Use Video Smoothing check box is selected and is not available. + +If you do not configure this policy setting, video smoothing occurs if necessary. Users can change the setting for the Use Video Smoothing check box. + +Video smoothing is available only on the Windows XP Home Edition and Windows XP Professional operating systems. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent Video Smoothing* +- GP name: *DontUseFrameInterpolation* +- GP path: *Windows Components\Windows Media Player* +- GP ADMX file name: *WindowsMediaPlayer.admx* + + + +
+ + +**ADMX_WindowsMediaPlayer/EnableScreenSaver** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting allows a screen saver to interrupt playback. + +If you enable this policy setting, a screen saver is displayed during playback of digital media according to the options selected on the Screen Saver tab in the Display Properties dialog box in Control Panel. The Allow screen saver during playback check box on the Player tab in the Player is selected and is not available. + +If you disable this policy setting, a screen saver does not interrupt playback even if users have selected a screen saver. The Allow screen saver during playback check box is cleared and is not available. + +If you do not configure this policy setting, users can change the setting for the Allow screen saver during playback check box. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow Screen Saver* +- GP name: *EnableScreenSaver* +- GP path: *Windows Components\Windows Media Player\Playback* +- GP ADMX file name: *WindowsMediaPlayer.admx* + + + +
+ + +**ADMX_WindowsMediaPlayer/HidePrivacyTab** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to hide the Privacy tab in Windows Media Player. + +If you enable this policy setting, the "Update my music files (WMA and MP3 files) by retrieving missing media information from the Internet" check box on the Media Library tab is available, even though the Privacy tab is hidden, unless the "Prevent music file media information retrieval" policy setting is enabled. + +The default privacy settings are used for the options on the Privacy tab unless the user changed the settings previously. + +If you disable or do not configure this policy setting, the Privacy tab is not hidden, and users can configure any privacy settings not configured by other polices. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent Automatic Updates* +- GP name: *HidePrivacyTab* +- GP path: *Windows Components\Windows Media Player\User Interface* +- GP ADMX file name: *WindowsMediaPlayer.admx* + + + +
+ + +**ADMX_WindowsMediaPlayer/HideSecurityTab** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to hide the Security tab in Windows Media Player. + +If you enable this policy setting, the default security settings for the options on the Security tab are used unless the user changed the settings previously. Users can still change security and zone settings by using Internet Explorer unless these settings have been hidden or disabled by Internet Explorer policies. + +If you disable or do not configure this policy setting, users can configure the security settings on the Security tab. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Hide Security Tab* +- GP name: *HideSecurityTab* +- GP path: *Windows Components\Windows Media Player\User Interface* +- GP ADMX file name: *WindowsMediaPlayer.admx* + + + +
+ + +**ADMX_WindowsMediaPlayer/NetworkBuffering** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to specify whether network buffering uses the default or a specified number of seconds. + +If you enable this policy setting, select one of the following options to specify the number of seconds streaming media is buffered before it is played. + +- Custom: the number of seconds, up to 60, that streaming media is buffered. +- Default: default network buffering is used and the number of seconds that is specified is ignored. + +The "Use default buffering" and "Buffer" options on the Performance tab in the Player are not available. + +If you disable or do not configure this policy setting, users can change the buffering options on the Performance tab. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure Network Buffering* +- GP name: *NetworkBuffering* +- GP path: *Windows Components\Windows Media Player\Networking* +- GP ADMX file name: *WindowsMediaPlayer.admx* + + + +
+ + +**ADMX_WindowsMediaPlayer/PolicyCodecUpdate** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to prevent Windows Media Player from downloading codecs. + +If you enable this policy setting, the Player is prevented from automatically downloading codecs to your computer. In addition, the Download codecs automatically check box on the Player tab in the Player is not available. + +If you disable this policy setting, codecs are automatically downloaded and the Download codecs automatically check box is not available. + +If you do not configure this policy setting, users can change the setting for the Download codecs automatically check box. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent Codec Download* +- GP name: *PolicyCodecUpdate* +- GP path: *Windows Components\Windows Media Player\Playback* +- GP ADMX file name: *WindowsMediaPlayer.admx* + + + +
+ + +**ADMX_WindowsMediaPlayer/PreventCDDVDMetadataRetrieval** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to prevent media information for CDs and DVDs from being retrieved from the Internet. + +If you enable this policy setting, the Player is prevented from automatically obtaining media information from the Internet for CDs and DVDs played by users. In addition, the Retrieve media information for CDs and DVDs from the Internet check box on the Privacy Options tab in the first use dialog box and on the Privacy tab in the Player are not selected and are not available. + +If you disable or do not configure this policy setting, users can change the setting of the Retrieve media information for CDs and DVDs from the Internet check box. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent CD and DVD Media Information Retrieval* +- GP name: *PreventCDDVDMetadataRetrieval* +- GP path: *Windows Components\Windows Media Player* +- GP ADMX file name: *WindowsMediaPlayer.admx* + + + +
+ + +**ADMX_WindowsMediaPlayer/PreventLibrarySharing** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to prevent media sharing from Windows Media Player. + +If you enable this policy setting, any user on this computer is prevented from sharing digital media content from Windows Media Player with other computers and devices that are on the same network. Media sharing is disabled from Windows Media Player or from programs that depend on the Player's media sharing feature. + +If you disable or do not configure this policy setting, anyone using Windows Media Player can turn media sharing on or off. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent Media Sharing* +- GP name: *PreventLibrarySharing* +- GP path: *Windows Components\Windows Media Player* +- GP ADMX file name: *WindowsMediaPlayer.admx* + + + +
+ + +**ADMX_WindowsMediaPlayer/PreventMusicFileMetadataRetrieval** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to prevent media information for music files from being retrieved from the Internet. + +If you enable this policy setting, the Player is prevented from automatically obtaining media information for music files such as Windows Media Audio (WMA) and MP3 files from the Internet. In addition, the Update my music files (WMA and MP3 files) by retrieving missing media information from the Internet check box in the first use dialog box and on the Privacy and Media Library tabs in the Player are not selected and are not available. + +If you disable or do not configure this policy setting, users can change the setting of the Update my music files (WMA and MP3 files) by retrieving missing media information from the Internet check box. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent Music File Media Information Retrieval* +- GP name: *PreventMusicFileMetadataRetrieval* +- GP path: *Windows Components\Windows Media Player* +- GP ADMX file name: *WindowsMediaPlayer.admx* + + + +
+ + +**ADMX_WindowsMediaPlayer/PreventQuickLaunchShortcut** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to prevent a shortcut for the Player from being added to the Quick Launch bar. + +If you enable this policy setting, the user cannot add the shortcut for the Player to the Quick Launch bar. + +If you disable or do not configure this policy setting, the user can choose whether to add the shortcut for the Player to the Quick Launch bar. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent Quick Launch Toolbar Shortcut Creation* +- GP name: *PreventQuickLaunchShortcut* +- GP path: *Windows Components\Windows Media Player* +- GP ADMX file name: *WindowsMediaPlayer.admx* + + + +
+ + +**ADMX_WindowsMediaPlayer/PreventRadioPresetsRetrieval** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to prevent radio station presets from being retrieved from the Internet. + +If you enable this policy setting, the Player is prevented from automatically retrieving radio station presets from the Internet and displaying them in Media Library. In addition, presets that exist before the policy is configured are not be updated, and presets a user adds are not be displayed. + +If you disable or do not configure this policy setting, the Player automatically retrieves radio station presets from the Internet. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *PPrevent Radio Station Preset Retrieval* +- GP name: *PreventRadioPresetsRetrieval* +- GP path: *Windows Components\Windows Media Player* +- GP ADMX file name: *WindowsMediaPlayer.admx* + + + +
+ + +**ADMX_WindowsMediaPlayer/PreventWMPDeskTopShortcut** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to prevent a shortcut icon for the Player from being added to the user's desktop. + +If you enable this policy setting, users cannot add the Player shortcut icon to their desktops. + +If you disable or do not configure this policy setting, users can choose whether to add the Player shortcut icon to their desktops. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent Desktop Shortcut Creation* +- GP name: *PreventWMPDeskTopShortcut* +- GP path: *Windows Components\Windows Media Player* +- GP ADMX file name: *WindowsMediaPlayer.admx* + + + +
+ + +**ADMX_WindowsMediaPlayer/SkinLockDown** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to set and lock Windows Media Player in skin mode, using a specified skin. + +If you enable this policy setting, the Player displays only in skin mode using the skin specified in the Skin box on the Setting tab. + +You must use the complete file name for the skin (for example, skin_name.wmz), and the skin must be installed in the %programfiles%\Windows Media Player\Skins Folder on a user's computer. If the skin is not installed on a user's computer, or if the Skin box is blank, the Player opens by using the Corporate skin. The only way to specify the Corporate skin is to leave the Skin box blank. + +A user has access only to the Player features that are available with the specified skin. Users cannot switch the Player to full mode and cannot choose a different skin. + +If you disable or do not configure this policy setting, users can display the Player in full or skin mode and have access to all available features of the Player. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Set and Lock Skin* +- GP name: *SkinLockDown* +- GP path: *Windows Components\Windows Media Player\User Interface* +- GP ADMX file name: *WindowsMediaPlayer.admx* + + + +
+ + +**ADMX_WindowsMediaPlayer/WindowsStreamingMediaProtocols** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to specify that Windows Media Player can attempt to use selected protocols when receiving streaming media from a server running Windows Media Services. + +If you enable this policy setting, the protocols that are selected on the Network tab of the Player are used to receive a stream initiated through an MMS or RTSP URL from a Windows Media server. If the RSTP/UDP check box is selected, a user can specify UDP ports in the Use ports check box. If the user does not specify UDP ports, the Player uses default ports when using the UDP protocol. This policy setting also specifies that multicast streams can be received if the "Allow the Player to receive multicast streams" check box on the Network tab is selected. + +If you enable this policy setting, the administrator must also specify the protocols that are available to users on the Network tab. If the administrator does not specify any protocols, the Player cannot access an MMS or RTSP URL from a Windows Media server. If the "Hide network tab" policy setting is enabled, the entire Network tab is hidden. + +If you do not configure this policy setting, users can select the protocols to use on the Network tab. + +If you disable this policy setting, the Protocols for MMS URLs and Multicast streams areas of the Network tab are not available and the Player cannot receive an MMS or RTSP stream from a Windows Media server. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Streaming Media Protocols* +- GP name: *WindowsStreamingMediaProtocols* +- GP path: *Windows Components\Windows Media Player\Networking* +- GP ADMX file name: *WindowsMediaPlayer.admx* + + + +
+ +Footnotes: + +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. +- 7 - Available in Windows 10, version 1909. +- 8 - Available in Windows 10, version 2004. + + + diff --git a/windows/client-management/mdm/policy-csp-admx-wininit.md b/windows/client-management/mdm/policy-csp-admx-wininit.md new file mode 100644 index 0000000000..dbbecca9d5 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-wininit.md @@ -0,0 +1,258 @@ +--- +title: Policy CSP - ADMX_WinInit +description: Policy CSP - ADMX_WinInit +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 09/29/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_WinInit +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## ADMX_WinInit policies + +
+
+ ADMX_WinInit/DisableNamedPipeShutdownPolicyDescription +
+
+ ADMX_WinInit/Hiberboot +
+
+ ADMX_WinInit/ShutdownTimeoutHungSessionsDescription +
+
+ + +
+ + +**ADMX_WinInit/DisableNamedPipeShutdownPolicyDescription** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting controls the legacy remote shutdown interface (named pipe). The named pipe remote shutdown interface is needed in order to shutdown this system from a remote Windows XP or Windows Server 2003 system. + +If you enable this policy setting, the system does not create the named pipe remote shutdown interface. + +If you disable or do not configure this policy setting, the system creates the named pipe remote shutdown interface. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off legacy remote shutdown interface* +- GP name: *DisableNamedPipeShutdownPolicyDescription* +- GP path: *Windows Components\Shutdown Options* +- GP ADMX file name: *WinInit.admx* + + + +
+ + +**ADMX_WinInit/Hiberboot** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting controls the use of fast startup. + +If you enable this policy setting, the system requires hibernate to be enabled. + +If you disable or do not configure this policy setting, the local setting is used. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Require use of fast startup* +- GP name: *Hiberboot* +- GP path: *System\Shutdown* +- GP ADMX file name: *WinInit.admx* + + + +
+ + +**ADMX_WinInit/ShutdownTimeoutHungSessionsDescription** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting configures the number of minutes the system waits for the hung logon sessions before proceeding with the system shutdown. + +If you enable this policy setting, the system waits for the hung logon sessions for the number of minutes specified. + +If you disable or do not configure this policy setting, the default timeout value is 3 minutes for workstations and 15 minutes for servers. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Timeout for hung logon sessions during shutdown* +- GP name: *ShutdownTimeoutHungSessionsDescription* +- GP path: *Windows Components\Shutdown Options* +- GP ADMX file name: *WinInit.admx* + + + +
+ +Footnotes: + +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. +- 7 - Available in Windows 10, version 1909. +- 8 - Available in Windows 10, version 2004. + + + diff --git a/windows/client-management/mdm/policy-csp-localusersandgroups.md b/windows/client-management/mdm/policy-csp-localusersandgroups.md new file mode 100644 index 0000000000..a192f2c35f --- /dev/null +++ b/windows/client-management/mdm/policy-csp-localusersandgroups.md @@ -0,0 +1,232 @@ +--- +title: Policy CSP - LocalUsersAndGroups +description: Policy CSP - LocalUsersAndGroups +ms.author: dansimp +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.localizationpriority: medium +ms.date: 10/14/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - LocalUsersAndGroups + +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## LocalUsersAndGroups policies + +
+
+ LocalUsersAndGroups/Configure +
+
+ + +
+ + +**LocalUsersAndGroups/Configure** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark9
Businesscheck mark9
Enterprisecheck mark9
Educationcheck mark9
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10, version 2010. This policy setting allows IT admins to add, remove, or replace members of local groups on a managed device. + +> [!NOTE] +> The [RestrictedGroups/ConfigureGroupMembership](./policy-csp-restrictedgroups.md#restrictedgroups-configuregroupmembership) policy setting also allows you to configure members (users or AAD groups) to a Windows 10 local group. However, it allows only for a full replace of the existing groups with the new members and does not allow selective add or remove. +> +> Starting from Windows 10, version 2010, it is recommended to use the LocalUsersandGroups policy instead of the RestrictedGroups policy. Applying both the policies to the same device is unsupported and may yield unpredictable results. + +Here's an example of the policy definition XML for group configuration: + +```xml + + + + + + + +``` + +where: + +- ``: Specifies the name or SID of the local group to configure. If you specify a SID, the [LookupAccountSid](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountsida) API is used to translate the SID to a valid group name. If you specify a name, the [LookupAccountName](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountnamea) API is used to lookup the group and validate the name. If name/SID lookup fails, the group is skipped and the next group in the XML file is processed. If there are multiple errors, the last error is returned at the end of the policy processing. +- ``: Specifies the action to take on the local group, which can be Update and Restrict, represented by U and R: + - Update. This action must be used to keep the current group membership intact and add or remove members of the specific group. + - Restrict. This action must be used to replace current membership with the newly specified groups. This action provides the same functionality as the [RestrictedGroups/ConfigureGroupMembership](./policy-csp-restrictedgroups.md#restrictedgroups-configuregroupmembership) policy setting. +- ``: Specifies the SID or name of the member to configure. +- ``: Specifies the SID or name of the member to remove from the specified group. + + > [!NOTE] + > When specifying member names of domain accounts, use fully qualified account names where possible (for example, domain_name\user_name) instead of isolated names (for example, group_name). This way, you can avoid getting ambiguous results when users or groups with the same name exist in multiple domains and locally. See [LookupAccountNameA function](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountnamea#remarks) for more information. + +See [Use custom settings for Windows 10 devices in Intune](https://docs.microsoft.com/mem/intune/configuration/custom-settings-windows-10) for information on how to create custom profiles. + +> [!IMPORTANT] +> - `` and `` can use an Azure AD SID or the user's name. For adding or removing Azure AD groups using this policy, you must use the group's SID. Azure AD group SIDs can be obtained using [Graph](https://docs.microsoft.com/graph/api/resources/group?view=graph-rest-1.0#json-representation) API for Groups. The SID is present in the `securityIdentifier` attribute. +> - When specifying a SID in the `` or ``, member SIDs are added without attempting to resolve them. Therefore, be very careful when specifying a SID to ensure it is correct. +> - `` is not valid for the R (Restrict) action and will be ignored if present. +> - The list in the XML is processed in the given order except for the R actions, which get processed last to ensure they win. It also means that if a group is present multiple times with different add/remove values, all of them will be processed in the order they are present. + + + + + + +**Examples** + +Example 1: Update action for adding and removing group members. + +The following example shows how you can update a local group (**Backup Operators**)—add a domain group as a member using its name (**Contoso\ITAdmins**), add the built-in Administrators group using its [well known SID](https://docs.microsoft.com/windows/win32/secauthz/well-known-sids), add a AAD group by its SID (**S-1-12-1-111111111-22222222222-3333333333-4444444444**), and remove a local account (**Guest**). + +```xml + + + + + + + + + +``` + +Example 2: Restrict action for replacing the group membership. + +The following example shows how you can restrict a local group (**Backup Operators**)—replace its membership with the built-in Administrators group using its [well known SID](https://docs.microsoft.com/windows/win32/secauthz/well-known-sids) and add a local account (**Guest**). + +```xml + + + + + + + +``` + + + + + +
+ +## FAQs + +This section provides answers to some common questions you might have about the LocalUsersAndGroups policy CSP. + +### What happens if I accidentally remove the built-in Administrator SID from the Administrators group? + +Removing the built-in Administrator account from the built-in Administrators group is blocked at SAM/OS level for security reasons. Attempting to do so will result in failure with the following error: + +| Error Code | Symbolic Name | Error Description | Header | +|----------|----------|----------|----------| +| 0x55b (Hex)
1371 (Dec) |ERROR_SPECIAL_ACCOUNT|Cannot perform this operation on built-in accounts.| winerror.h | + +When configuring the built-in Administrators group with the R (Restrict) action, specify the built-in Administrator account SID/Name in `` to avoid this error. + +### Can I add a member that already exists? + +Yes, you can add a member that is already a member of a group. This will result in no changes to the group and no error. + +### Can I remove a member if it isn't a member of the group? + +Yes, you can remove a member even if it isn't a member of the group. This will result in no changes to the group and no error. + +### How can I add a domain group as a member to a local group? + +To add a domain group as a member to a local group, specify the domain group in `` of the local group. Use fully qualified account names (for example, domain_name\group_name) instead of isolated names (for example, group_name) for the best results. See [LookupAccountNameA function](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountnamea#remarks) for more information. + +### Can I apply more than one LocalUserAndGroups policy/XML to the same device? + +No, this is not allowed. Attempting to do so will result in a conflict in Intune. + +### What happens if I specify a group name that doesn't exist? + +Invalid group names or SIDs will be skipped. Valid parts of the policy will apply, and error will be returned at the end of the processing. This behavior aligns with the on-prem AD GPP (Group Policy Preferences) LocalUsersAndGroups policy. Similarly, invalid member names will be skipped, and error will be returned at the end to notify that not all settings were applied successfully. + +### What happens if I specify R and U in the same XML? + +If you specify both R and U in the same XML, the R (Restrict) action takes precedence over U (Update). Therefore, if a group appears twice in the XML, once with U and again with R, the R action wins. + +### How do I check the result of a policy that is applied on the client device? + +After a policy is applied on the client device, you can investigate the event log to review the result: + +1. Open Event Viewer (**eventvwr.exe**). +2. Navigate to **Applications and Services Logs** > **Microsoft** > **Windows** > **DeviceManagement-Enterprise- +Diagnostics-Provider** > **Admin**. +3. Search for the `LocalUsersAndGroups` string to review the relevant details. + +### How can I troubleshoot Name/SID lookup APIs? + +To troubleshoot Name/SID lookup APIs: + +1. Enable **lsp.log** on the client device by running the following commands: + + ```cmd + Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name LspDbgInfoLevel -Value 0x800 -Type dword -Force + + Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name LspDbgTraceOptions -Value 0x1 -Type dword -Force + ``` + + The **lsp.log** file (**C:\windows\debug\lsp.log**) will be displayed. This log file tracks the SID-Name resolution. + +2. Turn the logging off by running the following command: + + ```cmd + Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name LspDbgInfoLevel -Value 0x0 -Type dword -Force + ``` + + +Footnotes: + +- 9 - Available in Windows 10, version 2010. + + diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md index 67cb225555..b840169332 100644 --- a/windows/client-management/mdm/policy-csp-restrictedgroups.md +++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md @@ -14,6 +14,9 @@ manager: dansimp # Policy CSP - RestrictedGroups +> [!IMPORTANT] +> Starting from Windows 10, version 2010, it is recommended to use the [LocalUsersandGroups](policy-csp-localusersandgroups.md) policy instead of the RestrictedGroups policy to configure members (users or AAD groups) to a Windows 10 local group. Applying both the policies to the same device is unsupported and may yield unpredictable results. +
diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index 05c983440b..6012a60ed9 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -1,13 +1,13 @@ --- title: Policy CSP - System -description: Learn policy settings that determines whether users can access the Insider build controls in the advanced options for Windows Update. +description: Learn policy settings that determine whether users can access the Insider build controls in the advanced options for Windows Update. ms.author: dansimp ms.topic: article ms.prod: w10 ms.technology: windows author: manikadhiman ms.localizationpriority: medium -ms.date: 08/12/2020 +ms.date: 10/14/2020 ms.reviewer: manager: dansimp --- @@ -212,14 +212,13 @@ The following list shows the supported values: -This policy setting controls whether Microsoft is a processor or controller for Windows diagnostic data collected from devices. +This policy setting opts the device into the Windows enterprise data pipeline. -If you enable this policy and enroll your devices in your Azure AD tenant, your organization becomes the controller and Microsoft is the processor of this data. +If you enable this setting, data collected from the device will be opted into the Windows enterprise data pipeline. -If you disable or don't configure this policy setting, Microsoft will be the controller for Windows diagnostic data collected from the device. +If you disable or don't configure this setting, all data from the device will be collected and processed in accordance with our policies for the Windows standard data pipeline. ->[!Note] -> This policy setting only controls if Microsoft is a processor for Windows diagnostic data from this device. Use the [System/AllowTelemetry](#system-allowtelemetry) policy setting to limit the diagnostic data that can be collected from the device. +Configuring this setting does not change the telemetry collection level or the ability of the user to change the level. This setting only applies to the Windows operating system and apps included with Windows, not third-party apps or services running on Windows 10. @@ -234,8 +233,8 @@ ADMX Info: The following list shows the supported values: -- 0 (default) - Do not use the Windows Commercial Data Pipeline -- 1 - Use the Windows Commercial Data Pipeline +- 0 (default) - Disabled. +- 1 - Enabled. @@ -245,7 +244,9 @@ The following list shows the supported values: +
+ **System/AllowDeviceNameInDiagnosticData** @@ -488,7 +489,7 @@ The following list shows the supported values: -Added in Windows 10, version 1703. Boolean policy setting that determines whether Windows is allowed to download fonts and font catalog data from an online font provider. If you enable this setting, Windows periodically queries an online font provider to determine whether a new font catalog is available. Windows may also download font data if needed to format or render text. If you disable this policy setting, Windows does not connect to an online font provider and only enumerates locally-installed fonts. +Added in Windows 10, version 1703. Boolean policy setting that determines whether Windows is allowed to download fonts and font catalog data from an online font provider. If you enable this setting, Windows periodically queries an online font provider to determine whether a new font catalog is available. Windows may also download font data if needed to format or render text. If you disable this policy setting, Windows does not connect to an online font provider and only enumerates locally installed fonts. This MDM setting corresponds to the EnableFontProviders Group Policy setting. If both the Group Policy and the MDM settings are configured, the group policy setting takes precedence. If neither is configured, the behavior depends on a DisableFontProviders registry value. In server editions, this registry value is set to 1 by default, so the default behavior is false (disabled). In all other editions, the registry value is not set by default, so the default behavior is true (enabled). @@ -509,7 +510,7 @@ ADMX Info: The following list shows the supported values: -- 0 - false - No traffic to fs.microsoft.com and only locally-installed fonts are available. +- 0 - false - No traffic to fs.microsoft.com and only locally installed fonts are available. - 1 - true (default) - There may be network traffic to fs.microsoft.com and downloadable fonts are available to apps that support them. @@ -1605,7 +1606,7 @@ The following list shows the supported values: This policy setting, in combination with the System/AllowTelemetry policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services. -To enable this behavior you must complete two steps: +To enable this behavior, you must complete two steps:
  • Enable this policy setting
  • Set Allow Telemetry to level 2 (Enhanced)
    • diff --git a/windows/client-management/mdm/policy-csp-windowssandbox.md b/windows/client-management/mdm/policy-csp-windowssandbox.md new file mode 100644 index 0000000000..a00be7e6d7 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-windowssandbox.md @@ -0,0 +1,561 @@ +--- +title: Policy CSP - WindowsSandbox +description: Policy CSP - WindowsSandbox +ms.author: dansimp +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.localizationpriority: medium +ms.date: 10/14/2020 +--- + +# Policy CSP - WindowsSandbox + +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + + +
    + + +## WindowsSandbox policies + +
    +
    + WindowsSandbox/AllowAudioInput +
    +
    + WindowsSandbox/AllowClipboardRedirection +
    +
    + WindowsSandbox/AllowNetworking +
    +
    + WindowsSandbox/AllowPrinterRedirection +
    +
    + WindowsSandbox/AllowVGPU +
    +
    + WindowsSandbox/AllowVideoInput +
    +
    + + +
    + + +**WindowsSandbox/AllowAudioInput** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procheck mark9
    Businesscross mark
    Enterprisecheck mark9
    Educationcheck mark9
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +This policy setting allows the IT admin to enable or disable audio input to the Sandbox. + +> [!NOTE] +> There may be security implications of exposing host audio input to the container. + +If this policy is not configured, end-users get the default behavior (audio input enabled). + +If audio input is disabled, a user will not be able to enable audio input from their own configuration file. + +If audio input is enabled, a user will be able to disable audio input from their own configuration file to make the device more secure. + +> [!NOTE] +> You must restart Windows Sandbox for any changes to this policy setting to take effect. + + + +ADMX Info: + +- GP English Name: *Allow audio input in Windows Sandbox* +- GP name: *AllowAudioInput* +- GP path: *Windows Components/Windows Sandbox* +- GP ADMX file name: *WindowsSandbox.admx* + + + +The following are the supported values: + +- 0 - Disabled +- 1 (default) - Enabled + + + + + + + + + + +
    + + + +**WindowsSandbox/AllowClipboardRedirection** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procheck mark9
    Businesscross mark
    Enterprisecheck mark9
    Educationcheck mark9
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +This policy setting allows the IT admin to enable or disable sharing of the host clipboard with the sandbox. + +If this policy is not configured, end-users get the default behavior (clipboard redirection enabled. + +If clipboard sharing is disabled, a user will not be able to enable clipboard sharing from their own configuration file. + +If clipboard sharing is enabled, a user will be able to disable clipboard sharing from their own configuration file to make the device more secure. + +> [!NOTE] +> You must restart Windows Sandbox for any changes to this policy setting to take effect. + + + +ADMX Info: + +- GP English Name: *Allow clipboard sharing with Windows Sandbox* +- GP name: *AllowClipboardRedirection* +- GP path: *Windows Components/Windows Sandbox* +- GP ADMX file name: *WindowsSandbox.admx* + + + +The following are the supported values: + +- 0 - Disabled +- 1 (default) - Enabled + + + + + + + + + + + +
    + + +**WindowsSandbox/AllowNetworking** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procheck mark9
    Businesscross mark
    Enterprisecheck mark9
    Educationcheck mark9
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +This policy setting allows the IT admin to enable or disable networking in Windows Sandbox. Disabling network access can decrease the attack surface exposed by the Sandbox. Enabling networking can expose untrusted applications to the internal network. + +If this policy is not configured, end-users get the default behavior (networking enabled). + +If networking is disabled, a user will not be able to enable networking from their own configuration file. + +If networking is enabled, a user will be able to disable networking from their own configuration file to make the device more secure. + +> [!NOTE] +> You must restart Windows Sandbox for any changes to this policy setting to take effect. + + + +ADMX Info: + +- GP English Name: *Allow networking in Windows Sandbox* +- GP name: *AllowNetworking* +- GP path: *Windows Components/Windows Sandbox* +- GP ADMX file name: *WindowsSandbox.admx* + + + +The following are the supported values: +- 0 - Disabled +- 1 (default) - Enabled + + + + + + + + + + +
    + + +**WindowsSandbox/AllowPrinterRedirection** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procheck mark9
    Businesscross mark
    Enterprisecheck mark9
    Educationcheck mark9
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +This policy setting allows the IT admin to enable or disable printer sharing from the host into the Sandbox. + +If this policy is not configured, end-users get the default behavior (printer sharing disabled). + +If printer sharing is disabled, a user will not be able to enable printer sharing from their own configuration file. + +If printer sharing is enabled, a user will be able to disable printer sharing from their own configuration file to make the device more secure. + +> [!NOTE] +> You must restart Windows Sandbox for any changes to this policy setting to take effect. + + + +ADMX Info: + +- GP English Name: *Allow printer sharing with Windows Sandbox* +- GP name: *AllowPrinterRedirection* +- GP path: *Windows Components/Windows Sandbox* +- GP ADMX file name: *WindowsSandbox.admx* + + + +The following are the supported values: + +- 0 - Disabled +- 1 (default) - Enabled + + + + + + + + + + +
    + + +**WindowsSandbox/AllowVGPU** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procheck mark9
    Businesscross mark
    Enterprisecheck mark9
    Educationcheck mark9
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +This policy setting allows the IT admin to enable or disable virtualized GPU for Windows Sandbox. + +> [!NOTE] +> Enabling virtualized GPU can potentially increase the attack surface of Windows Sandbox. + +If this policy is not configured, end-users get the default behavior (vGPU is disabled). + +If vGPU is disabled, a user will not be able to enable vGPU support from their own configuration file. + +If vGPU is enabled, a user will be able to disable vGPU support from their own configuration file to make the device more secure. + +> [!NOTE] +> You must restart Windows Sandbox for any changes to this policy setting to take effect. + + + +ADMX Info: + +- GP English Name: *Allow vGPU sharing for Windows Sandbox* +- GP name: *AllowVGPU* +- GP path: *Windows Components/Windows Sandbox* +- GP ADMX file name: *WindowsSandbox.admx* + + + +The following are the supported values: + +- 0 (default) - Disabled +- 1 - Enabled + + + + + + + + + + +
    + + +**WindowsSandbox/AllowVideoInput** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procheck mark9
    Businesscross mark
    Enterprisecheck mark9
    Educationcheck mark9
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +This policy setting allows the IT admin to enable or disable video input to the Sandbox. + +> [!NOTE] +> There may be security implications of exposing host video input to the container. + +If this policy is not configured, users get the default behavior (video input disabled). + +If video input is disabled, users will not be able to enable video input from their own configuration file. + +If video input is enabled, users will be able to disable video input from their own configuration file to make the device more secure. + +> [!NOTE] +> You must restart Windows Sandbox for any changes to this policy setting to take effect. + + + +ADMX Info: +- GP English Name: *Allow video input in Windows Sandbox* +- GP name: *AllowVideoInput* +- GP path: *Windows Components/Windows Sandbox* +- GP ADMX file name: *WindowsSandbox.admx* + + + +The following are the supported values: + +- 0 (default) - Disabled +- 1 - Enabled + + + + + + + + + + +
    + +Footnotes: + +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. +- 7 - Available in Windows 10, version 1909. +- 8 - Available in Windows 10, version 2004. +- 9 - Available in Windows 10, version 2010. + + diff --git a/windows/client-management/mdm/surfacehub-csp.md b/windows/client-management/mdm/surfacehub-csp.md index fcb23c170c..330dddba01 100644 --- a/windows/client-management/mdm/surfacehub-csp.md +++ b/windows/client-management/mdm/surfacehub-csp.md @@ -161,7 +161,7 @@ The following diagram shows the SurfaceHub CSP management objects in tree format ErrorContext value -Stage where error occured +Stage where error occurred Description and suggestions @@ -239,7 +239,7 @@ The following diagram shows the SurfaceHub CSP management objects in tree format

    The data type is boolean. Supported operation is Get and Replace. **InBoxApps/Welcome/CurrentBackgroundPath** -

    Background image for the welcome screen. To set this, specify a https URL to a PNG file (only PNGs are supported for security reasons). +

    Background image for the welcome screen. To set this, specify a https URL to a PNG file (only PNGs are supported for security reasons). If any certificate authorities need to be trusted in order to access the URL, please ensure they are valid and installed on the Hub, otherwise it may not be able to load the image.

    The data type is string. Supported operation is Get and Replace. diff --git a/windows/deployment/update/delivery-optimization-proxy.md b/windows/deployment/update/delivery-optimization-proxy.md index 1c4a8224fc..21e355ea15 100644 --- a/windows/deployment/update/delivery-optimization-proxy.md +++ b/windows/deployment/update/delivery-optimization-proxy.md @@ -54,7 +54,7 @@ With NetworkService (if unable to obtain a user token from a signed-in user): |---------|---------| |Internet Explorer proxy, current user | No | |Internet Explorer proxy, device-wide | Yes | -|netsh proxy | No | +|netsh proxy | Yes | |Both Internet Explorer proxy (current user) *and* netsh proxy | Yes, netsh proxy is used | |Both Internet Explorer proxy (device-wide) *and* netsh proxy | Yes, netsh proxy is used | @@ -76,4 +76,4 @@ However, you can set the Connected Cache server to use an unauthenticated proxy. - [How can I configure Proxy AutoConfigURL Setting using Group Policy Preference (GPP)?](https://docs.microsoft.com/archive/blogs/askie/how-can-i-configure-proxy-autoconfigurl-setting-using-group-policy-preference-gpp) - [How to use GPP Registry to uncheck automatically detect settings? ](https://docs.microsoft.com/archive/blogs/askie/how-to-use-gpp-registry-to-uncheck-automatically-detect-settings) -- [How to configure a proxy server URL and Port using GPP Registry?](https://docs.microsoft.com/archive/blogs/askie/how-to-configure-a-proxy-server-url-and-port-using-gpp-registry) \ No newline at end of file +- [How to configure a proxy server URL and Port using GPP Registry?](https://docs.microsoft.com/archive/blogs/askie/how-to-configure-a-proxy-server-url-and-port-using-gpp-registry) diff --git a/windows/deployment/update/media-dynamic-update.md b/windows/deployment/update/media-dynamic-update.md index 53779f741d..ea81420b8b 100644 --- a/windows/deployment/update/media-dynamic-update.md +++ b/windows/deployment/update/media-dynamic-update.md @@ -18,7 +18,7 @@ ms.topic: article **Applies to**: Windows 10 -This topic explains how to acquire and apply Dynamic Update packages to existing Windows 10 images prior to deployment and includes Windows PowerShell scripts you can use to automate this process. +This topic explains how to acquire and apply Dynamic Update packages to existing Windows 10 images *prior to deployment* and includes Windows PowerShell scripts you can use to automate this process. Volume-licensed media is available for each release of Windows 10 in the Volume Licensing Service Center (VLSC) and other relevant channels such as Windows Update for Business, Windows Server Update Services (WSUS), and Visual Studio Subscriptions. You can use Dynamic Update to ensure that Windows 10 devices have the latest feature update packages as part of an in-place upgrade while preserving language pack and Features on Demand (FODs) that might have been previously installed. Dynamic Update also eliminates the need to install a separate quality update as part of the in-place upgrade process. @@ -42,8 +42,7 @@ You can obtain Dynamic Update packages from the [Microsoft Update Catalog](https ![Table with columns labeled Title, Products, Classification, Last Updated, Version, and Size and four rows listing various dynamic updates and associated KB articles](images/update-catalog.png) -The various Dynamic Update packages might not all be present in the results from a single search, so you might have to search with different keywords to find all of the updates. And you'll need to check various parts of the results to be sure you've identified the needed files. This table shows in bold the key items to search for or look for in the results. For example, to find the relevant "Setup Dynamic Update," you'll have to check the detailed description for the download by selecting the link in the **Title** column of the search results. - +The various Dynamic Update packages might not all be present in the results from a single search, so you might have to search with different keywords to find all of the updates. And you'll need to check various parts of the results to be sure you've identified the needed files. This table shows in **bold** the key items to search for or look for in the results. For example, to find the relevant "Setup Dynamic Update," you'll have to check the detailed description for the download by selecting the link in the **Title** column of the search results. |To find this Dynamic Update packages, search for or check the results here--> |Title |Product |Description (select the **Title** link to see **Details**) | |---------|---------|---------|---------| @@ -94,8 +93,7 @@ Optional Components, along with the .NET feature, can be installed offline, howe ## Windows PowerShell scripts to apply Dynamic Updates to an existing image -These examples are for illustration only, and therefore lack error handling. The script assumes that the following packages is stored locally in this folder structure: - +These examples are for illustration only, and therefore lack error handling. The script assumes that the following packages are stored locally in this folder structure: |Folder |Description | |---------|---------| @@ -108,49 +106,51 @@ These examples are for illustration only, and therefore lack error handling. The The script starts by declaring global variables and creating folders to use for mounting images. Then, make a copy of the original media, from \oldMedia to \newMedia, keeping the original media in case there is a script error and it's necessary to start over from a known state. Also, it will provide a comparison of old versus new media to evaluate changes. To ensure that the new media updates, make sure they are not read-only. ```powershell -function Get-TS { return "{0:HH:mm:ss}" -f (Get-Date) } +#Requires -RunAsAdministrator -Write-Host "$(Get-TS): Starting media refresh" +function Get-TS { return "{0:HH:mm:ss}" -f [DateTime]::Now } -# Declare media for FOD and LPs -$FOD_ISO_PATH = "C:\mediaRefresh\packages\FOD-PACKAGES_OEM_PT1_amd64fre_MULTI.iso" -$LP_ISO_PATH = "C:\mediaRefresh\packages\CLIENTLANGPACKDVD_OEM_MULTI.iso" +Write-Output "$(Get-TS): Starting media refresh" # Declare language for showcasing adding optional localized components -$LANG = "ja-jp" +$LANG = "ja-jp" $LANG_FONT_CAPABILITY = "jpan" +# Declare media for FOD and LPs +$FOD_ISO_PATH = "C:\mediaRefresh\packages\FOD-PACKAGES_OEM_PT1_amd64fre_MULTI.iso" +$LP_ISO_PATH = "C:\mediaRefresh\packages\CLIENTLANGPACKDVD_OEM_MULTI.iso" + # Declare Dynamic Update packages -$LCU_PATH = "C:\mediaRefresh\packages\LCU.msu" -$SSU_PATH = "C:\mediaRefresh\packages\SSU_DU.msu" -$SETUP_DU_PATH = "C:\mediaRefresh\packages\Setup_DU.cab" +$LCU_PATH = "C:\mediaRefresh\packages\LCU.msu" +$SSU_PATH = "C:\mediaRefresh\packages\SSU_DU.msu" +$SETUP_DU_PATH = "C:\mediaRefresh\packages\Setup_DU.cab" $SAFE_OS_DU_PATH = "C:\mediaRefresh\packages\SafeOS_DU.cab" -$DOTNET_CU_PATH = "C:\mediaRefresh\packages\DotNet_CU.msu" +$DOTNET_CU_PATH = "C:\mediaRefresh\packages\DotNet_CU.msu" # Declare folders for mounted images and temp files -$WORKING_PATH = "C:\mediaRefresh\temp" -$MEDIA_OLD_PATH = "C:\mediaRefresh\oldMedia" -$MEDIA_NEW_PATH = "C:\mediaRefresh\newMedia" -$MAIN_OS_MOUNT = $WORKING_PATH + "\MainOSMount" -$WINRE_MOUNT = $WORKING_PATH + "\WinREMount" -$WINPE_MOUNT = $WORKING_PATH + "\WinPEMount" +$MEDIA_OLD_PATH = "C:\mediaRefresh\oldMedia" +$MEDIA_NEW_PATH = "C:\mediaRefresh\newMedia" +$WORKING_PATH = "C:\mediaRefresh\temp" +$MAIN_OS_MOUNT = "C:\mediaRefresh\temp\MainOSMount" +$WINRE_MOUNT = "C:\mediaRefresh\temp\WinREMount" +$WINPE_MOUNT = "C:\mediaRefresh\temp\WinPEMount" # Mount the language pack ISO -Write-Host "$(Get-TS): Mounting LP ISO" +Write-Output "$(Get-TS): Mounting LP ISO" $LP_ISO_DRIVE_LETTER = (Mount-DiskImage -ImagePath $LP_ISO_PATH -ErrorAction stop | Get-Volume).DriveLetter # Declare language related cabs -$WINPE_OC_PATH = Join-Path $LP_ISO_DRIVE_LETTER":" -ChildPath "Windows Preinstallation Environment" | Join-Path -ChildPath "x64" | Join-Path -ChildPath "WinPE_OCs" -$WINPE_OC_LANG_PATH = Join-Path $WINPE_OC_PATH $LANG -$WINPE_OC_LANG_CABS = Get-ChildItem $WINPE_OC_LANG_PATH -name -$WINPE_OC_LP_PATH = Join-Path $WINPE_OC_LANG_PATH "lp.cab" -$WINPE_FONT_SUPPORT_PATH = Join-Path $WINPE_OC_PATH "WinPE-FontSupport-$LANG.cab" -$WINPE_SPEECH_TTS_PATH = Join-Path $WINPE_OC_PATH "WinPE-Speech-TTS.cab" -$WINPE_SPEECH_TTS_LANG_PATH = Join-Path $WINPE_OC_PATH "WinPE-Speech-TTS-$LANG.cab" -$OS_LP_PATH = $LP_ISO_DRIVE_LETTER + ":\x64\langpacks\" + "Microsoft-Windows-Client-Language-Pack_x64_" + $LANG + ".cab" +$WINPE_OC_PATH = "$LP_ISO_DRIVE_LETTER`:\Windows Preinstallation Environment\x64\WinPE_OCs" +$WINPE_OC_LANG_PATH = "$WINPE_OC_PATH\$LANG" +$WINPE_OC_LANG_CABS = Get-ChildItem $WINPE_OC_LANG_PATH -Name +$WINPE_OC_LP_PATH = "$WINPE_OC_LANG_PATH\lp.cab" +$WINPE_FONT_SUPPORT_PATH = "$WINPE_OC_PATH\WinPE-FontSupport-$LANG.cab" +$WINPE_SPEECH_TTS_PATH = "$WINPE_OC_PATH\WinPE-Speech-TTS.cab" +$WINPE_SPEECH_TTS_LANG_PATH = "$WINPE_OC_PATH\WinPE-Speech-TTS-$LANG.cab" +$OS_LP_PATH = "$LP_ISO_DRIVE_LETTER`:\x64\langpacks\Microsoft-Windows-Client-Language-Pack_x64_$LANG.cab" # Mount the Features on Demand ISO -Write-Host "$(Get-TS): Mounting FOD ISO" +Write-Output "$(Get-TS): Mounting FOD ISO" $FOD_ISO_DRIVE_LETTER = (Mount-DiskImage -ImagePath $FOD_ISO_PATH -ErrorAction stop | Get-Volume).DriveLetter $FOD_PATH = $FOD_ISO_DRIVE_LETTER + ":\" @@ -161,10 +161,11 @@ New-Item -ItemType directory -Path $WINRE_MOUNT -ErrorAction stop | Out-Null New-Item -ItemType directory -Path $WINPE_MOUNT -ErrorAction stop | Out-Null # Keep the original media, make a copy of it for the new, updated media. -Write-Host "$(Get-TS): Copying original media to new media path" +Write-Output "$(Get-TS): Copying original media to new media path" Copy-Item -Path $MEDIA_OLD_PATH"\*" -Destination $MEDIA_NEW_PATH -Force -Recurse -ErrorAction stop | Out-Null Get-ChildItem -Path $MEDIA_NEW_PATH -Recurse | Where-Object { -not $_.PSIsContainer -and $_.IsReadOnly } | ForEach-Object { $_.IsReadOnly = $false } ``` + ### Update WinRE The script assumes that only a single edition is being updated, indicated by Index = 1 (Windows 10 Education Edition). Then the script mounts the image, saves Winre.wim to the working folder, and mounts it. It then applies servicing stack Dynamic Update, since its components are used for updating other components. Since the script is optionally adding Japanese, it adds the language pack to the image, and installs the Japanese versions of all optional packages already installed in Winre.wim. Then, it applies the Safe OS Dynamic Update package. @@ -176,25 +177,25 @@ It finishes by cleaning and exporting the image to reduce the image size. ```powershell # Mount the main operating system, used throughout the script -Write-Host "$(Get-TS): Mounting main OS" +Write-Output "$(Get-TS): Mounting main OS" Mount-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\install.wim" -Index 1 -Path $MAIN_OS_MOUNT -ErrorAction stop| Out-Null # # update Windows Recovery Environment (WinRE) # Copy-Item -Path $MAIN_OS_MOUNT"\windows\system32\recovery\winre.wim" -Destination $WORKING_PATH"\winre.wim" -Force -Recurse -ErrorAction stop | Out-Null -Write-Host "$(Get-TS): Mounting WinRE" +Write-Output "$(Get-TS): Mounting WinRE" Mount-WindowsImage -ImagePath $WORKING_PATH"\winre.wim" -Index 1 -Path $WINRE_MOUNT -ErrorAction stop | Out-Null # Add servicing stack update -Write-Host "$(Get-TS): Adding package $SSU_PATH" +Write-Output "$(Get-TS): Adding package $SSU_PATH" Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $SSU_PATH -ErrorAction stop | Out-Null # # Optional: Add the language to recovery environment # # Install lp.cab cab -Write-Host "$(Get-TS): Adding package $WINPE_OC_LP_PATH" +Write-Output "$(Get-TS): Adding package $WINPE_OC_LP_PATH" Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $WINPE_OC_LP_PATH -ErrorAction stop | Out-Null # Install language cabs for each optional package installed @@ -210,7 +211,7 @@ Foreach ($PACKAGE in $WINRE_INSTALLED_OC) { $OC_CAB = $PACKAGE.PackageName.Substring(0, $INDEX) + "_" + $LANG + ".cab" if ($WINPE_OC_LANG_CABS.Contains($OC_CAB)) { $OC_CAB_PATH = Join-Path $WINPE_OC_LANG_PATH $OC_CAB - Write-Host "$(Get-TS): Adding package $OC_CAB_PATH" + Write-Output "$(Get-TS): Adding package $OC_CAB_PATH" Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $OC_CAB_PATH -ErrorAction stop | Out-Null } } @@ -219,7 +220,7 @@ Foreach ($PACKAGE in $WINRE_INSTALLED_OC) { # Add font support for the new language if ( (Test-Path -Path $WINPE_FONT_SUPPORT_PATH) ) { - Write-Host "$(Get-TS): Adding package $WINPE_FONT_SUPPORT_PATH" + Write-Output "$(Get-TS): Adding package $WINPE_FONT_SUPPORT_PATH" Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $WINPE_FONT_SUPPORT_PATH -ErrorAction stop | Out-Null } @@ -227,30 +228,31 @@ if ( (Test-Path -Path $WINPE_FONT_SUPPORT_PATH) ) { if (Test-Path -Path $WINPE_SPEECH_TTS_PATH) { if ( (Test-Path -Path $WINPE_SPEECH_TTS_LANG_PATH) ) { - Write-Host "$(Get-TS): Adding package $WINPE_SPEECH_TTS_PATH" + Write-Output "$(Get-TS): Adding package $WINPE_SPEECH_TTS_PATH" Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $WINPE_SPEECH_TTS_PATH -ErrorAction stop | Out-Null - Write-Host "$(Get-TS): Adding package $WINPE_SPEECH_TTS_LANG_PATH" + Write-Output "$(Get-TS): Adding package $WINPE_SPEECH_TTS_LANG_PATH" Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $WINPE_SPEECH_TTS_LANG_PATH -ErrorAction stop | Out-Null } } # Add Safe OS -Write-Host "$(Get-TS): Adding package $SAFE_OS_DU_PATH" -Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $SAFE_OS_DU_PATH -ErrorAction stop | Out-Null +Write-Output "$(Get-TS): Adding package $SAFE_OS_DU_PATH" +Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $SAFE_OS_DU_PATH -ErrorAction stop | Out-Null # Perform image cleanup -Write-Host "$(Get-TS): Performing image cleanup on WinRE" +Write-Output "$(Get-TS): Performing image cleanup on WinRE" DISM /image:$WINRE_MOUNT /cleanup-image /StartComponentCleanup | Out-Null # Dismount Dismount-WindowsImage -Path $WINRE_MOUNT -Save -ErrorAction stop | Out-Null # Export -Write-Host "$(Get-TS): Exporting image to $WORKING_PATH\winre2.wim" +Write-Output "$(Get-TS): Exporting image to $WORKING_PATH\winre2.wim" Export-WindowsImage -SourceImagePath $WORKING_PATH"\winre.wim" -SourceIndex 1 -DestinationImagePath $WORKING_PATH"\winre2.wim" -ErrorAction stop | Out-Null Move-Item -Path $WORKING_PATH"\winre2.wim" -Destination $WORKING_PATH"\winre.wim" -Force -ErrorAction stop | Out-Null ``` + ### Update WinPE This script is similar to the one that updates WinRE, but instead it mounts Boot.wim, applies the packages with the latest cumulative update last, and saves. It repeats this for all images inside of Boot.wim, typically two images. It starts by applying the servicing stack Dynamic Update. Since the script is customizing this media with Japanese, it installs the language pack from the WinPE folder on the language pack ISO. Additionally, add font support and text to speech (TTS) support. Since the script is adding a new language, it rebuilds lang.ini, used to identify languages installed in the image. Finally, it cleans and exports Boot.wim, and copies it back to the new media. @@ -266,15 +268,15 @@ $WINPE_IMAGES = Get-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\boot.wim" Foreach ($IMAGE in $WINPE_IMAGES) { # update WinPE - Write-Host "$(Get-TS): Mounting WinPE" + Write-Output "$(Get-TS): Mounting WinPE" Mount-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\boot.wim" -Index $IMAGE.ImageIndex -Path $WINPE_MOUNT -ErrorAction stop | Out-Null # Add SSU - Write-Host "$(Get-TS): Adding package $SSU_PATH" + Write-Output "$(Get-TS): Adding package $SSU_PATH" Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $SSU_PATH -ErrorAction stop | Out-Null # Install lp.cab cab - Write-Host "$(Get-TS): Adding package $WINPE_OC_LP_PATH" + Write-Output "$(Get-TS): Adding package $WINPE_OC_LP_PATH" Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $WINPE_OC_LP_PATH -ErrorAction stop | Out-Null # Install language cabs for each optional package installed @@ -291,7 +293,7 @@ Foreach ($IMAGE in $WINPE_IMAGES) { $OC_CAB = $PACKAGE.PackageName.Substring(0, $INDEX) + "_" + $LANG + ".cab" if ($WINPE_OC_LANG_CABS.Contains($OC_CAB)) { $OC_CAB_PATH = Join-Path $WINPE_OC_LANG_PATH $OC_CAB - Write-Host "$(Get-TS): Adding package $OC_CAB_PATH" + Write-Output "$(Get-TS): Adding package $OC_CAB_PATH" Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $OC_CAB_PATH -ErrorAction stop | Out-Null } } @@ -300,7 +302,7 @@ Foreach ($IMAGE in $WINPE_IMAGES) { # Add font support for the new language if ( (Test-Path -Path $WINPE_FONT_SUPPORT_PATH) ) { - Write-Host "$(Get-TS): Adding package $WINPE_FONT_SUPPORT_PATH" + Write-Output "$(Get-TS): Adding package $WINPE_FONT_SUPPORT_PATH" Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $WINPE_FONT_SUPPORT_PATH -ErrorAction stop | Out-Null } @@ -308,39 +310,40 @@ Foreach ($IMAGE in $WINPE_IMAGES) { if (Test-Path -Path $WINPE_SPEECH_TTS_PATH) { if ( (Test-Path -Path $WINPE_SPEECH_TTS_LANG_PATH) ) { - Write-Host "$(Get-TS): Adding package $WINPE_SPEECH_TTS_PATH" + Write-Output "$(Get-TS): Adding package $WINPE_SPEECH_TTS_PATH" Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $WINPE_SPEECH_TTS_PATH -ErrorAction stop | Out-Null - Write-Host "$(Get-TS): Adding package $WINPE_SPEECH_TTS_LANG_PATH" + Write-Output "$(Get-TS): Adding package $WINPE_SPEECH_TTS_LANG_PATH" Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $WINPE_SPEECH_TTS_LANG_PATH -ErrorAction stop | Out-Null } } # Generates a new Lang.ini file which is used to define the language packs inside the image if ( (Test-Path -Path $WINPE_MOUNT"\sources\lang.ini") ) { - Write-Host "$(Get-TS): Updating lang.ini" + Write-Output "$(Get-TS): Updating lang.ini" DISM /image:$WINPE_MOUNT /Gen-LangINI /distribution:$WINPE_MOUNT | Out-Null - } + } # Add latest cumulative update - Write-Host "$(Get-TS): Adding package $LCU_PATH" + Write-Output "$(Get-TS): Adding package $LCU_PATH" Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $LCU_PATH -ErrorAction stop | Out-Null # Perform image cleanup - Write-Host "$(Get-TS): Performing image cleanup on WinPE" + Write-Output "$(Get-TS): Performing image cleanup on WinPE" DISM /image:$WINPE_MOUNT /cleanup-image /StartComponentCleanup | Out-Null # Dismount Dismount-WindowsImage -Path $WINPE_MOUNT -Save -ErrorAction stop | Out-Null #Export WinPE - Write-Host "$(Get-TS): Exporting image to $WORKING_PATH\boot2.wim" + Write-Output "$(Get-TS): Exporting image to $WORKING_PATH\boot2.wim" Export-WindowsImage -SourceImagePath $MEDIA_NEW_PATH"\sources\boot.wim" -SourceIndex $IMAGE.ImageIndex -DestinationImagePath $WORKING_PATH"\boot2.wim" -ErrorAction stop | Out-Null } Move-Item -Path $WORKING_PATH"\boot2.wim" -Destination $MEDIA_NEW_PATH"\sources\boot.wim" -Force -ErrorAction stop | Out-Null ``` + ### Update the main operating system For this next phase, there is no need to mount the main operating system, since it was already mounted in the previous scripts. This script starts by applying the servicing stack Dynamic Update. Then, it adds Japanese language support and then the Japanese language features. Unlike the Dynamic Update packages, it leverages `Add-WindowsCapability` to add these features. For a full list of such features, and their associated capability name, see [Available Features on Demand](https://docs.microsoft.com/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod). @@ -355,36 +358,36 @@ You can install Optional Components, along with the .NET feature, offline, but t # # Add servicing stack update -Write-Host "$(Get-TS): Adding package $SSU_PATH" +Write-Output "$(Get-TS): Adding package $SSU_PATH" Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $SSU_PATH -ErrorAction stop | Out-Null # Optional: Add language to main OS -Write-Host "$(Get-TS): Adding package $OS_LP_PATH" +Write-Output "$(Get-TS): Adding package $OS_LP_PATH" Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $OS_LP_PATH -ErrorAction stop | Out-Null # Optional: Add a Features on Demand to the image -Write-Host "$(Get-TS): Adding language FOD: Language.Fonts.Jpan~~~und-JPAN~0.0.1.0" +Write-Output "$(Get-TS): Adding language FOD: Language.Fonts.Jpan~~~und-JPAN~0.0.1.0" Add-WindowsCapability -Name "Language.Fonts.$LANG_FONT_CAPABILITY~~~und-$LANG_FONT_CAPABILITY~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null -Write-Host "$(Get-TS): Adding language FOD: Language.Basic~~~$LANG~0.0.1.0" +Write-Output "$(Get-TS): Adding language FOD: Language.Basic~~~$LANG~0.0.1.0" Add-WindowsCapability -Name "Language.Basic~~~$LANG~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null -Write-Host "$(Get-TS): Adding language FOD: Language.OCR~~~$LANG~0.0.1.0" +Write-Output "$(Get-TS): Adding language FOD: Language.OCR~~~$LANG~0.0.1.0" Add-WindowsCapability -Name "Language.OCR~~~$LANG~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null -Write-Host "$(Get-TS): Adding language FOD: Language.Handwriting~~~$LANG~0.0.1.0" +Write-Output "$(Get-TS): Adding language FOD: Language.Handwriting~~~$LANG~0.0.1.0" Add-WindowsCapability -Name "Language.Handwriting~~~$LANG~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null -Write-Host "$(Get-TS): Adding language FOD: Language.TextToSpeech~~~$LANG~0.0.1.0" +Write-Output "$(Get-TS): Adding language FOD: Language.TextToSpeech~~~$LANG~0.0.1.0" Add-WindowsCapability -Name "Language.TextToSpeech~~~$LANG~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null -Write-Host "$(Get-TS): Adding language FOD:Language.Speech~~~$LANG~0.0.1.0" +Write-Output "$(Get-TS): Adding language FOD:Language.Speech~~~$LANG~0.0.1.0" Add-WindowsCapability -Name "Language.Speech~~~$LANG~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null # Note: If I wanted to enable additional Features on Demand, I'd add these here. # Add latest cumulative update -Write-Host "$(Get-TS): Adding package $LCU_PATH" +Write-Output "$(Get-TS): Adding package $LCU_PATH" Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $LCU_PATH -ErrorAction stop | Out-Null # Copy our updated recovery image from earlier into the main OS @@ -393,7 +396,7 @@ Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $LCU_PATH -ErrorAction stop Copy-Item -Path $WORKING_PATH"\winre.wim" -Destination $MAIN_OS_MOUNT"\windows\system32\recovery\winre.wim" -Force -Recurse -ErrorAction stop | Out-Null # Perform image cleanup -Write-Host "$(Get-TS): Performing image cleanup on main OS" +Write-Output "$(Get-TS): Performing image cleanup on main OS" DISM /image:$MAIN_OS_MOUNT /cleanup-image /StartComponentCleanup | Out-Null # @@ -402,18 +405,18 @@ DISM /image:$MAIN_OS_MOUNT /cleanup-image /StartComponentCleanup | Out-Null # the image to be booted, and thus if we tried to cleanup after installation, it would fail. # -Write-Host "$(Get-TS): Adding NetFX3~~~~" +Write-Output "$(Get-TS): Adding NetFX3~~~~" Add-WindowsCapability -Name "NetFX3~~~~" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null # Add .NET Cumulative Update -Write-Host "$(Get-TS): Adding package $DOTNET_CU_PATH" +Write-Output "$(Get-TS): Adding package $DOTNET_CU_PATH" Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $DOTNET_CU_PATH -ErrorAction stop | Out-Null # Dismount Dismount-WindowsImage -Path $MAIN_OS_MOUNT -Save -ErrorAction stop | Out-Null # Export -Write-Host "$(Get-TS): Exporting image to $WORKING_PATH\install2.wim" +Write-Output "$(Get-TS): Exporting image to $WORKING_PATH\install2.wim" Export-WindowsImage -SourceImagePath $MEDIA_NEW_PATH"\sources\install.wim" -SourceIndex 1 -DestinationImagePath $WORKING_PATH"\install2.wim" -ErrorAction stop | Out-Null Move-Item -Path $WORKING_PATH"\install2.wim" -Destination $MEDIA_NEW_PATH"\sources\install.wim" -Force -ErrorAction stop | Out-Null ``` @@ -428,9 +431,10 @@ This part of the script updates the Setup files. It simply copies the individual # # Add Setup DU by copy the files from the package into the newMedia -Write-Host "$(Get-TS): Adding package $SETUP_DU_PATH" +Write-Output "$(Get-TS): Adding package $SETUP_DU_PATH" cmd.exe /c $env:SystemRoot\System32\expand.exe $SETUP_DU_PATH -F:* $MEDIA_NEW_PATH"\sources" | Out-Null ``` + ### Finish up As a last step, the script removes the working folder of temporary files, and unmounts our language pack and Features on Demand ISOs. @@ -444,9 +448,9 @@ As a last step, the script removes the working folder of temporary files, and un Remove-Item -Path $WORKING_PATH -Recurse -Force -ErrorAction stop | Out-Null # Dismount ISO images -Write-Host "$(Get-TS): Dismounting ISO images" +Write-Output "$(Get-TS): Dismounting ISO images" Dismount-DiskImage -ImagePath $LP_ISO_PATH -ErrorAction stop | Out-Null Dismount-DiskImage -ImagePath $FOD_ISO_PATH -ErrorAction stop | Out-Null -Write-Host "$(Get-TS): Media refresh completed!" +Write-Output "$(Get-TS): Media refresh completed!" ``` diff --git a/windows/deployment/update/servicing-stack-updates.md b/windows/deployment/update/servicing-stack-updates.md index 49d29f4d8a..e5a1395289 100644 --- a/windows/deployment/update/servicing-stack-updates.md +++ b/windows/deployment/update/servicing-stack-updates.md @@ -28,6 +28,8 @@ Servicing stack updates provide fixes to the servicing stack, the component that Servicing stack updates improve the reliability of the update process to mitigate potential issues while installing the latest quality updates and feature updates. If you don't install the latest servicing stack update, there's a risk that your device can't be updated with the latest Microsoft security fixes. +For information about some changes to servicing stack updates, see [Simplifing Deployment of Servicing Stack Updates](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/simplifying-on-premises-deployment-of-servicing-stack-updates/ba-p/1646039) on the Windows IT Pro blog. + ## When are they released? Servicing stack update are released depending on new issues or vulnerabilities. In rare occasions a servicing stack update may need to be released on demand to address an issue impacting systems installing the monthly security update. Starting in November 2018 new servicing stack updates will be classified as "Security" with a severity rating of "Critical." diff --git a/windows/deployment/update/waas-configure-wufb.md b/windows/deployment/update/waas-configure-wufb.md index 727ec90959..68b9bc63f3 100644 --- a/windows/deployment/update/waas-configure-wufb.md +++ b/windows/deployment/update/waas-configure-wufb.md @@ -5,7 +5,7 @@ manager: laurawi description: You can use Group Policy or your mobile device management (MDM) service to configure Windows Update for Business settings for your devices. ms.prod: w10 ms.mktglfcycl: deploy -ms.collection: M365initiative-coredeploy +ms.collection: m365initiative-coredeploy audience: itpro author: jaimeo ms.localizationpriority: medium diff --git a/windows/deployment/update/waas-delivery-optimization.md b/windows/deployment/update/waas-delivery-optimization.md index 77c469b79d..d6edc9cf57 100644 --- a/windows/deployment/update/waas-delivery-optimization.md +++ b/windows/deployment/update/waas-delivery-optimization.md @@ -11,7 +11,7 @@ ms.localizationpriority: medium ms.author: jaimeo ms.collection: - M365-modern-desktop -- M365initiative-coredeploy +- m365initiative-coredeploy ms.topic: article --- @@ -137,7 +137,7 @@ If you set up Delivery Optimization to create peer groups that include devices a Delivery Optimization also communicates with its cloud service by using HTTP/HTTPS over port 80. -**What are the requirements if I use a proxy?**: You must allow Byte Range requests. See [Proxy requirements for Windows Update](https://support.microsoft.com/help/3175743/proxy-requirements-for-windows-update) for details. +**What are the requirements if I use a proxy?**: For Delivery Optimization to successfully use the proxy, you should set up the proxy by using Windows proxy settings or Internet Explorer proxy settings. For details see [Using a proxy with Delivery Optimization](https://docs.microsoft.com/windows/deployment/update/delivery-optimization-proxy). Most content downloaded with Delivery Optimization uses byte range requests. Make sure your proxy allows byte range requests. For more information, see [Proxy requirements for Windows Update](https://support.microsoft.com/help/3175743/proxy-requirements-for-windows-update). **What hostnames should I allow through my firewall to support Delivery Optimization?**: @@ -193,6 +193,7 @@ If you don’t see any bytes coming from peers the cause might be one of the fol - Clients aren’t able to reach the Delivery Optimization cloud services. - The cloud service doesn’t see other peers on the network. - Clients aren’t able to connect to peers that are offered back from the cloud service. +- None of the computers on the network are getting updates from peers. ### Clients aren't able to reach the Delivery Optimization cloud services. @@ -204,7 +205,6 @@ If you suspect this is the problem, try these steps: 3. If **DownloadMode** is 99 it could indicate your device is unable to reach the Delivery Optimization cloud services. Ensure that the Delivery Optimization hostnames are allowed access: most importantly **\*.do.dsp.mp.microsoft.com**. - ### The cloud service doesn't see other peers on the network. If you suspect this is the problem, try these steps: @@ -223,6 +223,15 @@ If you suspect this is the problem, try a Telnet test between two devices on the 2. Run the test. For example, if you are on device with IP 192.168.8.12 and you are trying to test the connection to 192.168.9.17 run **telnet 192.168.9.17 7680** (the syntax is *telnet [destination IP] [port]*. You will either see a connection error or a blinking cursor like this /_. The blinking cursor means success. +### None of the computers on the network are getting updates from peers + +If you suspect this is the problem, check Delivery Optimization settings that could limit participation in peer caching. Check whether the following settings in assigned group policies, local group policies, are MDM policies are too restrictive: + +- Minimum RAM (inclusive) allowed to use peer caching +- Minimum disk size allowed to use peer caching +- Enable peer caching while the device connects using VPN. +- Allow uploads when the device is on battery while under the set battery level + diff --git a/windows/deployment/update/waas-integrate-wufb.md b/windows/deployment/update/waas-integrate-wufb.md index 2dc3cc3ff3..f473a704b2 100644 --- a/windows/deployment/update/waas-integrate-wufb.md +++ b/windows/deployment/update/waas-integrate-wufb.md @@ -6,7 +6,7 @@ ms.mktglfcycl: manage author: jaimeo ms.localizationpriority: medium ms.author: jaimeo -ms.collection: M365initiative-coredeploy +ms.collection: m365initiative-coredeploy manager: laurawi ms.topic: article --- diff --git a/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md b/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md index 1ee1fa50de..737657aea5 100644 --- a/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md +++ b/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md @@ -9,7 +9,7 @@ ms.author: jaimeo ms.reviewer: manager: laurawi ms.topic: article -ms.collection: M365initiative-coredeploy +ms.collection: m365initiative-coredeploy --- # Prepare servicing strategy for Windows 10 updates diff --git a/windows/deployment/update/waas-wufb-group-policy.md b/windows/deployment/update/waas-wufb-group-policy.md index 6f780e8656..5c22b5cd47 100644 --- a/windows/deployment/update/waas-wufb-group-policy.md +++ b/windows/deployment/update/waas-wufb-group-policy.md @@ -6,7 +6,7 @@ ms.mktglfcycl: manage author: jaimeo ms.localizationpriority: medium ms.author: jaimeo -ms.collection: M365initiative-coredeploy +ms.collection: m365initiative-coredeploy manager: laurawi ms.topic: article --- diff --git a/windows/deployment/upgrade/quick-fixes.md b/windows/deployment/upgrade/quick-fixes.md index f1d655d44b..445b6d5c18 100644 --- a/windows/deployment/upgrade/quick-fixes.md +++ b/windows/deployment/upgrade/quick-fixes.md @@ -158,11 +158,11 @@ To check and repair system files: ### Repair unsigned drivers -Drivers that are not properly signed can block the upgrade process. Drivers might not be properly signed if you: +[Drivers](https://docs.microsoft.com/windows-hardware/drivers/gettingstarted/what-is-a-driver-) are files ending in *.dll or *.sys that are used to communicate with hardware components. Because drivers are so important, they are cryptographically signed to ensure they are genuine. Drivers with a *.sys extension that are not properly signed frequently block the upgrade process. Drivers might not be properly signed if you: - Disabled driver signature verification (highly not recommended). - A catalog file used to sign a driver is corrupt or missing. -Catalog files are used to sign drivers. If a catalog file is corrupt or missing, the driver will appear to be unsigned, even though it should be signed. This can cause the upgrade process to fail. To restore the catalog file, reinstall the driver or copy the catalog file from another device. You might need to analyze another device to determine the catalog file that is associated with the unsigned driver. All drivers should be signed to ensure the upgrade process works. + Catalog files (files with a *.cat extension) are used to sign drivers. If a catalog file is corrupt or missing, the driver will appear to be unsigned, even though it should be signed. To restore the catalog file, reinstall the driver or copy the catalog file from another device. You might need to analyze another device to determine the catalog file that is associated with the unsigned driver. All drivers should be signed to ensure the upgrade process works. To check your system for unsigned drivers: @@ -178,7 +178,7 @@ To check your system for unsigned drivers: 7. After the scanning process is complete, if you see **Your files have been scanned and verified as digitally signed** then you have no unsigned drivers. Otherwise, you will see **The following files have not been digitally signed** and a list will be provided with name, location, and version of all unsigned drivers. 8. To view and save a log file, click **Advanced**, and then click **View Log**. Save the log file if desired. 9. Locate drivers in the log file that are unsigned, write down the location and file names. Also write down the catalog that is associated to the driver if it is provided. If the name of a catalog file is not provided you might need to analyze another device that has the same driver with sigverif and sigcheck (described below). -10. Download [sigcheck.zip](https://download.sysinternals.com/files/Sigcheck.zip) and extract the tool to a directory on your computer, for example: **C:\sigcheck**. +10. The next step is to check that the driver reported as unsigned by sigverif.exe has a problem. In some cases, sigverif.exe might not be successful at locating the catalog file used to sign a driver, even though the catalog file exists. To perform a detailed driver check, download [sigcheck.zip](https://download.sysinternals.com/files/Sigcheck.zip) and extract the tool to a directory on your computer, for example: **C:\sigcheck**. [Sigcheck](https://docs.microsoft.com/sysinternals/downloads/sigcheck) is a tool that you can download and use to review digital signature details of a file. To use sigcheck: @@ -208,6 +208,8 @@ To check your system for unsigned drivers: Valid to: 11:46 AM 5/9/2018 (output truncated) ``` + In the example above, the afd.sys driver is properly signed by the catalog file Package_163_for_KB4054518~31bf3856ad364e35~x86~~6.1.1.2.cat. + 13. Optionally, you can generate a list of drivers using driverquery.exe, which is included with Windows. To save a list of signed and unsigned drivers with driverquery, type **driverquery /si > c:\drivers.txt** and press ENTER. See the following example: diff --git a/windows/docfx.json b/windows/docfx.json index 48b05bb454..b199d2a9c7 100644 --- a/windows/docfx.json +++ b/windows/docfx.json @@ -18,10 +18,11 @@ "audience": "ITPro", "breadcrumb_path": "/itpro/windows/breadcrumb/toc.json", "uhfHeaderId": "MSDocsHeader-M365-IT", - "_op_documentIdPathDepotMapping": { - "./": { - "depot_name": "Win.windows" - }, + "_op_documentIdPathDepotMapping": { + "./": { + "depot_name": "Win.windows" + } + }, "contributors_to_exclude": [ "rjagiewich", "traya1", diff --git a/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md index 7b104bdcb0..90ab13ce23 100644 --- a/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md +++ b/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md @@ -96,6 +96,7 @@ The following methodology was used to derive the network endpoints: |activity.windows.com|TLSV1.2|Used by Activity Feed Service which enables multiple cross-device data roaming scenarios on Windows |adl.windows.com|HTTP|Used for compatibility database updates for Windows |spclient.wg.spotify.com|TLSV1.2|Used for Spotify Live Tile +|cs.dds.microsoft.com|TLSV1.2|Used by Device Directory Service to keep track of user-device associations and storing metadata about the devices. ## Windows 10 Pro @@ -161,6 +162,7 @@ The following methodology was used to derive the network endpoints: |activity.windows.com|TLSV1.2|Used by Activity Feed Service which enables multiple cross-device data roaming scenarios on Windows |adl.windows.com|HTTP|Used for compatibility database updates for Windows |spclient.wg.spotify.com|TLSV1.2|Used for Spotify Live Tile +|cs.dds.microsoft.com|TLSV1.2|Used by Device Directory Service to keep track of user-device associations and storing metadata about the devices. ## Windows 10 Education diff --git a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md index cdf9c3ec9a..ec08c99def 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md @@ -12,29 +12,30 @@ ms.author: dansimp manager: dansimp ms.collection: M365-identity-device-management ms.topic: article -ms.date: 01/12/2018 +ms.date: 09/30/2020 ms.reviewer: --- # Windows Defender Credential Guard: Requirements -**Applies to** -- Windows 10 -- Windows Server 2016 +## Applies to +- Windows 10 +- Windows Server 2016 -For Windows Defender Credential Guard to provide protection, the computers you are protecting must meet certain baseline hardware, firmware, and software requirements which we will refer to as [Hardware and software requirements](#hardware-and-software-requirements). Additionally, Windows Defender Credential Guard blocks specific authentication capabilities, so applications that require such capabilities will break. We will refer to this as [Application requirements](#application-requirements). Beyond that, computers can meet additional hardware and firmware qualifications, and receive additional protections. Those computers will be more hardened against certain threats. For detailed information on baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017, refer to the tables in [Security Considerations](#security-considerations). - +For Windows Defender Credential Guard to provide protection, the computers you are protecting must meet certain baseline hardware, firmware, and software requirements, which we will refer to as [Hardware and software requirements](#hardware-and-software-requirements). Additionally, Windows Defender Credential Guard blocks specific authentication capabilities, so applications that require such capabilities will break. We will refer to these requirements as [Application requirements](#application-requirements). Beyond these requirements, computers can meet additional hardware and firmware qualifications, and receive additional protections. Those computers will be more hardened against certain threats. For detailed information on baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017, refer to the tables in [Security Considerations](#security-considerations). ## Hardware and software requirements To provide basic protections against OS level attempts to read Credential Manager domain credentials, NTLM and Kerberos derived credentials, Windows Defender Credential Guard uses: + - Support for Virtualization-based security (required) - Secure boot (required) -- TPM (preferred - provides binding to hardware) versions 1.2 and 2.0 are supported, either discrete or firmware +- Trusted Platform Module (TPM, preferred - provides binding to hardware) versions 1.2 and 2.0 are supported, either discrete or firmware - UEFI lock (preferred - prevents attacker from disabling with a simple registry key change) The Virtualization-based security requires: + - 64-bit CPU - CPU virtualization extensions plus extended page tables - Windows hypervisor (does not require Hyper-V Windows Feature to be installed) @@ -47,6 +48,7 @@ Credential Guard can protect secrets in a Hyper-V virtual machine, just as it wo - The Hyper-V host must have an IOMMU, and run at least Windows Server 2016 or Windows 10 version 1607. - The Hyper-V virtual machine must be Generation 2, have an enabled virtual TPM, and be running at least Windows Server 2016 or Windows 10. + - TPM is not a requirement, but we recommend that you implement TPM. For information about other host platforms, see [Enabling Windows Server 2016 and Hyper-V virtualization based security features on other platforms](https://blogs.technet.microsoft.com/windowsserver/2016/09/29/enabling-windows-server-2016-and-hyper-v-virtualization-based-security-features-on-other-platforms/). @@ -57,19 +59,21 @@ For information about Windows Defender Remote Credential Guard hardware and soft When Windows Defender Credential Guard is enabled, specific authentication capabilities are blocked, so applications that require such capabilities will break. Applications should be tested prior to deployment to ensure compatibility with the reduced functionality. >[!WARNING] -> Enabling Windows Defender Credential Guard on domain controllers is not supported.
    +> Enabling Windows Defender Credential Guard on domain controllers is not supported. > The domain controller hosts authentication services which integrate with processes isolated when Windows Defender Credential Guard is enabled, causing crashes. >[!NOTE] > Windows Defender Credential Guard does not provide protections for the Active Directory database or the Security Accounts Manager (SAM). The credentials protected by Kerberos and NTLM when Windows Defender Credential Guard is enabled are also in the Active Directory database (on domain controllers) and the SAM (for local accounts). Applications will break if they require: + - Kerberos DES encryption support - Kerberos unconstrained delegation - Extracting the Kerberos TGT - NTLMv1 Applications will prompt and expose credentials to risk if they require: + - Digest authentication - Credential delegation - MS-CHAPv2 @@ -86,52 +90,66 @@ The following tables describe baseline protections, plus protections for improve > [!NOTE] > Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new shipping computers. -> +> > If you are an OEM, see [PC OEM requirements for Windows Defender Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514.aspx). ### Baseline protections -|Baseline Protections | Description | Security benefits +|Baseline Protections|Description|Security benefits |---|---|---| -| Hardware: **64-bit CPU** | A 64-bit computer is required for the Windows hypervisor to provide VBS. | -| Hardware: **CPU virtualization extensions**,
    plus **extended page tables** | **Requirements**: These hardware features are required for VBS:
    One of the following virtualization extensions:
    • VT-x (Intel) or
    • AMD-V
    And:
    • Extended page tables, also called Second Level Address Translation (SLAT). | VBS provides isolation of secure kernel from normal operating system. Vulnerabilities and Day 0s in normal operating system cannot be exploited because of this isolation. | -| Hardware: **Trusted Platform Module (TPM)** |  **Requirement**: TPM 1.2 or TPM 2.0, either discrete or firmware.
    [TPM recommendations](https://technet.microsoft.com/itpro/windows/keep-secure/tpm-recommendations) | A TPM provides protection for VBS encryption keys that are stored in the firmware. This helps protect against attacks involving a physically present user with BIOS access. | -| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | **Requirements**: See the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](https://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot)| UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. | -| Firmware: **Secure firmware update process** | **Requirements**: UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](https://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot).| UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. | -| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 or Windows Server 2016.

    Important:
    Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard.

    |Support for VBS and for management features that simplify configuration of Windows Defender Credential Guard. | +|Hardware: **64-bit CPU** |A 64-bit computer is required for the Windows hypervisor to provide VBS.| +|Hardware: **CPU virtualization extensions**, plus **extended page tables**|**Requirements**:
    - These hardware features are required for VBS: One of the following virtualization extensions: - VT-x (Intel) or - AMD-V And: - Extended page tables, also called Second Level Address Translation (SLAT).|VBS provides isolation of secure kernel from normal operating system.

    Vulnerabilities and Day 0s in normal operating system cannot be exploited because of this isolation.| +|Hardware: **Trusted Platform Module (TPM)**|**Requirement**:
    - TPM 1.2 or TPM 2.0, either discrete or firmware. [TPM recommendations](https://technet.microsoft.com/itpro/windows/keep-secure/tpm-recommendations)|A TPM provides protection for VBS encryption keys that are stored in the firmware. TPM helps protect against attacks involving a physically present user with BIOS access.| +|Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot**|**Requirements**:
    - See the following Windows Hardware Compatibility Program requirement: System.Fundamentals.Firmware.UEFISecureBoot|UEFI Secure Boot helps ensure that the device boots only authorized code, and can prevent boot kits and root kits from installing and persisting across reboots.| +|Firmware: **Secure firmware update process**|**Requirements**:
    - UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: System.Fundamentals.Firmware.UEFISecureBoot.|UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed.| +|Software: Qualified **Windows operating system**|**Requirement**:
    - Windows 10 or Windows Server 2016.|Support for VBS and for management features that simplify configuration of Windows Defender Credential Guard.| + +> [!IMPORTANT] +> Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard. > [!IMPORTANT] > The following tables list additional qualifications for improved security. We strongly recommend meeting the additional qualifications to significantly strengthen the level of security that Windows Defender Credential Guard can provide. - ### 2015 Additional security qualifications starting with Windows 10, version 1507, and Windows Server 2016 Technical Preview 4 -| Protections for Improved Security | Description | -|-----------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Hardware: **IOMMU** (input/output memory management unit) | **Requirement**: VT-D or AMD Vi IOMMU **Security benefits**: An IOMMU can enhance system resiliency against memory attacks. For more information, see [ACPI description tables](https://msdn.microsoft.com/windows/hardware/drivers/bringup/acpi-system-description-tables). | -| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
    • BIOS password or stronger authentication must be supported.
    • In the BIOS configuration, BIOS authentication must be set.
    • There must be support for protected BIOS option to configure list of permitted boot devices (for example, “Boot only from internal hard drive”) and boot device order, overriding BOOTORDER modification made by operating system.
    • In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings. | -| Firmware: **Secure MOR, revision 2 implementation** | **Requirement**: Secure MOR, revision 2 implementation | - -
    +|Protections for Improved Security|Description| +|---|---| +|Hardware: **IOMMU** (input/output memory management unit)|**Requirement**:
    - VT-D or AMD Vi IOMMU

    **Security benefits**:
    - An IOMMU can enhance system resiliency against memory attacks. For more information, see [Advanced Configuration and Power Interface (ACPI) description tables](https://msdn.microsoft.com/windows/hardware/drivers/bringup/acpi-system-description-tables)| +|Firmware: **Securing Boot Configuration and Management**|**Requirements**:
    - BIOS password or stronger authentication must be supported.
    - In the BIOS configuration, BIOS authentication must be set.
    - There must be support for protected BIOS option to configure list of permitted boot devices (for example, “Boot only from internal hard drive”) and boot device order, overriding BOOTORDER modification made by operating system.
    - In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings.| +|Firmware: **Secure MOR, revision 2 implementation**|**Requirement**:
    - Secure MOR, revision 2 implementation| ### 2016 Additional security qualifications starting with Windows 10, version 1607, and Windows Server 2016 > [!IMPORTANT] > The following tables list additional qualifications for improved security. Systems that meet these additional qualifications can provide more protections. -| Protections for Improved Security | Description |Security Benefits | +|Protections for Improved Security|Description|Security Benefits| |---|---|---| -| Firmware: **Hardware Rooted Trust Platform Secure Boot** | **Requirements**:
    Boot Integrity (Platform Secure Boot) must be supported. See the Windows Hardware Compatibility Program requirements under [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](https://msdn.microsoft.com/library/windows/hardware/dn932807(v=vs.85).aspx#system_fundamentals_firmware_cs_uefisecureboot_connectedstandby)
    • The Hardware Security Test Interface (HSTI) must be implemented. See [Hardware Security Testability Specification](https://msdn.microsoft.com/library/windows/hardware/mt712332(v=vs.85).aspx). | Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
    • HSTI provides additional security assurance for correctly secured silicon and platform. | -| Firmware: **Firmware Update through Windows Update** | **Requirements**: Firmware must support field updates through Windows Update and UEFI encapsulation update. | Helps ensure that firmware updates are fast, secure, and reliable. | -| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
    • Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time.
    • Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should leverage ISV-provided certificates or OEM certificate for the specific UEFI software. | • Enterprises can choose to allow proprietary EFI drivers/applications to run.
    • Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots. | - -
    +|Firmware: **Hardware Rooted Trust Platform Secure Boot**|**Requirements**:
    - Boot Integrity (Platform Secure Boot) must be supported. See the Windows Hardware Compatibility Program requirements under System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby
    - The Hardware Security Test Interface (HSTI) must be implemented. See [Hardware Security Testability Specification](https://msdn.microsoft.com/library/windows/hardware/mt712332(v=vs.85).aspx).|Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
    - HSTI provides additional security assurance for correctly secured silicon and platform.| +|Firmware: **Firmware Update through Windows Update**|**Requirements**:
    - Firmware must support field updates through Windows Update and UEFI encapsulation update.|Helps ensure that firmware updates are fast, secure, and reliable.| +|Firmware: **Securing Boot Configuration and Management**|**Requirements**:
    - Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time.
    - Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should leverage ISV-provided certificates or OEM certificate for the specific UEFI software.|- Enterprises can choose to allow proprietary EFI drivers/applications to run.
    - Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots.| ### 2017 Additional security qualifications starting with Windows 10, version 1703 The following table lists qualifications for Windows 10, version 1703, which are in addition to all preceding qualifications. -| Protections for Improved Security | Description | Security Benefits +|Protections for Improved Security|Description|Security Benefits |---|---|---| -| Firmware: **VBS enablement of NX protection for UEFI runtime services** | **Requirements**:
    • VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be executable.
    • UEFI runtime service must meet these requirements:
        - Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
        - PE sections need to be page-aligned in memory (not required for in non-volatile storage).
        - The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
            - All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both
            - No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory must be either readable and executable or writeable and non-executable.

    Notes:
    • This only applies to UEFI runtime service memory, and not UEFI boot service memory.
    • This protection is applied by VBS on OS page tables.


    Please also note the following:
    • Do not use sections that are both writeable and executable
    • Do not attempt to directly modify executable system memory
    • Do not use dynamic code | • Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
    • Reduces the attack surface to VBS from system firmware. | -| Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](https://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features. | • Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
    • Reduces the attack surface to VBS from system firmware.
    • Blocks additional security attacks against SMM. | +|Firmware: **VBS enablement of No-Execute (NX) protection for UEFI runtime services**|**Requirements**:
    - VBS will enable NX protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be executable. UEFI runtime service must meet these requirements:
    - Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
    - PE sections must be page-aligned in memory (not required for in non-volatile storage).
    - The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
    - All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both.
    - No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory must be either readable and executable or writeable and non-executable.
    (**SEE IMPORTANT INFORMATION AFTER THIS TABLE**)|Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
    - Reduces the attack surface to VBS from system firmware.| +|Firmware: **Firmware support for SMM protection**|**Requirements**:
    - The [Windows SMM Security Mitigations Table (WSMT) specification](https://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an ACPI table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.|- Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
    - Reduces the attack surface to VBS from system firmware.
    - Blocks additional security attacks against SMM.| + +> [!IMPORTANT] +> +>Regarding **VBS enablement of NX protection for UEFI runtime services**: +> +> - This only applies to UEFI runtime service memory, and not UEFI boot service memory. +> +> - This protection is applied by VBS on OS page tables. +> +> Please also note the following: +> +> - Do not use sections that are both writeable and executable +> +> - Do not attempt to directly modify executable system memory +> +> - Do not use dynamic code diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.md b/windows/security/identity-protection/hello-for-business/hello-faq.md index e6d36e6967..b5dfff553e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.md +++ b/windows/security/identity-protection/hello-for-business/hello-faq.md @@ -75,6 +75,7 @@ Communicating with Azure Active Directory uses the following URLs: - enterpriseregistration.windows.net - login.microsoftonline.com - login.windows.net +- account.live.com If your environment uses Microsoft Intune, you need these additional URLs: - enrollment.manage.microsoft.com diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md index f3735bbd48..7f89a245b5 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md @@ -593,7 +593,7 @@ After you've decided where your protected apps can access enterprise data on you **Use Azure RMS for WIP.** Determines whether WIP uses [Microsoft Azure Rights Management](https://products.office.com/business/microsoft-azure-rights-management) to apply EFS encryption to files that are copied from Windows 10 to USB or other removable drives so they can be securely shared amongst employees. In other words, WIP uses Azure Rights Management "machinery" to apply EFS encryption to files when they are copied to removable drives. You must already have Azure Rights Management set up. The EFS file encryption key is protected by the RMS template’s license. Only users with permission to that template will be able to read it from the removable drive. WIP can also integrate with Azure RMS by using the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings in the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp). -- **On.** Protects files that are copied to a removable drive. You can enter a TemplateID GUID to specify who can access the Azure Rights Management protected files, and for how long. The RMS template is only applied to the files on removable media, and is only used for access control—it doesn’t actually apply Azure Information Protection to the files. Curly braces {} are required around the RMS Template ID, but they are removed after you save the policy. +- **On.** Protects files that are copied to a removable drive. You can enter a TemplateID GUID to specify who can access the Azure Rights Management protected files, and for how long. The RMS template is only applied to the files on removable media, and is only used for access control—it doesn’t actually apply Azure Information Protection to the files. If you don’t specify an [RMS template](https://docs.microsoft.com/information-protection/deploy-use/configure-custom-templates), it’s a regular EFS file using a default RMS template that all users can access. diff --git a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md index a099742145..ebe3c59220 100644 --- a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md +++ b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md @@ -73,6 +73,8 @@ Microsoft has made a concerted effort to enlighten several of our more popular a - Microsoft Remote Desktop +- Microsoft To Do + > [!NOTE] > Microsoft Visio, Microsoft Office Access, Microsoft Project, and Microsoft Publisher are not enlightened apps and need to be exempted from WIP policy. If they are allowed, there is a risk of data loss. For example, if a device is workplace-joined and managed and the user leaves the company, metadata files that the apps rely on remain encrypted and the apps stop functioning. @@ -113,6 +115,7 @@ You can add any or all of the enlightened Microsoft apps to your allowed apps li | Microsoft Paint | **Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
    **Binary Name:** mspaint.exe
    **App Type:** Desktop app | | Microsoft Remote Desktop | **Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
    **Binary Name:** mstsc.exe
    **App Type:** Desktop app | | Microsoft MAPI Repair Tool | **Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
    **Binary Name:** fixmapi.exe
    **App Type:** Desktop app | +| Microsoft To Do | **Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
    **Product Name:** Microsoft.Todos
    **App Type:** Store app | >[!NOTE] >Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index f69cdfadb5..632fbafb38 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -49,18 +49,27 @@ #### [PowerShell, WMI, and MPCmdRun.exe](microsoft-defender-atp/manage-atp-post-migration-other-tools.md) ## [Security administration]() -### [Threat & Vulnerability Management]() -#### [Overview of Threat & Vulnerability Management](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md) -#### [Supported operating systems and platforms](microsoft-defender-atp/tvm-supported-os.md) -#### [Dashboard insights](microsoft-defender-atp/tvm-dashboard-insights.md) -#### [Exposure score](microsoft-defender-atp/tvm-exposure-score.md) -#### [Microsoft Secure Score for Devices](microsoft-defender-atp/tvm-microsoft-secure-score-devices.md) -#### [Security recommendations](microsoft-defender-atp/tvm-security-recommendation.md) -#### [Remediation and exception](microsoft-defender-atp/tvm-remediation.md) -#### [Software inventory](microsoft-defender-atp/tvm-software-inventory.md) -#### [Weaknesses](microsoft-defender-atp/tvm-weaknesses.md) -#### [Event timeline](microsoft-defender-atp/threat-and-vuln-mgt-event-timeline.md) -#### [Scenarios](microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md) +### [Threat & vulnerability management]() +#### [Overview](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md) +#### [Get started]() +##### [Permissions & prerequisites](microsoft-defender-atp/tvm-prerequisites.md) +##### [Supported operating systems and platforms](microsoft-defender-atp/tvm-supported-os.md) +##### [Assign device value](microsoft-defender-atp/tvm-assign-device-value.md) +#### [Assess your security posture]() +##### [Dashboard insights](microsoft-defender-atp/tvm-dashboard-insights.md) +##### [Exposure score](microsoft-defender-atp/tvm-exposure-score.md) +##### [Microsoft Secure Score for Devices](microsoft-defender-atp/tvm-microsoft-secure-score-devices.md) +#### [Improve your security posture & reduce risk]() +##### [Address security recommendations](microsoft-defender-atp/tvm-security-recommendation.md) +##### [Remediate vulnerabilities](microsoft-defender-atp/tvm-remediation.md) +##### [Exceptions for security recommendations](microsoft-defender-atp/tvm-exception.md) +##### [Plan for end-of-support software](microsoft-defender-atp/tvm-end-of-support-software.md) +#### [Understand vulnerabilities on your devices]() +##### [Software inventory](microsoft-defender-atp/tvm-software-inventory.md) +##### [Vulnerabilities in my organization](microsoft-defender-atp/tvm-weaknesses.md) +##### [Event timeline](microsoft-defender-atp/threat-and-vuln-mgt-event-timeline.md) +##### [Hunt for exposed devices](microsoft-defender-atp/tvm-hunt-exposed-devices.md) + ### [Attack surface reduction]() #### [Overview of attack surface reduction](microsoft-defender-atp/overview-attack-surface-reduction.md) @@ -448,7 +457,7 @@ ##### [Onboard devices using a local script](microsoft-defender-atp/configure-endpoints-script.md) ##### [Onboard non-persistent virtual desktop infrastructure (VDI) devices](microsoft-defender-atp/configure-endpoints-vdi.md) -#### [Onboard servers](microsoft-defender-atp/configure-server-endpoints.md) +#### [Onboard Windows servers](microsoft-defender-atp/configure-server-endpoints.md) #### [Onboard non-Windows devices](microsoft-defender-atp/configure-endpoints-non-windows.md) #### [Onboard devices without Internet access](microsoft-defender-atp/onboard-offline-machines.md) #### [Run a detection test on a newly onboarded device](microsoft-defender-atp/run-detection-test.md) diff --git a/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md b/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md index 1ce7884399..2893cf7ece 100644 --- a/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md +++ b/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md @@ -42,7 +42,7 @@ Configuring policy settings in this category can help you document attempts to a - [Audit Credential Validation](audit-credential-validation.md) - [Audit Kerberos Authentication Service](audit-kerberos-authentication-service.md) - [Audit Kerberos Service Ticket Operations](audit-kerberos-service-ticket-operations.md) -- [Audit Other Logon/Logoff Events](audit-other-logonlogoff-events.md) +- [Audit Other Account Logon Events](audit-other-account-logon-events.md) ## Account Management @@ -150,8 +150,8 @@ Auditors will be able to prove that every resource in the system is protected by Resource SACLs are also useful for diagnostic scenarios. For example, setting the Global Object Access Auditing policy to log all the activity for a specific user and enabling the policy to track "Access denied" events for the file system or registry can help administrators quickly identify which object in a system is denying a user access. -> **Note:**  If a file or folder SACL and a Global Object Access Auditing policy setting (or a single registry setting SACL and a Global Object Access Auditing policy setting) are configured on a computer, the effective SACL is derived from combining the file or folder SACL and the Global Object -Access Auditing policy. This means that an audit event is generated if an activity matches the file or folder SACL or the Global Object Access Auditing policy. +> [!NOTE] +> If a file or folder SACL and a Global Object Access Auditing policy setting (or a single registry setting SACL and a Global Object Access Auditing policy setting) are configured on a computer, the effective SACL is derived from combining the file or folder SACL and the Global Object Access Auditing policy. This means that an audit event is generated if an activity matches the file or folder SACL or the Global Object Access Auditing policy. This category includes the following subcategories: - [File System (Global Object Access Auditing)](file-system-global-object-access-auditing.md) diff --git a/windows/security/threat-protection/auditing/event-4625.md b/windows/security/threat-protection/auditing/event-4625.md index 84cf52d450..220876b84a 100644 --- a/windows/security/threat-protection/auditing/event-4625.md +++ b/windows/security/threat-protection/auditing/event-4625.md @@ -166,7 +166,7 @@ This event generates on domain controllers, member servers, and workstations. | 0xC0000064 | User logon with misspelled or bad user account | | 0xC000006A | User logon with misspelled or bad password | | 0XC000006D | This is either due to a bad username or authentication information | - | 0XC000006E | Unknown user name or bad password. | + | 0XC000006E | Indicates a referenced user name and authentication information are valid, but some user account restriction has prevented successful authentication (such as time-of-day restrictions). | | 0xC000006F | User logon outside authorized hours | | 0xC0000070 | User logon from unauthorized workstation | | 0xC0000071 | User logon with expired password | @@ -284,7 +284,7 @@ For 4625(F): An account failed to log on. - Monitor for all events with the fields and values in the following table: - | **Field** | Value to monitor for | + | Field | Value to monitor for | |----------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | **Failure Information\\Status** or
    **Failure Information\\Sub Status** | 0XC000005E – “There are currently no logon servers available to service the logon request.”
    This is typically not a security issue but it can be an infrastructure or availability issue. | | **Failure Information\\Status** or
    **Failure Information\\Sub Status** | 0xC0000064 – “User logon with misspelled or bad user account”.
    Especially if you get a number of these in a row, it can be a sign of user enumeration attack. | diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md index b4f683756c..4ddfd7b193 100644 --- a/windows/security/threat-protection/index.md +++ b/windows/security/threat-protection/index.md @@ -17,20 +17,20 @@ ms.topic: conceptual --- # Threat Protection -[Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. Microsoft Defender ATP protects endpoints from cyber threats; detects advanced attacks and data breaches, automates security incidents and improves security posture. +[Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. Microsoft Defender ATP protects endpoints from cyber threats, detects advanced attacks and data breaches, automates security incidents, and improves security posture. ->[!TIP] +> [!TIP] > Enable your users to access cloud services and on-premises applications with ease and enable modern management capabilities for all devices. For more information, see [Secure your remote workforce](https://docs.microsoft.com/enterprise-mobility-security/remote-work/).

    Microsoft Defender ATP

    - - - - - - + + + + + +

    Threat & Vulnerability Management

    Attack surface reduction

    Next-generation protection

    Endpoint detection and response

    Automated investigation and remediation

    Microsoft Threat Experts
    threat and vulnerability icon
    Threat & vulnerability management
    attack surface reduction icon
    Attack surface reduction
    next generation protection icon
    Next-generation protection
    endpoint detection and response icon
    Endpoint detection and response
    automated investigation and remediation icon
    Automated investigation and remediation
    microsoft threat experts icon
    Microsoft Threat Experts
    @@ -47,19 +47,14 @@ ms.topic: conceptual >[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4obJq] -**[Threat & Vulnerability Management](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md)**
    +**[Threat & vulnerability management](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md)**
    This built-in capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations. -- [Risk-based Threat & Vulnerability Management](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md) -- [Supported operating systems and platforms](microsoft-defender-atp/tvm-supported-os.md) -- [What's in the dashboard and what it means for my organization](microsoft-defender-atp/tvm-dashboard-insights.md) -- [Exposure score](microsoft-defender-atp/tvm-exposure-score.md) -- [Microsoft Secure Score for Devices](microsoft-defender-atp/tvm-microsoft-secure-score-devices.md) -- [Security recommendations](microsoft-defender-atp/tvm-security-recommendation.md) -- [Remediation](microsoft-defender-atp/tvm-remediation.md) -- [Software inventory](microsoft-defender-atp/tvm-software-inventory.md) -- [Weaknesses](microsoft-defender-atp/tvm-weaknesses.md) -- [Scenarios](microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md) +- [Threat & vulnerability management overview](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md) +- [Get started](microsoft-defender-atp/tvm-prerequisites.md) +- [Access your security posture](microsoft-defender-atp/tvm-dashboard-insights.md) +- [Improve your security posture and reduce risk](microsoft-defender-atp/tvm-security-recommendation.md) +- [Understand vulnerabilities on your devices](microsoft-defender-atp/tvm-software-inventory.md) @@ -103,25 +98,16 @@ Endpoint detection and response capabilities are put in place to detect, investi **[Automated investigation and remediation](microsoft-defender-atp/automated-investigations.md)**
    -In conjunction with being able to quickly respond to advanced attacks, Microsoft Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale. +In addition to quickly responding to advanced attacks, Microsoft Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale. - [Automated investigation and remediation](microsoft-defender-atp/automated-investigations.md) - [View details and results of automated investigations](microsoft-defender-atp/auto-investigation-action-center.md) - [View and approve remediation actions](microsoft-defender-atp/manage-auto-investigation.md) - - -**[Microsoft Secure Score for Devices](microsoft-defender-atp/tvm-microsoft-secure-score-devices.md)**
    - -Microsoft Defender ATP includes a Microsoft Secure Score for Devices to help you dynamically assess the security state of your enterprise network, identify unprotected systems, and take recommended actions to improve the overall security of your organization. - -- [Microsoft Secure Score for Devices](microsoft-defender-atp/tvm-microsoft-secure-score-devices.md) -- [Threat analytics](microsoft-defender-atp/threat-analytics.md) - **[Microsoft Threat Experts](microsoft-defender-atp/microsoft-threat-experts.md)**
    -Microsoft Defender ATP's new managed threat hunting service provides proactive hunting, prioritization and additional context and insights that further empower Security Operation Centers (SOCs) to identify and respond to threats quickly and accurately. +Microsoft Defender ATP's new managed threat hunting service provides proactive hunting, prioritization, and additional context and insights. Microsoft Threat Experts further empowers Security Operation Centers (SOCs) to identify and respond to threats quickly and accurately. - [Targeted attack notification](microsoft-defender-atp/microsoft-threat-experts.md) - [Experts-on-demand](microsoft-defender-atp/microsoft-threat-experts.md) @@ -149,4 +135,4 @@ Integrate Microsoft Defender Advanced Threat Protection into your existing workf **[Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection)**
    - With Microsoft Threat Protection, Microsoft Defender ATP and various Microsoft security solutions form a unified pre- and post-breach enterprise defense suite that natively integrates across endpoint, identity, email, and applications to detect, prevent, investigate and automatically respond to sophisticated attacks. + With Microsoft Threat Protection, Microsoft Defender ATP and various Microsoft security solutions form a unified pre- and post-breach enterprise defense suite that natively integrates across endpoint, identity, email, and applications to detect, prevent, investigate, and automatically respond to sophisticated attacks. diff --git a/windows/security/threat-protection/intelligence/fileless-threats.md b/windows/security/threat-protection/intelligence/fileless-threats.md index 6ae2dcfe4c..a5f4583231 100644 --- a/windows/security/threat-protection/intelligence/fileless-threats.md +++ b/windows/security/threat-protection/intelligence/fileless-threats.md @@ -43,7 +43,7 @@ A fully fileless malware can be considered one that never requires writing a fil A compromised device may also have malicious code hiding in device firmware (such as a BIOS), a USB peripheral (like the BadUSB attack), or in the firmware of a network card. All these examples don't require a file on the disk to run, and can theoretically live only in memory. The malicious code would survive reboots, disk reformats, and OS reinstalls. -Infections of this type can be extra difficult deal with because antivirus products usually don’t have the capability to inspect firmware. Even if they did, it would be extremely challenging to detect and remediate threats at this level. This type of fileless malware requires high levels of sophistication and often depends on particular hardware or software configuration. It’s not an attack vector that can be exploited easily and reliably. While dangerous, threats of this type are uncommon and not practical for most attacks. +Infections of this type can be particularly difficult to detect because most antivirus products don’t have the capability to inspect firmware. In cases where a product does have the ability to inspect and detect malicious firmware, there are still significant challenges associated with remediation of threats at this level. This type of fileless malware requires high levels of sophistication and often depends on particular hardware or software configuration. It’s not an attack vector that can be exploited easily and reliably. While dangerous, threats of this type are uncommon and not practical for most attacks. ## Type II: Indirect file activity diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/images/win-security- exp-policy-endpt-security.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/win-security- exp-policy-endpt-security.png new file mode 100644 index 0000000000..e4b306fd92 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-antivirus/images/win-security- exp-policy-endpt-security.png differ diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md index c49d6a763f..6cc3ece08f 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md @@ -1,6 +1,6 @@ --- title: Protect security settings with tamper protection -ms.reviewer: shwjha +ms.reviewer: shwjha, hayhov manager: dansimp description: Use tamper protection to prevent malicious apps from changing important security settings. keywords: malware, defender, antivirus, tamper protection @@ -14,7 +14,7 @@ audience: ITPro author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 10/08/2020 +ms.date: 10/14/2020 --- # Protect security settings with tamper protection @@ -136,22 +136,24 @@ If you're using [version 2006 of Configuration Manager](https://docs.microsoft.c 1. Set up tenant attach. See [Microsoft Endpoint Manager tenant attach: Device sync and device actions](https://docs.microsoft.com/mem/configmgr/tenant-attach/device-sync-actions). -2. In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Endpoint security** > **Antivirus**, and choose **+ Create Policy**. +2. In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Endpoint security** > **Antivirus**, and choose **+ Create Policy**.
    -3. Configure tamper protection as part of the new policy. + - In the **Platform** list, select **Windows 10 and Windows Server (ConfigMgr)**. + + - In the **Profile** list, select **Windows Security experience (preview)**.
    + + The following screenshot illustrates how to create your policy: -4. Deploy the policy to your device collection. + :::image type="content" source="images/win-security- exp-policy-endpt-security.png" alt-text="Windows security experience in Endpoint Manager"::: + +3. Deploy the policy to your device collection. Need help? See the following resources: -- [Antivirus policy for endpoint security in Intune](https://docs.microsoft.com/mem/intune/protect/endpoint-security-antivirus-policy) - - [Settings for the Windows Security experience profile in Microsoft Intune](https://docs.microsoft.com/mem/intune/protect/antivirus-security-experience-windows-settings) - [Tech Community Blog: Announcing Tamper Protection for Configuration Manager Tenant Attach clients](https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/announcing-tamper-protection-for-configuration-manager-tenant/ba-p/1700246#.X3QLR5Ziqq8.linkedin) -- [Tenant attach: Create and deploy endpoint security Antivirus policy from the admin center (preview)](https://docs.microsoft.com/mem/configmgr/tenant-attach/deploy-antivirus-policy) - ## View information about tampering attempts @@ -161,7 +163,7 @@ When a tampering attempt is detected, an alert is raised in the [Microsoft Defen ![Microsoft Defender Security Center](images/tamperattemptalert.png) -Using [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) and [advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview) capabilities in Microsoft Defender ATP, your security operations team can investigate and address such attempts. +Using [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) and [advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview) capabilities in Microsoft Defender for Endpoint, your security operations team can investigate and address such attempts. ## Review your security recommendations @@ -179,7 +181,7 @@ To learn more about Threat & Vulnerability Management, see [Threat & Vulnerabili ### To which Windows OS versions is configuring tamper protection is applicable? -Windows 10 OS [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803), [1809](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019), or later together with [Microsoft Defender Advanced Threat Protection E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp). +Windows 10 OS [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803), [1809](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019), or later together with [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp). If you are using Configuration Manager, version 2006 with tenant attach, tamper protection can be extended to Windows Server 2019. See [Tenant attach: Create and deploy endpoint security Antivirus policy from the admin center (preview)](https://docs.microsoft.com/mem/configmgr/tenant-attach/deploy-antivirus-policy). @@ -189,13 +191,13 @@ No. Third-party antivirus offerings will continue to register with the Windows S ### What happens if Microsoft Defender Antivirus is not active on a device? -Tamper protection will not have any impact on such devices. +Devices that are onboarded to Microsoft Defender for Endpoint will have Microsoft Defender Antivirus running in passive mode. Tamper protection will continue to protect the service and its features. ### How can I turn tamper protection on/off? If you are a home user, see [Turn tamper protection on (or off) for an individual machine](#turn-tamper-protection-on-or-off-for-an-individual-machine). -If you are an organization using [Microsoft Defender ATP E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp), you should be able to manage tamper protection in Intune similar to how you manage other endpoint protection features. See the following sections of this article: +If you are an organization using [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp), you should be able to manage tamper protection in Intune similar to how you manage other endpoint protection features. See the following sections of this article: - [Turn tamper protection on (or off) for your organization using Intune](#turn-tamper-protection-on-or-off-for-your-organization-using-intune) @@ -216,9 +218,9 @@ Some sample Microsoft Defender Antivirus settings: Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Real-time Protection\\
    Value `DisableRealtimeMonitoring` = 0 -### For Microsoft Defender ATP E5, is configuring tamper protection in Intune targeted to the entire organization only? +### For Microsoft Defender for Endpoint, is configuring tamper protection in Intune targeted to the entire organization only? -Configuring tamper protection in Intune can be targeted to your entire organization as well as to specific devices and user groups. +Configuring tamper protection in Intune or Microsoft Endpoint Manager can be targeted to your entire organization as well as to specific devices and user groups. ### Can I configure Tamper Protection in Microsoft Endpoint Configuration Manager? @@ -226,9 +228,9 @@ If you are using tenant attach, you can use Microsoft Endpoint Configuration Man ### I have the Windows E3 enrollment. Can I use configuring tamper protection in Intune? -Currently, configuring tamper protection in Intune is only available for customers who have [Microsoft Defender Advanced Threat Protection E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp). +Currently, configuring tamper protection in Intune is only available for customers who have [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp). -### What happens if I try to change Microsoft Defender ATP settings in Intune, Microsoft Endpoint Configuration Manager, and Windows Management Instrumentation when Tamper Protection is enabled on a device? +### What happens if I try to change Microsoft Defender for Endpoint settings in Intune, Microsoft Endpoint Configuration Manager, and Windows Management Instrumentation when Tamper Protection is enabled on a device? You won’t be able to change the features that are protected by tamper protection; such change requests are ignored. @@ -236,9 +238,9 @@ You won’t be able to change the features that are protected by tamper protecti No. Local admins cannot change or modify tamper protection settings. -### What happens if my device is onboarded with Microsoft Defender ATP and then goes into an off-boarded state? +### What happens if my device is onboarded with Microsoft Defender for Endpoint and then goes into an off-boarded state? -In this case, tamper protection status changes, and this feature is no longer applied. +If a device is off-boarded from Microsoft Defender for Endpoint, tamper protection is turned on, which is the default state for unmanaged devices. ### Will there be an alert about tamper protection status changing in the Microsoft Defender Security Center? @@ -254,6 +256,6 @@ In addition, your security operations team can use hunting queries, such as the [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/intune/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune) -[Get an overview of Microsoft Defender ATP E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) +[Get an overview of Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) -[Better together: Microsoft Defender Antivirus and Microsoft Defender Advanced Threat Protection](why-use-microsoft-defender-antivirus.md) +[Better together: Microsoft Defender Antivirus and Microsoft Defender for Endpoint](why-use-microsoft-defender-antivirus.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-assignedipaddress-function.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-assignedipaddress-function.md new file mode 100644 index 0000000000..b1576974be --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-assignedipaddress-function.md @@ -0,0 +1,80 @@ +--- +title: AssignedIPAddresses() function in advanced hunting for Microsoft Defender Advanced Threat Protection +description: Learn how to use the AssignedIPAddresses() function to get the latest IP addresses assigned to a device +keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, Microsoft Defender ATP, Microsoft Defender Advanced Threat Protection, Windows Defender, Windows Defender ATP, Windows Defender Advanced Threat Protection, search, query, telemetry, schema reference, kusto, FileProfile, file profile, function, enrichment +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: lomayor +author: lomayor +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 09/20/2020 +--- + +# AssignedIPAddresses() + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +Use the `AssignedIPAddresses()` function in your advanced hunting queries to quickly obtain the latest IP addresses that have been assigned to a device. If you specify a timestamp argument, this function obtains the most recent IP addresses at the specified time. + +This function returns a table with the following columns: + +Column | Data type | Description +-|-|- +`Timestamp` | datetime | Latest time when the device was observed using the IP address +`IPAddress` | string | IP address used by the device +`IPType` | string | Indicates whether the IP address is a public or private address +`NetworkAdapterType` | int | Network adapter type used by the device that has been assigned the IP address. For the possible values, refer to [this enumeration](https://docs.microsoft.com/dotnet/api/system.net.networkinformation.networkinterfacetype) +`ConnectedNetworks` | int | Networks that the adapter with the assigned IP address is connected to. Each JSON array contains the network name, category (public, private, or domain), a description, and a flag indicating if it's connected publicly to the internet + +## Syntax + +```kusto +AssignedIPAddresses(x, y) +``` + +## Arguments + +- **x**—`DeviceId` or `DeviceName` value identifying the device +- **y**—`Timestamp` (datetime) value instructing the function to obtain the most recent assigned IP addresses from a specific time. If not specified, the function returns the latest IP addresses. + +## Examples + +### Get the list of IP addresses used by a device 24 hours ago + +```kusto +AssignedIPAddresses('example-device-name', ago(1d)) +``` + +### Get IP addresses used by a device and find devices communicating with it + +This query uses the `AssignedIPAddresses()` function to get assigned IP addresses for the device (`example-device-name`) on or before a specific date (`example-date`). It then uses the IP addresses to find connections to the device initiated by other devices. + +```kusto +let Date = datetime(example-date); +let DeviceName = "example-device-name"; +// List IP addresses used on or before the specified date +AssignedIPAddresses(DeviceName, Date) +| project DeviceName, IPAddress, AssignedTime = Timestamp +// Get all network events on devices with the assigned IP addresses as the destination addresses +| join kind=inner DeviceNetworkEvents on $left.IPAddress == $right.RemoteIP +// Get only network events around the time the IP address was assigned +| where Timestamp between ((AssignedTime - 1h) .. (AssignedTime + 1h)) +``` + +## Related topics + +- [Advanced hunting overview](advanced-hunting-overview.md) +- [Learn the query language](advanced-hunting-query-language.md) +- [Understand the schema](advanced-hunting-schema-reference.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md index 55a5df13d1..6ddbe3d3a1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md @@ -13,7 +13,7 @@ author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: m365-security-compliance ms.topic: article --- @@ -21,14 +21,16 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** + - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-bestpractices-abovefoldlink) ## Optimize query performance -Apply these recommendations to get results faster and avoid timeouts while running complex queries. + +Apply these recommendations to get results faster and avoid timeouts while running complex queries. + - When trying new queries, always use `limit` to avoid extremely large result sets. You can also initially assess the size of the result set using `count`. - Use time filters first. Ideally, limit your queries to seven days. - Put filters that are expected to remove most of the data in the beginning of the query, right after the time filter. @@ -43,6 +45,7 @@ Apply these recommendations to get results faster and avoid timeouts while runni ## Query tips and pitfalls ### Queries with process IDs + Process IDs (PIDs) are recycled in Windows and reused for new processes. On their own, they can't serve as unique identifiers for specific processes. To get a unique identifier for a process on a specific device, use the process ID together with the process creation time. When you join or summarize data around processes, include columns for the device identifier (either `DeviceId` or `DeviceName`), the process ID (`ProcessId` or `InitiatingProcessId`), and the process creation time (`ProcessCreationTime` or `InitiatingProcessCreationTime`). The following example query finds processes that access more than 10 IP addresses over port 445 (SMB), possibly scanning for file shares. @@ -57,6 +60,7 @@ DeviceNetworkEvents The query summarizes by both `InitiatingProcessId` and `InitiatingProcessCreationTime` so that it looks at a single process, without mixing multiple processes with the same process ID. ### Queries with command lines + Command lines can vary. When applicable, filter on file names and do fuzzy matching. There are numerous ways to construct a command line to accomplish a task. For example, an attacker could reference an image file with or without a path, without a file extension, using environment variables, or with quotes. In addition, the attacker could also change the order of parameters or add multiple quotes and spaces. @@ -87,9 +91,12 @@ DeviceProcessEvents | where CanonicalCommandLine contains "stop" and CanonicalCommandLine contains "MpsSvc" ``` ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-bestpractices-belowfoldlink) +> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-bestpractices-belowfoldlink) ## Related topics + - [Advanced hunting overview](advanced-hunting-overview.md) - [Learn the query language](advanced-hunting-query-language.md) - [Understand the schema](advanced-hunting-schema-reference.md) +- [Work with query results](advanced-hunting-query-results.md) +- [Custom detections overview](overview-custom-detections.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-extend-data.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-extend-data.md new file mode 100644 index 0000000000..371cfbed8c --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-extend-data.md @@ -0,0 +1,48 @@ +--- +title: Extend advanced hunting coverage with the right settings +description: Check auditing settings on Windows devices and other settings to help ensure that you get the most comprehensive data in advanced hunting +keywords: advanced hunting, incident, pivot, entity, audit settings, user account management, security group management, threat hunting, cyber threat hunting, search, query, telemetry, mdatp, Microsoft Defender ATP, Microsoft Defender Advanced Threat Protection, Windows Defender, Windows Defender ATP, Windows Defender Advanced Threat Protection +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: lomayor +author: lomayor +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 10/10/2020 +--- + +# Extend advanced hunting coverage with the right settings + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +[Advanced hunting](advanced-hunting-overview.md) relies on data coming from across your organization. To get the most comprehensive data possible, ensure that you have the correct settings in the corresponding data sources. + +## Advanced security auditing on Windows devices + +Turn on these advanced auditing settings to ensure you get data about activities on your devices, including local account management, local security group management, and service creation. + +Data | Description | Schema table | How to configure +-|-|-|- +Account management | Events captured as various `ActionType` values indicating local account creation, deletion, and other account-related activities | [DeviceEvents](advanced-hunting-deviceevents-table.md) | - Deploy an advanced security audit policy: [Audit User Account Management](https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-user-account-management)
    - [Learn about advanced security audit policies](https://docs.microsoft.com/windows/security/threat-protection/auditing/advanced-security-auditing) +Security group management | Events captured as various `ActionType` values indicating local security group creation and other local group management activities | [DeviceEvents](advanced-hunting-deviceevents-table.md) | - Deploy an advanced security audit policy: [Audit Security Group Management](https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-security-group-management)
    - [Learn about advanced security audit policies](https://docs.microsoft.com/windows/security/threat-protection/auditing/advanced-security-auditing) +Service installation | Events captured with the `ActionType` value `ServiceInstalled`, indicating that a service has been created | [DeviceEvents](advanced-hunting-deviceevents-table.md) | - Deploy an advanced security audit policy: [Audit Security System Extension](https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-security-system-extension)
    - [Learn about advanced security audit policies](https://docs.microsoft.com/windows/security/threat-protection/auditing/advanced-security-auditing) + +## Related topics + +- [Advanced hunting overview](advanced-hunting-overview.md) +- [Learn the query language](advanced-hunting-query-language.md) +- [Understand the schema](advanced-hunting-schema-reference.md) +- [Work with query results](advanced-hunting-query-results.md) +- [Apply query best practices](advanced-hunting-best-practices.md) +- [Custom detections overview](overview-custom-detections.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-fileprofile-function.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-fileprofile-function.md new file mode 100644 index 0000000000..f2f93bf6a2 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-fileprofile-function.md @@ -0,0 +1,85 @@ +--- +title: FileProfile() function in advanced hunting for Microsoft Defender Advanced Threat Protection +description: Learn how to use the FileProfile() to enrich information about files in your advanced hunting query results +keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, Microsoft Defender ATP, Microsoft Defender Advanced Threat Protection, Windows Defender, Windows Defender ATP, Windows Defender Advanced Threat Protection, search, query, telemetry, schema reference, kusto, FileProfile, file profile, function, enrichment +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: lomayor +author: lomayor +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 09/20/2020 +--- + +# FileProfile() + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +The `FileProfile()` function is an enrichment function in [advanced hunting](advanced-hunting-overview.md) that adds the following data to files found by the query. + +Column | Data type | Description +-|-|- +SHA1 | string | SHA-1 of the file that the recorded action was applied to +SHA256 | string | SHA-256 of the file that the recorded action was applied to +MD5 | string | MD5 hash of the file that the recorded action was applied to +FileSize | int | Size of the file in bytes +GlobalPrevalence | int | Number of instances of the entity observed by Microsoft globally +GlobalFirstSeen | datetime | Date and time when the entity was first observed by Microsoft globally +GlobalLastSeen | datetime | Date and time when the entity was last observed by Microsoft globally +Signer | string | Information about the signer of the file +Issuer | string | Information about the issuing certificate authority (CA) +SignerHash | string | Unique hash value identifying the signer +IsCertificateValid | boolean | Whether the certificate used to sign the file is valid +IsRootSignerMicrosoft | boolean | Indicates whether the signer of the root certificate is Microsoft +IsExecutable | boolean | Whether the file is a Portable Executable (PE) file +ThreatName | string | Detection name for any malware or other threats found +Publisher | string | Name of the organization that published the file +SoftwareName | string | Name of the software product + +## Syntax + +```kusto +invoke FileProfile(x,y) +``` + +## Arguments + +- **x** — file ID column to use: `SHA1`, `SHA256`, `InitiatingProcessSHA1` or `InitiatingProcessSHA256`; function uses `SHA1` if unspecified +- **y** — limit to the number of records to enrich, 1-1000; function uses 100 if unspecified + +## Examples + +### Project only the SHA1 column and enrich it + +```kusto +DeviceFileEvents +| where isnotempty(SHA1) and Timestamp > ago(1d) +| take 10 +| project SHA1 +| invoke FileProfile() +``` + +### Enrich the first 500 records and list low-prevalence files + +```kusto +DeviceFileEvents +| where ActionType == "FileCreated" and Timestamp > ago(1d) +| project CreatedOn = Timestamp, FileName, FolderPath, SHA1 +| invoke FileProfile("SHA1", 500) +| where GlobalPrevalence < 15 +``` + +## Related topics + +- [Advanced hunting overview](advanced-hunting-overview.md) +- [Learn the query language](advanced-hunting-query-language.md) +- [Understand the schema](advanced-hunting-schema-reference.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-go-hunt.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-go-hunt.md new file mode 100644 index 0000000000..cab2d3160b --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-go-hunt.md @@ -0,0 +1,107 @@ +--- +title: Get relevant info about an entity with go hunt +description: Learn how to use the "go hunt" tool to quickly query for relevant information about an entity or event using advanced hunting. +keywords: advanced hunting, incident, pivot, entity, go hunt, relevant events, threat hunting, cyber threat hunting, search, query, telemetry, Microsoft Threat Protection +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +f1.keywords: +- NOCSH +ms.author: v-maave +author: martyav +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# Quickly hunt for entity or event information with go hunt + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +With the *go hunt* action, you can quickly investigate events and various entity types using powerful query-based [advanced hunting](advanced-hunting-overview.md) capabilities. This action automatically runs an advanced hunting query to find relevant information about the selected event or entity. + +The *go hunt* action is available in various sections of the security center whenever event or entity details are displayed. For example, you can use *go hunt* from the following sections: + +- In the [incident page](investigate-incidents.md), you can review details about users, devices, and many other entities associated with an incident. When you select an entity, you get additional information as well as various actions you could take on that entity. In the example below, a device is selected, showing details about the device as well the option to hunt for more information about the device. + + ![Image showing device details with the go hunt option](./images/go-hunt-device.png) + +- In the incident page, you can also access a list of entities under the evidence tab. Selecting one of those entities provides an option to quickly hunt for information about that entity. + + ![Image showing selected url with the go hunt option in the Evidence tab](./images/go-hunt-evidence-url.png) + +- When viewing the timeline for a device, you can select an event in the timeline to view additional information about that event. Once an event is selected, you get the option to hunt for other relevant events in advanced hunting. + + ![Image showing event details with the go hunt option](./images/go-hunt-event.png) + +Selecting **Go hunt** or **Hunt for related events** passes different queries, depending on whether you've selected an entity or an event. + +## Query for entity information + +When using *go hunt* to query for information about a user, device, or any other type of entity, the query checks all relevant schema tables for any events involving that entity. To keep the results manageable, the query is scoped to around the same time period as the earliest activity in the past 30 days that involves the entity and is associated with the incident. + +Here is an example of the go hunt query for a device: + +```kusto +let selectedTimestamp = datetime(2020-06-02T02:06:47.1167157Z); +let deviceName = "fv-az770.example.com"; +let deviceId = "device-guid"; +search in (DeviceLogonEvents, DeviceProcessEvents, DeviceNetworkEvents, DeviceFileEvents, DeviceRegistryEvents, DeviceImageLoadEvents, DeviceEvents, DeviceImageLoadEvents, IdentityLogonEvents, IdentityQueryEvents) +Timestamp between ((selectedTimestamp - 1h) .. (selectedTimestamp + 1h)) +and DeviceName == deviceName +// or RemoteDeviceName == deviceName +// or DeviceId == deviceId +| take 100 +``` + +### Supported entity types + +You can use *go hunt* after selecting any of these entity types: + +- Files +- Users +- Devices +- IP addresses +- URLs + +## Query for event information + +When using *go hunt* to query for information about a timeline event, the query checks all relevant schema tables for other events around the time of the selected event. For example, the following query lists events in various schema tables that occurred around the same time period on the same device: + +```kusto +// List relevant events 30 minutes before and after selected RegistryValueSet event +let selectedEventTimestamp = datetime(2020-10-06T21:40:25.3466868Z); +search in (DeviceFileEvents, DeviceProcessEvents, DeviceEvents, DeviceRegistryEvents, DeviceNetworkEvents, DeviceImageLoadEvents, DeviceLogonEvents) + Timestamp between ((selectedEventTimestamp - 30m) .. (selectedEventTimestamp + 30m)) + and DeviceId == "a305b52049c4658ec63ae8b55becfe5954c654a4" +| sort by Timestamp desc +| extend Relevance = iff(Timestamp == selectedEventTimestamp, "Selected event", iff(Timestamp < selectedEventTimestamp, "Earlier event", "Later event")) +| project-reorder Relevance +``` + +## Adjust the query + +With some knowledge of the [query language](advanced-hunting-query-language.md), you can adjust the query to your preference. For example, you can adjust this line, which determines the size of the time window: + +```kusto +Timestamp between ((selectedTimestamp - 1h) .. (selectedTimestamp + 1h)) +``` + +In addition to modifying the query to get more relevant results, you can also: + +- [View the results as charts](advanced-hunting-query-results.md#view-query-results-as-a-table-or-chart) +- [Create a custom detection rule](custom-detection-rules.md) + +## Related topics + +- [Advanced hunting overview](advanced-hunting-overview.md) +- [Learn the query language](advanced-hunting-query-language.md) +- [Work with query results](advanced-hunting-query-results.md) +- [Custom detection rules](custom-detection-rules.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md index 576f8e6c89..19ef98383c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md @@ -28,18 +28,20 @@ ms.topic: article Advanced hunting is a query-based threat-hunting tool that lets you explore up to 30 days of raw data. You can proactively inspect events in your network to locate threat indicators and entities. The flexible access to data enables unconstrained hunting for both known and potential threats. +Watch this video for a quick overview of advanced hunting and a short tutorial that will get you started fast. +
    +
    + +> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4bGqo] + You can use the same threat-hunting queries to build custom detection rules. These rules run automatically to check for and then respond to suspected breach activity, misconfigured machines, and other findings. >[!TIP] >Use [advanced hunting in Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview) to hunt for threats using data from Microsoft Defender ATP, Office 365 ATP, Microsoft Cloud App Security, and Azure ATP. [Turn on Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/mtp-enable) ## Get started with advanced hunting -Watch this video for a quick overview of advanced hunting and a short tutorial that will get you started fast. -

    -> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4bGqo] - -You can also go through each of the following steps to ramp up your advanced hunting knowledge. +Go through the following steps to ramp up your advanced hunting knowledge. We recommend going through several steps to quickly get up and running with advanced hunting. @@ -50,18 +52,24 @@ We recommend going through several steps to quickly get up and running with adva | **Understand the schema** | Get a good, high-level understanding of the tables in the schema and their columns. Learn where to look for data when constructing your queries. | [Schema reference](advanced-hunting-schema-reference.md) | | **Use predefined queries** | Explore collections of predefined queries covering different threat hunting scenarios. | [Shared queries](advanced-hunting-shared-queries.md) | | **Optimize queries and handle errors** | Understand how to create efficient and error-free queries. | - [Query best practices](advanced-hunting-best-practices.md)
    - [Handle errors](advanced-hunting-errors.md) | +| **Get the most complete coverage** | Use audit settings to provide better data coverage for your organization. | - [Extend advanced hunting coverage](advanced-hunting-extend-data.md) | +| **Run a quick investigation** | Quickly run an advanced hunting query to investigate suspicious activity. | - [Quickly hunt for entity or event information with *go hunt*](advanced-hunting-go-hunt.md) | +| **Contain threats and address compromises** | Respond to attacks by quarantining files, restricting app execution, and other actions | - [Take action on advanced hunting query results](advanced-hunting-take-action.md) | | **Create custom detection rules** | Understand how you can use advanced hunting queries to trigger alerts and take response actions automatically. | - [Custom detections overview](overview-custom-detections.md)
    - [Custom detection rules](custom-detection-rules.md) | ## Data freshness and update frequency + Advanced hunting data can be categorized into two distinct types, each consolidated differently. - **Event or activity data**—populates tables about alerts, security events, system events, and routine assessments. Advanced hunting receives this data almost immediately after the sensors that collect them successfully transmit them to Microsoft Defender ATP. - **Entity data**—populates tables with consolidated information about users and devices. This data comes from both relatively static data sources and dynamic sources, such as Active Directory entries and event logs. To provide fresh data, tables are updated with any new information every 15 minutes, adding rows that might not be fully populated. Every 24 hours, data is consolidated to insert a record that contains the latest, most comprehensive data set about each entity. ## Time zone + Time information in advanced hunting is currently in the UTC time zone. ## Related topics + - [Learn the query language](advanced-hunting-query-language.md) - [Work with query results](advanced-hunting-query-results.md) - [Use shared queries](advanced-hunting-shared-queries.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md index 7003a2670e..2d83c38459 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md @@ -21,13 +21,12 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink) +> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink) -Advanced hunting is based on the [Kusto query language](https://docs.microsoft.com/azure/kusto/query/). You can use Kusto syntax and operators to construct queries that locate information in the [schema](advanced-hunting-schema-reference.md) specifically structured for advanced hunting. To understand these concepts better, run your first query. +Advanced hunting is based on the [Kusto query language](https://docs.microsoft.com/azure/kusto/query/). You can use Kusto operators and statements to construct queries that locate information in a specialized [schema](advanced-hunting-schema-reference.md). To understand these concepts better, run your first query. ## Try your first query @@ -52,26 +51,21 @@ union DeviceProcessEvents, DeviceNetworkEvents FileName, ProcessCommandLine, RemoteIP, RemoteUrl, RemotePort, RemoteIPType | top 100 by Timestamp ``` - -This is how it will look like in advanced hunting. - -![Image of Microsoft Defender ATP advanced hunting query](images/advanced-hunting-query-example-2.png) - +**[Run this query in advanced hunting](https://securitycenter.windows.com/hunting?query=H4sIAAAAAAAEAI2TT0vDQBDF5yz4HUJPFcTqyZsXqyCIBFvxKNGWtpo_NVlbC8XP7m8mado0K5Zls8nkzdu3b2Z70pNAbmUmqYyk4D2UTJYyllwGMmWNGQHrN_NNvsSBzUBrbMFMiWieAx3xDEBl4GL4AuNd8B0bNgARENcdUmIZ3yM5liPwac3bN-YZPGPU5ET1rWDc7Ox4uod8YDp4MzI-GkjlX4Ne2nly0zEkKzFWh4ZE5sSuTN8Ehq5couvEMnvmUAhez-HsRBMipVa_W_OG6vEfGtT12JRHpqV064e1Kx04NsxFzXxW1aFjp_djXmDRPbfY3XMMcLogTz2bWZ2KqmIJI6q6wKe2WYnrRsa9KVeU9kCBBo2v7BzPxF_Bx2DKiqh63SGoRoc6Njti48z_yL71XHQAcgAur6rXRpcqH3l-4knZF23Utsbq2MircEqmw-G__xR1TdZ1r7zb7XLezmx3etkvGr-ze6NdGdW92azUfpcdluWvr-aqbh_nofnqcWI3aYyOsBV7giduRUO7187LMKTT5rxvHHX80_t8IeeMgLquvL7-Ak3q-kz8BAAA&runQuery=true&timeRangeId=week)** ### Describe the query and specify the tables to search -A short comment has been added to the beginning of the query to describe what it is for. This helps if you later decide to save the query and share it with others in your organization. +A short comment has been added to the beginning of the query to describe what it is for. This comment helps if you later decide to save the query and share it with others in your organization. ```kusto // Finds PowerShell execution events that could involve a download ``` - -The query itself will typically start with a table name followed by a series of elements started by a pipe (`|`). In this example, we start by creating a union of two tables, `DeviceProcessEvents` and `DeviceNetworkEvents`, and add piped elements as needed. +The query itself will typically start with a table name followed by several elements that start with a pipe (`|`). In this example, we start by creating a union of two tables, `DeviceProcessEvents` and `DeviceNetworkEvents`, and add piped elements as needed. ```kusto union DeviceProcessEvents, DeviceNetworkEvents ``` ### Set the time range -The first piped element is a time filter scoped to the previous seven days. Keeping the time range as narrow as possible ensures that queries perform well, return manageable results, and don't time out. +The first piped element is a time filter scoped to the previous seven days. Limiting the time range helps ensure that queries perform well, return manageable results, and don't time out. ```kusto | where Timestamp > ago(7d) @@ -80,7 +74,7 @@ The first piped element is a time filter scoped to the previous seven days. Keep ### Check specific processes The time range is immediately followed by a search for process file names representing the PowerShell application. -``` +```kusto // Pivoting on PowerShell processes | where FileName in~ ("powershell.exe", "powershell_ise.exe") ``` @@ -101,7 +95,7 @@ Afterwards, the query looks for strings in command lines that are typically used ``` ### Customize result columns and length -Now that your query clearly identifies the data you want to locate, you can add elements that define what the results look like. `project` returns specific columns, and `top` limits the number of results. These operators help ensure the results are well-formatted and reasonably large and easy to process. +Now that your query clearly identifies the data you want to locate, you can define what the results look like. `project` returns specific columns, and `top` limits the number of results. These operators help ensure the results are well-formatted and reasonably large and easy to process. ```kusto | project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, @@ -109,7 +103,7 @@ FileName, ProcessCommandLine, RemoteIP, RemoteUrl, RemotePort, RemoteIPType | top 100 by Timestamp ``` -Click **Run query** to see the results. Select the expand icon at the top right of the query editor to focus on your hunting query and the results. +Select **Run query** to see the results. Use the expand icon at the top right of the query editor to focus on your hunting query and the results. ![Image of the Expand control in the advanced hunting query editor](images/advanced-hunting-expand.png) @@ -118,7 +112,7 @@ Click **Run query** to see the results. Select the expand icon at the top right ## Learn common query operators for advanced hunting -Now that you've run your first query and have a general idea of its components, it's time to backtrack a little bit and learn some basics. The Kusto query language used by advanced hunting supports a range of operators, including the following common ones. +You've just run your first query and have a general idea of its components. It's time to backtrack slightly and learn some basics. The Kusto query language used by advanced hunting supports a range of operators, including the following common ones. | Operator | Description and usage | |--|--| @@ -137,15 +131,17 @@ To see a live example of these operators, run them from the **Get started** sect ## Understand data types -Data in advanced hunting tables are generally classified into the following data types. +Advanced hunting supports Kusto data types, including the following common types: | Data type | Description and query implications | |--|--| -| `datetime` | Data and time information typically representing event timestamps | -| `string` | Character string | -| `bool` | True or false | -| `int` | 32-bit numeric value | -| `long` | 64-bit numeric value | +| `datetime` | Data and time information typically representing event timestamps. [See supported datetime formats](https://docs.microsoft.com/azure/data-explorer/kusto/query/scalar-data-types/datetime) | +| `string` | Character string in UTF-8 enclosed in single quotes (`'`) or double quotes (`"`). [Read more about strings](https://docs.microsoft.com/azure/data-explorer/kusto/query/scalar-data-types/string) | +| `bool` | This data type supports `true` or `false` states. [See supported literals and operators](https://docs.microsoft.com/azure/data-explorer/kusto/query/scalar-data-types/bool) | +| `int` | 32-bit integer | +| `long` | 64-bit integer | + +To learn more about these data types, [read about Kusto scalar data types](https://docs.microsoft.com/azure/data-explorer/kusto/query/scalar-data-types/). ## Get help as you write queries Take advantage of the following functionality to write queries faster: @@ -155,7 +151,7 @@ Take advantage of the following functionality to write queries faster: - **[Schema reference](advanced-hunting-schema-reference.md#get-schema-information-in-the-security-center)**—in-portal reference with table and column descriptions as well as supported event types (`ActionType` values) and sample queries ## Work with multiple queries in the editor -The query editor can serve as your scratch pad for experimenting with multiple queries. To use multiple queries: +You can use the query editor to experiment with multiple queries. To use multiple queries: - Separate each query with an empty line. - Place the cursor on any part of a query to select that query before running it. This will run only the selected query. To run another query, move the cursor accordingly and select **Run query**. @@ -171,7 +167,7 @@ The **Get started** section provides a few simple queries using commonly used op ![Image of the advanced hunting get started tab](images/atp-advanced-hunting.png) > [!NOTE] -> Apart from the basic query samples, you can also access [shared queries](advanced-hunting-shared-queries.md) for specific threat hunting scenarios. Explore the shared queries on the left side of the page or the GitHub query repository. +> Apart from the basic query samples, you can also access [shared queries](advanced-hunting-shared-queries.md) for specific threat hunting scenarios. Explore the shared queries on the left side of the page or the [GitHub query repository](https://aka.ms/hunting-queries). ## Access comprehensive query language reference @@ -180,7 +176,6 @@ For detailed information about the query language, see [Kusto query language doc ## Related topics - [Advanced hunting overview](advanced-hunting-overview.md) - [Work with query results](advanced-hunting-query-results.md) +- [Use shared queries](advanced-hunting-shared-queries.md) - [Understand the schema](advanced-hunting-schema-reference.md) - [Apply query best practices](advanced-hunting-best-practices.md) - ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-belowfoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-results.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-results.md index 97391fa308..b06237a57a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-results.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-results.md @@ -116,6 +116,12 @@ After running a query, select **Export** to save the results to local file. Your ## Drill down from query results To view more information about entities, such as devices, files, users, IP addresses, and URLs, in your query results, simply click the entity identifier. This opens a detailed profile page for the selected entity. +To quickly inspect a record in your query results, select the corresponding row to open the Inspect record panel. The panel provides the following information based on the selected record: + +- **Assets** — A summarized view of the main assets (mailboxes, devices, and users) found in the record, enriched with available information, such as risk and exposure levels +- **Process tree** — A chart generated for records with process information and enriched using available contextual information; in general, queries that return more columns can result in richer process trees. +- **All details** — Lists all the values from the columns in the record + ## Tweak your queries from the results Right-click a value in the result set to quickly enhance your query. You can use the options to: @@ -126,9 +132,9 @@ Right-click a value in the result set to quickly enhance your query. You can use ![Image of advanced hunting result set](images/advanced-hunting-results-filter.png) ## Filter the query results -The filters displayed to the right provide a summary of the result set. Each column has its own section that lists the distinct values found for that column and the number of instances. +The filters displayed in the right pane provide a summary of the result set. Every column has its own section in the pane, each of which lists the values found in that column, and the number of instances. -Refine your query by selecting the `+` or `-` buttons on the values that you want to include or exclude and then selecting **Run query**. +Refine your query by selecting the `+` or `-` buttons on the values that you want to include or exclude. Then select **Run query**. ![Image of advanced hunting filter](images/advanced-hunting-filter.png) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md index 6a0361489c..c41443181f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md @@ -69,8 +69,11 @@ Table and column names are also listed within the Microsoft Defender Security Ce | **[DeviceTvmSecureConfigurationAssessment](advanced-hunting-devicetvmsecureconfigurationassessment-table.md)** | Threat & Vulnerability Management assessment events, indicating the status of various security configurations on devices | | **[DeviceTvmSecureConfigurationAssessmentKB](advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md)** | Knowledge base of various security configurations used by Threat & Vulnerability Management to assess devices; includes mappings to various standards and benchmarks | + ## Related topics - [Advanced hunting overview](advanced-hunting-overview.md) -- [Work with query results](advanced-hunting-query-results.md) - [Learn the query language](advanced-hunting-query-language.md) +- [Work with query results](advanced-hunting-query-results.md) +- [Apply query best practices](advanced-hunting-best-practices.md) +- [Custom detections overview](overview-custom-detections.md) - [Advanced hunting data schema changes](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/advanced-hunting-data-schema-changes/ba-p/1043914) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md index 4eb3858c7f..46610a6772 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md @@ -43,7 +43,7 @@ You can save a new or existing query so that it is only accessible to you or sha ![Image of saving a query](images/advanced-hunting-save-query.png) 4. Select the folder where you'd like to save the query. - - **Shared queries** — shared to all users in the your organization + - **Shared queries** — shared to all users in your organization - **My queries** — accessible only to you 5. Select **Save**. @@ -67,3 +67,7 @@ Microsoft security researchers regularly share advanced hunting queries in a [de ## Related topics - [Advanced hunting overview](advanced-hunting-overview.md) - [Learn the query language](advanced-hunting-query-language.md) +- [Work with query results](advanced-hunting-query-results.md) +- [Understand the schema](advanced-hunting-schema-reference.md) +- [Apply query best practices](advanced-hunting-best-practices.md) +- [Custom detections overview](overview-custom-detections.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-take-action.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-take-action.md new file mode 100644 index 0000000000..b06baf7444 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-take-action.md @@ -0,0 +1,82 @@ +--- +title: Take action on advanced hunting query results in Microsoft Threat Protection +description: Quickly address threats and affected assets in your advanced hunting query results +keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, custom detections, schema, kusto, avoid timeout, command lines, process id +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: lomayor +author: lomayor +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 09/20/2020 +--- + +# Take action on advanced hunting query results + +**Applies to:** +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) + +You can quickly contain threats or address compromised assets that you find in [advanced hunting](advanced-hunting-overview.md) using powerful and comprehensive action options. With these options, you can: + +- Take various actions on devices +- Quarantine files + +## Required permissions + +To be able to take action through advanced hunting, you need a role in Microsoft Defender ATP with [permissions to submit remediation actions on devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#permission-options). If you can't take action, contact a global administrator about getting the following permission: + +*Active remediation actions > Threat and vulnerability management - Remediation handling* + +## Take various actions on devices + +You can take the following actions on devices identified by the `DeviceId` column in your query results: + +- Isolate affected devices to contain an infection or prevent attacks from moving laterally +- Collect investigation package to obtain more forensic information +- Run an antivirus scan to find and remove threats using the latest security intelligence updates +- Initiate an automated investigation to check and remediate threats on the device and possibly other affected devices +- Restrict app execution to only Microsoft-signed executable files, preventing subsequent threat activity through malware or other untrusted executables + +To learn more about how these response actions are performed through Microsoft Defender ATP, [read about response actions on devices](respond-machine-alerts.md). + +## Quarantine files + +You can deploy the *quarantine* action on files so that they are automatically quarantined when encountered. When selecting this action, you can choose between the following columns to identify which files in your query results to quarantine: + +- `SHA1` — In most advanced hunting tables, this is the SHA-1 of the file that was affected by the recorded action. For example, if a file was copied, this would be the copied file. +- `InitiatingProcessSHA1` — In most advanced hunting tables, this is the file responsible for initiating the recorded action. For example, if a child process was launched, this would be the parent process. +- `SHA256` — This is the SHA-256 equivalent of the file identified by the `SHA1` column. +- `InitiatingProcessSHA256` — This is the SHA-256 equivalent of the file identified by the `InitiatingProcessSHA1` column. + +To learn more about how quarantine actions are taken and how files can be restored, [read about response actions on files](respond-file-alerts.md). + +>[!NOTE] +>To locate files and quarantine them, the query results should also include `DeviceId` values as device identifiers. + +## Take action + +To take any of the described actions, select one or more records in your query results and then select **Take actions**. A wizard will guide you through the process of selecting and then submitting your preferred actions. + +![Image of selected record with panel for inspecting the record](images/ah-take-actions.png) + +## Review actions taken + +Each action is individually recorded in the action center, under **Action center** > **History** ([security.microsoft.com/action-center/history](https://security.microsoft.com/action-center/history)). Go to the action center to check the status of each action. + +## Related topics + +- [Advanced hunting overview](advanced-hunting-overview.md) +- [Learn the query language](advanced-hunting-query-language.md) +- [Understand the schema](advanced-hunting-schema-reference.md) +- [Work with query results](advanced-hunting-query-results.md) +- [Apply query best practices](advanced-hunting-best-practices.md) +- [Custom detections overview](overview-custom-detections.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/android-configure.md b/windows/security/threat-protection/microsoft-defender-atp/android-configure.md index e8bb4f8847..6edfd475aa 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/android-configure.md +++ b/windows/security/threat-protection/microsoft-defender-atp/android-configure.md @@ -14,7 +14,9 @@ author: dansimp ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint ms.topic: conceptual --- diff --git a/windows/security/threat-protection/microsoft-defender-atp/android-intune.md b/windows/security/threat-protection/microsoft-defender-atp/android-intune.md index 079bb71234..b70734bf7c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/android-intune.md +++ b/windows/security/threat-protection/microsoft-defender-atp/android-intune.md @@ -14,7 +14,9 @@ author: dansimp ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint ms.topic: conceptual --- diff --git a/windows/security/threat-protection/microsoft-defender-atp/android-support-signin.md b/windows/security/threat-protection/microsoft-defender-atp/android-support-signin.md index a989d91d73..d2d946c3fb 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/android-support-signin.md +++ b/windows/security/threat-protection/microsoft-defender-atp/android-support-signin.md @@ -14,7 +14,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint ms.topic: conceptual --- diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md b/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md index 19a2f46e0c..b8454c4935 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md @@ -72,6 +72,8 @@ Field numbers match the numbers in the images below. > | | LogOnUsers | sourceUserId | contoso\liz-bean; contoso\jay-hardee | The domain and user of the interactive logon user/s at the time of the event. Note: For devices on Windows 10 version 1607, the domain information will not be available. | > | | InternalIPv4List | No mapping | 192.168.1.7, 10.1.14.1 | List of IPV4 internal IPs for active network interfaces. | > | | InternalIPv6List | No mapping | fd30:0000:0000:0001:ff4e:003e:0009:000e, FE80:CD00:0000:0CDE:1257:0000:211E:729C | List of IPV6 internal IPs for active network interfaces. | +| | LinkToMTP | flexString1 | `https://security.microsoft.com/alert/da637370718981685665_16349121` | Value available for every Detection. +| | IncidentLinkToMTP | flexString1 | `"https://security.microsoft.com/incidents/byalert?alertId=da637370718981685665_16349121&source=SIEM` | Value available for every Detection. > | Internal field | LastProcessedTimeUtc | No mapping | 2017-05-07T01:56:58.9936648Z | Time when event arrived at the backend. This field can be used when setting the request parameter for the range of time that detections are retrieved. | > | | Not part of the schema | deviceVendor | | Static value in the ArcSight mapping - 'Microsoft'. | > | | Not part of the schema | deviceProduct | | Static value in the ArcSight mapping - 'Microsoft Defender ATP'. | diff --git a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md index bca632927a..0a77813dd2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md +++ b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md @@ -12,7 +12,9 @@ author: denisebmsft ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint ms.topic: article ms.reviewer: ramarom, evaldm, isco, mabraitm, chriggs ms.date: 09/24/2020 diff --git a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md index d422058827..ef999e9cca 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md @@ -15,7 +15,9 @@ ms.date: 09/30/2020 ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint ms.topic: conceptual ms.reviewer: ramarom, evaldm, isco, mabraitm, chriggs ms.custom: AIR diff --git a/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md b/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md index e9516735d3..8d29204276 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md +++ b/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md @@ -16,6 +16,8 @@ ms.custom: - next-gen - edr ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint --- # Behavioral blocking and containment diff --git a/windows/security/threat-protection/microsoft-defender-atp/client-behavioral-blocking.md b/windows/security/threat-protection/microsoft-defender-atp/client-behavioral-blocking.md index fee9bbd249..52e97e1b70 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/client-behavioral-blocking.md +++ b/windows/security/threat-protection/microsoft-defender-atp/client-behavioral-blocking.md @@ -16,6 +16,8 @@ ms.custom: - next-gen - edr ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint --- # Client behavioral blocking diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows.md index 82e701c6e9..2f52d63533 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows.md @@ -40,7 +40,7 @@ You'll need to know the exact Linux distros and macOS versions that are compatib You'll need to take the following steps to onboard non-Windows devices: 1. Select your preferred method of onboarding: - - For macOS devices, you can choose to onboard through Microsoft Defender ATP or through a third-party solution. For more information, see [Microsoft Defender ATP for Mac](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-atp-mac). + - For macOS devices, you can choose to onboard through Microsoft Defender ATP or through a third-party solution. For more information, see [Microsoft Defender ATP for Mac](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac). - For other non-Windows devices choose **Onboard non-Windows devices through third-party integration**. 1. In the navigation pane, select **Interoperability** > **Partners**. Make sure the third-party solution is listed. diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md index edc7d67d77..2372dd38c5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md @@ -37,14 +37,14 @@ Based on the version of Configuration Manager you're running, the following clie #### Configuration Manager version 1910 and prior -- Clients computers running Windows 10, version 1607 and later +- Clients computers running Windows 10 #### Configuration Manager version 2002 and later Starting in Configuration Manager version 2002, you can onboard the following operating systems: - Windows 8.1 -- Windows 10, version 1607 or later +- Windows 10 - Windows Server 2012 R2 - Windows Server 2016 - Windows Server 2016, version 1803 or later diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md b/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md index 7503ffcee1..23f1b28355 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md @@ -14,7 +14,9 @@ author: DulceMontemayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint ms.topic: article --- diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md index d115e3867d..12c3637695 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md @@ -13,7 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint ms.topic: article --- diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md index 38b47a18f9..0ddcd8c630 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md @@ -37,14 +37,6 @@ ms.topic: article Microsoft Defender ATP extends support to also include the Windows Server operating system. This support provides advanced attack detection and investigation capabilities seamlessly through the Microsoft Defender Security Center console. -The service supports the onboarding of the following Windows servers: -- Windows Server 2008 R2 SP1 -- Windows Server 2012 R2 -- Windows Server 2016 -- Windows Server (SAC) version 1803 and later -- Windows Server 2019 and later -- Windows Server 2019 core edition - For a practical guidance on what needs to be in place for licensing and infrastructure, see [Protecting Windows Servers with Microsoft Defender ATP](https://techcommunity.microsoft.com/t5/What-s-New/Protecting-Windows-Server-with-Windows-Defender-ATP/m-p/267114#M128). For guidance on how to download and use Windows Security Baselines for Windows servers, see [Windows Security Baselines](https://docs.microsoft.com/windows/device-security/windows-security-baselines). @@ -54,16 +46,36 @@ For guidance on how to download and use Windows Security Baselines for Windows s You can onboard Windows Server 2008 R2 SP1, Windows Server 2012 R2, and Windows Server 2016 to Microsoft Defender ATP by using any of the following options: -- **Option 1**: [Onboard through Microsoft Defender Security Center](#option-1-onboard-windows-servers-through-microsoft-defender-security-center) +- **Option 1**: [Onboard by installing and configuring Microsoft Monitoring Agent (MMA)](#option-1-onboard-by-installing-and-configuring-microsoft-monitoring-agent-mma) - **Option 2**: [Onboard through Azure Security Center](#option-2-onboard-windows-servers-through-azure-security-center) -- **Option 3**: [Onboard through Microsoft Endpoint Configuration Manager version 2002 and later (only for Windows Server 2012 R2 and Windows Server 2016)](#option-3-onboard-windows-servers-through-microsoft-endpoint-configuration-manager-version-2002-and-later) +- **Option 3**: [Onboard through Microsoft Endpoint Configuration Manager version 2002 and later](#option-3-onboard-windows-servers-through-microsoft-endpoint-configuration-manager-version-2002-and-later) + + +After completing the onboarding steps using any of the provided options, you'll need to [Configure and update System Center Endpoint Protection clients](#configure-and-update-system-center-endpoint-protection-clients). + > [!NOTE] > Microsoft defender ATP standalone server license is required, per node, in order to onboard a Windows server through Microsoft Defender Security Center (Option 1), or an Azure Security Center Standard license is required, per node, in order to onboard a Windows server through Azure Security Center (Option 2), see [Supported features available in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-services). -### Option 1: Onboard Windows servers through Microsoft Defender Security Center -Perform the following steps to onboard Windows servers through Microsoft Defender Security Center: +### Option 1: Onboard by installing and configuring Microsoft Monitoring Agent (MMA) +You'll need to install and configure MMA for Windows servers to report sensor data to Microsoft Defender ATP. For more information, see [Collect log data with Azure Log Analytics agent](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent). + +If you're already leveraging System Center Operations Manager (SCOM) or Azure Monitor (formerly known as Operations Management Suite (OMS)), attach the Microsoft Monitoring Agent (MMA) to report to your Microsoft Defender ATP workspace through Multihoming support. + +In general, you'll need to take the following steps: +1. Fulfill the onboarding requirements outlined in **Before you begin** section. +2. Turn on server monitoring from Microsoft Defender Security center. +3. Install and configure MMA for the server to report sensor data to Microsoft Defender ATP. +4. Configure and update System Center Endpoint Protection clients. + + +> [!TIP] +> After onboarding the device, you can choose to run a detection test to verify that it is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP endpoint](run-detection-test.md). + + +#### Before you begin +Perform the following steps to fulfill the onboarding requirements: - For Windows Server 2008 R2 SP1 or Windows Server 2012 R2, ensure that you install the following hotfix: - [Update for customer experience and diagnostic telemetry](https://support.microsoft.com/help/3080149/update-for-customer-experience-and-diagnostic-telemetry) @@ -77,32 +89,6 @@ Perform the following steps to onboard Windows servers through Microsoft Defende > [!NOTE] > This step is required only if your organization uses System Center Endpoint Protection (SCEP) and you're onboarding Windows Server 2008 R2 SP1 and Windows Server 2012 R2. - - [Turn on server monitoring from Microsoft Defender Security Center](#turn-on-server-monitoring-from-the-microsoft-defender-security-center-portal). - - - If you're already leveraging System Center Operations Manager (SCOM) or Azure Monitor (formerly known as Operations Management Suite (OMS)), attach the Microsoft Monitoring Agent (MMA) to report to your Microsoft Defender ATP workspace through Multihoming support. - - Otherwise, [install and configure MMA to report sensor data to Microsoft Defender ATP](#install-and-configure-microsoft-monitoring-agent-mma-to-report-sensor-data-to-microsoft-defender-atp). For more information, see [Collect log data with Azure Log Analytics agent](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent). - -> [!TIP] -> After onboarding the device, you can choose to run a detection test to verify that it is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP endpoint](run-detection-test.md). - -### Configure and update System Center Endpoint Protection clients - -Microsoft Defender ATP integrates with System Center Endpoint Protection. The integration provides visibility to malware detections and to stop propagation of an attack in your organization by banning potentially malicious files or suspected malware. - -The following steps are required to enable this integration: -- Install the [January 2017 anti-malware platform update for Endpoint Protection clients](https://support.microsoft.com/help/3209361/january-2017-anti-malware-platform-update-for-endpoint-protection-clie). - -- Configure the SCEP client Cloud Protection Service membership to the **Advanced** setting. - - -### Turn on Server monitoring from the Microsoft Defender Security Center portal - -1. In the navigation pane, select **Settings** > **Device management** > **Onboarding**. - -2. Select **Windows Server 2008 R2 SP1, 2012 R2 and 2016** as the operating system. - -3. Click **Turn on server monitoring** and confirm that you'd like to proceed with the environment setup. When the setup completes, the **Workspace ID** and **Workspace key** fields are populated with unique values. You'll need to use these values to configure the MMA agent. @@ -115,16 +101,21 @@ The following steps are required to enable this integration: On the **Agent Setup Options** page, choose **Connect the agent to Azure Log Analytics (OMS)**. - [Install the agent using the command line](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-the-agent-using-the-command-line) and [configure the agent using a script](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#add-a-workspace-using-a-script). -3. You'll need to configure proxy settings for the Microsoft Monitoring Agent. For more information, see [Configure proxy settings](configure-proxy-internet.md). -Once completed, you should see onboarded Windows servers in the portal within an hour. -### Configure Windows server proxy and Internet connectivity settings +### Configure Windows server proxy and Internet connectivity settings if needed +If your servers need to use a proxy to communicate with Microsoft Defender ATP, use one of the following methods to configure the MMA to use the proxy server: -- Each Windows server must be able to connect to the Internet using HTTPS. This connection can be direct, using a proxy, or through the OMS Gateway. -- If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that you [enable access to Microsoft Defender ATP service URLs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server). + +- [Configure the MMA to use a proxy server](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#install-agent-using-setup-wizard) + +- [Configure Windows to use a proxy server for all connections](configure-proxy-internet.md) + +If a proxy or firewall is in use, please ensure that servers can access all of the Microsoft Defender ATP service URLs directly and without SSL interception. For more information, see [enable access to Microsoft Defender ATP service URLs](configure-proxy-internet.md#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server). Use of SSL interception will prevent the system from communicating with the Defender for Endpoint service. + +Once completed, you should see onboarded Windows servers in the portal within an hour. ### Option 2: Onboard Windows servers through Azure Security Center 1. In the Microsoft Defender Security Center navigation pane, select **Settings** > **Device management** > **Onboarding**. @@ -135,9 +126,15 @@ Once completed, you should see onboarded Windows servers in the portal within an 4. Follow the onboarding instructions in [Microsoft Defender Advanced Threat Protection with Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-wdatp). +After completing the onboarding steps, you'll need to [Configure and update System Center Endpoint Protection clients](#configure-and-update-system-center-endpoint-protection-clients). + ### Option 3: Onboard Windows servers through Microsoft Endpoint Configuration Manager version 2002 and later You can onboard Windows Server 2012 R2 and Windows Server 2016 by using Microsoft Endpoint Configuration Manager version 2002 and later. For more information, see [Microsoft Defender Advanced Threat Protection in Microsoft Endpoint Configuration Manager current branch](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/defender-advanced-threat-protection). +After completing the onboarding steps, you'll need to [Configure and update System Center Endpoint Protection clients](#configure-and-update-system-center-endpoint-protection-clients). + + + ## Windows Server (SAC) version 1803, Windows Server 2019, and Windows Server 2019 Core edition You can onboard Windows Server (SAC) version 1803, Windows Server 2019, or Windows Server 2019 Core edition by using the following deployment methods: @@ -201,6 +198,17 @@ Data collected by Microsoft Defender ATP is stored in the geo-location of the te Server endpoint monitoring utilizing this integration has been disabled for Office 365 GCC customers. +## Configure and update System Center Endpoint Protection clients + +Microsoft Defender ATP integrates with System Center Endpoint Protection. The integration provides visibility to malware detections and to stop propagation of an attack in your organization by banning potentially malicious files or suspected malware. + +The following steps are required to enable this integration: +- Install the [January 2017 anti-malware platform update for Endpoint Protection clients](https://support.microsoft.com/help/3209361/january-2017-anti-malware-platform-update-for-endpoint-protection-clie). + +- Configure the SCEP client Cloud Protection Service membership to the **Advanced** setting. + + + ## Offboard Windows servers You can offboard Windows Server (SAC), Windows Server 2019, and Windows Server 2019 Core edition in the same method available for Windows 10 client devices. diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md index 79ab34fce9..4edd3585e2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md +++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md @@ -16,6 +16,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article +ms.date: 09/20/2020 --- # Create custom detection rules @@ -23,30 +24,36 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** + - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Custom detection rules built from [advanced hunting](advanced-hunting-overview.md) queries let you proactively monitor various events and system states, including suspected breach activity and misconfigured devices. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches. -Read this article to learn how to create new custom detection rules. Or [see viewing and managing existing rules](custom-detections-manage.md). +Read this article to learn how to create new custom detection rules. Or [see viewing and managing existing rules](custom-detections-manage.md). -## 1. Check required permissions +> [!NOTE] +> To create or manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission. -To create or manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission. - -## 2. Prepare the query +## 1. Prepare the query. In Microsoft Defender Security Center, go to **Advanced hunting** and select an existing query or create a new query. When using a new query, run the query to identify errors and understand possible results. >[!IMPORTANT] >To prevent the service from returning too many alerts, each rule is limited to generating only 100 alerts whenever it runs. Before creating a rule, tweak your query to avoid alerting for normal, day-to-day activity. - ### Required columns in the query results -To use a query for a custom detection rule, the query must return the `Timestamp`, `DeviceId`, and `ReportId` columns in the results. Simple queries, such as those that don't use the `project` or `summarize` operator to customize or aggregate results, typically return these common columns. -There are various ways to ensure more complex queries return these columns. For example, if you prefer to aggregate and count by `DeviceId`, you can still return `Timestamp` and `ReportId` by getting them from the most recent event involving each device. +To use a query for a custom detection rule, the query must return the following columns: -The sample query below counts the number of unique devices (`DeviceId`) with antivirus detections and uses this count to find only the devices with more than five detections. To return the latest `Timestamp` and the corresponding `ReportId`, it uses the `summarize` operator with the `arg_max` function. +- `Timestamp` +- `DeviceId` +- `ReportId` + +Simple queries, such as those that don't use the `project` or `summarize` operator to customize or aggregate results, typically return these common columns. + +There are various ways to ensure more complex queries return these columns. For example, if you prefer to aggregate and count by `DeviceId`, you can still return `Timestamp` and `ReportId` by getting them from the most recent event involving each device. + +The sample query below counts the number of unique devices (`DeviceId`) with antivirus detections and uses this to find only those devices with more than five detections. To return the latest `Timestamp` and the corresponding `ReportId`, it uses the `summarize` operator with the `arg_max` function. ```kusto DeviceEvents @@ -56,7 +63,10 @@ DeviceEvents | where count_ > 5 ``` -## 3. Create new rule and provide alert details +> [!TIP] +> For better query performance, set a time filter that matches your intended run frequency for the rule. Since the least frequent run is every 24 hours, filtering for the past day will cover all new data. + +## 2. Create a new rule and provide alert details. With the query in the query editor, select **Create detection rule** and specify the following alert details: @@ -67,36 +77,52 @@ With the query in the query editor, select **Create detection rule** and specify - **Category**—type of threat component or activity, if any. [Read about alert categories](alerts-queue.md#understanding-alert-categories) - **MITRE ATT&CK techniques**—one or more attack techniques identified by the rule as documented in the MITRE ATT&CK framework. This section is not available with certain alert categories, such as malware, ransomware, suspicious activity, and unwanted software - **Description**—more information about the component or activity identified by the rule -- **Recommended actions**—additional actions that responders might take in response to an alert +- **Recommended actions**—additional actions that responders might take in response to an alert For more information about how alert details are displayed, [read about the alert queue](alerts-queue.md). ### Rule frequency -When saved, a new or edited custom detection rule immediately runs and checks for matches from the past 30 days of data. The rule then runs again at fixed intervals and lookback durations based on the frequency you choose: + +When saved, a new custom detection rule immediately runs and checks for matches from the past 30 days of data. The rule then runs again at fixed intervals and lookback durations based on the frequency you choose: - **Every 24 hours**—runs every 24 hours, checking data from the past 30 days - **Every 12 hours**—runs every 12 hours, checking data from the past 24 hours - **Every 3 hours**—runs every 3 hours, checking data from the past 6 hours - **Every hour**—runs hourly, checking data from the past 2 hours +> [!TIP] +> Match the time filters in your query with the lookback duration. Results outside of the lookback duration are ignored. + Select the frequency that matches how closely you want to monitor detections, and consider your organization's capacity to respond to the alerts. -## 4. Specify actions on files or devices +## 3. Choose the impacted entities. + +Identify the columns in your query results where you expect to find the main affected or impacted entity. For example, a query might return both device and user IDs. Identifying which of these columns represent the main impacted entity helps the service aggregate relevant alerts, correlate incidents, and target response actions. + +You can select only one column for each entity type. Columns that are not returned by your query can't be selected. + +## 4. Specify actions. + Your custom detection rule can automatically take actions on files or devices that are returned by the query. ### Actions on devices + These actions are applied to devices in the `DeviceId` column of the query results: + - **Isolate device**—applies full network isolation, preventing the device from connecting to any application or service, except for the Microsoft Defender ATP service. [Learn more about device isolation](respond-machine-alerts.md#isolate-devices-from-the-network) - **Collect investigation package**—collects device information in a ZIP file. [Learn more about the investigation package](respond-machine-alerts.md#collect-investigation-package-from-devices) - **Run antivirus scan**—performs a full Microsoft Defender Antivirus scan on the device - **Initiate investigation**—starts an [automated investigation](automated-investigations.md) on the device ### Actions on files + These actions are applied to files in the `SHA1` or the `InitiatingProcessSHA1` column of the query results: + - **Allow/Block**—automatically adds the file to your [custom indicator list](manage-indicators.md) so that it is always allowed to run or blocked from running. You can set the scope of this action so that it is taken only on selected device groups. This scope is independent of the scope of the rule. - **Quarantine file**—deletes the file from its current location and places a copy in quarantine -## 5. Set the rule scope +## 5. Set the rule scope. + Set the scope to specify which devices are covered by the rule: - All devices @@ -104,12 +130,15 @@ Set the scope to specify which devices are covered by the rule: Only data from devices in scope will be queried. Also, actions will be taken only on those devices. -## 6. Review and turn on the rule +## 6. Review and turn on the rule. + After reviewing the rule, select **Create** to save it. The custom detection rule immediately runs. It runs again based on configured frequency to check for matches, generate alerts, and take response actions. +You can [view and manage custom detection rules](custom-detections-manage.md), check their previous runs, and review the alerts they have triggered. You can also run a rule on demand and modify it. ## Related topics -- [View and manage detection rules](custom-detections-manage.md) + +- [View and manage custom detection rules](custom-detections-manage.md) - [Custom detections overview](overview-custom-detections.md) - [Advanced hunting overview](advanced-hunting-overview.md) - [Learn the advanced hunting query language](advanced-hunting-query-language.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md index a92e2b43c4..b5679d1756 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md +++ b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md @@ -16,6 +16,9 @@ ms.custom: - next-gen - edr ms.date: 08/21/2020 +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint --- # Endpoint detection and response (EDR) in block mode diff --git a/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md b/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md index d8b5e85940..4d724bc3ca 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md @@ -13,7 +13,9 @@ author: dansimp ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint ms.topic: conceptual --- diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/ah-take-actions.png b/windows/security/threat-protection/microsoft-defender-atp/images/ah-take-actions.png new file mode 100644 index 0000000000..daf9714d6e Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/ah-take-actions.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/go-hunt-device.png b/windows/security/threat-protection/microsoft-defender-atp/images/go-hunt-device.png new file mode 100644 index 0000000000..71d8f65d88 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/go-hunt-device.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/go-hunt-event.png b/windows/security/threat-protection/microsoft-defender-atp/images/go-hunt-event.png new file mode 100644 index 0000000000..cf3c5d405a Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/go-hunt-event.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/go-hunt-evidence-url.png b/windows/security/threat-protection/microsoft-defender-atp/images/go-hunt-evidence-url.png new file mode 100644 index 0000000000..a489b3c7b9 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/go-hunt-evidence-url.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-event-timeline-device-hover.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-event-timeline-device-hover.png new file mode 100644 index 0000000000..6af1526538 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-event-timeline-device-hover.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-event-timeline-device-hover360.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-event-timeline-device-hover360.png new file mode 100644 index 0000000000..35c8dbc5f1 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-event-timeline-device-hover360.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-event-timeline-exposure-score350.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-event-timeline-exposure-score350.png new file mode 100644 index 0000000000..310f1cb878 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-event-timeline-exposure-score350.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-event-timeline-exposure-score400.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-event-timeline-exposure-score400.png deleted file mode 100644 index dd5df1eee4..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-event-timeline-exposure-score400.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts.md index 892f860dff..1b20360ecd 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts.md @@ -13,7 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint ms.topic: article ms.date: 04/24/2018 --- diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md index 0738fd810b..37ca52cd85 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md +++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md @@ -13,7 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint ms.topic: article --- diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-domain.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-domain.md index 65739231df..7bd899fd9b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/investigate-domain.md +++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-domain.md @@ -13,7 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint ms.topic: article ms.date: 04/24/2018 --- diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-files.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-files.md index 0c25dc5114..f5c2fcb4ce 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/investigate-files.md +++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-files.md @@ -13,7 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint ms.topic: article ms.date: 04/24/2018 --- diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md index 2c7b5a46cc..419b64c153 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md +++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md @@ -13,7 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint ms.topic: article --- diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-ip.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-ip.md index 5bcdb3f2c1..fb1109d764 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/investigate-ip.md +++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-ip.md @@ -13,7 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint ms.topic: article ms.date: 04/24/2018 --- diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md index 6e97ffcfa7..5419c76996 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md @@ -13,7 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint ms.topic: article --- diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-user.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-user.md index dd1a9f6766..7593f22e63 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/investigate-user.md +++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-user.md @@ -13,7 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint ms.topic: article ms.date: 04/24/2018 --- diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigation.md b/windows/security/threat-protection/microsoft-defender-atp/investigation.md index 6f499c34c0..87bac34185 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/investigation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/investigation.md @@ -12,7 +12,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint ms.topic: article --- diff --git a/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md b/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md index 95350170ab..abb45e662b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md +++ b/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md @@ -14,7 +14,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint ms.topic: conceptual --- diff --git a/windows/security/threat-protection/microsoft-defender-atp/ios-install.md b/windows/security/threat-protection/microsoft-defender-atp/ios-install.md index d4f6077795..be3fe61fbf 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/ios-install.md +++ b/windows/security/threat-protection/microsoft-defender-atp/ios-install.md @@ -14,7 +14,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint ms.topic: conceptual --- diff --git a/windows/security/threat-protection/microsoft-defender-atp/ios-privacy-statement.md b/windows/security/threat-protection/microsoft-defender-atp/ios-privacy-statement.md deleted file mode 100644 index f775848c86..0000000000 --- a/windows/security/threat-protection/microsoft-defender-atp/ios-privacy-statement.md +++ /dev/null @@ -1,58 +0,0 @@ ---- -title: Microsoft Defender ATP for iOS note on Privacy -ms.reviewer: -description: Describes the Microsoft Defender ATP for iOS Privacy -keywords: microsoft, defender, atp, iOS, license, terms, application, use, installation, service, feedback, scope, -search.product: eADQiWindows 10XVcnh -search.appverid: met150 -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: sunasing -author: sunasing -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: conceptual -hideEdit: true ---- - -# Microsoft Defender ATP for iOS note on Privacy - -[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - - -## What information can my organization see when I use Microsoft Defender ATP on iOS - -Your organization cannot see your personal information when you use Microsoft Defender ATP. Microsoft Defender ATP sends certain pieces of information from your device to the ATP portal, such as device threat level, device model, and serial number. Your organization uses this information to help protect you from web-based attacks. - -**What your organization can never see:** - -- Calling and web browsing history -- Email and text messages -- Contacts -- Calendar -- Passwords -- Pictures, including what's in the photos app or camera roll -- Files - -**What your organization can see:** - -- Malicious Connections that were blocked by Microsoft Defender ATP -- Device model, like iPhone 11 -- Operating system and version, like iOS 12.0.1 -- Device name -- Device serial number - -## VPN Usage - -Microsoft Defender ATP for iOS uses VPN in order to provide the Web Protection feature. This is not a regular VPN and is a local/self-looping VPN that does not take traffic outside the device. - -## More on Privacy - -[More information about Privacy](https://aka.ms/mdatpiosmainprivacystatement) - - - diff --git a/windows/security/threat-protection/microsoft-defender-atp/ios-privacy.md b/windows/security/threat-protection/microsoft-defender-atp/ios-privacy.md new file mode 100644 index 0000000000..1bef25da5f --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/ios-privacy.md @@ -0,0 +1,78 @@ +--- +title: Microsoft Defender ATP for iOS note on Privacy +ms.reviewer: +description: Describes the Microsoft Defender ATP for iOS Privacy +keywords: microsoft, defender, atp, iOS, license, terms, application, use, installation, service, feedback, scope, +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: sunasing +author: sunasing +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +hideEdit: true +--- + +# Microsoft Defender ATP for iOS - Privacy information + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for iOS](microsoft-defender-atp-ios.md) + +>[!NOTE] +> Microsoft Defender ATP for iOS uses a VPN in order to provide the Web Protection feature. This is not a regular VPN and is a local/self-looping VPN that does not take traffic outside the device. Microsoft or your organization **does not see your browsing activity**. + +Microsoft Defender ATP for iOS collects information from your configured iOS devices and stores it in the same tenant where you have Microsoft Defender ATP. + +Information is collected to help keep Microsoft Defender ATP for iOS secure, up-to-date, performing as expected and to support the service. + +## Required data + +Required data consists of data that is necessary to make Microsoft Defender ATP for iOS work as expected. This data is essential to the operation of the service and can include data related to the end user, organization, device, and apps. Here's a list of the types of data being collected: + +### Web page / Network information + +- Connection information +- Protocol type (such as HTTP, HTTPS, etc.) + +### Device and account information + +- Device information such as date & time, iOS version, CPU info, and Device identifier +- Device identifier is one of the below: + - Wi-Fi adapter MAC address + - Randomly generated globally unique identifier (GUID) + +- Tenant, Device, and User information + - Azure Active Directory (AD) Device ID and Azure User ID: Uniquely identifies the device, User respectively at Azure Active directory. + - Azure tenant ID - GUID that identifies your organization within Azure Active Directory + - Microsoft Defender ATP org ID - Unique identifier associated with the enterprise that the device belongs to. Allows Microsoft to identify whether issues are impacting a select set of enterprises and how many enterprises are impacted + - User Principal Name - Email ID of the user + +### Product and service usage data + +- App package info, including name, version, and app upgrade status +- Actions performed in the app +- Crash report logs generated by iOS +- Memory usage data + +## Optional data + +Optional data includes diagnostic data and feedback data from the client. Optional diagnostic data is additional data that helps us make product improvements and provides enhanced information to help us detect, diagnose, and fix issues. This data is only for diagnostic purposes and is not required for the service itself. + +Optional diagnostic data includes: + +- App, CPU, and network usage +- Features configured by the admin + +**Feedback Data** is collected through in-app feedback provided by the user. + +- The user's email address, if they choose to provide it +- Feedback type (smile, frown, idea) and any feedback comments submitted by the user + +[More on Privacy](https://aka.ms/mdatpiosprivacystatement) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/ios-terms.md b/windows/security/threat-protection/microsoft-defender-atp/ios-terms.md index 6969f1c941..39f57d1213 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/ios-terms.md +++ b/windows/security/threat-protection/microsoft-defender-atp/ios-terms.md @@ -14,7 +14,9 @@ author: sunasing ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint ms.topic: conceptual hideEdit: true --- diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-exclusions.md b/windows/security/threat-protection/microsoft-defender-atp/linux-exclusions.md index baf41c376e..8bee109c6f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-exclusions.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-exclusions.md @@ -13,7 +13,9 @@ author: dansimp ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint ms.topic: conceptual --- diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md index 9d3a0f6ab6..3012e87c2c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md @@ -14,7 +14,9 @@ author: dansimp ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint ms.topic: conceptual --- diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md index 4e622f504d..2cc5610a4c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md @@ -14,7 +14,9 @@ author: dansimp ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint ms.topic: conceptual --- diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md index a89c89272b..68fe2b6926 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md @@ -14,7 +14,9 @@ author: dansimp ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint ms.topic: conceptual --- diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-preferences.md b/windows/security/threat-protection/microsoft-defender-atp/linux-preferences.md index 22cebfbcda..e2944beb87 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-preferences.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-preferences.md @@ -14,7 +14,9 @@ author: dansimp ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint ms.topic: conceptual --- diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-pua.md b/windows/security/threat-protection/microsoft-defender-atp/linux-pua.md index 40ac81e1d0..58b9c14323 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-pua.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-pua.md @@ -13,7 +13,9 @@ author: dansimp ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint ms.topic: conceptual --- diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md b/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md index e79f91ce6c..7c779b7d9d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md @@ -14,7 +14,9 @@ author: dansimp ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint ms.topic: conceptual --- diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-static-proxy-configuration.md b/windows/security/threat-protection/microsoft-defender-atp/linux-static-proxy-configuration.md index d2df9ea151..d3b7796378 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-static-proxy-configuration.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-static-proxy-configuration.md @@ -14,7 +14,9 @@ author: dansimp ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint ms.topic: conceptual --- diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md index 81de10526e..3406767afa 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md @@ -14,7 +14,9 @@ author: dansimp ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint ms.topic: conceptual --- diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-install.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-install.md index 5453c8c205..15d0e69c78 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-install.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-install.md @@ -14,7 +14,9 @@ author: dansimp ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint ms.topic: conceptual --- diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md index e0c27b4a46..8390f37105 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md @@ -13,7 +13,9 @@ author: dansimp ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +mms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint ms.topic: conceptual --- diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-updates.md b/windows/security/threat-protection/microsoft-defender-atp/linux-updates.md index adc018682b..dd01c882b0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-updates.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-updates.md @@ -14,7 +14,9 @@ author: dansimp ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint ms.topic: conceptual --- diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-whatsnew.md b/windows/security/threat-protection/microsoft-defender-atp/linux-whatsnew.md index 302d9c6717..8e290c8ff5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-whatsnew.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-whatsnew.md @@ -13,7 +13,9 @@ author: dansimp ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint ms.topic: conceptual --- diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md b/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md index 2399987032..3eeb408c4d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md @@ -13,7 +13,9 @@ author: dansimp ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint ms.topic: conceptual --- diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-jamfpro-login.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-jamfpro-login.md index 49c40a09a3..59d65172e9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-jamfpro-login.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-jamfpro-login.md @@ -13,7 +13,9 @@ author: dansimp ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint ms.topic: conceptual --- diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md index db852ca545..3f720e90e8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md @@ -13,7 +13,9 @@ author: dansimp ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint ms.topic: conceptual --- diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md index d7a00dd754..a1fd86434f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md @@ -13,7 +13,9 @@ author: dansimp ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint ms.topic: conceptual --- @@ -195,7 +197,7 @@ To approve the system extensions: 9. As part of the Endpoint Detection and Response capabilities, Microsoft Defender ATP for Mac inspects socket traffic and reports this information to the Microsoft Defender Security Center portal. The following policy allows the network extension to perform this functionality. Download `netfilter.mobileconfig` from [our GitHub repository](https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mobileconfig/profiles/netfilter.mobileconfig), save it as netext.xml and deploy it using the same steps as in the previous sections. -10. To allow Defender and Auto Update to display notifications in UI on macOS 10.15 (Catalina), download `notif.mobileconfig` from [our GitHub repository](https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mobileconfig/profiles/notif.mobileconfig) and import it as a custom payload. +10. To allow Microsoft Defender ATP for Mac and Microsoft Auto Update to display notifications in UI on macOS 10.15 (Catalina), download `notif.mobileconfig` from [our GitHub repository](https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mobileconfig/profiles/notif.mobileconfig) and import it as a custom payload. 11. Select **Manage > Assignments**. In the **Include** tab, select **Assign to All Users & All devices**. diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md index f0d4ab8a8a..b02fdd72d5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md @@ -13,7 +13,9 @@ author: dansimp ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint ms.topic: conceptual --- diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-other-mdm.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-other-mdm.md index 1f4d373697..1e43a13d07 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-other-mdm.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-other-mdm.md @@ -13,7 +13,9 @@ author: maximvelichko ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint ms.topic: conceptual --- diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-device-groups.md b/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-device-groups.md index 0c869e76e4..04cb07cd04 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-device-groups.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-device-groups.md @@ -13,7 +13,9 @@ author: dansimp ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint ms.topic: conceptual --- diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-enroll-devices.md b/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-enroll-devices.md index fd353eceb3..ffd3980a4a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-enroll-devices.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-enroll-devices.md @@ -13,7 +13,9 @@ author: dansimp ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint ms.topic: conceptual --- diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md b/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md index 10411a985d..a56afd0ef7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md @@ -13,7 +13,9 @@ author: dansimp ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint ms.topic: conceptual --- diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md b/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md index a85c712b92..ec94cef29a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md @@ -13,7 +13,9 @@ author: dansimp ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint ms.topic: conceptual --- diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-privacy.md b/windows/security/threat-protection/microsoft-defender-atp/mac-privacy.md index 5bb254d10c..42d1a1e3fd 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-privacy.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-privacy.md @@ -13,7 +13,9 @@ author: dansimp ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint ms.topic: conceptual --- diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-pua.md b/windows/security/threat-protection/microsoft-defender-atp/mac-pua.md index e13d95555f..266a05a30f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-pua.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-pua.md @@ -13,7 +13,9 @@ author: dansimp ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint ms.topic: conceptual --- diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md b/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md index 2aafa7220d..83030035f2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md @@ -13,7 +13,9 @@ author: dansimp ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint ms.topic: conceptual --- @@ -44,6 +46,9 @@ If you can reproduce a problem, increase the logging level, run the system for s 3. Run `sudo mdatp diagnostic create` to back up Microsoft Defender ATP's logs. The files will be stored inside a .zip archive. This command will also print out the file path to the backup after the operation succeeds. + > [!TIP] + > By default, diagnostic logs are saved to `/Library/Application Support/Microsoft/Defender/wdavdiag/`. To change the directory where diagnostic logs are saved, pass `--path [directory]` to the below command, replacing `[directory]` with the desired directory. + ```bash sudo mdatp diagnostic create ``` @@ -97,7 +102,7 @@ Important tasks, such as controlling product settings and triggering on-demand s |Configuration|Turn on audit mode for PUA protection |`mdatp threat policy set --type potentially_unwanted_application -- action audit` | |Configuration|Turn on/off passiveMode |`mdatp config passive-mode --value enabled [enabled/disabled]` | |Diagnostics |Change the log level |`mdatp log level set --level [error/warning/info/verbose]` | -|Diagnostics |Generate diagnostic logs |`mdatp diagnostic create` | +|Diagnostics |Generate diagnostic logs |`mdatp diagnostic create --path [directory]` | |Health |Check the product's health |`mdatp health` | |Health |Check for a spefic product attribute |`mdatp health --field [attribute: healthy/licensed/engine_version...]` | |Protection |Scan a path |`mdatp scan custom --path [path]` | diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp.md b/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp.md index 5fde32aab8..fdad212625 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp.md @@ -13,7 +13,9 @@ author: dansimp ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint ms.topic: conceptual --- diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-support-install.md b/windows/security/threat-protection/microsoft-defender-atp/mac-support-install.md index feb636fd2d..f4a32380f3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-support-install.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-support-install.md @@ -13,7 +13,9 @@ author: dansimp ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint ms.topic: conceptual --- diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-support-kext.md b/windows/security/threat-protection/microsoft-defender-atp/mac-support-kext.md index f773e91875..d369e94d36 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-support-kext.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-support-kext.md @@ -13,7 +13,9 @@ author: dansimp ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint ms.topic: conceptual --- diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-support-license.md b/windows/security/threat-protection/microsoft-defender-atp/mac-support-license.md index 72cfd50ff0..a05f815303 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-support-license.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-support-license.md @@ -13,7 +13,9 @@ author: dansimp ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint ms.topic: conceptual --- diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md b/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md index 04cfb43c25..385a3fddb2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md @@ -13,7 +13,9 @@ author: dansimp ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint ms.topic: conceptual --- diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-policies.md b/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-policies.md index 24c22d7bd0..f53075c405 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-policies.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-policies.md @@ -13,7 +13,9 @@ author: dansimp ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint ms.topic: conceptual ROBOTS: noindex,nofollow --- @@ -62,7 +64,7 @@ As part of the Endpoint Detection and Response capabilities, Microsoft Defender >JAMF doesn’t have built-in support for content filtering policies, which are a pre-requisite for enabling the network extensions that Microsoft Defender ATP for Mac installs on the device. Furthermore, JAMF sometimes changes the content of the policies being deployed. >As such, the following steps provide a workaround that involve signing the configuration profile. -1. Save the following content to your device as `com.microsoft.network-extension.mobileconfig` +1. Save the following content to your device as `com.microsoft.network-extension.mobileconfig` using a text editor: ```xml @@ -125,21 +127,38 @@ As part of the Endpoint Detection and Response capabilities, Microsoft Defender ``` -2. Verify that the above file was copied correctly. From the Terminal, run the following command and verify that it outputs `OK`: +2. Verify that the above file was copied correctly by running the `plutil` utility in the Terminal: ```bash - $ plutil -lint com.microsoft.network-extension.mobileconfig - com.microsoft.network-extension.mobileconfig: OK + $ plutil -lint /com.microsoft.network-extension.mobileconfig ``` -3. Follow the instructions on [this page](https://www.jamf.com/jamf-nation/articles/649/creating-a-signing-certificate-using-jamf-pro-s-built-in-certificate-authority) to create a signing certificate using JAMF’s built-in certificate authority - -4. After the certificate is created and installed to your device, run the following command from the Terminal: + For example, if the file was stored in Documents: ```bash - $ security cms -S -N "" -i com.microsoft.network-extension.mobileconfig -o com.microsoft.network-extension.signed.mobileconfig + $ plutil -lint ~/Documents/com.microsoft.network-extension.mobileconfig ``` + + Verify that the command outputs `OK`. + + ```bash + /com.microsoft.network-extension.mobileconfig: OK + ``` + +3. Follow the instructions on [this page](https://www.jamf.com/jamf-nation/articles/649/creating-a-signing-certificate-using-jamf-pro-s-built-in-certificate-authority) to create a signing certificate using JAMF’s built-in certificate authority. +4. After the certificate is created and installed to your device, run the following command from the Terminal to sign the file: + + ```bash + $ security cms -S -N "" -i /com.apple.webcontent-filter.mobileconfig -o /com.microsoft.network-extension.signed.mobileconfig + ``` + + For example, if the certificate name is **SigningCertificate** and the signed file is going to be stored in Documents: + + ```bash + $ security cms -S -N "SigningCertificate" -i ~/Documents/com.apple.webcontent-filter.mobileconfig -o ~/Documents/com.microsoft.network-extension.signed.mobileconfig + ``` + 5. From the JAMF portal, navigate to **Configuration Profiles** and click the **Upload** button. Select `com.microsoft.network-extension.signed.mobileconfig` when prompted for the file. ## Intune diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-preview.md b/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-preview.md index 27ec242709..86a435cc65 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-preview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-preview.md @@ -13,7 +13,9 @@ author: dansimp ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint ms.topic: conceptual ROBOTS: noindex,nofollow --- diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-updates.md b/windows/security/threat-protection/microsoft-defender-atp/mac-updates.md index a356d8d895..740aaacb77 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-updates.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-updates.md @@ -13,7 +13,9 @@ author: dansimp ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint ms.topic: conceptual --- diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md b/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md index 7748721340..98c20cb71d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md @@ -13,7 +13,9 @@ author: dansimp ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint ms.topic: conceptual --- @@ -41,6 +43,21 @@ ms.topic: conceptual > 2. Refer to this documentation for detailed configuration information and instructions: [New configuration profiles for macOS Catalina and newer versions of macOS](mac-sysext-policies.md). > 3. Monitor this page for an announcement of the actual release of MDATP for Mac agent update. +## 101.09.50 + +- This product version has been validated on macOS Big Sur 11 beta 9 + + > [!IMPORTANT] + > Extensive testing of MDE (Microsoft Defender for Endpoint) with new macOS system extensions revealed an intermittent issue that impacts macOS devices with specific graphic cards models. In rare cases on impacted macOS devices calls into macOS system extensions were seen resulting in kernel panic. Microsoft is actively working with Apple engineering to clarify profile of impacted devices and to address this macOS issue. + +- The new syntax for the `mdatp` command-line tool is now the default one. For more information on the new syntax, see [Resources for Microsoft Defender ATP for Mac](mac-resources.md#configuring-from-the-command-line) + + > [!NOTE] + > The old command-line tool syntax will be removed from the product on **January 1st, 2021**. + +- Extended `mdatp diagnostic create` with a new parameter (`--path [directory]`) that allows the diagnostic logs to be saved to a different directory +- Performance improvements & bug fixes + ## 101.09.49 - User interface improvements to differentiate exclusions that are managed by the IT administrator versus exclusions defined by the local user diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine.md b/windows/security/threat-protection/microsoft-defender-atp/machine.md index e2bb55c2a6..233c410881 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/machine.md +++ b/windows/security/threat-protection/microsoft-defender-atp/machine.md @@ -41,7 +41,7 @@ Method|Return Type |Description [Add or Remove machine tags](add-or-remove-machine-tags.md) | [machine](machine.md) | Add or Remove tag to a specific machine. [Find machines by IP](find-machines-by-ip.md) | [machine](machine.md) collection | Find machines seen with IP. [Get missing KBs](get-missing-kbs-machine.md) | KB collection | Get a list of missing KBs associated with the machine ID -[Set device value](set-device-value.md)| [machine](machine.md) collection | Set the value of a device, See [threat and vulnerability management scenarios](threat-and-vuln-mgt-scenarios.md). +[Set device value](set-device-value.md)| [machine](machine.md) collection | Set the [value of a device](tvm-assign-device-value.md). ## Properties @@ -61,8 +61,8 @@ rbacGroupName | String | Machine group Name. rbacGroupId | Int | Machine group unique ID. riskScore | Nullable Enum | Risk score as evaluated by Microsoft Defender ATP. Possible values are: 'None', 'Low', 'Medium' and 'High'. exposureScore | Nullable Enum | [Exposure score](tvm-exposure-score.md) as evaluated by Microsoft Defender ATP. Possible values are: 'None', 'Low', 'Medium' and 'High'. -aadDeviceId | Nullable representation Guid | AAD Device ID (when [machine](machine.md) is Aad Joined). +aadDeviceId | Nullable representation Guid | AAD Device ID (when [machine](machine.md) is AAD Joined). machineTags | String collection | Set of [machine](machine.md) tags. exposureLevel | Nullable Enum | Exposure level as evaluated by Microsoft Defender ATP. Possible values are: 'None', 'Low', 'Medium' and 'High'. -deviceValue | Nullable Enum | The value of the device, See [threat and vulnerability management scenarios](threat-and-vuln-mgt-scenarios.md). Possible values are: 'Normal', 'Low' and 'High'. +deviceValue | Nullable Enum | The [value of the device](tvm-assign-device-value.md). Possible values are: 'Normal', 'Low' and 'High'. diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md b/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md index 116cc0e459..ab130cb910 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md @@ -13,7 +13,9 @@ author: denisebmsft ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint ms.topic: conceptual ms.date: 09/15/2020 --- diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-edr.md b/windows/security/threat-protection/microsoft-defender-atp/manage-edr.md index 1755204179..458c0798ce 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-edr.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-edr.md @@ -14,7 +14,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint ms.topic: conceptual --- diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md b/windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md index 05f77e6b94..04dc76e4e3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md @@ -13,9 +13,10 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint ms.topic: article -ms.date: 10/08/2018 --- # Manage Microsoft Defender ATP incidents diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-android.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-android.md index a382a8463d..4b4a872950 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-android.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-android.md @@ -14,7 +14,9 @@ author: dansimp ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint ms.topic: conceptual --- diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-ios.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-ios.md index ed5256954e..118ea48672 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-ios.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-ios.md @@ -14,7 +14,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint ms.topic: conceptual --- diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md index 1e0b400707..ea21452763 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md @@ -14,7 +14,9 @@ author: dansimp ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint ms.topic: conceptual --- diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md index 7d4487ffaf..06899fd04e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md @@ -14,7 +14,9 @@ author: dansimp ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint ms.topic: conceptual --- diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-security-center.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-security-center.md index ee826bd394..e04a02313b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-security-center.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-security-center.md @@ -13,7 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint ms.topic: conceptual --- diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md index 9831cb1cf8..4aed901842 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md @@ -14,7 +14,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint ms.topic: conceptual --- diff --git a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md index d934a67ccf..3e712cd6f9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md +++ b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md @@ -61,7 +61,7 @@ For detailed licensing information, see the [Product Terms site](https://www.mic For more information on the array of features in Windows 10 editions, see [Compare Windows 10 editions](https://www.microsoft.com/windowsforbusiness/compare). -For a detailed comparison table of Windows 10 commercial edition comparison, see the [comparison PDF](https://go.microsoft.com/fwlink/p/?linkid=2069559). +For a detailed comparison table of Windows 10 commercial edition comparison, see the [comparison PDF](https://wfbdevicemanagementprod.blob.core.windows.net/windowsforbusiness/Windows10_CommercialEdition_Comparison.pdf). ## Browser requirements Access to Microsoft Defender ATP is done through a browser, supporting the following browsers: @@ -80,12 +80,11 @@ Access to Microsoft Defender ATP is done through a browser, supporting the follo - Windows 7 SP1 Pro - Windows 8.1 Enterprise - Windows 8.1 Pro -- Windows 10, version 1607 or later - - Windows 10 Enterprise - - [Windows 10 Enterprise LTSC](https://docs.microsoft.com/windows/whats-new/ltsc/) - - Windows 10 Education - - Windows 10 Pro - - Windows 10 Pro Education +- Windows 10 Enterprise +- [Windows 10 Enterprise LTSC](https://docs.microsoft.com/windows/whats-new/ltsc/) +- Windows 10 Education +- Windows 10 Pro +- Windows 10 Pro Education - Windows server - Windows Server 2008 R2 SP1 - Windows Server 2012 R2 diff --git a/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md b/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md index a0f4515971..bfa0cb7041 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md +++ b/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md @@ -21,7 +21,6 @@ ms.topic: conceptual [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -42,63 +41,49 @@ Threat and vulnerability management is built in, real time, and cloud powered. I Vulnerability management is the first solution in the industry to bridge the gap between security administration and IT administration during remediation process. Create a security task or ticket by integrating with Microsoft Intune and Microsoft Endpoint Configuration Manager. -It provides the following solutions to frequently cited gaps across security operations, security administration, and IT administration workflows and communication: - -- Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities -- Linked device vulnerability and security configuration assessment data in the context of exposure discovery -- Built-in remediation processes through Microsoft Intune and Configuration Manager - ### Real-time discovery To discover endpoint vulnerabilities and misconfiguration, threat and vulnerability management uses the same agentless built-in Microsoft Defender ATP sensors to reduce cumbersome network scans and IT overhead. It also provides: -- Real-time device inventory. Devices onboarded to Microsoft Defender ATP automatically report and push vulnerability and security configuration data to the dashboard. -- Visibility into software and vulnerabilities. Optics into the organization's software inventory, and software changes like installations, uninstalls, and patches. Newly discovered vulnerabilities are reported with actionable mitigation recommendations for 1st and 3rd party applications. -- Application runtime context. Visibility on application usage patterns for better prioritization and decision-making. -- Configuration posture. Visibility into organizational security configuration or misconfigurations. Issues are reported in the dashboard with actionable security recommendations. +- **Real-time device inventory** - Devices onboarded to Microsoft Defender ATP automatically report and push vulnerability and security configuration data to the dashboard. +- **Visibility into software and vulnerabilities** - Optics into the organization's software inventory, and software changes like installations, uninstalls, and patches. Newly discovered vulnerabilities are reported with actionable mitigation recommendations for 1st and 3rd party applications. +- **Application runtime context** - Visibility on application usage patterns for better prioritization and decision-making. +- **Configuration posture** - Visibility into organizational security configuration or misconfigurations. Issues are reported in the dashboard with actionable security recommendations. ### Intelligence-driven prioritization -Threat and vulnerability management helps customers prioritize and focus on those weaknesses that pose the most urgent and the highest risk to the organization. Rather than using static prioritization by severity scores, threat and vulnerability management highlights the most critical weaknesses that need attention. It fuses security recommendations with dynamic threat and business context: +Threat and vulnerability management helps customers prioritize and focus on the weaknesses that pose the most urgent and the highest risk to the organization. It fuses security recommendations with dynamic threat and business context: -- Exposing emerging attacks in the wild. Through its advanced cyber data and threat analytics platform, threat and vulnerability management dynamically aligns the prioritization of its security recommendations. It focuses on vulnerabilities currently being exploited in the wild and emerging threats that pose the highest risk. -- Pinpointing active breaches. Microsoft Defender ATP correlates threat and vulnerability management and EDR insights to prioritize vulnerabilities being exploited in an active breach within the organization. -- Protecting high-value assets. Microsoft Defender ATP's integration with Azure Information Protection allows threat and vulnerability management to identify the exposed devices with business-critical applications, confidential data, or high-value users. +- **Exposing emerging attacks in the wild** - Dynamically aligns the prioritization of security recommendations. Threat and vulnerability management focuses on vulnerabilities currently being exploited in the wild and emerging threats that pose the highest risk. +- **Pinpointing active breaches** - Correlates threat and vulnerability management and EDR insights to prioritize vulnerabilities being exploited in an active breach within the organization. +- **Protecting high-value assets** - Identify the exposed devices with business-critical applications, confidential data, or high-value users. ### Seamless remediation -Microsoft Defender ATP's threat and vulnerability management capability allows security administrators and IT administrators to collaborate seamlessly to remediate issues. +Threat and vulnerability management allows security administrators and IT administrators to collaborate seamlessly to remediate issues. -- Remediation requests to IT. Through Microsoft Defender ATP's integration with Microsoft Intune and Microsoft Endpoint Configuration Manager, security administrators can create a remediation task in Microsoft Intune from the Security recommendation pages. We plan to expand this capability to other IT security management platforms. -- Alternate mitigations. Threat and vulnerability management provides insights on additional mitigations, such as configuration changes that can reduce risk associated with software vulnerabilities. -- Real-time remediation status. Microsoft Defender ATP provides real-time monitoring of the status and progress of remediation activities across the organization. +- **Remediation requests sent to IT** - Create a remediation task in Microsoft Intune from a specific security recommendation. We plan to expand this capability to other IT security management platforms. +- **Alternate mitigations** - Gain insights on additional mitigations, such as configuration changes that can reduce risk associated with software vulnerabilities. +- **Real-time remediation status** - Real-time monitoring of the status and progress of remediation activities across the organization. -## Reduce organizational risk with threat and vulnerability management +## Threat and vulnerability management walk-through Watch this video for a comprehensive walk-through of threat and vulnerability management. >[!VIDEO https://aka.ms/MDATP-TVM-Interactive-Guide] -## Before you begin +## Navigation pane -Ensure that your devices: - -- Are onboarded to Microsoft Defender Advanced Threat Protection -- Run [supported operating systems and platforms](tvm-supported-os.md) -- Have the following mandatory updates installed and deployed in your network to boost your vulnerability assessment detection rates: - -> Release | Security update KB number and link -> :---|:--- -> Windows 10 Version 1709 | [KB4493441](https://support.microsoft.com/help/4493441/windows-10-update-kb4493441) and [KB 4516071](https://support.microsoft.com/help/4516071/windows-10-update-kb4516071) -> Windows 10 Version 1803 | [KB4493464](https://support.microsoft.com/help/4493464) and [KB 4516045](https://support.microsoft.com/help/4516045/windows-10-update-kb4516045) -> Windows 10 Version 1809 | [KB 4516077](https://support.microsoft.com/help/4516077/windows-10-update-kb4516077) -> Windows 10 Version 1903 | [KB 4512941](https://support.microsoft.com/help/4512941/windows-10-update-kb4512941) - -- Are onboarded to [Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/what-is-intune) and [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection-configure). If you're using Configuration Manager, update your console to the latest version. -- Have at least one security recommendation that can be viewed in the device page -- Are tagged or marked as co-managed +Area | Description +:---|:--- +**Dashboard** | Get a high-level view of the organization exposure score, Microsoft Secure Score for Devices, device exposure distribution, top security recommendations, top vulnerable software, top remediation activities, and top exposed device data. +[**Security recommendations**](tvm-security-recommendation.md) | See the list of security recommendations and related threat information. When you select an item from the list, a flyout panel opens with vulnerability details, a link to open the software page, and remediation and exception options. You can also open a ticket in Intune if your devices are joined through Azure Active Directory and you've enabled your Intune connections in Microsoft Defender ATP. +[**Remediation**](tvm-remediation.md) | See remediation activities you've created and recommendation exceptions. +[**Software inventory**](tvm-software-inventory.md) | See the list of vulnerable software in your organization, along with weakness and threat information. +[**Weaknesses**](tvm-weaknesses.md) | See the list of common vulnerabilities and exposures (CVEs) in your organization. +[**Event timeline**](threat-and-vuln-mgt-event-timeline.md) | View events that may impact your organization's risk. ## APIs @@ -118,14 +103,4 @@ See the following articles for related APIs: - [Supported operating systems and platforms](tvm-supported-os.md) - [Threat and vulnerability management dashboard](tvm-dashboard-insights.md) -- [Exposure score](tvm-exposure-score.md) -- [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md) -- [Security recommendations](tvm-security-recommendation.md) -- [Remediation and exception](tvm-remediation.md) -- [Software inventory](tvm-software-inventory.md) -- [Weaknesses](tvm-weaknesses.md) -- [Event timeline](threat-and-vuln-mgt-event-timeline.md) -- [Scenarios](threat-and-vuln-mgt-scenarios.md) -- [APIs](next-gen-threat-and-vuln-mgt.md#apis) -- [Configure data access for threat and vulnerability management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) - [BLOG: Microsoft's Threat & Vulnerability Management now helps thousands of customers to discover, prioritize, and remediate vulnerabilities in real time](https://www.microsoft.com/security/blog/2019/07/02/microsofts-threat-vulnerability-management-now-helps-thousands-of-customers-to-discover-prioritize-and-remediate-vulnerabilities-in-real-time/) diff --git a/windows/security/threat-protection/microsoft-defender-atp/preview.md b/windows/security/threat-protection/microsoft-defender-atp/preview.md index e67120d349..4443433ac4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/preview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/preview.md @@ -13,7 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint ms.topic: conceptual --- @@ -21,6 +23,8 @@ ms.topic: conceptual [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] +>[!IMPORTANT] +>The preview versions are provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md b/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md index 38400901cd..078b9f44ba 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md +++ b/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md @@ -71,7 +71,7 @@ You'll use the access token to access the protected resource, which are detectio To get an access token, you'll need to do a POST request to the token issuing endpoint. Here is a sample request: -```syntax +```http POST /72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/token HTTP/1.1 Host: login.microsoftonline.com @@ -124,14 +124,14 @@ CloudCreatedMachineTags | string | Device tags that were created in Microsoft De ### Request example The following example demonstrates how to retrieve all the detections in your organization. -```syntax +```http GET https://wdatp-alertexporter-eu.windows.com/api/alerts Authorization: Bearer ``` The following example demonstrates a request to get the last 20 detections since 2016-09-12 00:00:00. -```syntax +```http GET https://wdatp-alertexporter-eu.windows.com/api/alerts?limit=20&sinceTimeUtc=2016-09-12T00:00:00.000 Authorization: Bearer ``` @@ -142,39 +142,60 @@ The return value is an array of alert objects in JSON format. Here is an example return value: ```json -{"AlertTime":"2017-01-23T07:32:54.1861171Z", -"ComputerDnsName":"desktop-bvccckk", -"AlertTitle":"Suspicious PowerShell commandline", -"Category":"SuspiciousActivity", -"Severity":"Medium", -"AlertId":"636207535742330111_-1114309685", -"Actor":null, -"LinkToWDATP":"https://securitycenter.windows.com/alert/636207535742330111_-1114309685", -"IocName":null, -"IocValue":null, -"CreatorIocName":null, -"CreatorIocValue":null, -"Sha1":"69484ca722b4285a234896a2e31707cbedc59ef9", -"FileName":"powershell.exe", -"FilePath":"C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", -"IpAddress":null, -"Url":null, -"IoaDefinitiondId":"7f1c3609-a3ff-40e2-995b-c01770161d68", -"UserName":null, -"AlertPart":0, -"FullId":"636207535742330111_-1114309685:9DE735BA9FF87725E392C6DFBEB2AF279035CDE229FCC00D28C0F3242C5A50AF", -"LastProcessedTimeUtc":"2017-01-23T11:33:45.0760449Z", -"ThreatCategory":null, -"ThreatFamily":null, -"ThreatName":null, -"RemediationAction":null, -"RemediationIsSuccess":null, -"Source":"Microsoft Defender ATP", -"Md5":null, -"Sha256":null, -"WasExecutingWhileDetected":null, -"FileHash":"69484ca722b4285a234896a2e31707cbedc59ef9", -"IocUniqueId":"9DE735BA9FF87725E392C6DFBEB2AF279035CDE229FCC00D28C0F3242C5A50AF"} +[ +{ + "AlertTime": "2020-09-30T14:09:20.35743Z", + "ComputerDnsName": "mymachine1.domain.com", + "AlertTitle": "Suspicious File Activity", + "Category": "Malware", + "Severity": "High", + "AlertId": "da637370718981685665_16349121", + "Actor": "", + "LinkToWDATP": "https://securitycenter.windows.com/alert/da637370718981685665_16349121", + "IocName": "", + "IocValue": "", + "CreatorIocName": "", + "CreatorIocValue": "", + "Sha1": "aabbccddee1122334455aabbccddee1122334455", + "FileName": "cmdParent.exe", + "FilePath": "C:\\WINDOWS\\SysWOW64\\boo3\\qwerty", + "IpAddress": "", + "Url": "", + "IoaDefinitionId": "b20af1d2-5990-4672-87f1-acc2a8ff7725", + "UserName": "", + "AlertPart": 0, + "FullId": "da637370718981685665_16349121:R4xEdgAvDb2LQl3BgHoA3NYqKmRSiIAG7dpxAJCYZhY=", + "LastProcessedTimeUtc": "2020-09-30T14:11:44.0779765Z", + "ThreatCategory": "", + "ThreatFamily": "", + "ThreatName": "", + "RemediationAction": "", + "RemediationIsSuccess": null, + "Source": "EDR", + "Md5": "854b85cbff2752fcb88606bca76f83c6", + "Sha256": "", + "WasExecutingWhileDetected": null, + "UserDomain": "", + "LogOnUsers": "", + "MachineDomain": "domain.com", + "MachineName": "mymachine1", + "InternalIPv4List": "", + "InternalIPv6List": "", + "FileHash": "aabbccddee1122334455aabbccddee1122334455", + "DeviceID": "deadbeef000040830ee54503926f556dcaf82bb0", + "MachineGroup": "", + "Description": "Test Alert", + "DeviceCreatedMachineTags": "", + "CloudCreatedMachineTags": "", + "CommandLine": "", + "IncidentLinkToWDATP": "https://securitycenter.windows.com/incidents/byalert?alertId=da637370718981685665_16349121&source=SIEM", + "ReportID": 1053729833, + "LinkToMTP": "https://security.microsoft.com/alert/da637370718981685665_16349121", + "IncidentLinkToMTP": "https://security.microsoft.com/incidents/byalert?alertId=da637370718981685665_16349121&source=SIEM", + "ExternalId": "31DD0A845DDA4059FDEDE031014645350AECABD3", + "IocUniqueId": "R4xEdgAvDb2LQl3BgHoA3NYqKmRSiIAG7dpxAJCYZhY=" +} +] ``` ## Code examples diff --git a/windows/security/threat-protection/microsoft-defender-atp/review-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/review-alerts.md index b956165700..55fe2974c7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/review-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/review-alerts.md @@ -11,7 +11,9 @@ author: danihalfin ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint ms.topic: conceptual ms.date: 5/1/2020 --- diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md index a902dc094d..1d8c035b5c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md +++ b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md @@ -29,7 +29,9 @@ ms.topic: article ## Limitations 1. You can only run a query on data from the last 30 days. 2. The results will include a maximum of 100,000 rows. -3. The number of executions is limited per tenant: up to 10 calls per minute, 10 minutes of running time every hour and 4 hours of running time a day. +3. The number of executions is limited per tenant: + - API calls: Up to 15 calls per minute + - Execution time: 10 minutes of running time every hour and 4 hours of running time a day 4. The maximal execution time of a single request is 10 minutes. 5. 429 response will represent reaching quota limit either by number of requests or by CPU. The 429 response body will also indicate the time until the quota is renewed. diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md b/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md index 257fb9494d..a40530476f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md +++ b/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md @@ -13,7 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint ms.topic: article --- diff --git a/windows/security/threat-protection/microsoft-defender-atp/set-device-value.md b/windows/security/threat-protection/microsoft-defender-atp/set-device-value.md index 65012f7ca0..4aab887418 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/set-device-value.md +++ b/windows/security/threat-protection/microsoft-defender-atp/set-device-value.md @@ -28,7 +28,7 @@ ms.topic: article ## API description Set the device value of a specific [Machine](machine.md).
    -See [threat and vulnerability management scenarios](threat-and-vuln-mgt-scenarios.md) for more information. +See [assign device values](tvm-assign-device-value.md) for more information. ## Limitations diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md b/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md index caf55924e5..bdb20dff52 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md @@ -14,7 +14,9 @@ author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint ms.topic: article --- diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-event-timeline.md b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-event-timeline.md index 3ad5cff1e5..9bdcb3b301 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-event-timeline.md +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-event-timeline.md @@ -13,7 +13,9 @@ author: levinec ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint ms.topic: conceptual --- # Event timeline - threat and vulnerability management @@ -28,35 +30,30 @@ ms.topic: conceptual Event timeline is a risk news feed that helps you interpret how risk is introduced into the organization through new vulnerabilities or exploits. You can view events that may impact your organization's risk. For example, you can find new vulnerabilities that were introduced, vulnerabilities that became exploitable, exploit that was added to an exploit kit, and more. -Event timeline also tells the story of your [exposure score](tvm-exposure-score.md) so you can determine the cause of large changes. Reduce you exposure score by addressing what needs to be remediated based on the prioritized [security recommendations](tvm-security-recommendation.md). +Event timeline also tells the story of your [exposure score](tvm-exposure-score.md) and [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md) so you can determine the cause of large changes. Events can impact your devices or your score for devices. Reduce you exposure by addressing what needs to be remediated based on the prioritized [security recommendations](tvm-security-recommendation.md). ## Navigate to the Event timeline page -You can access Event timeline mainly through three ways: +There are also three entry points from the [threat and vulnerability management dashboard](tvm-dashboard-insights.md): -- In the threat and vulnerability management navigation menu in the Microsoft Defender Security Center -- Top events card in the [threat and vulnerability management dashboard](tvm-dashboard-insights.md). The highest impact events (for example, affect the most devices or critical vulnerabilities) -- Hovering over the Exposure Score graph in the [threat and vulnerability management dashboard](tvm-dashboard-insights.md) +- **Organization exposure score card**: Hover over the event dots in the "Exposure Score over time" graph and select "See all events from this day." The events represent software vulnerabilities. +- **Microsoft Secure Score for Devices**: Hover over the event dots in the "Your score for devices over time" graph and select "See all events from this day." The events represent new configuration assessments. +- **Top events card**: Select "Show more" at the bottom of the top events table. The card displays the three most impactful events in the last 7 days. Impactful events can include if the event affects a large number of devices, or if it is a critical vulnerability. -### Navigation menu +### Exposure score and Microsoft Secure Score for Devices graphs -Go to the threat and vulnerability management navigation menu and select **Event timeline** to view impactful events. +In the threat and vulnerability management dashboard, hover over the Exposure score graph to view top software vulnerability events from that day that impacted your devices. Hover over the Microsoft Secure Score for Devices graph to view new security configuration assessments that affect your score. -### Top events card +If there are no events that affect your devices or your score for devices, then none will be shown. -In the threat and vulnerability management dashboard, the "Top events" card displays the three most impactful events in the last 7 days. Select **Show more** to go to the Event timeline page. +![Exposure score hover](images/tvm-event-timeline-exposure-score350.png) +![Microsoft Secure Score for Devices hover](images/tvm-event-timeline-device-hover360.png) -![Event timeline page](images/tvm-top-events-card.png) - -### Exposure score graph - -In the threat and vulnerability management dashboard, hover over the Exposure score graph to view top events from that day that impacted your devices. If there are no events, then none will be shown. - -![Event timeline page](images/tvm-event-timeline-exposure-score400.png) +### Drill down to events from that day Selecting **Show all events from this day** takes you to the Event timeline page with a custom date range for that day. -![Event timeline page](images/tvm-event-timeline-drilldown.png) +![Event timeline selected custom date range](images/tvm-event-timeline-drilldown.png) Select **Custom range** to change the date range to another custom one, or a pre-set time range. @@ -76,9 +73,6 @@ The two large numbers at the top of the page show the number of new vulnerabilit ![Event timeline page](images/tvm-event-timeline-overview-mixed-type.png) ->[!NOTE] ->Event type called "New configuration assessment" coming soon. - ### Columns - **Date**: month, day, year @@ -91,6 +85,7 @@ The two large numbers at the top of the page show the number of new vulnerabilit - Exploit was verified - New public exploit - New vulnerability + - New configuration assessment - **Score trend**: exposure score trend ### Icons @@ -100,7 +95,7 @@ The following icons show up next to events: - ![bug icon](images/tvm-black-bug-icon.png) New public exploit - ![report warning icon](images/report-warning-icon.png) New vulnerability was published - ![exploit kit](images/bug-lightning-icon2.png) Exploit found in exploit kit -- ![bug icon](images/bug-caution-icon2.png) Exploit verified +- ![bug icon with warning icon](images/bug-caution-icon2.png) Exploit verified ### Drill down to a specific event @@ -110,7 +105,7 @@ The arrow below "score trend" helps you determine whether this event potentially ![Event timeline flyout](images/tvm-event-timeline-flyout500.png) -From there, select **Go to related security recommendation** view the recommendation that addresses the new software vulnerability in the [security recommendations page](tvm-security-recommendation.md). After reading the description and vulnerability details in the security recommendation, you can [submit a remediation request](tvm-security-recommendation.md#request-remediation), and track the request in the [remediation page](tvm-remediation.md). +From there, select **Go to related security recommendation** view the recommendation that addresses the new software vulnerability in the [security recommendations page](tvm-security-recommendation.md). After reading the description and vulnerability details in the security recommendation, you can submit a remediation request, and track the request in the [remediation page](tvm-remediation.md). ## View Event timelines in software pages @@ -127,17 +122,9 @@ Navigate to the event timeline tab to view all the events related to that softwa ## Related topics - [Threat and vulnerability management overview](next-gen-threat-and-vuln-mgt.md) -- [Supported operating systems and platforms](tvm-supported-os.md) -- [Threat and vulnerability management dashboard](tvm-dashboard-insights.md) +- [Dashboard](tvm-dashboard-insights.md) - [Exposure score](tvm-exposure-score.md) -- [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md) - [Security recommendations](tvm-security-recommendation.md) -- [Remediation and exception](tvm-remediation.md) +- [Remediate vulnerabilities](tvm-remediation.md) - [Software inventory](tvm-software-inventory.md) -- [Weaknesses](tvm-weaknesses.md) -- [Event timeline](threat-and-vuln-mgt-event-timeline.md) -- [Scenarios](threat-and-vuln-mgt-scenarios.md) -- [APIs](next-gen-threat-and-vuln-mgt.md#apis) -- [Configure data access for threat and vulnerability management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) -- [Advanced hunting overview](overview-hunting.md) -- [All advanced hunting tables](advanced-hunting-reference.md) + diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-assign-device-value.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-assign-device-value.md new file mode 100644 index 0000000000..9c96e86336 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-assign-device-value.md @@ -0,0 +1,67 @@ +--- +title: Assign device value - threat and vulnerability management +description: Learn how to assign a low, normal, or high value to a device to help you differentiate between asset priorities. +keywords: microsoft defender atp device value, threat and vulnerability management device value, high value devices, device value exposure score +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: ellevin +author: levinec +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint +ms.topic: article +--- + +# Assign device value - threat and vulnerability management + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) + +[!include[Prerelease information](../../includes/prerelease.md)] + +Defining a device’s value helps you differentiate between asset priorities. The device value is used to incorporate the risk appetite of an individual asset into the threat and vulnerability management exposure score calculation. Devices assigned as “high value” will receive more weight. + +You can also use the [set device value API](set-device-value.md). + +Device value options: + +- Low +- Normal (Default) +- High + +Examples of devices that should be assigned a high value: + +- Domain controllers, Active Directory +- Internet facing devices +- VIP devices +- Devices hosting internal/external production services + +## Choose device value + +1. Navigate to any device page, the easiest place is from the device inventory. + +2. Select **Device value** from three dots next to the actions bar at the top of the page. + ![Example of the device value dropdown.](images/tvm-device-value-dropdown.png) + +

    + +3. A flyout will appear with the current device value and what it means. Review the value of the device and choose the one that best fits your device. +![Example of the device value flyout.](images/tvm-device-value-flyout.png) + +## Related topics + +- [Threat and vulnerability management overview](next-gen-threat-and-vuln-mgt.md) +- [APIs](next-gen-threat-and-vuln-mgt.md#apis) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md index 00d85e1d60..14b16d1a11 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md @@ -1,5 +1,5 @@ --- -title: Threat and vulnerability management dashboard insights +title: Dashboard insights - threat and vulnerability management description: The threat and vulnerability management dashboard can help SecOps and security admins address cybersecurity threats and build their organization's security resilience. keywords: mdatp-tvm, mdatp-tvm dashboard, threat & vulnerability management, threat and vulnerability management, risk-based threat & vulnerability management, security configuration, Microsoft Secure Score for Devices, exposure score search.appverid: met150 @@ -13,14 +13,15 @@ author: levinec ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint ms.topic: conceptual --- -# Threat and vulnerability management dashboard insights +# Dashboard insights - threat and vulnerability management [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -47,24 +48,10 @@ Watch this video for a quick overview of what is in the threat and vulnerability >[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4r1nv] -## Threat and vulnerability management in Microsoft Defender Security Center +## Threat and vulnerability management dashboard ![Microsoft Defender Advanced Threat Protection portal](images/tvm-dashboard-devices.png) -You can navigate through the portal using the menu options available in all sections. Refer to the following tables for a description of each section. - -## Threat and vulnerability management navigation pane - -Area | Description -:---|:--- -**Dashboard** | Get a high-level view of the organization exposure score, Microsoft Secure Score for Devices, device exposure distribution, top security recommendations, top vulnerable software, top remediation activities, and top exposed device data. -[**Security recommendations**](tvm-security-recommendation.md) | See the list of security recommendations, their related components, whether software or software versions in your network have reached end-of-support, insights, number or exposed devices, impact, and request for remediation. When you select an item from the list, a flyout panel opens with vulnerability details, a link to open the software page, and remediation and exception options. You can also open a ticket in Intune if your devices are joined through Azure Active Directory and you've enabled your Intune connections in Microsoft Defender ATP. -[**Remediation**](tvm-remediation.md) | See the remediation activity, related component, remediation type, status, due date, option to export the remediation and process data to CSV, and active exceptions. -[**Software inventory**](tvm-software-inventory.md) | See the list of software, versions, weaknesses, whether there's an exploit found on the software, whether the software or software version has reached end-of-support, prevalence in the organization, how many were installed, how many exposed devices there are, and the numerical value of the impact. You can select each item in the list and opt to open the software page that shows the associated vulnerabilities, misconfigurations, affected device, version distribution details, and missing KBs (security updates). -[**Weaknesses**](tvm-weaknesses.md) | See the list of common vulnerabilities and exposures, the severity, the common vulnerability scoring system (CVSS) V3 score, related software, age, when it was published, related threat alerts, and how many exposed devices there are. You can select each item in the list to see a flyout panel with the vulnerability description and other details. - -## Threat and vulnerability management dashboard - Area | Description :---|:--- **Selected device groups (#/#)** | Filter the threat and vulnerability management data you want to see in the dashboard and cards by device groups. What you select in the filter applies throughout the threat and vulnerability management pages. @@ -81,14 +68,9 @@ For more information on the icons used throughout the portal, see [Microsoft Def ## Related topics - [Threat and vulnerability management overview](next-gen-threat-and-vuln-mgt.md) -- [Supported operating systems and platforms](tvm-supported-os.md) - [Exposure score](tvm-exposure-score.md) - [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md) - [Security recommendations](tvm-security-recommendation.md) -- [Remediation and exception](tvm-remediation.md) - [Software inventory](tvm-software-inventory.md) -- [Weaknesses](tvm-weaknesses.md) - [Event timeline](threat-and-vuln-mgt-event-timeline.md) -- [Scenarios](threat-and-vuln-mgt-scenarios.md) -- [APIs](next-gen-threat-and-vuln-mgt.md#apis) -- [Configure data access for threat and vulnerability management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group) + diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-end-of-support-software.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-end-of-support-software.md new file mode 100644 index 0000000000..cbc9cc0924 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-end-of-support-software.md @@ -0,0 +1,70 @@ +--- +title: Plan for end-of-support software and software versions +description: Discover and plan for software and software versions that are no longer supported and won't receive security updates. +keywords: threat and vulnerability management, mdatp tvm security recommendation, cybersecurity recommendation, actionable security recommendation +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: ellevin +author: levinec +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint +ms.topic: conceptual +--- +# Plan for end-of-support software and software versions with threat and vulnerability management + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Threat and vulnerability management](next-gen-threat-and-vuln-mgt.md) + +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) + +End-of-support (EOS), otherwise known as end-of-life (EOL), for software or software versions means that they will no longer be supported or serviced, and will not receive security updates. When you use software or software versions with ended support, you're exposing your organization to security vulnerabilities, legal, and financial risks. + +It's crucial for Security and IT Administrators to work together and ensure that the organization's software inventory is configured for optimal results, compliance, and a healthy network ecosystem. They should examine the options to remove or replace apps that have reached end-of-support and update versions that are no longer supported. It's best to create and implement a plan **before** the end of support dates. + +## Find software or software versions that are no longer supported + +1. From the threat and vulnerability management menu, navigate to [**Security recommendations**](tvm-security-recommendation.md). +2. Go to the **Filters** panel and look for the tags section. Select one or more of the EOS tag options. Then **Apply**. + + ![Screenshot tags that say EOS software, EOS versions, and Upcoming EOS versions.](images/tvm-eos-tag.png) + +3. You'll see a list of recommendations related to software with ended support, software versions that are end of support, or versions with upcoming end of support. These tags are also visible in the [software inventory](tvm-software-inventory.md) page. + + ![Recommendations with EOS tag.](images/tvm-eos-tags-column.png) + +## List of versions and dates + +To view a list of versions that have reached end of support, or end or support soon, and those dates, follow the below steps: + +1. A message will appear in the security recommendation flyout for software with versions that have reached end of support, or will reach end of support soon. + + ![Screenshot of version distribution link.](images/eos-upcoming-eos.png) + +2. Select the **version distribution** link to go to the software drill-down page. There, you can see a filtered list of versions with tags identifying them as end of support, or upcoming end of support. + + ![Screenshot of software drilldown page with end of support software.](images/software-drilldown-eos.png) + +3. Select one of the versions in the table to open. For example, version 10.0.18362.1. A flyout will appear with the end of support date. + + ![Screenshot of end of support date.](images/version-eos-date.png) + +Once you identify which software and software versions are vulnerable due to their end-of-support status, you must decide whether to update or remove them from your organization. Doing so will lower your organizations exposure to vulnerabilities and advanced persistent threats. + +## Related topics + +- [Threat and vulnerability management overview](next-gen-threat-and-vuln-mgt.md) +- [Security recommendations](tvm-security-recommendation.md) +- [Software inventory](tvm-software-inventory.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-exception.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-exception.md new file mode 100644 index 0000000000..8b0dad82a1 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-exception.md @@ -0,0 +1,97 @@ +--- +title: Create and view exceptions for security recommendations - threat and vulnerability management +description: Create and monitor exceptions for security recommendations in threat and vulnerability management. +keywords: microsoft defender atp tvm remediation, mdatp tvm, threat and vulnerability management, threat & vulnerability management, threat & vulnerability management remediation, tvm remediation intune, tvm remediation sccm +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: ellevin +author: levinec +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint +ms.topic: conceptual +--- +# Create and view exceptions for security recommendations - threat and vulnerability management + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + +**Applies to:** +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Threat and vulnerability management](next-gen-threat-and-vuln-mgt.md) + +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) + +Sometimes, you may not be able to take the remediation steps suggested by a security recommendation. If that is the case, threat and vulnerability management gives you an avenue to create an exception. + +When an exception is created for a recommendation, the recommendation is no longer active. The recommendation state changes to **Exception**, and no longer shows up in the security recommendations list. + +## Create an exception + +1. Go to the threat and vulnerability management navigation menu in the Microsoft Defender Security Center, and select [**Security recommendations**](tvm-security-recommendation.md). + +2. Select a security recommendation you would like to create an exception for, and then **Exception options**. +![Showing where the button for "exception options" is location in a security recommendation flyout.](images/tvm-exception-option.png) + +3. Select your justification for the exception you need to file instead of remediating the security recommendation in question. Fill out the justification context, then set the exception duration. + + The following list details the justifications behind the exception options: + + - **Third party control** - A third party product or software already addresses this recommendation + - Choosing this justification type will lower your exposure score and increase you secure score because your risk is reduced + - **Alternate mitigation** - An internal tool already addresses this recommendation + - Choosing this justification type will lower your exposure score and increase you secure score because your risk is reduced + - **Risk accepted** - Poses low risk and/or implementing the recommendation is too expensive + - **Planned remediation (grace)** - Already planned but is awaiting execution or authorization + +4. Select **Submit**. A confirmation message at the top of the page indicates that the exception has been created. + +## View your exceptions + +When you file for an exception from the security recommendations page, you create an exception for that security recommendation. You can file exceptions to exclude certain recommendation from showing up in reports and affecting your [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md). + +The exceptions you've filed will show up in the **Remediation** page, in the **Exceptions** tab. You can filter your view based on exception justification, type, and status. + +![Example of the exception page and filter options.](images/tvm-exception-filters.png) + +### Exception actions and statuses + +Once an exception exists, you can cancel it at any time by going to the exception in the **Remediation** page and selecting **Cancel exception**. + +The following statuses will be a part of an exception: + +- **Canceled** - The exception has been canceled and is no longer in effect +- **Expired** - The exception that you've filed is no longer in effect +- **In effect** - The exception that you've filed is in progress + +### Exception impact on scores + +Creating an exception can potentially affect the Exposure Score (for both types of weaknesses) and Microsoft Secure Score for Devices of your organization in the following manner: + +- **No impact** - Removes the recommendation from the lists (which can be reverse through filters), but will not affect the scores. +- **Mitigation-like impact** - As if the recommendation was mitigated (and scores will be adjusted accordingly) when you select it as a compensating control. +- **Hybrid** - Provides visibility on both No impact and Mitigation-like impact. It shows both the Exposure Score and Microsoft Secure Score for Devices results out of the exception option that you made. + +The exception impact shows on both the Security recommendations page column and in the flyout pane. + +![Screenshot identifying the impact sections which list score impacts in the full page security recommendations table, and the flyout.](images/tvm-exception-impact.png) + +### View exceptions in other places + +Select **Show exceptions** at the bottom of the **Top security recommendations** card in the dashboard. It will open a filtered view in the **Security recommendations** page of recommendations with an "Exception" status. + +![Screenshot of Show exceptions link in the Top security recommendations card in the dashboard.](images/tvm-exception-dashboard.png) + +## Related topics + +- [Threat and vulnerability management overview](next-gen-threat-and-vuln-mgt.md) +- [Remediate vulnerabilities](tvm-remediation.md) +- [Security recommendations](tvm-security-recommendation.md) +- [Exposure score](tvm-exposure-score.md) +- [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md index 28da6b8c57..f4e3899906 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md @@ -13,7 +13,9 @@ author: levinec ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint ms.topic: conceptual --- # Exposure score - threat and vulnerability management @@ -63,14 +65,6 @@ Lower your threat and vulnerability exposure by remediating [security recommenda ## Related topics - [Threat and vulnerability management overview](next-gen-threat-and-vuln-mgt.md) -- [Supported operating systems and platforms](tvm-supported-os.md) -- [Threat and vulnerability management dashboard](tvm-dashboard-insights.md) - [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md) - [Security recommendations](tvm-security-recommendation.md) -- [Remediation and exception](tvm-remediation.md) -- [Software inventory](tvm-software-inventory.md) -- [Weaknesses](tvm-weaknesses.md) - [Event timeline](threat-and-vuln-mgt-event-timeline.md) -- [Scenarios](threat-and-vuln-mgt-scenarios.md) -- [APIs](next-gen-threat-and-vuln-mgt.md#apis) -- [Configure data access for threat and vulnerability management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-hunt-exposed-devices.md similarity index 56% rename from windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md rename to windows/security/threat-protection/microsoft-defender-atp/tvm-hunt-exposed-devices.md index 85d599cd64..9ed8b6cbca 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-hunt-exposed-devices.md @@ -1,5 +1,5 @@ --- -title: Scenarios - threat and vulnerability management +title: Hunt for exposed devices description: Learn how threat and vulnerability management can be used to help security admins, IT admins, and SecOps collaborate. keywords: mdatp-tvm scenarios, mdatp, tvm, tvm scenarios, reduce threat & vulnerability exposure, reduce threat and vulnerability, improve security configuration, increase Microsoft Secure Score for Devices, increase threat & vulnerability Microsoft Secure Score for Devices, Microsoft Secure Score for Devices, exposure score, security controls search.product: eADQiWindows 10XVcnh @@ -13,24 +13,37 @@ author: levinec ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint ms.topic: article --- -# Scenarios - threat and vulnerability management +# Hunt for exposed devices - threat and vulnerability management [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) -[!include[Prerelease information](../../includes/prerelease.md)] +## Use advanced hunting to find devices with vulnerabilities -## Use advanced hunting query to search for devices with High active alerts or critical CVE public exploit +Advanced hunting is a query-based threat-hunting tool that lets you explore up to 30 days of raw data. You can proactively inspect events in your network to locate threat indicators and entities. The flexible access to data enables unconstrained hunting for both known and potential threats. [Learn more about advanced hunting](advanced-hunting-overview.md) + +### Schema tables + +- [DeviceTvmSoftwareInventoryVulnerabilities](advanced-hunting-devicetvmsoftwareinventoryvulnerabilities-table.md) - Inventory of software on devices as well as any known vulnerabilities in these software products + +- [DeviceTvmSoftwareVulnerabilitiesKB](advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md) - Knowledge base of publicly disclosed vulnerabilities, including whether exploit code is publicly available + +- [DeviceTvmSecureConfigurationAssessment](advanced-hunting-devicetvmsecureconfigurationassessment-table.md) - Threat & Vulnerability Management assessment events, indicating the status of various security configurations on devices + +- [DeviceTvmSecureConfigurationAssessmentKB](advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md) - Knowledge base of various security configurations used by Threat & Vulnerability Management to assess devices; includes mappings to various standards and benchmarks + +## Check which devices are involved in high severity alerts 1. Go to **Advanced hunting** from the left-hand navigation pane of the Microsoft Defender Security Center. @@ -53,50 +66,10 @@ DeviceName=any(DeviceName) by DeviceId, AlertId ``` -## Define a device's value to the organization - -Defining a device’s value helps you differentiate between asset priorities. The device value is used to incorporate the risk appetite of an individual asset into the threat and vulnerability management exposure score calculation. Devices marked as “high value” will receive more weight. - -You can also use the [set device value API](set-device-value.md). - -Device value options: - -- Low -- Normal (Default) -- High - -Examples of devices that should be marked as high value: - -- Domain controllers, Active Directory -- Internet facing devices -- VIP devices -- Devices hosting internal/external production services - -### Set device value - -1. Navigate to any device page, the easiest place is from the device inventory. - -2. Select **Device Value** from three dots next to the actions bar at the top of the page. - ![Example of the device value dropdown.](images/tvm-device-value-dropdown.png) - -

    - -3. A flyout will appear with the current device value and what it means. Review the value of the device and choose the one that best fits your device. -![Example of the device value flyout.](images/tvm-device-value-flyout.png) - - ## Related topics - [Threat and vulnerability management overview](next-gen-threat-and-vuln-mgt.md) -- [Supported operating systems and platforms](tvm-supported-os.md) -- [Threat and vulnerability management dashboard](tvm-dashboard-insights.md) -- [Exposure score](tvm-exposure-score.md) -- [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md) - [Security recommendations](tvm-security-recommendation.md) -- [Remediation and exception](tvm-remediation.md) -- [Software inventory](tvm-software-inventory.md) -- [Weaknesses](tvm-weaknesses.md) -- [Event timeline](threat-and-vuln-mgt-event-timeline.md) - [APIs](next-gen-threat-and-vuln-mgt.md#apis) - [Configure data access for threat and vulnerability management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) - [Advanced hunting overview](overview-hunting.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-microsoft-secure-score-devices.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-microsoft-secure-score-devices.md index ad687089f9..f388e2ec91 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-microsoft-secure-score-devices.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-microsoft-secure-score-devices.md @@ -1,5 +1,5 @@ --- -title: Overview of Microsoft Secure Score for Devices in Microsoft Defender Security Center +title: Microsoft Secure Score for Devices description: Your score for devices shows the collective security configuration state of your devices across application, operating system, network, accounts, and security controls. keywords: Microsoft Secure Score for Devices, mdatp Microsoft Secure Score for Devices, secure score, configuration score, threat and vulnerability management, security controls, improvement opportunities, security configuration score over time, security posture, baseline search.product: eADQiWindows 10XVcnh @@ -13,7 +13,9 @@ author: levinec ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint ms.topic: conceptual --- # Microsoft Secure Score for Devices @@ -98,13 +100,6 @@ Improve your security configuration by remediating issues from the security reco ## Related topics - [Threat and vulnerability management overview](next-gen-threat-and-vuln-mgt.md) -- [Supported operating systems and platforms](tvm-supported-os.md) -- [Threat and vulnerability management dashboard](tvm-dashboard-insights.md) +- [Dashboard](tvm-dashboard-insights.md) - [Exposure score](tvm-exposure-score.md) - [Security recommendations](tvm-security-recommendation.md) -- [Remediation and exception](tvm-remediation.md) -- [Software inventory](tvm-software-inventory.md) -- [Weaknesses](tvm-weaknesses.md) -- [Scenarios](threat-and-vuln-mgt-scenarios.md) -- [APIs](next-gen-threat-and-vuln-mgt.md#apis) -- [Configure data access for threat and vulnerability management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-prerequisites.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-prerequisites.md new file mode 100644 index 0000000000..437ee5c49d --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-prerequisites.md @@ -0,0 +1,73 @@ +--- +title: Prerequisites & permissions - threat and vulnerability management +description: Before you begin using threat and vulnerability management, make sure you have the relevant configurations and permissions. +keywords: threat & vulnerability management permissions prerequisites, threat and vulnerability management permissions prerequisites, MDATP TVM permissions prerequisites, vulnerability management +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: ellevin +author: levinec +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +--- + +# Prerequisites & permissions - threat and vulnerability management + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) + +Ensure that your devices: + +- Are onboarded to Microsoft Defender Advanced Threat Protection +- Run [supported operating systems and platforms](tvm-supported-os.md) +- Have the following mandatory updates installed and deployed in your network to boost your vulnerability assessment detection rates: + +> Release | Security update KB number and link +> :---|:--- +> Windows 10 Version 1709 | [KB4493441](https://support.microsoft.com/help/4493441/windows-10-update-kb4493441) and [KB 4516071](https://support.microsoft.com/help/4516071/windows-10-update-kb4516071) +> Windows 10 Version 1803 | [KB4493464](https://support.microsoft.com/help/4493464) and [KB 4516045](https://support.microsoft.com/help/4516045/windows-10-update-kb4516045) +> Windows 10 Version 1809 | [KB 4516077](https://support.microsoft.com/help/4516077/windows-10-update-kb4516077) +> Windows 10 Version 1903 | [KB 4512941](https://support.microsoft.com/help/4512941/windows-10-update-kb4512941) + +- Are onboarded to [Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/what-is-intune) and [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection-configure). If you're using Configuration Manager, update your console to the latest version. +- Have at least one security recommendation that can be viewed in the device page +- Are tagged or marked as co-managed + +## Relevant permission options + +1. Log in to Microsoft Defender Security Center using account with a Security administrator or Global administrator role assigned. +2. In the navigation pane, select **Settings > Roles**. + +For more information, see [Create and manage roles for role-based access control](user-roles.md) + +### View data + +- **Security operations** - View all security operations data in the portal +- **Threat and vulnerability management** - View threat and vulnerability management data in the portal + +### Active remediation actions + +- **Security operations** - Take response actions, approve or dismiss pending remediation actions, manage allowed/blocked lists for automation and indicators +- **Threat and vulnerability management - Exception handling** - Create new exceptions and manage active exceptions +- **Threat and vulnerability management - Remediation handling** - Submit new remediation requests, create tickets, and manage existing remediation activities + +For more information, see [RBAC permission options](user-roles.md#permission-options) + +## Related articles + +- [Threat and vulnerability management overview](next-gen-threat-and-vuln-mgt.md) +- [Supported operating systems and platforms](tvm-supported-os.md) +- [Assign device value](tvm-assign-device-value.md) +- [Threat and vulnerability management dashboard](tvm-dashboard-insights.md) + diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md index 3a45c885e5..441e815647 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md @@ -1,5 +1,5 @@ --- -title: Remediation activities and exceptions - threat and vulnerability management +title: Remediate vulnerabilities with threat and vulnerability management description: Remediate security weaknesses discovered through security recommendations, and create exceptions if needed, in threat and vulnerability management. keywords: microsoft defender atp tvm remediation, mdatp tvm, threat and vulnerability management, threat & vulnerability management, threat & vulnerability management remediation, tvm remediation intune, tvm remediation sccm search.product: eADQiWindows 10XVcnh @@ -13,36 +13,60 @@ author: levinec ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint ms.topic: conceptual --- -# Remediation activities and exceptions - threat and vulnerability management +# Remediate vulnerabilities with threat and vulnerability management [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) +## Request remediation + +The threat and vulnerability management capability in Microsoft Defender ATP bridges the gap between Security and IT administrators through the remediation request workflow. Security admins like you can request for the IT Administrator to remediate a vulnerability from the **Security recommendation** pages to Intune. + +### Enable Microsoft Intune connection + +To use this capability, enable your Microsoft Intune connections. In the Microsoft Defender Security Center, navigate to **Settings** > **General** > **Advanced features**. Scroll down and look for **Microsoft Intune connection**. By default, the toggle is turned off. Turn your **Microsoft Intune connection** toggle **On**. + +See [Use Intune to remediate vulnerabilities identified by Microsoft Defender ATP](https://docs.microsoft.com/intune/atp-manage-vulnerabilities) for details. + +### Remediation request steps + +1. Go to the threat and vulnerability management navigation menu in the Microsoft Defender Security Center, and select [**Security recommendations**](tvm-security-recommendation.md). + +2. Select a security recommendation you would like to request remediation for, and then select **Remediation options**. + +3. Fill out the form, including what you are requesting remediation for, priority, due date, and optional notes. Select **Submit request**. Submitting a remediation request creates a remediation activity item within threat and vulnerability management, which can be used for monitoring the remediation progress for this recommendation. This will not trigger a remediation or apply any changes to devices. + +4. Notify your IT Administrator about the new request and have them log into Intune to approve or reject the request and start a package deployment. + +5. Go to the [**Remediation**](tvm-remediation.md) page to view the status of your remediation request. + +If you want to check how the ticket shows up in Intune, see [Use Intune to remediate vulnerabilities identified by Microsoft Defender ATP](https://docs.microsoft.com/intune/atp-manage-vulnerabilities) for details. + >[!NOTE] ->To use this capability, enable your Microsoft Intune connections. Navigate to **Settings** > **General** > **Advanced features**. Scroll down and look for **Microsoft Intune connection**. By default, the toggle is turned off. Turn your **Microsoft Intune connection** toggle on. +>If your request involves remediating more than 10,000 devices, we can only send 10,000 devices for remediation to Intune. After your organization's cybersecurity weaknesses are identified and mapped to actionable [security recommendations](tvm-security-recommendation.md), start creating security tasks. You can create tasks through the integration with Microsoft Intune where remediation tickets are created. Lower your organization's exposure from vulnerabilities and increase your security configuration by remediating the security recommendations. -## Navigate to the Remediation page +## View your remediation activities -You can access the Remediation page a few different ways: +When you submit a remediation request from the Security recommendations page, it kicks-off a remediation activity. A security task is created that can be tracked in the threat and vulnerability management **Remediation** page, and a remediation ticket is created in Microsoft Intune. -- Threat and vulnerability management navigation menu in the [Microsoft Defender Security Center](portal-overview.md) -- Top remediation activities card in the [threat and vulnerability management dashboard](tvm-dashboard-insights.md) +Once you are in the Remediation page, select the remediation activity that you want to view. You can follow the remediation steps, track progress, view the related recommendation, export to CSV, or mark as complete. +![Example of the Remediation page, with a selected remediation activity, and that activity's flyout listing the description, IT service and device management tools, and device remediation progress.](images/remediation_flyouteolsw.png) -### Navigation menu - -Go to the threat and vulnerability management navigation menu and select **Remediation**. It will open the list of remediation activities and exceptions found in your organization. +>[!NOTE] +> There is a 180 day retention period for completed remediation activities. To keep the Remediation page performing optimally, the remediation activity will be removed 6 months after its completion. ### Top remediation activities in the dashboard @@ -50,63 +74,8 @@ View **Top remediation activities** in the [threat and vulnerability management ![Example of Top remediation activities card with a table that lists top activities that were generated from security recommendations.](images/tvm-remediation-activities-card.png) -## Remediation activities - -When you [submit a remediation request](tvm-security-recommendation.md#request-remediation) from the [Security recommendations page](tvm-security-recommendation.md), it kicks-off a remediation activity. A security task is created that can be tracked in the threat and vulnerability management **Remediation** page, and a remediation ticket is created in Microsoft Intune. - -Once you are in the Remediation page, select the remediation activity that you want to view. You can follow the remediation steps, track progress, view the related recommendation, export to CSV, or mark as complete. -![Example of the Remediation page, with a selected remediation activity, and that activity's flyout listing the description, IT service and device management tools, and device remediation progress.](images/remediation_flyouteolsw.png) - -## Exceptions - -When you [file for an exception](tvm-security-recommendation.md#file-for-exception) from the [Security recommendations page](tvm-security-recommendation.md), you create an exception for that security recommendation. You can file exceptions to exclude certain recommendation from showing up in reports and affecting your [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md). - -The exceptions you've filed will show up in the **Remediation** page, in the **Exceptions** tab. You can filter your view based on exception justification, type, and status. - -![Example of the exception page and filter options.](images/tvm-exception-filters.png) - -### Exception actions and statuses - -You can take the following actions on an exception: - -- Cancel - You can cancel the exceptions you've filed anytime -- Resurface - Your exception automatically becomes void and resurfaces in the security recommendation list when dynamic environmental factors change. It adversely affects the exposure impact associated with a recommendation that had previously been excluded. - -The following statuses will be a part of an exception: - -- **Canceled** - The exception has been canceled and is no longer in effect -- **Expired** - The exception that you've filed is no longer in effect -- **In effect** - The exception that you've filed is in progress - -### Exception impact on scores - -Creating an exception can potentially affect the Exposure Score (for both types of weaknesses) and Microsoft Secure Score for Devices of your organization in the following manner: - -- **No impact** - Removes the recommendation from the lists (which can be reverse through filters), but will not affect the scores. -- **Mitigation-like impact** - As if the recommendation was mitigated (and scores will be adjusted accordingly) when you select it as a compensating control. -- **Hybrid** - Provides visibility on both No impact and Mitigation-like impact. It shows both the Exposure Score and Microsoft Secure Score for Devices results out of the exception option that you made. - -The exception impact shows on both the Security recommendations page column and in the flyout pane. - -![Screenshot identifying the impact sections which list score impacts in the full page security recommendations table, and the flyout.](images/tvm-exception-impact.png) - -### View exceptions in other places - -Select **Show exceptions** at the bottom of the **Top security recommendations** card in the dashboard. It will open a filtered view in the **Security recommendations** page of recommendations with an "Exception" status. - -![Screenshot of Show exceptions link in the Top security recommendations card in the dashboard.](images/tvm-exception-dashboard.png) - -## Related topics +## Related articles - [Threat and vulnerability management overview](next-gen-threat-and-vuln-mgt.md) -- [Supported operating systems and platforms](tvm-supported-os.md) -- [Threat and vulnerability management dashboard](tvm-dashboard-insights.md) -- [Exposure score](tvm-exposure-score.md) -- [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md) -- [Security recommendations](tvm-security-recommendation.md) -- [Software inventory](tvm-software-inventory.md) -- [Weaknesses](tvm-weaknesses.md) -- [Event timeline](threat-and-vuln-mgt-event-timeline.md) -- [Scenarios](threat-and-vuln-mgt-scenarios.md) -- [APIs](next-gen-threat-and-vuln-mgt.md#apis) -- [Configure data access for threat and vulnerability management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) +- [Dashboard](tvm-dashboard-insights.md) +- [Security recommendations](tvm-security-recommendation.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md index a64042be50..caf6675ddd 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md @@ -13,17 +13,19 @@ author: levinec ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint ms.topic: conceptual --- # Security recommendations - threat and vulnerability management [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Threat and vulnerability management](next-gen-threat-and-vuln-mgt.md) >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) @@ -77,7 +79,7 @@ The color of the **Exposed devices** graph changes as the trend changes. If the ### Icons -Useful icons also quickly call your attention to: +Useful icons also quickly call your attention to: - ![arrow hitting a target](images/tvm_alert_icon.png) possible active alerts - ![red bug](images/tvm_bug_icon.png) associated public exploits - ![light bulb](images/tvm_insight_icon.png) recommendation insights @@ -92,71 +94,20 @@ From the flyout, you can choose any of the following options: - **Open software page** - Open the software page to get more context on the software and how it's distributed. The information can include threat context, associated recommendations, weaknesses discovered, number of exposed devices, discovered vulnerabilities, names and detailed of devices with the software installed, and version distribution. -- [**Remediation options**](tvm-security-recommendation.md#request-remediation) - Submit a remediation request to open a ticket in Microsoft Intune for your IT Administrator to pick up and address. +- [**Remediation options**](tvm-remediation.md) - Submit a remediation request to open a ticket in Microsoft Intune for your IT Administrator to pick up and address. -- [**Exception options**](tvm-security-recommendation.md#file-for-exception) - Submit an exception, provide justification, and set exception duration if you can't remediate the issue yet. +- [**Exception options**](tvm-exception.md) - Submit an exception, provide justification, and set exception duration if you can't remediate the issue yet. >[!NOTE] >When a change is made on a device, it typically takes two hours for the data to be reflected in the Microsoft Defender Security Center. However, it may sometimes take longer. -### Investigate changes in machine exposure or impact +### Investigate changes in device exposure or impact -If there is a large jump in the number of exposed machines, or a sharp increase in the impact on your organization exposure score and configuration score, then that security recommendation is worth investigating. +If there is a large jump in the number of exposed devices, or a sharp increase in the impact on your organization exposure score and Microsoft Secure Score for Devices, then that security recommendation is worth investigating. 1. Select the recommendation and **Open software page** 2. Select the **Event timeline** tab to view all the impactful events related to that software, such as new vulnerabilities or new public exploits. [Learn more about event timeline](threat-and-vuln-mgt-event-timeline.md) -3. Decide how to address the increase or your organization's exposure, such as submitting a remediation request - -## Request remediation - -The threat and vulnerability management capability in Microsoft Defender ATP bridges the gap between Security and IT administrators through the remediation request workflow. Security admins like you can request for the IT Administrator to remediate a vulnerability from the **Security recommendation** pages to Intune. - -### Enable Microsoft Intune connection - -To use this capability, enable your Microsoft Intune connections. In the Microsoft Defender Security Center, navigate to **Settings** > **General** > **Advanced features**. Scroll down and look for **Microsoft Intune connection**. By default, the toggle is turned off. Turn your **Microsoft Intune connection** toggle **On**. - -See [Use Intune to remediate vulnerabilities identified by Microsoft Defender ATP](https://docs.microsoft.com/intune/atp-manage-vulnerabilities) for details. - -### Remediation request steps - -1. Select a security recommendation you would like to request remediation for, and then select **Remediation options**. - -2. Fill out the form, including what you are requesting remediation for, priority, due date, and optional notes. Select **Submit request**. Submitting a remediation request creates a remediation activity item within threat and vulnerability management, which can be used for monitoring the remediation progress for this recommendation. This will not trigger a remediation or apply any changes to devices. - -3. Notify your IT Administrator about the new request and have them log into Intune to approve or reject the request and start a package deployment. - -4. Go to the [**Remediation**](tvm-remediation.md) page to view the status of your remediation request. - -If you want to check how the ticket shows up in Intune, see [Use Intune to remediate vulnerabilities identified by Microsoft Defender ATP](https://docs.microsoft.com/intune/atp-manage-vulnerabilities) for details. - ->[!NOTE] ->If your request involves remediating more than 10,000 devices, we can only send 10,000 devices for remediation to Intune. - -## File for exception - -As an alternative to a remediation request, you can create exceptions for recommendations. - -There are many reasons why organizations create exceptions for a recommendation. For example, if there's a business justification that prevents the company from applying the recommendation, the existence of a compensating or alternative control that provides as much protection than the recommendation would, a false positive, among other reasons. - -When an exception is created for a recommendation, the recommendation is no longer active. The recommendation state changes to **Exception**, and it no longer shows up in the security recommendations list. - -1. Select a security recommendation you would like to create an exception for, and then **Exception options**. -![Showing where the button for "exception options" is location in a security recommendation flyout.](images/tvm-exception-option.png) - -2. Select your justification for the exception you need to file instead of remediating the security recommendation in question. Fill out the justification context, then set the exception duration. - - The following list details the justifications behind the exception options: - - - **Third party control** - A third party product or software already addresses this recommendation - - Choosing this justification type will lower your exposure score and increase you secure score because your risk is reduced - - **Alternate mitigation** - An internal tool already addresses this recommendation - - Choosing this justification type will lower your exposure score and increase you secure score because your risk is reduced - - **Risk accepted** - Poses low risk and/or implementing the recommendation is too expensive - - **Planned remediation (grace)** - Already planned but is awaiting execution or authorization - -3. Select **Submit**. A confirmation message at the top of the page indicates that the exception has been created. - -4. Navigate to the [**Remediation**](tvm-remediation.md) page under the **Threat and vulnerability management** menu and select the **Exceptions** tab to view all your exceptions (current and past). +3. Decide how to address the increase or your organization's exposure, such as submitting a remediation request. ## Report inaccuracy @@ -172,52 +123,12 @@ You can report a false positive when you see any vague, inaccurate, incomplete, 4. Select **Submit**. Your feedback is immediately sent to the threat and vulnerability management experts. -## Find and remediate software or software versions which have reached end-of-support (EOS) - -End-of-support (otherwise known as end-of-life) for software or software versions means that they will no longer be supported or serviced, and will not receive security updates. When you use software or software versions with ended support, you're exposing your organization to security vulnerabilities, legal, and financial risks. - -It's crucial for Security and IT Administrators to work together and ensure that the organization's software inventory is configured for optimal results, compliance, and a healthy network ecosystem. They should examine the options to remove or replace apps that have reached end-of-support and update versions that are no longer supported. It's best to create and implement a plan **before** the end of support dates. - -To find software or software versions that are no longer supported: - -1. From the threat and vulnerability management menu, navigate to **Security recommendations**. -2. Go to the **Filters** panel and look for the tags section. Select one or more of the EOS tag options. Then **Apply**. - - ![Screenshot tags that say EOS software, EOS versions, and Upcoming EOS versions](images/tvm-eos-tag.png) - -3. You'll see a list of recommendations related to software with ended support, software versions that are end of support, or versions with upcoming end of support. These tags are also visible in the [software inventory](tvm-software-inventory.md) page. - - ![Screenshot tags that say EOS software, EOS versions, and Upcoming EOS versions](images/tvm-eos-tags-column.png) - -### List of versions and dates - -To view a list of versions that have reached end of support, or end or support soon, and those dates, follow the below steps: - -1. A message will appear in the security recommendation flyout for software with versions that have reached end of support, or will reach end of support soon. - - ![Screenshot of version distribution link](images/eos-upcoming-eos.png) - -2. Select the **version distribution** link to go to the software drill-down page. There, you can see a filtered list of versions with tags identifying them as end of support, or upcoming end of support. - - ![Screenshot of version distribution link](images/software-drilldown-eos.png) - -3. Select one of the versions in the table to open. For example, version 10.0.18362.1. A flyout will appear with the end of support date. - - ![Screenshot of version distribution link](images/version-eos-date.png) - -Once you identify which software and software versions are vulnerable due to their end-of-support status, you must decide whether to update or remove them from your organization. Doing so will lower your organizations exposure to vulnerabilities and advanced persistent threats. - -## Related topics +## Related articles - [Threat and vulnerability management overview](next-gen-threat-and-vuln-mgt.md) -- [Supported operating systems and platforms](tvm-supported-os.md) -- [Threat and vulnerability management dashboard](tvm-dashboard-insights.md) +- [Dashboard](tvm-dashboard-insights.md) - [Exposure score](tvm-exposure-score.md) - [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md) -- [Remediation and exception](tvm-remediation.md) -- [Software inventory](tvm-software-inventory.md) -- [Weaknesses](tvm-weaknesses.md) +- [Remediate vulnerabilities](tvm-remediation.md) +- [Create and view exceptions for security recommendations](tvm-exception.md) - [Event timeline](threat-and-vuln-mgt-event-timeline.md) -- [Scenarios](threat-and-vuln-mgt-scenarios.md) -- [APIs](next-gen-threat-and-vuln-mgt.md#apis) -- [Configure data access for threat and vulnerability management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md index 215f2fc19c..064ca53844 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md @@ -13,20 +13,22 @@ author: levinec ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint ms.topic: conceptual --- # Software inventory - threat and vulnerability management [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Threat and vulnerability management](next-gen-threat-and-vuln-mgt.md) >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) -The software inventory in threat and vulnerability management is a list of all the software in your organization. It also includes details such as the name of the vendor, number of weaknesses, threats, and number of exposed devices. +The software inventory in threat and vulnerability management is a list of all the software in your organization with known vulnerabilities. It also includes details such as the name of the vendor, number of weaknesses, threats, and number of exposed devices. ## How it works @@ -40,6 +42,9 @@ Access the Software inventory page by selecting **Software inventory** from the View software on specific devices in the individual devices pages from the [devices list](machines-view-overview.md). +>[!NOTE] +>If you search for software using the Microsoft Defender ATP global search, make sure to put an underscore instead of a space. For example, for the best search results you'd write "windows_10" instead of "Windows 10". + ## Software inventory overview The **Software inventory** page opens with a list of software installed in your network, including the vendor name, weaknesses found, threats associated with them, exposed devices, impact to exposure score, and tags. You can filter the list view based on weaknesses found in the software, threats associated with them, and whether the software or software versions have reached end-of-support. @@ -83,17 +88,9 @@ Report a false positive when you see any vague, inaccurate, or incomplete inform 3. From the flyout pane, select the inaccuracy category from the drop-down menu, fill in your email address, and details about the inaccuracy. 4. Select **Submit**. Your feedback is immediately sent to the threat and vulnerability management experts. -## Related topics +## Related articles - [Threat and vulnerability management overview](next-gen-threat-and-vuln-mgt.md) -- [Supported operating systems and platforms](tvm-supported-os.md) -- [Threat and vulnerability management dashboard](tvm-dashboard-insights.md) -- [Exposure score](tvm-exposure-score.md) -- [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md) - [Security recommendations](tvm-security-recommendation.md) -- [Remediation and exception](tvm-remediation.md) -- [Weaknesses](tvm-weaknesses.md) - [Event timeline](threat-and-vuln-mgt-event-timeline.md) -- [Scenarios](threat-and-vuln-mgt-scenarios.md) -- [APIs](next-gen-threat-and-vuln-mgt.md#apis) -- [Configure data access for threat and vulnerability management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) +- [View and organize the Microsoft Defender ATP Devices list](machines-view-overview.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md index 0b2eca42e4..8802d9cf10 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md @@ -1,7 +1,7 @@ --- title: Supported operating systems and platforms for threat and vulnerability management -description: Before you begin, ensure that you meet the operating system or platform requisites for threat and vulnerability management so the activities in your all devices are properly accounted for. -keywords: threat & vulnerability management, threat and vulnerability management, operating system, platform requirements, prerequisites, mdatp-tvm supported os, mdatp-tvm, risk-based threat & vulnerability management, security configuration, Microsoft Secure Score for Devices, exposure score +description: Ensure that you meet the operating system or platform requisites for threat and vulnerability management, so the activities in your all devices are properly accounted for. +keywords: threat & vulnerability management, threat and vulnerability management, operating system, platform requirements, prerequisites, mdatp-tvm supported os, mdatp-tvm, search.appverid: met150 search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -13,7 +13,9 @@ author: levinec ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint ms.topic: article --- # Supported operating systems and platforms - threat and vulnerability management @@ -24,6 +26,7 @@ ms.topic: article **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Threat and vulnerability management](next-gen-threat-and-vuln-mgt.md) >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) @@ -45,17 +48,7 @@ Windows Server 2019 | Operating System (OS) vulnerabilities
    Software product macOS 10.13 "High Sierra" and above | Operating System (OS) vulnerabilities
    Software product vulnerabilities Linux | Not supported (planned) -## Related topics +## Related articles - [Threat and vulnerability management overview](next-gen-threat-and-vuln-mgt.md) -- [Threat and vulnerability management dashboard](tvm-dashboard-insights.md) -- [Exposure score](tvm-exposure-score.md) -- [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md) -- [Security recommendations](tvm-security-recommendation.md) -- [Remediation and exception](tvm-remediation.md) -- [Software inventory](tvm-software-inventory.md) -- [Weaknesses](tvm-weaknesses.md) -- [Event timeline](threat-and-vuln-mgt-event-timeline.md) -- [Scenarios](threat-and-vuln-mgt-scenarios.md) -- [APIs](next-gen-threat-and-vuln-mgt.md#apis) -- [Configure data access for threat and vulnerability management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group) +- [Prerequisites & permissions](tvm-prerequisites.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md index 4f2cc260b4..ae152f9f21 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md @@ -1,5 +1,5 @@ --- -title: Weaknesses found by threat and vulnerability management +title: Vulnerabilities in my organization - threat and vulnerability management description: Lists the common vulnerabilities and exposures (CVE) ID of weaknesses found in the software running in your organization. Discovered by the Microsoft Defender ATP threat and vulnerability management capability. keywords: mdatp threat & vulnerability management, threat and vulnerability management, mdatp tvm weaknesses page, finding weaknesses through tvm, tvm vulnerability list, vulnerability details in tvm search.product: eADQiWindows 10XVcnh @@ -13,22 +13,24 @@ author: levinec ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint ms.topic: conceptual --- -# Weaknesses found by threat and vulnerability management +# Vulnerabilities in my organization - threat and vulnerability management [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Threat and vulnerability management](next-gen-threat-and-vuln-mgt.md) >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) Threat and vulnerability management uses the same signals in Microsoft Defender ATP's endpoint protection to scan and detect vulnerabilities. -The **Weaknesses** page lists down the vulnerabilities found in the infected software running in your organization by listing the Common Vulnerabilities and Exposures (CVE) ID. You can also view the severity, Common Vulnerability Scoring System (CVSS) rating, prevalence in your organization, corresponding breach, threat insights, and more. +The **Weaknesses** page lists the software vulnerabilities your devices are exposed to by listing the Common Vulnerabilities and Exposures (CVE) ID. You can also view the severity, Common Vulnerability Scoring System (CVSS) rating, prevalence in your organization, corresponding breach, threat insights, and more. >[!NOTE] >If there is no official CVE-ID assigned to a vulnerability, the vulnerability name is assigned by threat and vulnerability management. @@ -68,7 +70,7 @@ Remediate the vulnerabilities in exposed devices to reduce the risk to your asse ### Breach and threat insights -View related breach and threat insights in the **Threat** column when the icons are colored red. +View any related breach and threat insights in the **Threat** column when the icons are colored red. >[!NOTE] > Always prioritize recommendations that are associated with ongoing threats. These recommendations are marked with the threat insight icon ![Simple drawing of a red bug.](images/tvm_bug_icon.png) and breach insight icon ![Simple drawing of an arrow hitting a target.](images/tvm_alert_icon.png). @@ -76,13 +78,13 @@ View related breach and threat insights in the **Threat** column when the icons The breach insights icon is highlighted if there's a vulnerability found in your organization. ![Example of a breach insights text that could show up when hovering over icon. This one says "possible active alert is associated with this recommendation.](images/tvm-breach-insights.png) -The threat insights icon is highlighted if there are associated exploits in the vulnerability found in your organization. Hovering over the icon shows whether the threat is a part of an exploit kit, or connected to specific advanced persistent campaigns or activity groups. When available, there is a link to a Threat Analytics report with zero-day exploitation news, disclosures, or related security advisories. +The threat insights icon is highlighted if there are associated exploits in the vulnerability found in your organization. Hovering over the icon shows whether the threat is a part of an exploit kit, or connected to specific advanced persistent campaigns or activity groups. When available, there's a link to a Threat Analytics report with zero-day exploitation news, disclosures, or related security advisories. ![Threat insights text that that could show up when hovering over icon. This one has multiple bullet points and linked text.](images/tvm-threat-insights.png) ### Gain vulnerability insights -If you select a CVE, a flyout panel will open with more information, including the vulnerability description, details, threat insights, and exposed devices. +If you select a CVE, a flyout panel will open with more information such as the vulnerability description, details, threat insights, and exposed devices. The "OS Feature" category is shown in relevant scenarios. @@ -135,17 +137,9 @@ Report a false positive when you see any vague, inaccurate, or incomplete inform 3. Select the inaccuracy category from the drop-down menu and fill in your email address and inaccuracy details. 4. Select **Submit**. Your feedback is immediately sent to the threat and vulnerability management experts. -## Related topics +## Related articles - [Threat and vulnerability management overview](next-gen-threat-and-vuln-mgt.md) -- [Supported operating systems and platforms](tvm-supported-os.md) -- [Threat and vulnerability management dashboard](tvm-dashboard-insights.md) -- [Exposure score](tvm-exposure-score.md) -- [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md) - [Security recommendations](tvm-security-recommendation.md) -- [Remediation and exception](tvm-remediation.md) - [Software inventory](tvm-software-inventory.md) -- [Event timeline](threat-and-vuln-mgt-event-timeline.md) -- [Scenarios](threat-and-vuln-mgt-scenarios.md) -- [APIs](next-gen-threat-and-vuln-mgt.md#apis) -- [Configure data access for threat and vulnerability management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) +- [View and organize the Microsoft Defender ATP Devices list](machines-view-overview.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md index 2f6aaf198d..38c6bd4b37 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md @@ -13,7 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint ms.topic: conceptual --- diff --git a/windows/security/threat-protection/wannacrypt-ransomware-worm-targets-out-of-date-systems-wdsi.md b/windows/security/threat-protection/wannacrypt-ransomware-worm-targets-out-of-date-systems-wdsi.md deleted file mode 100644 index 387aca9327..0000000000 --- a/windows/security/threat-protection/wannacrypt-ransomware-worm-targets-out-of-date-systems-wdsi.md +++ /dev/null @@ -1,254 +0,0 @@ ---- -title: WannaCrypt ransomware worm targets out-of-date systems -description: This is an early analysis of the WannaCrypt ransomware attack. Microsoft antimalware diagnostic data immediately picked up signs of this campaign in May 2017. -keywords: wannacry, wannacrypt, wanna, ransomware -search.product: eADQiWindows 10XVcnh -ms.pagetype: security -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.localizationpriority: medium -author: dulcemontemayor -ms.date: 07/27/2017 -ms.reviewer: -manager: dansimp -ms.author: dansimp ---- - -# WannaCrypt ransomware worm targets out-of-date systems - - -On May 12, 2017 we detected a new ransomware that spreads like a worm by leveraging vulnerabilities that have been previously fixed. While security updates are automatically applied in most computers, some users and enterprises may delay deployment of patches. Unfortunately, the ransomware, known as [WannaCrypt](https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/WannaCrypt), appears to have affected computers that have not applied the patch for these vulnerabilities. While the attack is unfolding, we remind users to install [MS17-010](https://technet.microsoft.com/library/security/ms17-010.aspx) if they have not already done so. - -Microsoft antimalware diagnostic data immediately picked up signs of this campaign. Our expert systems gave us visibility and context into this new attack as it happened, allowing [Microsoft Defender Antivirus](https://technet.microsoft.com/itpro/windows/keep-secure/windows-defender-in-windows-10) to deliver real-time defense. Through automated analysis, machine learning, and predictive modeling, we were able to rapidly protect against this malware. - -In this blog, we provide an early analysis of the end-to-end ransomware attack. Please note this threat is still under investigation. The attack is still active, and there is a possibility that the attacker will attempt to react to our detection response. - -## Attack vector - -Ransomware threats do not typically spread rapidly. Threats like WannaCrypt (also known as WannaCry, WanaCrypt0r, WCrypt, or WCRY) usually leverage social engineering or email as primary attack vector, relying on users downloading and executing a malicious payload. However, in this unique case, the ransomware perpetrators used publicly available exploit code for the patched SMB 'EternalBlue' vulnerability, [CVE-2017-0145](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145), which can be triggered by sending a specially crafted packet to a targeted SMBv1 server. This vulnerability was fixed in security bulletin [MS17-010](https://technet.microsoft.com/library/security/ms17-010.aspx), which was released on March 14, 2017. - -WannaCrypt's spreading mechanism is borrowed from [well-known](https://packetstormsecurity.com/files/142464/MS17-010-SMBv1-SrvOs2FeaToNt-OOB-Remote-Code-Execution.html) [public SMB exploits](https://github.com/RiskSense-Ops/MS17-010), which armed this regular ransomware with worm-like functionalities, creating an entry vector for machines still unpatched even after the fix had become available. - -The exploit code used by WannaCrypt was designed to work only against unpatched Windows 7 and Windows Server 2008 (or earlier OS) systems, so Windows 10 PCs are not affected by this attack. - -We haven't found evidence of the exact initial entry vector used by this threat, but there are two scenarios that we believe are highly possible explanations for the spread of this ransomware: - -- Arrival through social engineering emails designed to trick users to run the malware and activate the worm-spreading functionality with the SMB exploit -- Infection through SMB exploit when an unpatched computer is addressable from other infected machines - -## Dropper - -The threat arrives as a dropper Trojan that has the following two components: - -1. A component that attempts to exploit the SMB CVE-2017-0145 vulnerability in other computers -2. The ransomware known as WannaCrypt - -The dropper tries to connect the following domains using the API `InternetOpenUrlA()`: - -- www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com -- www[.]ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com - -If connection to the domains is successful, the dropper does not infect the system further with ransomware or try to exploit other systems to spread; it simply stops execution. However, if the connection fails, the threat proceeds to drop the ransomware and creates a service on the system. - -In other words, unlike in most malware infections, **IT Administrators should NOT block these domains**. Note that the malware is not proxy-aware, so a local DNS record may be required. This does not need to point to the Internet, but can resolve to any accessible server which will accept connections on TCP 80. - -![Connection information from WannaCrypt code](images/wanna1.png) - -The threat creates a service named *mssecsvc2.0*, whose function is to exploit the SMB vulnerability in other computers accessible from the infected system: -``` -Service Name: mssecsvc2.0 -Service Description: (Microsoft Security Center (2.0) Service) -Service Parameters: '-m security' -``` - - ![Mssecsvc2.0 process details](images/wanna2.png) - -## WannaCrypt ransomware - -The ransomware component is a dropper that contains a password-protected .zip archive in its resource section. The document encryption routine and the files in the .zip archive contain support tools, a decryption tool, and the ransom message. In the samples we analyzed, the password for the .zip archive is 'WNcry@2ol7'. - -When run, WannaCrypt creates the following registry keys: - -- *HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\\ = '\\tasksche.exe'* -- *HKLM\SOFTWARE\WanaCrypt0r\\wd = '\'* - -It changes the wallpaper to a ransom message by modifying the following registry key: - -- *HKCU\Control Panel\Desktop\Wallpaper: '\\\@WanaDecryptor@.bmp'* - -It creates the following files in the malware's working directory: - -- *00000000.eky* -- *00000000.pky* -- *00000000.res* -- *274901494632976.bat* -- @Please_Read_Me@.txt -- @WanaDecryptor@.bmp -- @WanaDecryptor@.exe -- *b.wnry* -- *c.wnry* -- *f.wnry* -- *m.vbs* -- *msg\m_bulgarian.wnry* -- *msg\m_chinese (simplified).wnry* -- *msg\m_chinese (traditional).wnry* -- *msg\m_croatian.wnry* -- *msg\m_czech.wnry* -- *msg\m_danish.wnry* -- *msg\m_dutch.wnry* -- *msg\m_english.wnry* -- *msg\m_filipino.wnry* -- *msg\m_finnish.wnry* -- *msg\m_french.wnry* -- *msg\m_german.wnry* -- *msg\m_greek.wnry* -- *msg\m_indonesian.wnry* -- *msg\m_italian.wnry* -- *msg\m_japanese.wnry* -- *msg\m_korean.wnry* -- *msg\m_latvian.wnry* -- *msg\m_norwegian.wnry* -- *msg\m_polish.wnry* -- *msg\m_portuguese.wnry* -- *msg\m_romanian.wnry* -- *msg\m_russian.wnry* -- *msg\m_slovak.wnry* -- *msg\m_spanish.wnry* -- *msg\m_swedish.wnry* -- *msg\m_turkish.wnry* -- *msg\m_vietnamese.wnry* -- *r.wnry* -- *s.wnry* -- *t.wnry* -- *TaskData\Tor\libeay32.dll* -- *TaskData\Tor\libevent-2-0-5.dll* -- *TaskData\Tor\libevent_core-2-0-5.dll* -- *TaskData\Tor\libevent_extra-2-0-5.dll* -- *TaskData\Tor\libgcc_s_sjlj-1.dll* -- *TaskData\Tor\libssp-0.dll* -- *TaskData\Tor\ssleay32.dll* -- *TaskData\Tor\taskhsvc.exe* -- *TaskData\Tor\tor.exe* -- *TaskData\Tor\zlib1.dll* -- *taskdl.exe* -- *taskse.exe* -- *u.wnry* - -WannaCrypt may also create the following files: - -- *%SystemRoot%\tasksche.exe* -- *%SystemDrive%\intel\\\\tasksche.exe* -- *%ProgramData%\\\\tasksche.exe* - -It may create a randomly named service that has the following associated ImagePath: `cmd.exe /c '\tasksche.exe'`. - -It then searches the whole computer for any file with any of the following file name extensions: *.123, .jpeg , .rb , .602 , .jpg , .rtf , .doc , .js , .sch , .3dm , .jsp , .sh , .3ds , .key , .sldm , .3g2 , .lay , .sldm , .3gp , .lay6 , .sldx , .7z , .ldf , .slk , .accdb , .m3u , .sln , .aes , .m4u , .snt , .ai , .max , .sql , .ARC , .mdb , .sqlite3 , .asc , .mdf , .sqlitedb , .asf , .mid , .stc , .asm , .mkv , .std , .asp , .mml , .sti , .avi , .mov , .stw , .backup , .mp3 , .suo , .bak , .mp4 , .svg , .bat , .mpeg , .swf , .bmp , .mpg , .sxc , .brd , .msg , .sxd , .bz2 , .myd , .sxi , .c , .myi , .sxm , .cgm , .nef , .sxw , .class , .odb , .tar , .cmd , .odg , .tbk , .cpp , .odp , .tgz , .crt , .ods , .tif , .cs , .odt , .tiff , .csr , .onetoc2 , .txt , .csv , .ost , .uop , .db , .otg , .uot , .dbf , .otp , .vb , .dch , .ots , .vbs , .der' , .ott , .vcd , .dif , .p12 , .vdi , .dip , .PAQ , .vmdk , .djvu , .pas , .vmx , .docb , .pdf , .vob , .docm , .pem , .vsd , .docx , .pfx , .vsdx , .dot , .php , .wav , .dotm , .pl , .wb2 , .dotx , .png , .wk1 , .dwg , .pot , .wks , .edb , .potm , .wma , .eml , .potx , .wmv , .fla , .ppam , .xlc , .flv , .pps , .xlm , .frm , .ppsm , .xls , .gif , .ppsx , .xlsb , .gpg , .ppt , .xlsm , .gz , .pptm , .xlsx , .h , .pptx , .xlt , .hwp , .ps1 , .xltm , .ibd , .psd , .xltx , .iso , .pst , .xlw , .jar , .rar , .zip , .java , .raw.* - -WannaCrypt encrypts all files it finds and renames them by appending *.WNCRY* to the file name. For example, if a file is named *picture.jpg*, the ransomware encrypts and renames the file to *picture.jpg.WNCRY*. - -This ransomware also creates the file @Please_Read_Me@.txt in every folder where files are encrypted. The file contains the same ransom message shown in the replaced wallpaper image (see screenshot below). - -After completing the encryption process, the malware deletes the volume shadow copies by running the following command: -`cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet` - -It then replaces the desktop background image with the following message: - -![Example background image of WannaCrypt](images/wanna3.png) - -It also runs an executable showing a ransom note which indicates a $300 ransom in Bitcoins as well as a timer: - - ![Screenshot of WannaCrypt ransom notice](images/wanna4.png) - -The text is localized into the following languages: Bulgarian, Chinese (simplified), Chinese (traditional), Croatian, Czech, Danish, Dutch, English, Filipino, Finnish, French, German, Greek, Indonesian, Italian, Japanese, Korean, Latvian, Norwegian, Polish, Portuguese, Romanian, Russian, Slovak, Spanish, Swedish, Turkish, and Vietnamese. - -The ransomware also demonstrates the decryption capability by allowing the user to decrypt a few random files, free of charge. It then quickly reminds the user to pay the ransom to decrypt all the remaining files. - - ![Screenshot of decryption window](images/wanna5.png) - -## Spreading capability - -The worm functionality attempts to infect unpatched Windows machines in the local network. At the same time, it also executes massive scanning on Internet IP addresses to find and infect other vulnerable computers. This activity results in large SMB traffic from the infected host, which can be observed by SecOps personnel, as shown below. - -![Spreading scanning activity](images/wanna6.png) - -The Internet scanning routine randomly generates octets to form the IPv4 address. The malware then targets that IP to attempt to exploit CVE-2017-0145. The threat avoids infecting the IPv4 address if the randomly generated value for first octet is 127 or if the value is equal to or greater than 224, in order to skip local loopback interfaces. Once a vulnerable machine is found and infected, it becomes the next hop to infect other machines. The vicious infection cycle continues as the scanning routing discovers unpatched computers. - -When it successfully infects a vulnerable computer, the malware runs kernel-level shellcode that seems to have been copied from the public backdoor known as DOUBLEPULSAR, but with certain adjustments to drop and execute the ransomware dropper payload, both for x86 and x64 systems. - - ![Kernel-level shellcode used by WannaCrypt](images/wanna7.png) - - ![Kernel-level shellcode used by WannaCrypt](images/wanna8.png) - -## Protection against the WannaCrypt attack - -To get the latest protection from Microsoft, upgrade to [Windows 10](https://www.microsoft.com/windows/windows-10-upgrade). Keeping your computers [up-to-date](https://www.microsoft.com/security/portal/mmpc/help/updatefaqs.aspx) gives you the benefits of the latest features and proactive mitigations built into the latest versions of Windows. - -We recommend customers that have not yet installed the security update [MS17-010](https://technet.microsoft.com/library/security/ms17-010.aspx) do so as soon as possible. Until you can apply the patch, we also recommend two possible workarounds to reduce the attack surface: - -- Disable SMBv1 with the steps documented at [Microsoft Knowledge Base Article 2696547](https://support.microsoft.com/kb/2696547) and as [recommended previously](https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/) -- Consider adding a rule on your router or firewall to block incoming SMB traffic on port 445 - -[Microsoft Defender Antivirus](https://technet.microsoft.com/itpro/windows/keep-secure/windows-defender-in-windows-10) detects this threat as [Ransom:Win32/WannaCrypt](https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/WannaCrypt) as of the *1.243.297.0* update. Microsoft Defender Antivirus uses cloud-based protection, helping to protect you from the latest threats. - -For enterprises, use [Device Guard](https://technet.microsoft.com/itpro/windows/keep-secure/device-guard-deployment-guide) to lock down devices and provide kernel-level virtualization-based security, allowing only trusted applications to run, effectively preventing malware from running. - -Use [Office 365 Advanced Threat Protection](https://blogs.office.com/2015/04/08/introducing-exchange-online-advanced-threat-protection/), which has machine learning capability that blocks dangerous email threats, such as the emails carrying ransomware. - -Monitor networks with [Windows Defender Advanced Threat Protection](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp), which alerts security operations teams about suspicious activities. Download this playbook to see how you can leverage Windows Defender ATP to detect, investigate, and mitigate ransomware in networks: [Windows Defender Advanced Threat Protection - Ransomware response playbook](https://www.microsoft.com/download/details.aspx?id=55090). - -## Resources - -Download English language security updates: [Windows Server 2003 SP2 x64](http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x64-custom-enu_f24d8723f246145524b9030e4752c96430981211.exe), [Windows Server 2003 SP2 x86,](http://download.windowsupdate.com/c/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x86-custom-enu_f617caf6e7ee6f43abe4b386cb1d26b3318693cf.exe) [Windows XP SP2 x64](http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x64-custom-enu_f24d8723f246145524b9030e4752c96430981211.exe), [Windows XP SP3 x86](http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsxp-kb4012598-x86-custom-enu_eceb7d5023bbb23c0dc633e46b9c2f14fa6ee9dd.exe), [Windows XP Embedded SP3 x86](http://download.windowsupdate.com/c/csa/csa/secu/2017/02/windowsxp-kb4012598-x86-embedded-custom-enu_8f2c266f83a7e1b100ddb9acd4a6a3ab5ecd4059.exe), [Windows 8 x86,](http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/05/windows8-rt-kb4012598-x86_a0f1c953a24dd042acc540c59b339f55fb18f594.msu) [Windows 8 x64](http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/05/windows8-rt-kb4012598-x64_f05841d2e94197c2dca4457f1b895e8f632b7f8e.msu) - -Download localized language security updates: [Windows Server 2003 SP2 x64](https://www.microsoft.com/downloads/details.aspx?FamilyId=d3cb7407-3339-452e-8371-79b9c301132e), [Windows Server 2003 SP2 x86](https://www.microsoft.com/downloads/details.aspx?FamilyId=350ec04d-a0ba-4a50-9be3-f900dafeddf9), [Windows XP SP2 x64](https://www.microsoft.com/downloads/details.aspx?FamilyId=5fbaa61b-15ce-49c7-9361-cb5494f9d6aa), [Windows XP SP3 x86](https://www.microsoft.com/downloads/details.aspx?FamilyId=7388c05d-9de6-4c6a-8b21-219df407754f), [Windows XP Embedded SP3 x86](https://www.microsoft.com/downloads/details.aspx?FamilyId=a1db143d-6ad2-4e7e-9e90-2a73316e1add), [Windows 8 x86](https://www.microsoft.com/downloads/details.aspx?FamilyId=6e2de6b7-9e43-4b42-aca2-267f24210340), [Windows 8 x64](https://www.microsoft.com/downloads/details.aspx?FamilyId=b08bb3f1-f156-4e61-8a68-077963bae8c0) - -MS17-010 Security Update: [https://technet.microsoft.com/library/security/ms17-010.aspx](https://technet.microsoft.com/library/security/ms17-010.aspx) - -Customer guidance for WannaCrypt attacks: [https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/](https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/) - -General information on ransomware: [https://www.microsoft.com/security/portal/mmpc/shared/ransomware.aspx](https://www.microsoft.com/security/portal/mmpc/shared/ransomware.aspx) - -## Indicators of compromise - -SHA1 of samples analyzed: - -- 51e4307093f8ca8854359c0ac882ddca427a813c -- e889544aff85ffaf8b0d0da705105dee7c97fe26 - -Files created: - -- %SystemRoot%\mssecsvc.exe -- %SystemRoot%\tasksche.exe -- %SystemRoot%\qeriuwjhrf -- b.wnry -- c.wnry -- f.wnry -- r.wnry -- s.wnry -- t.wnry -- u.wnry -- taskdl.exe -- taskse.exe -- 00000000.eky -- 00000000.res -- 00000000.pky -- @WanaDecryptor@.exe -- @Please_Read_Me@.txt -- m.vbs -- @WanaDecryptor@.exe.lnk -- @WanaDecryptor@.bmp -- 274901494632976.bat -- taskdl.exe -- Taskse.exe -- Files with '.wnry' extension -- Files with '.WNCRY' extension - -Registry keys created: - -- HKLM\SOFTWARE\WanaCrypt0r\wd - - - -*Karthik Selvaraj, Elia Florio, Andrea Lelli, and Tanmay Ganacharya*
    *Microsoft Malware Protection Center* - diff --git a/windows/security/threat-protection/windows-firewall/TOC.md b/windows/security/threat-protection/windows-firewall/TOC.md index e5edff503e..34b7c1beb1 100644 --- a/windows/security/threat-protection/windows-firewall/TOC.md +++ b/windows/security/threat-protection/windows-firewall/TOC.md @@ -96,6 +96,7 @@ ## [Best practices]() +### [Configuring the firewall](best-practices-configuring.md) ### [Securing IPsec](securing-end-to-end-ipsec-connections-by-using-ikev2.md) ### [PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md) ### [Isolating Microsoft Store Apps on Your Network](isolating-apps-on-your-network.md) diff --git a/windows/security/threat-protection/windows-firewall/best-practices-configuring.md b/windows/security/threat-protection/windows-firewall/best-practices-configuring.md new file mode 100644 index 0000000000..274baf82d2 --- /dev/null +++ b/windows/security/threat-protection/windows-firewall/best-practices-configuring.md @@ -0,0 +1,212 @@ +--- +title: Best practices for configuring Windows Defender Firewall +description: Learn about best practices for configuring Windows Defender Firewall + +keywords: firewall, best practices, security, network security, network, rules, filters, + +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: maccruz +author: schmurky +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article + +--- + +# Best practices for configuring Windows Defender Firewall + +**Applies to** + +- Windows operating systems including Windows 10 + +- Windows Server Operating Systems + +Windows Defender Firewall with Advanced Security provides host-based, two-way +network traffic filtering and blocks unauthorized network traffic flowing into +or out of the local device. Configuring your Windows Firewall based on the +following best practices can help you optimize protection for devices in your +network. These recommendations cover a wide range of deployments including home +networks and enterprise desktop/server systems. + +To open Windows Firewall, go to the **Start** menu, select **Run**, +type **WF.msc**, and then select **OK**. See also [Open Windows Firewall](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security). + +## Keep default settings + +When you open the Windows Defender Firewall for the first time, you can see the default settings applicable to the local computer. The Overview panel displays security settings for each type of network to which the device can connect. + +![Windows Defender Firewall with Advanced Security first time opening](images/fw01-profiles.png) + +*Figure 1: Windows Defender Firewall* + +1. **Domain profile**: Used for networks where there is a system of account authentication against a domain controller (DC), such as an Azure Active Directory DC + +2. **Private profile**: Designed for and best used + in private networks such as a home network + +3. **Public profile**: Designed with higher security in mind + for public networks like Wi-Fi hotspots, coffee shops, airports, hotels, or stores + +View detailed settings for each profile by right-clicking the top-level **Windows Defender Firewall with Advanced Security** node in the left pane and then selecting **Properties**. + +Maintain the default settings in Windows Defender +Firewall whenever possible. These settings have been designed to secure your device for use in most network scenarios. One key example is the default Block behavior for Inbound connections. + +![A screenshot of a cell phone Description automatically generated](images/fw03-defaults.png) + +*Figure 2: Default inbound/outbound settings* + +> [!IMPORTANT] +> To maintain maximum security, do not change the default Block setting for inbound connections. + +For more on configuring basic firewall settings, see [Turn on Windows Firewall and Configure Default Behavior](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior) and [Checklist: Configuring Basic Firewall Settings](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/checklist-configuring-basic-firewall-settings). + +## Understand rule precedence for inbound rules + +In many cases, a next step for administrators will be to customize these profiles using rules (sometimes called filters) so that they can work with user apps or other types of software. For example, an administrator or user may choose to add a rule to accommodate a program, open a port or protocol, or allow a predefined type of traffic. + +This can be accomplished by right-clicking either **Inbound Rules** or **Outbound Rules**, and selecting **New Rule**. The interface for adding a new rule looks like this: + +![Rule creation wizard](images/fw02-createrule.png) + +*Figure 3: Rule Creation Wizard* + +> [!NOTE] +>This article does not cover step-by-step rule +configuration. See the [Windows Firewall with Advanced Security Deployment +Guide](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide) +for general guidance on policy creation. + +In many cases, allowing specific types of inbound traffic will be required for +applications to function in the network. Administrators should keep the following rule precedence behaviors in mind when +allowing these inbound exceptions. + +1. Explicitly defined allow rules will take precedence over the default block setting. + +2. Explicit block rules will take precedence over any conflicting allow rules. + +3. More specific rules will take precedence over less specific rules, except in the case of explicit block rules as mentioned in 2. (For example, if the parameters of rule 1 includes an IP address range, while the parameters of rule 2 include a single IP host address, rule 2 will take precedence.) + +Because of 1 and 2, it is important that, when designing a set of policies, you make sure that there are no other explicit block rules in place that could inadvertently overlap, thus preventing the traffic flow you wish to allow. + +A general security best practice when creating inbound rules is to be as specific as possible. However, when new rules must be made that use ports or IP addresses, consider using consecutive ranges or subnets instead of individual addresses or ports where possible. This avoids creation of multiple filters under the hood, reduces complexity, and helps to avoid performance degradation. + +> [!NOTE] +> Windows Defender Firewall does not support traditional weighted, administrator-assigned rule ordering. An effective policy set with expected behaviors can be created by keeping in mind the few, consistent, and logical rule behaviors described above. + +## Create rules for new applications before first launch + +### Inbound allow rules + +When first installed, networked applications and services issue a listen call specifying the protocol/port information required for them to function properly. As there is a default block action in Windows Defender Firewall, it is necessary to create inbound exception rules to allow this traffic. It is common for the app or the app installer itself to add this firewall rule. Otherwise, the user (or firewall admin on behalf of the user) needs to manually create a rule. + +If there are no active application or administrator-defined allow rule(s), a dialog box will prompt the user to either allow or block an application's packets the first time the app is launched or tries to communicate in the network. + +- If the user has admin permissions, they will be prompted. If they respond *No* or cancel the prompt, block rules will be created. Two rules are typically created, one each for TCP and UDP traffic. + +- If the user is not a local admin, they will not be prompted. In most cases, block rules will be created. + +In either of the scenarios above, once these rules are added they must be deleted in order to generate the prompt again. If not, the traffic will continue to be blocked. + +> [!NOTE] +> The firewall's default settings are designed for security. Allowing all inbound connections by default introduces the network to various threats. Therefore, creating exceptions for inbound connections from third-party software should be determined by trusted app developers, the user, or the admin on behalf of the user. + + +### Known issues with automatic rule creation + +When designing a set of firewall policies for your network, it is a best practice to configure allow rules for any networked applications deployed on the host. Having these rules in place before the user first launches the application will help ensure a seamless experience. + +The absence of these staged rules does not necessarily mean that in the end an application will be unable to communicate on the network. However, the behaviors involved in the automatic creation of application rules at runtime requires user interaction. + +To determine why some applications are blocked from communicating in the network, check for the following: + +1. A user with sufficient privileges receives a query notification advising them that the application needs to make a change to the firewall policy. Not fully understanding the prompt, the user cancels or dismisses the prompt. + +2. A user lacks sufficient privileges and is therefore not prompted to allow the application to make the appropriate policy changes. + +3. Local Policy Merge is disabled, preventing the application or network service from creating local rules. + +![Windows Firewall prompt](images/fw04-userquery.png) + +*Figure 4: Dialog box to allow access* + +See also [Checklist: Creating Inbound Firewall Rules](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/checklist-creating-inbound-firewall-rules). + +## Establish local policy merge and application rules + +Firewall rules can be deployed: +1. Locally using the Firewall snap-in (**WF.msc**) +2. Locally using PowerShell +3. Remotely using Group Policy if the device is a member of an Active Directory Name, System Center Configuration Manager (SCCM), or Intune (using workplace join) + +Rule merging settings control how rules from different policy sources can be combined. Administrators can configure different merge behaviors for Domain, Private, and Public profiles. + +The rule merging settings either allow or prevent local admins from creating their own firewall rules in addition to those obtained from Group Policy. + +![Customize settings](images/fw05-rulemerge.png) + +*Figure 5: Rule merging setting* + +> [!TIP] +> In the firewall [configuration service provider](https://docs.microsoft.com/windows/client-management/mdm/firewall-csp), the +equivalent setting is *AllowLocalPolicyMerge*. This setting can be found under each respective profile node, *DomainProfile*, *PrivateProfile*, and *PublicProfile*. + +If merging of local policies is disabled, centralized deployment of rules is required for any app that needs inbound connectivity. + +Admins may disable *LocalPolicyMerge* in high security environments to maintain tighter control over endpoints. This can impact some apps and services that automatically generate a local firewall policy upon installation as discussed above. For these types of apps and services to work, admins should push rules centrally via group policy (GP), Mobile Device +Management (MDM), or both (for hybrid or co-management environments). + +[Firewall CSP](https://docs.microsoft.com/windows/client-management/mdm/firewall-csp) and [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) also have settings that can affect rule merging. + +As a best practice, it is important to list and log such apps, including the network ports used for communications. Typically, you can find what ports must be open for a given service on the app's website. For more complex or customer application deployments, a more thorough analysis may be needed using network packet capture tools. + +In general, to maintain maximum security, admins should only push firewall exceptions for apps and services determined to serve legitimate purposes. + + + +> [!NOTE] +> The use of wildcard patterns, such as *C:\*\\teams.exe* is not +supported in application rules. We currently only support rules created using the full path to the application(s). + +## Know how to use "shields up" mode for active attacks + +An important firewall feature you can use to mitigate damage during an active attack is the "shields up" mode. It is an informal term referring to an easy method a firewall administrator can use to temporarily increase security in the face of an active attack. + +Shields up can be achieved by checking **Block all +incoming connections, including those in the list of allowed apps** setting found in either the Windows Settings app or the legacy file *firewall.cpl*. + +![Incoming connections](images/fw06-block.png) + +*Figure 6: Windows settings App/Windows Security/Firewall Protection/Network Type* + +![Firewall cpl](images/fw07-legacy.png) + +*Figure 7: Legacy firewall.cpl* + +By default, the Windows Defender Firewall will block everything unless there is an exception rule created. This setting overrides the exceptions. + +For example, the Remote Desktop feature automatically creates firewall rules when enabled. However, if there is an active exploit using multiple ports and services on a host, you can, instead of disabling individual rules, use the shields up mode to block all inbound connections, overriding previous exceptions, including the rules for Remote Desktop. The Remote Desktop rules remain intact but remote access will not work as long as shields up is activated. + +Once the emergency is over, uncheck the setting to restore regular network traffic. + +## Create outbound rules + +What follows are a few general guidelines for configuring outbound rules. + +- The default configuration of Blocked for Outbound rules can be + considered for certain highly secure environments. However, the Inbound rule configuration should never be changed in a way that Allows traffic by default. + +- It is recommended to Allow Outbound by default for most deployments for the sake of simplification around app deployments, unless the enterprise prefers tight security controls over ease-of-use. + +- In high security environments, an inventory of all enterprise-spanning apps must be taken and logged by the administrator or administrators. Records must include whether an app used requires network connectivity. Administrators will need to create new rules specific to each app that needs network connectivity and push those rules centrally, via group policy (GP), Mobile Device Management (MDM), or both (for hybrid or co-management environments). + +For tasks related to creating outbound rules, see [Checklist: Creating Outbound Firewall Rules](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/checklist-creating-outbound-firewall-rules). + +## Document your changes + +When creating an inbound or outbound rule, you should specify details about the app itself, the port range used, and important notes like creation date. Rules must be well-documented for ease of review both by you and other admins. We highly encourage taking the time to make the work of reviewing your firewall rules at a later date easier. And *never* create unnecessary holes in your firewall. diff --git a/windows/security/threat-protection/windows-firewall/images/fw01-profiles.png b/windows/security/threat-protection/windows-firewall/images/fw01-profiles.png new file mode 100644 index 0000000000..c1aa416fdf Binary files /dev/null and b/windows/security/threat-protection/windows-firewall/images/fw01-profiles.png differ diff --git a/windows/security/threat-protection/windows-firewall/images/fw02-createrule.png b/windows/security/threat-protection/windows-firewall/images/fw02-createrule.png new file mode 100644 index 0000000000..5c8f858f52 Binary files /dev/null and b/windows/security/threat-protection/windows-firewall/images/fw02-createrule.png differ diff --git a/windows/security/threat-protection/windows-firewall/images/fw03-defaults.png b/windows/security/threat-protection/windows-firewall/images/fw03-defaults.png new file mode 100644 index 0000000000..cfc1daea37 Binary files /dev/null and b/windows/security/threat-protection/windows-firewall/images/fw03-defaults.png differ diff --git a/windows/security/threat-protection/windows-firewall/images/fw04-userquery.png b/windows/security/threat-protection/windows-firewall/images/fw04-userquery.png new file mode 100644 index 0000000000..85f7485479 Binary files /dev/null and b/windows/security/threat-protection/windows-firewall/images/fw04-userquery.png differ diff --git a/windows/security/threat-protection/windows-firewall/images/fw05-rulemerge.png b/windows/security/threat-protection/windows-firewall/images/fw05-rulemerge.png new file mode 100644 index 0000000000..74c49fab7b Binary files /dev/null and b/windows/security/threat-protection/windows-firewall/images/fw05-rulemerge.png differ diff --git a/windows/security/threat-protection/windows-firewall/images/fw06-block.png b/windows/security/threat-protection/windows-firewall/images/fw06-block.png new file mode 100644 index 0000000000..2909fa51d3 Binary files /dev/null and b/windows/security/threat-protection/windows-firewall/images/fw06-block.png differ diff --git a/windows/security/threat-protection/windows-firewall/images/fw07-legacy.png b/windows/security/threat-protection/windows-firewall/images/fw07-legacy.png new file mode 100644 index 0000000000..a8d15e6e31 Binary files /dev/null and b/windows/security/threat-protection/windows-firewall/images/fw07-legacy.png differ diff --git a/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md b/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md index 6071427eda..00bdfd5630 100644 --- a/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md +++ b/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md @@ -10,7 +10,9 @@ ms.pagetype: security ms.localizationpriority: medium author: dansimp manager: dansimp -ms.collection: M365-security-compliance +ms.collection: +- m365-security-compliance +- m365-initiative-windows-security ms.topic: troubleshooting --- diff --git a/windows/whats-new/index.md b/windows/whats-new/index.md index 6f809cdf89..7f2d33540e 100644 --- a/windows/whats-new/index.md +++ b/windows/whats-new/index.md @@ -27,7 +27,7 @@ Windows 10 provides IT professionals with advanced protection against modern sec ## Learn more -- [Windows 10 release information](https://technet.microsoft.com/windows/release-info) +- [Windows 10 release information](https://docs.microsoft.com/windows/release-information/) - [Windows 10 release health dashboard](https://docs.microsoft.com/windows/release-information/status-windows-10-2004) - [Windows 10 update history](https://support.microsoft.com/help/4555932/windows-10-update-history) - [What’s new for business in Windows 10 Insider Preview Builds](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new)