deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'main' into privacy-update-vb

Browse Source
This commit is contained in:
Daniel H. Brown 2023-09-26 08:17:20 -07:00
commit a4e01b9ca2
170 changed files with 4457 additions and 3116 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
.openpublishing.redirection.windows-security.json
View File

@ -7335,6 +7335,41 @@
"redirect_url": "/windows/security/security-foundations/zero-trust-windows-device-health",
"redirect_document_id": false
},
{
"source_path": "windows/security/identity-protection/credential-guard/credential-guard.md",
"redirect_url": "/windows/security/identity-protection/credential-guard",
"redirect_document_id": false
},
{
"source_path": "windows/security/identity-protection/credential-guard/credential-guard-considerations.md",
"redirect_url": "/windows/security/identity-protection/credential-guard/considerations-known-issues",
"redirect_document_id": false
},
{
"source_path": "windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md",
"redirect_url": "/windows/security/identity-protection/credential-guard/how-it-works",
"redirect_document_id": false
},
{
"source_path": "windows/security/identity-protection/credential-guard/credential-guard-known-issues.md",
"redirect_url": "/windows/security/identity-protection/credential-guard/considerations-known-issues",
"redirect_document_id": false
},
{
"source_path": "windows/security/identity-protection/credential-guard/credential-guard-manage.md",
"redirect_url": "/windows/security/identity-protection/credential-guard/configure",
"redirect_document_id": false
},
{
"source_path": "windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md",
"redirect_url": "/windows/security/identity-protection/credential-guard/how-it-works",
"redirect_document_id": false
},
{
"source_path": "windows/security/identity-protection/credential-guard/credential-guard-requirements.md",
"redirect_url": "/windows/security/identity-protection/credential-guard/index",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/data-protection/personal-data-encryption/configure-pde-in-intune.md",
"redirect_url": "/windows/security/operating-system-security/data-protection/personal-data-encryption/configure",

48
education/includes/education-content-updates.md
View File

@ -2,54 +2,20 @@
## Week of July 31, 2023
## Week of September 11, 2023
| Published On |Topic title | Change |
|------|------------|--------|
| 8/3/2023 | [Windows 11 SE Overview](/education/windows/windows-11-se-overview) | modified |
| 9/11/2023 | [Configure education themes for Windows 11](/education/windows/edu-themes) | modified |
| 9/11/2023 | [Configure federated sign-in for Windows devices](/education/windows/federated-sign-in) | modified |
## Week of July 24, 2023
## Week of September 04, 2023
| Published On |Topic title | Change |
|------|------------|--------|
| 7/24/2023 | [Windows 11 SE Overview](/education/windows/windows-11-se-overview) | modified |
| 7/25/2023 | [Set up Windows devices for education](/education/windows/set-up-windows-10) | modified |
| 7/25/2023 | [Windows 10 editions for education customers](/education/windows/windows-editions-for-education-customers) | modified |
## Week of July 10, 2023
| Published On |Topic title | Change |
|------|------------|--------|
| 7/14/2023 | [Microsoft 365 Education Documentation](/education/index) | modified |
| 7/14/2023 | [Windows 11 SE Overview](/education/windows/windows-11-se-overview) | modified |
| 7/14/2023 | [Chromebook migration guide (Windows 10)](/education/windows/chromebook-migration-guide) | modified |
| 7/14/2023 | [Configure federation between Google Workspace and Azure AD](/education/windows/configure-aad-google-trust) | modified |
| 7/14/2023 | [Windows for Education documentation](/education/windows/index) | modified |
| 7/14/2023 | [What's in Set up School PCs provisioning package](/education/windows/set-up-school-pcs-provisioning-package) | modified |
| 7/14/2023 | [Upgrade Windows Home to Windows Education on student-owned devices](/education/windows/change-home-to-edu) | modified |
| 7/14/2023 | [Deploy Windows 10 in a school district (Windows 10)](/education/windows/deploy-windows-10-in-a-school-district) | modified |
| 7/14/2023 | [Management functionalities for Surface devices](/education/windows/tutorial-school-deployment/manage-surface-devices) | modified |
| 7/14/2023 | [Set up device management](/education/windows/tutorial-school-deployment/set-up-microsoft-intune) | modified |
| 7/14/2023 | [Troubleshoot Windows devices](/education/windows/tutorial-school-deployment/troubleshoot-overview) | modified |
| 7/14/2023 | [Get Minecraft Education Edition](/education/windows/get-minecraft-for-education) | modified |
| 7/14/2023 | [Deployment recommendations for school IT administrators](/education/windows/edu-deployment-recommendations) | modified |
| 7/14/2023 | [Windows for Education documentation](/education/windows/index) | added |
| 7/14/2023 | [Configure applications with Microsoft Intune](/education/windows/tutorial-school-deployment/configure-device-apps) | added |
| 7/14/2023 | [Configure and secure devices with Microsoft Intune](/education/windows/tutorial-school-deployment/configure-device-settings) | added |
| 7/14/2023 | [Configure devices with Microsoft Intune](/education/windows/tutorial-school-deployment/configure-devices-overview) | added |
| 7/14/2023 | [Enrollment in Intune with standard out-of-box experience (OOBE)](/education/windows/tutorial-school-deployment/enroll-aadj) | added |
| 7/14/2023 | [Enrollment in Intune with Windows Autopilot](/education/windows/tutorial-school-deployment/enroll-autopilot) | added |
| 7/14/2023 | [Device enrollment overview](/education/windows/tutorial-school-deployment/enroll-overview) | added |
| 7/14/2023 | [Enrollment of Windows devices with provisioning packages](/education/windows/tutorial-school-deployment/enroll-package) | added |
| 7/14/2023 | [Introduction](/education/windows/tutorial-school-deployment/index) | added |
| 7/14/2023 | [Manage devices with Microsoft Intune](/education/windows/tutorial-school-deployment/manage-overview) | added |
| 7/14/2023 | [Management functionalities for Surface devices](/education/windows/tutorial-school-deployment/manage-surface-devices) | added |
| 7/14/2023 | [Reset and wipe Windows devices](/education/windows/tutorial-school-deployment/reset-wipe) | added |
| 7/14/2023 | [Set up Azure Active Directory](/education/windows/tutorial-school-deployment/set-up-azure-ad) | added |
| 7/14/2023 | [Set up device management](/education/windows/tutorial-school-deployment/set-up-microsoft-intune) | added |
| 7/14/2023 | [Troubleshoot Windows devices](/education/windows/tutorial-school-deployment/troubleshoot-overview) | added |
| 9/5/2023 | [Configure federated sign-in for Windows devices](/education/windows/federated-sign-in) | modified |
| 9/5/2023 | [Windows for Education documentation](/education/windows/index) | modified |
| 9/5/2023 | [Windows 11 SE Overview](/education/windows/windows-11-se-overview) | modified |

2
education/windows/change-home-to-edu.md
View File

@ -1,7 +1,7 @@
---
title: Upgrade Windows Home to Windows Education on student-owned devices
description: Learn how IT Pros can upgrade student-owned devices from Windows Home to Windows Education using Mobile Device Management or Kivuto OnTheHub with qualifying subscriptions.
ms.date: 08/10/2022
ms.date: 08/07/2023
ms.topic: how-to
author: scottbreenmsft
ms.author: scbree

4
education/windows/configure-aad-google-trust.md
View File

@ -1,7 +1,7 @@
---
title: Configure federation between Google Workspace and Azure AD
description: Configuration of a federated trust between Google Workspace and Azure AD, with Google Workspace acting as an identity provider (IdP) for Azure AD.
ms.date: 04/04/2023
ms.date: 09/11/2023
ms.topic: how-to
appliesto:
---
@ -41,7 +41,7 @@ To test federation, the following prerequisites must be met:
1. In the search results page, hover over the *Microsoft Office 365 - Web (SAML)* app and select **Select**
:::image type="content" source="images/google/google-admin-search-app.png" alt-text="Screenshot showing Google Workspace and the search button for Microsoft Office 365 SAML app.":::
1. On the **Google Identity Provider details** page, select **Download Metadata** and take note of the location where the **IdP metadata** - *GoogleIDPMetadata.xml* - file is saved, as it will be used to setup Azure AD later
1. On the **Service provider detail*s** page
1. On the **Service provider detail's** page
- Select the option **Signed response**
- Verify that the Name ID format is set to **PERSISTENT**
- Depending on how the Azure AD users have been provisioned in Azure AD, you may need to adjust the **Name ID** mapping.\

6
education/windows/edu-stickers.md
View File

@ -33,14 +33,14 @@ Stickers aren't enabled by default. Follow the instructions below to configure y
#### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune)
[!INCLUDE [intune-custom-settings-1](includes/intune-custom-settings-1.md)]
[!INCLUDE [intune-custom-settings-1](../../includes/configure/intune-custom-settings-1.md)]
| Setting |
|--------|
| <li> OMA-URI: **`./Vendor/MSFT/Policy/Config/Stickers/EnableStickers`** </li><li>Data type: **Integer** </li><li>Value: **1**</li>|
[!INCLUDE [intune-custom-settings-2](includes/intune-custom-settings-2.md)]
[!INCLUDE [intune-custom-settings-info](includes/intune-custom-settings-info.md)]
[!INCLUDE [intune-custom-settings-2](../../includes/configure/intune-custom-settings-2.md)]
[!INCLUDE [intune-custom-settings-info](../../includes/configure/intune-custom-settings-info.md)]
> [!TIP]
> Use the following Graph call to automatically create the custom policy in your tenant without assignments nor scope tags. <sup>[1](#footnote1)</sup>

6
education/windows/edu-take-a-test-kiosk-mode.md
View File

@ -53,7 +53,7 @@ To configure devices using Intune for Education, follow these steps:
### Configure Take a Test with a custom policy
[!INCLUDE [intune-custom-settings-1](includes/intune-custom-settings-1.md)]
[!INCLUDE [intune-custom-settings-1](../../includes/configure/intune-custom-settings-1.md)]
| Setting |
|--------|
@ -67,8 +67,8 @@ To configure devices using Intune for Education, follow these steps:
:::image type="content" source="./images/takeatest/intune-take-a-test-custom-profile.png" alt-text="Intune portal - creation of a custom policy to configure Take a Test." lightbox="./images/takeatest/intune-take-a-test-custom-profile.png" border="true":::
[!INCLUDE [intune-custom-settings-2](includes/intune-custom-settings-2.md)]
[!INCLUDE [intune-custom-settings-info](includes/intune-custom-settings-info.md)]
[!INCLUDE [intune-custom-settings-2](../../includes/configure/intune-custom-settings-2.md)]
[!INCLUDE [intune-custom-settings-info](../../includes/configure/intune-custom-settings-info.md)]
#### [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)

29
education/windows/edu-themes.md
View File

@ -1,7 +1,7 @@
---
title: Configure education themes for Windows 11
description: Learn about education themes for Windows 11 and how to configure them via Intune and provisioning package.
ms.date: 09/15/2022
ms.date: 09/11/2023
ms.topic: how-to
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
@ -12,25 +12,30 @@ appliesto:
Starting in **Windows 11, version 22H2**, you can deploy education themes to your devices. The education themes are designed for students using devices in a school.
:::image type="content" source="./images/win-11-se-themes-1.png" alt-text="Windows 11 desktop with 3 stickers" border="true":::
:::image type="content" source="./images/win-11-se-themes-1.png" alt-text="Screenshot of Windows 11 desktop with 3 stickers" border="true":::
Themes allow the end user to quickly configure the look and feel of the device, with preset wallpaper, accent color, and other settings.
Students can choose their own themes, making it feel the device is their own. When students feel more ownership over their device, they tend to take better care of it. This is great news for schools looking to give that same device to a new student the next year.
Students can choose their own themes, making it feel the device is their own. When students feel more ownership over their device, they tend to take better care of it.
## Enable education themes
Education themes aren't enabled by default. Follow the instructions below to configure your devices using either Microsoft Intune or a provisioning package (PPKG).
Education themes aren't enabled by default. The following instructions describe how to configure your devices using either Microsoft Intune or a provisioning package (PPKG).
#### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune)
[!INCLUDE [intune-custom-settings-1](includes/intune-custom-settings-1.md)]
[!INCLUDE [intune-settings-catalog-1](../../includes/configure/intune-settings-catalog-1.md)]
| Category | Setting name | Value |
|--|--|--|
| Education | Enable Edu Themes | Enabled |
[!INCLUDE [intune-settings-catalog-2](../../includes/configure/intune-settings-catalog-2.md)]
Alternatively, you can configure devices using a [custom policy][INT-1] with the following settings:
| Setting |
|--------|
| <li> OMA-URI: **`./Vendor/MSFT/Policy/Config/Education/EnableEduThemes`** </li><li>Data type: **Integer** </li><li>Value: **1**</li>|
[!INCLUDE [intune-custom-settings-2](includes/intune-custom-settings-2.md)]
[!INCLUDE [intune-custom-settings-info](includes/intune-custom-settings-info.md)]
| **OMA-URI**: `./Vendor/MSFT/Policy/Config/Education/EnableEduThemes`<br>**Data type**: int<br>**Value**: `1`|
#### [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)
@ -46,15 +51,15 @@ Follow the steps in [Apply a provisioning package][WIN-2] to apply the package t
## How to use the education themes
Once the education themes are enabled, the device will download them as soon as a user signs in to the device.
Once the education themes are enabled, the device downloads them as soon as a user signs in to the device.
To change the theme, select **Settings** > **Personalization** > **Themes** > **Select a theme**
:::image type="content" source="./images/win-11-se-themes.png" alt-text="Windows 11 education themes selection" border="true":::
:::image type="content" source="./images/win-11-se-themes.png" alt-text="Screenshot of Windows 11 education themes selection" border="true":::
-----------
[MEM-1]: /mem/intune/configuration/custom-settings-windows-10
[INT-1]: /mem/intune/configuration/custom-settings-windows-10
[WIN-1]: /windows/configuration/provisioning-packages/provisioning-create-package
[WIN-2]: /windows/configuration/provisioning-packages/provisioning-apply-package

84
education/windows/federated-sign-in.md
View File

@ -1,13 +1,12 @@
---
title: Configure federated sign-in for Windows devices
description: Description of federated sign-in feature for the Education SKUs of Windows 11 and how to configure it via Intune or provisioning packages.
ms.date: 05/01/2023
description: Learn about federated sign-in in Windows how to configure it.
ms.date: 09/11/2023
ms.topic: how-to
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE</a>
ms.collection:
- highpri
- tier1
- education
---
@ -77,21 +76,25 @@ To use web sign-in with a federated identity provider, your devices must be conf
#### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune)
To configure federated sign-in using Microsoft Intune, [create a custom profile][MEM-1] with the following settings:
[!INCLUDE [intune-settings-catalog-1](../../includes/configure/intune-settings-catalog-1.md)]
[!INCLUDE [intune-custom-settings-1](includes/intune-custom-settings-1.md)]
| Category | Setting name | Value |
|--|--|--|
| Education | Is Education Environment | Enabled |
| Federated Authentication | Enable Web Sign In For Primary User | Enabled |
| Authentication | Configure Web Sign In Allowed Urls | Semicolon separated list of domains, for example: `samlidp.clever.com;clever.com;mobile-redirector.clever.com` |
| Authentication | Configure Webcam Access Domain Names | This setting is optional, and it should be configured if you need to use the webcam during the sign-in process. Specify the list of domains that are allowed to use the webcam during the sign-in process, separated by a semicolon. For example: `clever.com` |
[!INCLUDE [intune-settings-catalog-2](../../includes/configure/intune-settings-catalog-2.md)]
Alternatively, you can configure devices using a [custom policy][INT-1] with the following settings:
| Setting |
|--------|
| <li> OMA-URI: **`./Vendor/MSFT/Policy/Config/Education/IsEducationEnvironment`** </li><li>Data type: **Integer** </li><li>Value: **1**</li>|
| <li> OMA-URI: **`./Vendor/MSFT/Policy/Config/FederatedAuthentication/EnableWebSignInForPrimaryUser`** </li><li>Data type: **Integer** </li><li>Value: **1**</li>|
| <li> OMA-URI: **`./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebSignInAllowedUrls`** </li><li>Data type: **String** </li><li>Value: Semicolon separated list of domains, for example: **`samlidp.clever.com;clever.com;mobile-redirector.clever.com`**</li>|
| <li> OMA-URI: **`./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebCamAccessDomainNames`** </li><li>Data type: **String** </li><li>Value: This setting is optional, and it should be configured if you need to use the webcam during the sign-in process. Specify the list of domains that are allowed to use the webcam during the sign-in process, separated by a semicolon. For example: **`clever.com`**</li>|
:::image type="content" source="images/federated-sign-in-settings-intune.png" alt-text="Custom policy showing the settings to be configured to enable federated sign-in" lightbox="images/federated-sign-in-settings-intune.png" border="true":::
[!INCLUDE [intune-custom-settings-2](includes/intune-custom-settings-2.md)]
[!INCLUDE [intune-custom-settings-info](includes/intune-custom-settings-info.md)]
| **OMA-URI**: `./Vendor/MSFT/Policy/Config/Education/IsEducationEnvironment`<br>**Data type**: int<br>**Value**: `1`|
| **OMA-URI**: `./Vendor/MSFT/Policy/Config/FederatedAuthentication/EnableWebSignInForPrimaryUser`<br>**Data type**: int<br>**Value**: `1`|
| **OMA-URI**: `./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebSignInAllowedUrls`<br>**Data type**: String <br>**Value**: Semicolon separated list of domains, for example: `samlidp.clever.com;clever.com;mobile-redirector.clever.com`|
| **OMA-URI**: `./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebCamAccessDomainNames`** <br>**Data type**: String <br>**Value**: This setting is optional, and it should be configured if you need to use the webcam during the sign-in process. Specify the list of domains that are allowed to use the webcam during the sign-in process, separated by a semicolon. For example: `clever.com`|
#### [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)
@ -99,12 +102,12 @@ To configure federated sign-in using a provisioning package, use the following s
| Setting |
|--------|
| <li> Path: **`Education/IsEducationEnvironment`** </li><li>Value: **Enabled**</li>|
| <li> Path: **`FederatedAuthentication/EnableWebSignInForPrimaryUser`** </li><li>Value: **Enabled**</li>|
| <li> Path: **`Policies/Authentication/ConfigureWebSignInAllowedUrls`** </li><li>Value: Semicolon separated list of domains, for example: **`samlidp.clever.com;clever.com;mobile-redirector.clever.com`**</li>|
| <li> Path: **`Policies/Authentication/ConfigureWebCamAccessDomainNames`** </li><li>Value: This setting is optional, and it should be configured if you need to use the webcam during the sign-in process. Specify the list of domains that are allowed to use the webcam during the sign-in process, separated by a semicolon. For example: **`clever.com`**</li>|
| **Path**: `Education/IsEducationEnvironment` <br>**Value**: Enabled|
| **Path**: `FederatedAuthentication/EnableWebSignInForPrimaryUser` <br>**Value**: Enabled|
| **Path**: `Policies/Authentication/ConfigureWebSignInAllowedUrls` <br>**Value**: Semicolon separated list of domains, for example: `samlidp.clever.com;clever.com;mobile-redirector.clever.com`|
| **Path**: `Policies/Authentication/ConfigureWebCamAccessDomainNames` <br>**Value**: This setting is optional, and it should be configured if you need to use the webcam during the sign-in process. Specify the list of domains that are allowed to use the webcam during the sign-in process, separated by a semicolon. For example: `clever.com`|
:::image type="content" source="images/federated-sign-in-settings-ppkg.png" alt-text="Custom policy showing the settings to be configured to enable federated sign-in" lightbox="images/federated-sign-in-settings-ppkg.png" border="true":::
:::image type="content" source="images/federated-sign-in-settings-ppkg.png" alt-text="Screenshot of Custom policy showing the settings to be configured to enable federated sign-in" lightbox="images/federated-sign-in-settings-ppkg.png" border="true":::
Apply the provisioning package to the single-user devices that require federated sign-in.
@ -119,20 +122,27 @@ To use web sign-in with a federated identity provider, your devices must be conf
#### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune)
To configure federated sign-in using Microsoft Intune, [create a custom profile][MEM-1] with the following settings:
[!INCLUDE [intune-settings-catalog-1](../../includes/configure/intune-settings-catalog-1.md)]
[!INCLUDE [intune-custom-settings-1](includes/intune-custom-settings-1.md)]
| Category | Setting name | Value |
|--|--|--|
| Education | Is Education Environment | Enabled |
| SharedPC | Enable Shared PC Mode With OneDrive Sync | True |
| Authentication | Enable Web Sign In | Enabled |
| Authentication | Configure Web Sign In Allowed Urls | Semicolon separated list of domains, for example: `samlidp.clever.com;clever.com;mobile-redirector.clever.com` |
| Authentication | Configure Webcam Access Domain Names | This setting is optional, and it should be configured if you need to use the webcam during the sign-in process. Specify the list of domains that are allowed to use the webcam during the sign-in process, separated by a semicolon. For example: `clever.com` |
[!INCLUDE [intune-settings-catalog-2](../../includes/configure/intune-settings-catalog-2.md)]
Alternatively, you can configure devices using a [custom policy][INT-1] with the following settings:
| Setting |
|--------|
| <li> OMA-URI: **`./Vendor/MSFT/Policy/Config/Education/IsEducationEnvironment`** </li><li>Data type: **Integer** </li><li>Value: **1**</li>|
| <li> OMA-URI: **`./Vendor/MSFT/SharedPC/EnableSharedPCModeWithOneDriveSync`** </li><li>Data type: **Boolean** </li><li>Value: **True**</li>|
| <li> OMA-URI: **`./Vendor/MSFT/Policy/Config/Authentication/EnableWebSignIn`** </li><li>Data type: **Integer** </li><li>Value: **1**</li>|
| <li> OMA-URI: **`./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebSignInAllowedUrls`** </li><li>Data type: **String** </li><li>Value: Semicolon separated list of domains, for example: **`samlidp.clever.com;clever.com;mobile-redirector.clever.com`**</li>|
| <li> OMA-URI: **`./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebCamAccessDomainNames`** </li><li>Data type: **String** </li><li>Value: This setting is optional, and it should be configured if you need to use the webcam during the sign-in process. Specify the list of domains that are allowed to use the webcam during the sign-in process, separated by a semicolon. For example: **`clever.com`**</li>|
[!INCLUDE [intune-custom-settings-2](includes/intune-custom-settings-2.md)]
[!INCLUDE [intune-custom-settings-info](includes/intune-custom-settings-info.md)]
| **OMA-URI**: `./Vendor/MSFT/Policy/Config/Education/IsEducationEnvironment`<br>**Data type**: int<br>**Value**: `1`|
| **OMA-URI**: `./Vendor/MSFT/SharedPC/EnableSharedPCModeWithOneDriveSync`<br>**Data type**: Boolean<br>**Value**: True|
| **OMA-URI**: `./Vendor/MSFT/Policy/Config/Authentication/EnableWebSignIn`<br>**Data type**: Integer<br>**Value**: `1`|
| **OMA-URI**: `./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebSignInAllowedUrls`<br>**Data type**: String <br>**Value**: Semicolon separated list of domains, for example: `samlidp.clever.com;clever.com;mobile-redirector.clever.com`|
| **OMA-URI**: `./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebCamAccessDomainNames`<br>**Data type**: String <br>**Value**: This setting is optional, and it should be configured if you need to use the webcam during the sign-in process. Specify the list of domains that are allowed to use the webcam during the sign-in process, separated by a semicolon. For example: `clever.com`|
#### [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)
@ -140,11 +150,11 @@ To configure federated sign-in using a provisioning package, use the following s
| Setting |
|--------|
| <li> Path: **`Education/IsEducationEnvironment`** </li><li>Value: **Enabled**</li>|
| <li> Path: **`SharedPC/EnableSharedPCModeWithOneDriveSync`** </li><li>Value: **True**</li>|
| <li> Path: **`Policies/Authentication/EnableWebSignIn`** </li><li>Value: **Enabled**</li>|
| <li> Path: **`Policies/Authentication/ConfigureWebSignInAllowedUrls`** </li><li>Value: Semicolon separated list of domains, for example: **`samlidp.clever.com;clever.com;mobile-redirector.clever.com`**</li>|
| <li> Path: **`Policies/Authentication/ConfigureWebCamAccessDomainNames`** </li><li>Value: This setting is optional, and it should be configured if you need to use the webcam during the sign-in process. Specify the list of domains that are allowed to use the webcam during the sign-in process, separated by a semicolon. For example: **`clever.com`**</li>|
| <li> Path: **`Education/IsEducationEnvironment`**<br>Value: **Enabled**|
| <li> Path: **`SharedPC/EnableSharedPCModeWithOneDriveSync`**<br>Value: **True**|
| <li> Path: **`Policies/Authentication/EnableWebSignIn`**<br>Value: **Enabled**|
| <li> Path: **`Policies/Authentication/ConfigureWebSignInAllowedUrls`**<br>Value: Semicolon separated list of domains, for example: **`samlidp.clever.com;clever.com;mobile-redirector.clever.com`**|
| <li> Path: **`Policies/Authentication/ConfigureWebCamAccessDomainNames`**<br>Value: This setting is optional, and it should be configured if you need to use the webcam during the sign-in process. Specify the list of domains that are allowed to use the webcam during the sign-in process, separated by a semicolon. For example: **`clever.com`**|
Apply the provisioning package to the shared devices that require federated sign-in.
@ -159,7 +169,7 @@ Once the devices are configured, a new sign-in experience becomes available.
As users enter their username, they're redirected to the identity provider sign-in page. Once the Idp authenticates the users, they're signed-in. In the following animation, you can observe how the first sign-in process works for a student assigned (1:1) device:
:::image type="content" source="./images/win-11-se-federated-sign-in.gif" alt-text="Windows 11 SE sign-in using federated sign-in through Clever and QR code badge, in a student assigned (1:1) device." border="false":::
:::image type="content" source="./images/win-11-se-federated-sign-in.gif" alt-text="Screenshot of Windows 11 SE sign-in using federated sign-in through Clever and QR code badge, in a student assigned (1:1) device." border="false":::
> [!IMPORTANT]
> For student assigned (1:1) devices, once the policy is enabled, the first user who sign-in to the device will also set the disambiguation page to the identity provider domain on the device. This means that the device will be defaulting to that IdP. The user can exit the federated sign-in flow by pressing <kbd>Ctrl</kbd>+<kbd>Alt</kbd>+<kbd>Delete</kbd> to get back to the standard Windows sign-in screen.
@ -203,7 +213,7 @@ After the token sent by the IdP is validated, Azure AD searches for a matching u
If the matching object is found, the user is signed-in. Otherwise, the user is presented with an error message. The following picture shows that a user with the ImmutableId *260051* can't be found:
:::image type="content" source="images/federation/user-match-lookup-failure.png" alt-text="Azure AD sign-in error: a user with a matching ImmutableId can't be found in the tenant." lightbox="images/federation/user-match-lookup-failure.png":::
:::image type="content" source="images/federation/user-match-lookup-failure.png" alt-text="Screenshot of Azure AD sign-in error: a user with a matching ImmutableId can't be found in the tenant." lightbox="images/federation/user-match-lookup-failure.png":::
> [!IMPORTANT]
> The ImmutableId matching is case-sensitive.
@ -245,7 +255,7 @@ Update-MgUser -UserId alton@example.onmicrosoft.com -UserPrincipalName alton@exa
[GRAPH-1]: /graph/api/user-post-users?tabs=powershell
[EXT-1]: https://support.clever.com/hc/s/articles/000001546
[MEM-1]: /mem/intune/configuration/custom-settings-windows-10
[INT-1]: /mem/intune/configuration/custom-settings-windows-10
[MSFT-1]: https://www.microsoft.com/download/details.aspx?id=56843

3
education/windows/get-minecraft-for-education.md
View File

@ -2,9 +2,8 @@
title: Get and deploy Minecraft Education
description: Learn how to obtain and distribute Minecraft Education to Windows devices.
ms.topic: how-to
ms.date: 02/23/2023
ms.date: 09/11/2023
ms.collection:
- highpri
- education
- tier2
---

BIN
education/windows/images/federated-sign-in-settings-intune.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 102 KiB

13
education/windows/includes/intune-custom-settings-1.md
View File

@ -1,13 +0,0 @@
---
ms.date: 02/22/2022
ms.topic: include
---
To configure devices with Microsoft Intune, use a custom policy:
1. Go to the <a href="https://intune.microsoft.com" target="_blank"><b>Microsoft Intune admin center</b></a>
2. Select **Devices > Configuration profiles > Create profile**
3. Select **Platform > Windows 10 and later** and **Profile type > Templates > Custom**
4. Select **Create**
5. Specify a **Name** and, optionally, a **Description > Next**
6. Add the following settings:

9
education/windows/includes/intune-custom-settings-2.md
View File

@ -1,9 +0,0 @@
---
ms.date: 11/08/2022
ms.topic: include
---
7. Select **Next**
8. Assign the policy to a security group that contains as members the devices or users that you want to configure > **Next**
9. Under **Applicability Rules**, select **Next**
10. Review the policy configuration and select **Create**

6
education/windows/includes/intune-custom-settings-info.md
View File

@ -1,6 +0,0 @@
---
ms.date: 11/08/2022
ms.topic: include
---
For more information about how to create custom settings using Intune, see [Use custom settings for Windows devices in Intune](/mem/intune/configuration/custom-settings-windows-10).

246
education/windows/index.yml
View File

@ -1,95 +1,181 @@
### YamlMime:Landing
### YamlMime:Hub
title: Windows for Education documentation
summary: Evaluate, plan, deploy, and manage Windows devices in an education environment
summary: Learn how to deploy, secure, and manage Windows clients in an education environment.
brand: windows
metadata:
title: Windows for Education documentation
description: Learn about how to plan, deploy and manage Windows devices in an education environment with Microsoft Intune
ms.topic: landing-page
ms.topic: hub-page
ms.prod: windows-client
ms.technology: itpro-edu
ms.collection:
- education
- highpri
- tier1
- education
- highpri
- tier1
author: paolomatarazzo
ms.author: paoloma
ms.date: 03/09/2023
manager: aaroncz
ms.date: 07/28/2023
landingContent:
highlightedContent:
items:
- title: Get started with Windows 11
itemType: get-started
url: /windows/whats-new/windows-11-overview
- title: Windows 11, version 22H2
itemType: whats-new
url: /windows/whats-new/whats-new-windows-11-version-22H2
- title: Windows 11, version 22H2 group policy settings reference
itemType: download
url: https://www.microsoft.com/en-us/download/details.aspx?id=104594
- title: Windows release health
itemType: whats-new
url: /windows/release-health
- title: Windows commercial licensing
itemType: overview
url: /windows/whats-new/windows-licensing
- title: Windows 365 documentation
itemType: overview
url: /windows-365
- title: Explore all Windows trainings and learning paths for IT pros
itemType: learn
url: https://learn.microsoft.com/en-us/training/browse/?products=windows&roles=administrator
- title: Enroll Windows client devices in Microsoft Intune
itemType: how-to-guide
url: /mem/intune/fundamentals/deployment-guide-enrollment-windows
- title: Get started
linkLists:
- linkListType: tutorial
links:
- text: Deploy and manage Windows devices in a school
url: tutorial-school-deployment/index.md
- text: Prepare your tenant
url: tutorial-school-deployment/set-up-azure-ad.md
- text: Configure settings and applications with Microsoft Intune
url: tutorial-school-deployment/configure-devices-overview.md
- text: Manage devices with Microsoft Intune
url: tutorial-school-deployment/manage-overview.md
- text: Management functionalities for Surface devices
url: tutorial-school-deployment/manage-surface-devices.md
productDirectory:
title: Get started
items:
- title: Learn about Windows 11 SE
linkLists:
- linkListType: concept
links:
- text: What is Windows 11 SE?
url: windows-11-se-overview.md
- text: Windows 11 SE settings
url: windows-11-se-settings-list.md
- linkListType: whats-new
links:
- text: Configure federated sign-in
url: federated-sign-in.md
- text: Configure education themes
url: edu-themes.md
- text: Configure Stickers
url: edu-stickers.md
- linkListType: video
links:
- text: Deploy Windows 11 SE using Set up School PCs
url: https://www.youtube.com/watch?v=Ql2fbiOop7c
- title: Hardware security
imageSrc: /media/common/i_usb.svg
links:
- url: /windows/security/hardware-security/tpm/trusted-platform-module-overview
text: Trusted Platform Module
- url: /windows/security/hardware-security/pluton/microsoft-pluton-security-processor
text: Microsoft Pluton
- url: /windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows
text: Windows Defender System Guard
- url: /windows-hardware/design/device-experiences/oem-vbs
text: Virtualization-based security (VBS)
- url: /windows-hardware/design/device-experiences/oem-highly-secure-11
text: Secured-core PC
- url: /windows/security/hardware-security
text: Learn more about hardware security >
- title: Deploy devices with Set up School PCs
linkLists:
- linkListType: concept
links:
- text: What is Set up School PCs?
url: set-up-school-pcs-technical.md
- linkListType: how-to-guide
links:
- text: Use the Set up School PCs app
url: use-set-up-school-pcs-app.md
- linkListType: reference
links:
- text: Provisioning package settings
url: set-up-school-pcs-provisioning-package.md
- linkListType: video
links:
- text: Use the Set up School PCs App
url: https://www.youtube.com/watch?v=2ZLup_-PhkA
- title: OS security
imageSrc: /media/common/i_threat-protection.svg
links:
- url: /windows/security/operating-system-security
text: Trusted boot
- url: /windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center
text: Windows security settings
- url: /windows/security/operating-system-security/data-protection/bitlocker/
text: BitLocker
- url: /windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines
text: Windows security baselines
- url: /windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/
text: MMicrosoft Defender SmartScreen
- url: /windows/security/operating-system-security
text: Learn more about OS security >
- title: Configure devices
linkLists:
- linkListType: concept
links:
- text: Take tests and assessments in Windows
url: take-tests-in-windows.md
- text: Considerations for shared and guest devices
url: /windows/configuration/shared-devices-concepts?context=/education/context/context
- text: Change Windows editions
url: change-home-to-edu.md
- linkListType: how-to-guide
links:
- text: Configure Take a Test in kiosk mode
url: edu-take-a-test-kiosk-mode.md
- text: Configure Shared PC
url: /windows/configuration/set-up-shared-or-guest-pc?context=/education/context/context
- text: Get and deploy Minecraft Education
url: get-minecraft-for-education.md
- title: Identity protection
imageSrc: /media/common/i_identity-protection.svg
links:
- url: /windows/security/identity-protection/hello-for-business
text: Windows Hello for Business
- url: /windows/security/identity-protection/credential-guard
text: Credential Guard
- url: /windows-server/identity/laps/laps-overview
text: Windows LAPS (Local Administrator Password Solution)
- url: /windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection
text: Enhanced phishing protection with SmartScreen
- url: /education/windows/federated-sign-in
text: Federated sign-in (EDU)
- url: /windows/security/identity-protection
text: Learn more about identity protection >
- title: Application security
imageSrc: /media/common/i_queries.svg
links:
- url: /windows/security/application-security/application-control/windows-defender-application-control/
text: Windows Defender Application Control (WDAC)
- url: /windows/security/application-security/application-control/user-account-control
text: User Account Control (UAC)
- url: /windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules
text: Microsoft vulnerable driver blocklist
- url: /windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview
text: Microsoft Defender Application Guard (MDAG)
- url: /windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview
text: Windows Sandbox
- url: /windows/security/application-security
text: Learn more about application security >
- title: Security foundations
imageSrc: /media/common/i_build.svg
links:
- url: /windows/security/security-foundations/certification/fips-140-validation
text: FIPS 140-2 validation
- url: /windows/security/security-foundations/certification/windows-platform-common-criteria
text: Common Criteria Certifications
- url: /windows/security/security-foundations/msft-security-dev-lifecycle
text: Microsoft Security Development Lifecycle (SDL)
- url: https://www.microsoft.com/msrc/bounty-windows-insider-preview
text: Microsoft Windows Insider Preview bounty program
- url: https://www.microsoft.com/security/blog/2020/09/15/microsoft-onefuzz-framework-open-source-developer-tool-fix-bugs/
text: OneFuzz service
- url: /windows/security/security-foundations
text: Learn more about security foundations >
- title: Cloud security
imageSrc: /media/common/i_cloud-security.svg
links:
- url: /mem/intune/protect/security-baselines
text: Security baselines with Intune
- url: /windows/deployment/windows-autopatch
text: Windows Autopatch
- url: /windows/deployment/windows-autopilot
text: Windows Autopilot
- url: /universal-print
text: Universal Print
- url: /windows/client-management/mdm/remotewipe-csp
text: Remote wipe
- url: /windows/security/cloud-security
text: Learn more about cloud security >
additionalContent:
sections:
- title: More Windows resources
items:
- title: Windows Server
links:
- text: Windows Server documentation
url: /windows-server
- text: What's new in Windows Server 2022?
url: /windows-server/get-started/whats-new-in-windows-server-2022
- text: Windows Server blog
url: https://cloudblogs.microsoft.com/windowsserver/
- title: Windows product site and blogs
links:
- text: Find out how Windows enables your business to do more
url: https://www.microsoft.com/microsoft-365/windows
- text: Windows blogs
url: https://blogs.windows.com/
- text: Windows IT Pro blog
url: https://techcommunity.microsoft.com/t5/windows-it-pro-blog/bg-p/Windows10Blog
- text: Microsoft Intune blog
url: https://techcommunity.microsoft.com/t5/microsoft-intune-blog/bg-p/MicrosoftEndpointManagerBlog
- text: "Windows help & learning: end-user documentation"
url: https://support.microsoft.com/windows
- title: Participate in the community
links:
- text: Windows community
url: https://techcommunity.microsoft.com/t5/windows/ct-p/Windows10
- text: Microsoft Intune community
url: https://techcommunity.microsoft.com/t5/microsoft-intune/bd-p/Microsoft-Intune
- text: Microsoft Support community
url: https://answers.microsoft.com/windows/forum

11
education/windows/windows-11-se-overview.md
View File

@ -89,7 +89,7 @@ The following applications can also run on Windows 11 SE, and can be deployed us
| `Brave Browser` | 106.0.5249.119 | `Win32` | `Brave` |
| `Bulb Digital Portfolio` | 0.0.7.0 | `Store` | `Bulb` |
| `CA Secure Browser` | 14.0.0 | `Win32` | `Cambium Development` |
| `Cisco Umbrella` | 3.0.110.0 | `Win32` | `Cisco` |
| `Cisco Umbrella` | 3.0.343.0 | `Win32` | `Cisco` |
| `CKAuthenticator` | 3.6+ | `Win32` | `ContentKeeper` |
| `Class Policy` | 116.0.0 | `Win32` | `Class Policy` |
| `Classroom.cloud` | 1.40.0004 | `Win32` | `NetSupport` |
@ -107,7 +107,7 @@ The following applications can also run on Windows 11 SE, and can be deployed us
| `Easysense 2` | 1.32.0001 | `Win32` | `Data Harvest` |
| `Epson iProjection` | 3.31 | `Win32` | `Epson` |
| `eTests` | 4.0.25 | `Win32` | `CASAS` |
| `Exam Writepad` | 22.10.14.1834 | `Win32` | `Sheldnet` |
| `Exam Writepad` | 23.2.4.2338 | `Win32` | `Sheldnet` |
| `FirstVoices Keyboard` | 15.0.270 | `Win32` | `SIL International` |
| `FortiClient` | 7.2.0.4034+ | `Win32` | `Fortinet` |
| `Free NaturalReader` | 16.1.2 | `Win32` | `Natural Soft` |
@ -135,8 +135,9 @@ The following applications can also run on Windows 11 SE, and can be deployed us
| `Mobile Plans` | 5.1911.3171.0 | `Store` | `Microsoft Corporation` |
| `NAPLAN` | 5.2.2 | `Win32` | `NAP` |
| `Netref Student` | 23.1.0 | `Win32` | `NetRef` |
| `NetSupport Manager` | 12.01.0014 | `Win32` | `NetSupport` |
| `NetSupport Notify` | 5.10.1.215 | `Win32` | `NetSupport` |
| `NetSupport DNA` | 4.80.0000 | `Win32` | `NetSupport` |
| `NetSupport Manager` | 14.00.0012 | `Win32` | `NetSupport` |
| `NetSupport Notify` | 5.10.1.223 | `Win32` | `NetSupport` |
| `NetSupport School` | 14.00.0012 | `Win32` | `NetSupport` |
| `NextUp Talker` | 1.0.49 | `Win32` | `NextUp Technologies` |
| `NonVisual Desktop Access` | 2021.3.1 | `Win32` | `NV Access` |
@ -148,7 +149,7 @@ The following applications can also run on Windows 11 SE, and can be deployed us
| `Project Monarch Outlook` | 1.2022.2250001 | `Store` | `Microsoft` |
| `Questar Secure Browser` | 5.0.1.456 | `Win32` | `Questar, Inc` |
| `ReadAndWriteForWindows` | 12.0.74 | `Win32` | `Texthelp Ltd.` |
| `Remote Desktop client (MSRDC)` | 1.2.4066.0 | `Win32` | `Microsoft` |
| `Remote Desktop client (MSRDC)` | 1.2.4240.0 | `Win32` | `Microsoft` |
| `Remote Help` | 4.0.1.13 | `Win32` | `Microsoft` |
| `Respondus Lockdown Browser` | 2.0.9.03 | `Win32` | `Respondus` |
| `Safe Exam Browser` | 3.5.0.544 | `Win32` | `Safe Exam Browser` |

2
includes/configure/gpo-settings-1.md
View File

@ -6,4 +6,4 @@ ms.topic: include
ms.prod: windows-client
---
To configure devices using group policy, [create a group policy object (GPO)](/windows/security/operating-system-security/network-security/windows-firewall/create-a-group-policy-object) and use the settings located under
To configure devices using group policy, [create a group policy object (GPO)](/windows/security/operating-system-security/network-security/windows-firewall/create-a-group-policy-object) and use the following settings:

2
includes/configure/intune-settings-catalog-1.md
View File

@ -6,4 +6,4 @@ ms.topic: include
ms.prod: windows-client
---
To configure devices using Microsoft Intune, [create a *Settings catalog policy*](/mem/intune/configuration/settings-catalog) and use the following settings:
To configure devices using Microsoft Intune, [create a Settings catalog policy](/mem/intune/configuration/settings-catalog) and use the following settings:

13
includes/intune/intune-custom-settings-1.md
View File

@ -1,13 +0,0 @@
---
ms.date: 02/22/2022
ms.topic: include
---
To configure devices with Microsoft Intune, use a custom policy:
1. Go to the <a href="https://intune.microsoft.com" target="_blank"><b>Microsoft Intune admin center</b></a>
2. Select **Devices > Configuration profiles > Create profile**
3. Select **Platform > Windows 10 and later** and **Profile type > Templates > Custom**
4. Select **Create**
5. Specify a **Name** and, optionally, a **Description > Next**
6. Add the following settings:

9
includes/intune/intune-custom-settings-2.md
View File

@ -1,9 +0,0 @@
---
ms.date: 11/08/2022
ms.topic: include
---
7. Select **Next**
8. Assign the policy to a security group that contains as members the devices or users that you want to configure > **Next**
9. Under **Applicability Rules**, select **Next**
10. Review the policy configuration and select **Create**

6
includes/intune/intune-custom-settings-info.md
View File

@ -1,6 +0,0 @@
---
ms.date: 11/08/2022
ms.topic: include
---
For more information about how to create custom settings using Intune, see [Use custom settings for Windows devices in Intune](/mem/intune/configuration/custom-settings-windows-10).

4
includes/licensing/_edition-requirements.md
View File

@ -21,6 +21,7 @@ ms.topic: include
|**Bluetooth pairing and connection protection**|Yes|Yes|Yes|Yes|
|**[Common Criteria certifications](/windows/security/threat-protection/windows-platform-common-criteria)**|Yes|Yes|Yes|Yes|
|**[Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)**|Yes|Yes|Yes|Yes|
|**[Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard)**|❌|Yes|❌|Yes|
|**[Device health attestation service](/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices)**|Yes|Yes|Yes|Yes|
|**[Direct Access](/windows-server/remote/remote-access/directaccess/directaccess)**|❌|Yes|❌|Yes|
|**[Email Encryption (S/MIME)](/windows/security/identity-protection/configure-s-mime)**|Yes|Yes|Yes|Yes|
@ -53,6 +54,7 @@ ms.topic: include
|**[Personal data encryption (PDE)](/windows/security/information-protection/personal-data-encryption/overview-pde)**|❌|Yes|❌|Yes|
|**Privacy Resource Usage**|Yes|Yes|Yes|Yes|
|**Privacy Transparency and Controls**|Yes|Yes|Yes|Yes|
|**[Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)**|Yes|Yes|Yes|Yes|
|**[Remote wipe](/windows/client-management/mdm/remotewipe-csp)**|Yes|Yes|Yes|Yes|
|**[Secure Boot and Trusted Boot](/windows/security/trusted-boot)**|Yes|Yes|Yes|Yes|
|**[Secured-core configuration lock](/windows/client-management/config-lock)**|Yes|Yes|Yes|Yes|
@ -75,8 +77,6 @@ ms.topic: include
|**[Windows Autopatch](/windows/deployment/windows-autopatch/)**|❌|Yes|❌|Yes|
|**[Windows Autopilot](/windows/deployment/windows-autopilot)**|Yes|Yes|Yes|Yes|
|**[Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)**|Yes|Yes|Yes|Yes|
|**[Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard)**|❌|Yes|❌|Yes|
|**[Windows Defender Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)**|Yes|Yes|Yes|Yes|
|**[Windows Defender System Guard](/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows)**|Yes|Yes|Yes|Yes|
|**[Windows Firewall](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security)**|Yes|Yes|Yes|Yes|
|**[Windows Hello for Business](/windows/security/identity-protection/hello-for-business)**|Yes|Yes|Yes|Yes|

4
includes/licensing/_licensing-requirements.md
View File

@ -21,6 +21,7 @@ ms.topic: include
|**Bluetooth pairing and connection protection**|Yes|Yes|Yes|Yes|Yes|
|**[Common Criteria certifications](/windows/security/threat-protection/windows-platform-common-criteria)**|Yes|Yes|Yes|Yes|Yes|
|**[Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)**|Yes|Yes|Yes|Yes|Yes|
|**[Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard)**|❌|Yes|Yes|Yes|Yes|
|**[Device health attestation service](/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices)**|Yes|Yes|Yes|Yes|Yes|
|**[Direct Access](/windows-server/remote/remote-access/directaccess/directaccess)**|❌|Yes|Yes|Yes|Yes|
|**[Email Encryption (S/MIME)](/windows/security/identity-protection/configure-s-mime)**|Yes|Yes|Yes|Yes|Yes|
@ -53,6 +54,7 @@ ms.topic: include
|**[Personal data encryption (PDE)](/windows/security/information-protection/personal-data-encryption/overview-pde)**|❌|Yes|Yes|Yes|Yes|
|**Privacy Resource Usage**|Yes|Yes|Yes|Yes|Yes|
|**Privacy Transparency and Controls**|Yes|Yes|Yes|Yes|Yes|
|**[Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)**|Yes|Yes|Yes|Yes|Yes|
|**[Remote wipe](/windows/client-management/mdm/remotewipe-csp)**|Yes|Yes|Yes|Yes|Yes|
|**[Secure Boot and Trusted Boot](/windows/security/trusted-boot)**|Yes|Yes|Yes|Yes|Yes|
|**[Secured-core configuration lock](/windows/client-management/config-lock)**|Yes|Yes|Yes|Yes|Yes|
@ -75,8 +77,6 @@ ms.topic: include
|**[Windows Autopatch](/windows/deployment/windows-autopatch/)**|❌|Yes|Yes|❌|❌|
|**[Windows Autopilot](/windows/deployment/windows-autopilot)**|Yes|Yes|Yes|Yes|Yes|
|**[Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)**|Yes|Yes|Yes|Yes|Yes|
|**[Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard)**|❌|Yes|Yes|Yes|Yes|
|**[Windows Defender Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)**|Yes|Yes|Yes|Yes|Yes|
|**[Windows Defender System Guard](/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows)**|Yes|Yes|Yes|Yes|Yes|
|**[Windows Firewall](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security)**|Yes|Yes|Yes|Yes|Yes|
|**[Windows Hello for Business](/windows/security/identity-protection/hello-for-business)**|Yes|Yes|Yes|Yes|Yes|

4
includes/licensing/windows-defender-credential-guard.md → includes/licensing/credential-guard.md
View File

@ -7,13 +7,13 @@ ms.topic: include
## Windows edition and licensing requirements
The following table lists the Windows editions that support Windows Defender Credential Guard:
The following table lists the Windows editions that support Credential Guard:
|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
|:---:|:---:|:---:|:---:|
|No|Yes|No|Yes|
Windows Defender Credential Guard license entitlements are granted by the following licenses:
Credential Guard license entitlements are granted by the following licenses:
|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
|:---:|:---:|:---:|:---:|:---:|

4
includes/licensing/windows-defender-remote-credential-guard.md → includes/licensing/remote-credential-guard.md
View File

@ -7,13 +7,13 @@ ms.topic: include
## Windows edition and licensing requirements
The following table lists the Windows editions that support Windows Defender Remote Credential Guard:
The following table lists the Windows editions that support Remote Credential Guard:
|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
|:---:|:---:|:---:|:---:|
|Yes|Yes|Yes|Yes|
Windows Defender Remote Credential Guard license entitlements are granted by the following licenses:
Remote Credential Guard license entitlements are granted by the following licenses:
|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
|:---:|:---:|:---:|:---:|:---:|

315
windows/client-management/mdm/accountmanagement-csp.md
View File

@ -1,81 +1,304 @@
---
title: AccountManagement CSP
description: Learn about the AccountManagement CSP, which is used to configure settings in the Account Manager service.
description: Learn more about the AccountManagement CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.topic: reference
ms.date: 08/29/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.date: 03/23/2018
ms.reviewer:
manager: aaroncz
ms.topic: reference
---
<!-- Auto-Generated CSP Document -->
<!-- AccountManagement-Begin -->
# AccountManagement CSP
AccountManagement CSP is used to configure setting in the Account Manager service in Windows Holographic for Business edition. Added in Windows 10, version 1803.
<!-- AccountManagement-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
AccountManagement CSP is used to configure setting in the Account Manager service in Windows Holographic for Business edition.
> [!NOTE]
> The AccountManagement CSP is only supported in Windows Holographic for Business edition.
<!-- AccountManagement-Editable-End -->
The following syntax shows the AccountManagement configuration service provider in tree format.
<!-- AccountManagement-Tree-Begin -->
The following list shows the AccountManagement configuration service provider nodes:
```console
./Vendor/MSFT
AccountManagement
----UserProfileManagement
--------EnableProfileManager
--------DeletionPolicy
--------StorageCapacityStartDeletion
--------StorageCapacityStopDeletion
--------ProfileInactivityThreshold
- ./Device/Vendor/MSFT/AccountManagement
- [UserProfileManagement](#userprofilemanagement)
- [DeletionPolicy](#userprofilemanagementdeletionpolicy)
- [EnableProfileManager](#userprofilemanagementenableprofilemanager)
- [ProfileInactivityThreshold](#userprofilemanagementprofileinactivitythreshold)
- [StorageCapacityStartDeletion](#userprofilemanagementstoragecapacitystartdeletion)
- [StorageCapacityStopDeletion](#userprofilemanagementstoragecapacitystopdeletion)
<!-- AccountManagement-Tree-End -->
<!-- Device-UserProfileManagement-Begin -->
## UserProfileManagement
<!-- Device-UserProfileManagement-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> ❌ Windows SE <br> ❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 [10.0.19041] and later |
<!-- Device-UserProfileManagement-Applicability-End -->
<!-- Device-UserProfileManagement-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/AccountManagement/UserProfileManagement
```
<!-- Device-UserProfileManagement-OmaUri-End -->
<a href="" id="accountmanagement"></a>**./Vendor/MSFT/AccountManagement**
Root node for the AccountManagement configuration service provider.
<!-- Device-UserProfileManagement-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- Device-UserProfileManagement-Description-End -->
<a href="" id="accountmanagement-userprofilemanagemen-enableprofilemanager"></a>**UserProfileManagement**
Interior node.
<!-- Device-UserProfileManagement-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-UserProfileManagement-Editable-End -->
<a href="" id="accountmanagement-userprofilemanagement-deletionpolicy"></a>**UserProfileManagement/EnableProfileManager**
Enable profile lifetime management for shared or communal device scenarios. Default value is false.
<!-- Device-UserProfileManagement-DFProperties-Begin -->
**Description framework properties**:
Supported operations are Add, Get, Replace, and Delete.
| Property name | Property value |
|:--|:--|
| Format | `node` |
| Access Type | Get |
<!-- Device-UserProfileManagement-DFProperties-End -->
Value type is bool.
<!-- Device-UserProfileManagement-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-UserProfileManagement-Examples-End -->
<a href="" id="accountmanagement-userprofilemanagement-storagecapacitystartdeletion"></a>**UserProfileManagement/DeletionPolicy**
Configures when profiles will be deleted. Default value is 1.
<!-- Device-UserProfileManagement-End -->
Valid values:
<!-- Device-UserProfileManagement-DeletionPolicy-Begin -->
### UserProfileManagement/DeletionPolicy
- 0 - delete immediately when the device returns to a state with no currently active users
- 1 - delete at storage capacity threshold
- 2 - delete at both storage capacity threshold and profile inactivity threshold
<!-- Device-UserProfileManagement-DeletionPolicy-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> ❌ Windows SE <br> ❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 [10.0.19041] and later |
<!-- Device-UserProfileManagement-DeletionPolicy-Applicability-End -->
Supported operations are Add, Get, Replace, and Delete.
<!-- Device-UserProfileManagement-DeletionPolicy-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/AccountManagement/UserProfileManagement/DeletionPolicy
```
<!-- Device-UserProfileManagement-DeletionPolicy-OmaUri-End -->
Value type is integer.
<!-- Device-UserProfileManagement-DeletionPolicy-Description-Begin -->
<!-- Description-Source-DDF -->
Configures when profiles will be deleted. Allowed values: 0 (delete immediately upon device returning to a state with no currently active users); 1 (delete at storage capacity threshold); 2 (delete at both storage capacity threshold and profile inactivity threshold).
<!-- Device-UserProfileManagement-DeletionPolicy-Description-End -->
<a href="" id="accountmanagement-userprofilemanagement-storagecapacitystopdeletion"></a>**UserProfileManagement/StorageCapacityStartDeletion**
Start deleting profiles when available storage capacity falls below this threshold, given as percent of total storage available for profiles. Profiles that have been inactive the longest will be deleted first. Default value is 25.
<!-- Device-UserProfileManagement-DeletionPolicy-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-UserProfileManagement-DeletionPolicy-Editable-End -->
Supported operations are Add, Get, Replace, and Delete.
<!-- Device-UserProfileManagement-DeletionPolicy-DFProperties-Begin -->
**Description framework properties**:
Value type is integer.
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 1 |
<!-- Device-UserProfileManagement-DeletionPolicy-DFProperties-End -->
<a href="" id="accountmanagement-userprofilemanagement-storagecapacitystopdeletion"></a>**UserProfileManagement/StorageCapacityStopDeletion**
Stop deleting profiles when available storage capacity is brought up to this threshold, given as percent of total storage available for profiles. Default value is 50.
<!-- Device-UserProfileManagement-DeletionPolicy-AllowedValues-Begin -->
**Allowed values**:
Supported operations are Add, Get, Replace, and Delete.
| Value | Description |
|:--|:--|
| 0 | Delete immediately upon device returning to a state with no currently active users). |
| 1 (Default) | Delete at storage capacity threshold. |
| 2 | Delete at both storage capacity threshold and profile inactivity threshold. |
<!-- Device-UserProfileManagement-DeletionPolicy-AllowedValues-End -->
Value type is integer.
<!-- Device-UserProfileManagement-DeletionPolicy-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-UserProfileManagement-DeletionPolicy-Examples-End -->
<a href="" id="accountmanagement-userprofilemanagement-profileinactivitythreshold"></a>**UserProfileManagement/ProfileInactivityThreshold**
Start deleting profiles when they haven't been logged on during the specified period, given as number of days. Default value is 30.
<!-- Device-UserProfileManagement-DeletionPolicy-End -->
Supported operations are Add, Get, Replace, and Delete. Value type is integer.
<!-- Device-UserProfileManagement-EnableProfileManager-Begin -->
### UserProfileManagement/EnableProfileManager
## Related topics
<!-- Device-UserProfileManagement-EnableProfileManager-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> ❌ Windows SE <br> ❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 [10.0.19041] and later |
<!-- Device-UserProfileManagement-EnableProfileManager-Applicability-End -->
[Configuration service provider reference](index.yml)
<!-- Device-UserProfileManagement-EnableProfileManager-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/AccountManagement/UserProfileManagement/EnableProfileManager
```
<!-- Device-UserProfileManagement-EnableProfileManager-OmaUri-End -->
<!-- Device-UserProfileManagement-EnableProfileManager-Description-Begin -->
<!-- Description-Source-DDF -->
Enable profile lifetime mangement for shared or communal device scenarios.
<!-- Device-UserProfileManagement-EnableProfileManager-Description-End -->
<!-- Device-UserProfileManagement-EnableProfileManager-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-UserProfileManagement-EnableProfileManager-Editable-End -->
<!-- Device-UserProfileManagement-EnableProfileManager-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `bool` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | false |
<!-- Device-UserProfileManagement-EnableProfileManager-DFProperties-End -->
<!-- Device-UserProfileManagement-EnableProfileManager-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| false (Default) | False. |
| true | True. |
<!-- Device-UserProfileManagement-EnableProfileManager-AllowedValues-End -->
<!-- Device-UserProfileManagement-EnableProfileManager-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-UserProfileManagement-EnableProfileManager-Examples-End -->
<!-- Device-UserProfileManagement-EnableProfileManager-End -->
<!-- Device-UserProfileManagement-ProfileInactivityThreshold-Begin -->
### UserProfileManagement/ProfileInactivityThreshold
<!-- Device-UserProfileManagement-ProfileInactivityThreshold-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> ❌ Windows SE <br> ❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 [10.0.19041] and later |
<!-- Device-UserProfileManagement-ProfileInactivityThreshold-Applicability-End -->
<!-- Device-UserProfileManagement-ProfileInactivityThreshold-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/AccountManagement/UserProfileManagement/ProfileInactivityThreshold
```
<!-- Device-UserProfileManagement-ProfileInactivityThreshold-OmaUri-End -->
<!-- Device-UserProfileManagement-ProfileInactivityThreshold-Description-Begin -->
<!-- Description-Source-DDF -->
Start deleting profiles when they haven't been logged-on during the specified period, given as number of days.
<!-- Device-UserProfileManagement-ProfileInactivityThreshold-Description-End -->
<!-- Device-UserProfileManagement-ProfileInactivityThreshold-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-UserProfileManagement-ProfileInactivityThreshold-Editable-End -->
<!-- Device-UserProfileManagement-ProfileInactivityThreshold-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 30 |
<!-- Device-UserProfileManagement-ProfileInactivityThreshold-DFProperties-End -->
<!-- Device-UserProfileManagement-ProfileInactivityThreshold-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-UserProfileManagement-ProfileInactivityThreshold-Examples-End -->
<!-- Device-UserProfileManagement-ProfileInactivityThreshold-End -->
<!-- Device-UserProfileManagement-StorageCapacityStartDeletion-Begin -->
### UserProfileManagement/StorageCapacityStartDeletion
<!-- Device-UserProfileManagement-StorageCapacityStartDeletion-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> ❌ Windows SE <br> ❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 [10.0.19041] and later |
<!-- Device-UserProfileManagement-StorageCapacityStartDeletion-Applicability-End -->
<!-- Device-UserProfileManagement-StorageCapacityStartDeletion-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/AccountManagement/UserProfileManagement/StorageCapacityStartDeletion
```
<!-- Device-UserProfileManagement-StorageCapacityStartDeletion-OmaUri-End -->
<!-- Device-UserProfileManagement-StorageCapacityStartDeletion-Description-Begin -->
<!-- Description-Source-DDF -->
Start deleting profiles when available storage capacity falls below this threshold, given as percent of total storage available for profiles. Profiles that have been inactive the longest will be deleted first.
<!-- Device-UserProfileManagement-StorageCapacityStartDeletion-Description-End -->
<!-- Device-UserProfileManagement-StorageCapacityStartDeletion-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-UserProfileManagement-StorageCapacityStartDeletion-Editable-End -->
<!-- Device-UserProfileManagement-StorageCapacityStartDeletion-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 25 |
<!-- Device-UserProfileManagement-StorageCapacityStartDeletion-DFProperties-End -->
<!-- Device-UserProfileManagement-StorageCapacityStartDeletion-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-UserProfileManagement-StorageCapacityStartDeletion-Examples-End -->
<!-- Device-UserProfileManagement-StorageCapacityStartDeletion-End -->
<!-- Device-UserProfileManagement-StorageCapacityStopDeletion-Begin -->
### UserProfileManagement/StorageCapacityStopDeletion
<!-- Device-UserProfileManagement-StorageCapacityStopDeletion-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> ❌ Windows SE <br> ❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 [10.0.19041] and later |
<!-- Device-UserProfileManagement-StorageCapacityStopDeletion-Applicability-End -->
<!-- Device-UserProfileManagement-StorageCapacityStopDeletion-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/AccountManagement/UserProfileManagement/StorageCapacityStopDeletion
```
<!-- Device-UserProfileManagement-StorageCapacityStopDeletion-OmaUri-End -->
<!-- Device-UserProfileManagement-StorageCapacityStopDeletion-Description-Begin -->
<!-- Description-Source-DDF -->
Stop deleting profiles when available storage capacity is brought up to this threshold, given as percent of total storage available for profiles.
<!-- Device-UserProfileManagement-StorageCapacityStopDeletion-Description-End -->
<!-- Device-UserProfileManagement-StorageCapacityStopDeletion-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-UserProfileManagement-StorageCapacityStopDeletion-Editable-End -->
<!-- Device-UserProfileManagement-StorageCapacityStopDeletion-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 50 |
<!-- Device-UserProfileManagement-StorageCapacityStopDeletion-DFProperties-End -->
<!-- Device-UserProfileManagement-StorageCapacityStopDeletion-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-UserProfileManagement-StorageCapacityStopDeletion-Examples-End -->
<!-- Device-UserProfileManagement-StorageCapacityStopDeletion-End -->
<!-- AccountManagement-CspMoreInfo-Begin -->
<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
<!-- AccountManagement-CspMoreInfo-End -->
<!-- AccountManagement-End -->
## Related articles
[Configuration service provider reference](configuration-service-provider-reference.md)

369
windows/client-management/mdm/accountmanagement-ddf.md
View File

@ -1,203 +1,232 @@
---
title: AccountManagement DDF file
description: View the OMA DM device description framework (DDF) for the AccountManagement configuration service provider. This file is used to configure settings.
description: View the XML file containing the device description framework (DDF) for the AccountManagement configuration service provider.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.topic: reference
ms.date: 08/29/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.date: 03/23/2018
ms.reviewer:
manager: aaroncz
ms.topic: reference
---
<!-- Auto-Generated CSP Document -->
# AccountManagement DDF file
This topic shows the OMA DM device description framework (DDF) for the **AccountManagement** configuration service provider.
The XML below is for Windows 10, version 1803.
The following XML file contains the device description framework (DDF) for the AccountManagement configuration service provider.
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN" "http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
<VerDTD>1.2</VerDTD>
<MSFT:Diagnostics>
</MSFT:Diagnostics>
<Node>
<NodeName>AccountManagement</NodeName>
<Path>./Device/Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.19041</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.0</MSFT:CspVersion>
<MSFT:EditionAllowList>0x88;</MSFT:EditionAllowList>
</MSFT:Applicability>
</DFProperties>
<Node>
<NodeName>UserProfileManagement</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName />
</DFType>
</DFProperties>
<Node>
<NodeName>AccountManagement</NodeName>
<Path>./Device/Vendor/MSFT</Path>
<NodeName>EnableProfileManager</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>false</DefaultValue>
<Description>Enable profile lifetime mangement for shared or communal device scenarios.</Description>
<DFFormat>
<node />
<bool />
</DFFormat>
<Occurrence>
<One />
<ZeroOrOne />
</Occurrence>
<Scope>
<Permanent />
<Dynamic />
</Scope>
<DFTitle>Enable profile manager</DFTitle>
<DFType>
<MIME>com.microsoft/1.0/MDM/AccountManagement</MIME>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>false</MSFT:Value>
<MSFT:ValueDescription>False</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>True</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>DeletionPolicy</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>1</DefaultValue>
<Description>Configures when profiles will be deleted. Allowed values: 0 (delete immediately upon device returning to a state with no currently active users); 1 (delete at storage capacity threshold); 2 (delete at both storage capacity threshold and profile inactivity threshold).</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>Profile deletion policy</DFTitle>
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Delete immediately upon device returning to a state with no currently active users)</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Delete at storage capacity threshold</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>2</MSFT:Value>
<MSFT:ValueDescription>Delete at both storage capacity threshold and profile inactivity threshold</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>StorageCapacityStartDeletion</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>25</DefaultValue>
<Description>Start deleting profiles when available storage capacity falls below this threshold, given as percent of total storage available for profiles. Profiles that have been inactive the longest will be deleted first.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>Storage capacity threshold to start profile deletion</DFTitle>
<DFType>
<MIME />
</DFType>
</DFProperties>
<Node>
<NodeName>UserProfileManagement</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>EnableProfileManager</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
<Replace />
</AccessType>
<DefaultValue>false</DefaultValue>
<Description>Enable profile lifetime management for shared or communal device scenarios.</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>Enable profile manager</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>DeletionPolicy</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
<Replace />
</AccessType>
<DefaultValue>1</DefaultValue>
<Description>Configures when profiles will be deleted. Allowed values: 0 (delete immediately upon device returning to a state with no currently active users); 1 (delete at storage capacity threshold); 2 (delete at both storage capacity threshold and profile inactivity threshold).</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>Profile deletion policy</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>StorageCapacityStartDeletion</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
<Replace />
</AccessType>
<DefaultValue>25</DefaultValue>
<Description>Start deleting profiles when available storage capacity falls below this threshold, given as percent of total storage available for profiles. Profiles that have been inactive the longest will be deleted first.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>Storage capacity threshold to start profile deletion</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>StorageCapacityStopDeletion</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
<Replace />
</AccessType>
<DefaultValue>50</DefaultValue>
<Description>Stop deleting profiles when available storage capacity is brought up to this threshold, given as percent of total storage available for profiles.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>Storage capacity threshold to stop profile deletion</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>ProfileInactivityThreshold</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
<Replace />
</AccessType>
<DefaultValue>30</DefaultValue>
<Description>Start deleting profiles when they have not been logged on during the specified period, given as number of days.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>Profile inactive threshold</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
<Node>
<NodeName>StorageCapacityStopDeletion</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>50</DefaultValue>
<Description>Stop deleting profiles when available storage capacity is brought up to this threshold, given as percent of total storage available for profiles.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>Storage capacity threshold to stop profile deletion</DFTitle>
<DFType>
<MIME />
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>ProfileInactivityThreshold</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>30</DefaultValue>
<Description>Start deleting profiles when they have not been logged on during the specified period, given as number of days.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>Profile inactive threshold</DFTitle>
<DFType>
<MIME />
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</MgmtTree>
```
## Related topics
## Related articles
[AccountManagement configuration service provider](accountmanagement-csp.md)
[AccountManagement configuration service provider reference](accountmanagement-csp.md)

4
windows/client-management/mdm/bitlocker-csp.md
View File

@ -1406,7 +1406,9 @@ This value represents a bitmask with each bit and the corresponding error code d
| 13 |A TPM isn't available for BitLocker, either because it isn't present, it has been made unavailable in the Registry, or the OS is on a removable drive. |
| 14 |The TPM isn't ready for BitLocker.|
| 15 |The network isn't available, which is required for recovery key backup. |
| 16-31 |For future use.|
| 16 |The encryption type of the OS volume for full disk versus used space only encryption doesn't match the BitLocker policy.|
| 17 |The encryption type of the fixed drive for full disk versus used space only encryption doesn't match the BitLocker policy.|
| 18-31 |For future use.|
<!-- Device-Status-DeviceEncryptionStatus-Editable-End -->
<!-- Device-Status-DeviceEncryptionStatus-DFProperties-Begin -->

6
windows/client-management/mdm/clouddesktop-ddf-file.md
View File

@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 07/25/2023
ms.date: 08/29/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -47,7 +47,7 @@ The following XML file contains the device description framework (DDF) for the C
<MSFT:Applicability>
<MSFT:OsBuildVersion>22631.2050</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.0</MSFT:CspVersion>
<MSFT:EditionAllowList>0x4;0x30;0x31;0x7E;0x87;0x88;0x88*;0xA1;0xA2;0xA4;0xA5;0xB4;0xBC;0xBD;0xBF;</MSFT:EditionAllowList>
<MSFT:EditionAllowList>0x4;0x30;0x31;0x7E;0x88;0xA1;0xA2;0xA4;0xA5;0xBC;0xBF;0xCD;</MSFT:EditionAllowList>
</MSFT:Applicability>
</DFProperties>
<Node>
@ -60,7 +60,7 @@ The following XML file contains the device description framework (DDF) for the C
<Replace />
</AccessType>
<DefaultValue>false</DefaultValue>
<Description>Setting this node to "true" configures boot to cloud for Shared PC mode. Boot to cloud mode enables users to seamlessly sign-in to a Cloud PC. Shared PC mode allows multiple users to sign-in on the device and use for shared purpose. For enabling boot to cloud shared pc feature, Cloud Provider application must be installed on the PC and the user must have a Cloud PC provisioned.</Description>
<Description>Setting this node to "true" configures boot to cloud for Shared PC mode. Boot to cloud mode enables users to seamlessly sign-in to a Cloud PC. Shared PC mode allows multiple users to sign-in on the device and use for shared purpose. For enabling Boot to Cloud Shared PC feature, Cloud Provider application must be installed on the PC and the user must have a Cloud PC provisioned.</Description>
<DFFormat>
<bool />
</DFFormat>

79
windows/client-management/mdm/defender-csp.md
View File

@ -4,7 +4,7 @@ description: Learn more about the Defender CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 08/10/2023
ms.date: 08/29/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -57,6 +57,7 @@ The following list shows the Defender configuration service provider nodes:
- [DisableInboundConnectionFiltering](#configurationdisableinboundconnectionfiltering)
- [DisableLocalAdminMerge](#configurationdisablelocaladminmerge)
- [DisableNetworkProtectionPerfTelemetry](#configurationdisablenetworkprotectionperftelemetry)
- [DisableQuicParsing](#configurationdisablequicparsing)
- [DisableRdpParsing](#configurationdisablerdpparsing)
- [DisableSmtpParsing](#configurationdisablesmtpparsing)
- [DisableSshParsing](#configurationdisablesshparsing)
@ -492,7 +493,7 @@ Define the retention period in days of how much time the evidence data will be k
<!-- Device-Configuration-DataDuplicationMaximumQuota-Description-Begin -->
<!-- Description-Source-DDF -->
Defines the maximum data duplication quota in MB that can be collected. When the quota is reached the filter will stop duplicating any data until the service manages to dispatch the existing collected data, thus decreasing the quota again below the maximum.
Defines the maximum data duplication quota in MB that can be collected. When the quota is reached the filter will stop duplicating any data until the service manages to dispatch the existing collected data, thus decreasing the quota again below the maximum. The valid interval is [5-5000] MB. By default, the maximum quota will be 500 MB.
<!-- Device-Configuration-DataDuplicationMaximumQuota-Description-End -->
<!-- Device-Configuration-DataDuplicationMaximumQuota-Editable-Begin -->
@ -504,8 +505,10 @@ Defines the maximum data duplication quota in MB that can be collected. When the
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[5-5000]` |
| Default Value | 500 |
<!-- Device-Configuration-DataDuplicationMaximumQuota-DFProperties-End -->
<!-- Device-Configuration-DataDuplicationMaximumQuota-Examples-Begin -->
@ -570,7 +573,7 @@ Define data duplication remote location for device control.
<!-- Device-Configuration-DaysUntilAggressiveCatchupQuickScan-Description-Begin -->
<!-- Description-Source-DDF -->
Configure how many days can pass before an aggressive quick scan is triggered. The valid interval is [7-60] days. If set to 0, aggressive quick scans will be disabled. By default, the value is set to 25 days.
Configure how many days can pass before an aggressive quick scan is triggered. The valid interval is [7-60] days. If not configured, aggressive quick scans will be disabled. By default, the value is set to 25 days when enabled.
<!-- Device-Configuration-DaysUntilAggressiveCatchupQuickScan-Description-End -->
<!-- Device-Configuration-DaysUntilAggressiveCatchupQuickScan-Editable-Begin -->
@ -584,7 +587,7 @@ Configure how many days can pass before an aggressive quick scan is triggered. T
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[0,7-60]` |
| Allowed Values | Range: `[7-60]` |
| Default Value | 25 |
<!-- Device-Configuration-DaysUntilAggressiveCatchupQuickScan-DFProperties-End -->
@ -989,10 +992,20 @@ Defines whether the cache maintenance idle task will perform the cache maintenan
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- Device-Configuration-DisableCacheMaintenance-DFProperties-End -->
<!-- Device-Configuration-DisableCacheMaintenance-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 1 | Cache maintenance is disabled. |
| 0 (Default) | Cache maintenance is enabled (default). |
<!-- Device-Configuration-DisableCacheMaintenance-AllowedValues-End -->
<!-- Device-Configuration-DisableCacheMaintenance-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Configuration-DisableCacheMaintenance-Examples-End -->
@ -1489,6 +1502,55 @@ This setting disables the gathering and send of performance telemetry from Netwo
<!-- Device-Configuration-DisableNetworkProtectionPerfTelemetry-End -->
<!-- Device-Configuration-DisableQuicParsing-Begin -->
### Configuration/DisableQuicParsing
<!-- Device-Configuration-DisableQuicParsing-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
<!-- Device-Configuration-DisableQuicParsing-Applicability-End -->
<!-- Device-Configuration-DisableQuicParsing-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Defender/Configuration/DisableQuicParsing
```
<!-- Device-Configuration-DisableQuicParsing-OmaUri-End -->
<!-- Device-Configuration-DisableQuicParsing-Description-Begin -->
<!-- Description-Source-DDF -->
This setting disables QUIC Parsing for Network Protection.
<!-- Device-Configuration-DisableQuicParsing-Description-End -->
<!-- Device-Configuration-DisableQuicParsing-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Configuration-DisableQuicParsing-Editable-End -->
<!-- Device-Configuration-DisableQuicParsing-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- Device-Configuration-DisableQuicParsing-DFProperties-End -->
<!-- Device-Configuration-DisableQuicParsing-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 1 | QUIC parsing is disabled. |
| 0 (Default) | QUIC parsing is enabled. |
<!-- Device-Configuration-DisableQuicParsing-AllowedValues-End -->
<!-- Device-Configuration-DisableQuicParsing-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Configuration-DisableQuicParsing-Examples-End -->
<!-- Device-Configuration-DisableQuicParsing-End -->
<!-- Device-Configuration-DisableRdpParsing-Begin -->
### Configuration/DisableRdpParsing
@ -1916,6 +1978,7 @@ Allows an administrator to explicitly disable network packet inspection made by
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | List (Delimiter: `|`) |
<!-- Device-Configuration-ExcludedIpAddresses-DFProperties-End -->
<!-- Device-Configuration-ExcludedIpAddresses-Examples-Begin -->
@ -2203,7 +2266,7 @@ Setting to control automatic remediation for Sense scans.
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
| Default Value | 0x0 |
<!-- Device-Configuration-PassiveRemediation-DFProperties-End -->
<!-- Device-Configuration-PassiveRemediation-AllowedValues-Begin -->
@ -2211,6 +2274,7 @@ Setting to control automatic remediation for Sense scans.
| Flag | Description |
|:--|:--|
| 0x0 (Default) | Passive Remediation is turned off (default). |
| 0x1 | PASSIVE_REMEDIATION_FLAG_SENSE_AUTO_REMEDIATION: Passive Remediation Sense AutoRemediation. |
| 0x2 | PASSIVE_REMEDIATION_FLAG_RTP_AUDIT: Passive Remediation Realtime Protection Audit. |
| 0x4 | PASSIVE_REMEDIATION_FLAG_RTP_REMEDIATION: Passive Remediation Realtime Protection Remediation. |
@ -2494,6 +2558,7 @@ Defines what are the devices primary ids that should be secured by Defender Devi
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | List (Delimiter: `|`) |
<!-- Device-Configuration-SecuredDevicesConfiguration-DFProperties-End -->
<!-- Device-Configuration-SecuredDevicesConfiguration-Examples-Begin -->

74
windows/client-management/mdm/defender-ddf.md
View File

@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 08/02/2023
ms.date: 08/29/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -1060,6 +1060,7 @@ The following XML file contains the device description framework (DDF) for the D
<MSFT:CspVersion>1.3</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="None">
<MSFT:List Delimiter="|" />
</MSFT:AllowedValues>
</DFProperties>
</Node>
@ -2194,7 +2195,7 @@ The following XML file contains the device description framework (DDF) for the D
<Replace />
</AccessType>
<DefaultValue>25</DefaultValue>
<Description>Configure how many days can pass before an aggressive quick scan is triggered. The valid interval is [7-60] days. If set to 0, aggressive quick scans will be disabled. By default, the value is set to 25 days.</Description>
<Description>Configure how many days can pass before an aggressive quick scan is triggered. The valid interval is [7-60] days. If not configured, aggressive quick scans will be disabled. By default, the value is set to 25 days when enabled.</Description>
<DFFormat>
<int />
</DFFormat>
@ -2212,7 +2213,7 @@ The following XML file contains the device description framework (DDF) for the D
<MSFT:CspVersion>1.3</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="Range">
<MSFT:Value>[0,7-60]</MSFT:Value>
<MSFT:Value>[7-60]</MSFT:Value>
</MSFT:AllowedValues>
</DFProperties>
</Node>
@ -2333,6 +2334,7 @@ The following XML file contains the device description framework (DDF) for the D
<MSFT:CspVersion>1.3</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="None">
<MSFT:List Delimiter="|" />
</MSFT:AllowedValues>
</DFProperties>
</Node>
@ -2345,9 +2347,10 @@ The following XML file contains the device description framework (DDF) for the D
<Get />
<Replace />
</AccessType>
<Description>Defines the maximum data duplication quota in MB that can be collected. When the quota is reached the filter will stop duplicating any data until the service manages to dispatch the existing collected data, thus decreasing the quota again below the maximum.</Description>
<DefaultValue>500</DefaultValue>
<Description>Defines the maximum data duplication quota in MB that can be collected. When the quota is reached the filter will stop duplicating any data until the service manages to dispatch the existing collected data, thus decreasing the quota again below the maximum. The valid interval is [5-5000] MB. By default, the maximum quota will be 500 MB.</Description>
<DFFormat>
<chr />
<int />
</DFFormat>
<Occurrence>
<One />
@ -2362,7 +2365,8 @@ The following XML file contains the device description framework (DDF) for the D
<MSFT:OsBuildVersion>10.0.17763</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.3</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="None">
<MSFT:AllowedValues ValueType="Range">
<MSFT:Value>[5-5000]</MSFT:Value>
</MSFT:AllowedValues>
</DFProperties>
</Node>
@ -2487,7 +2491,7 @@ The following XML file contains the device description framework (DDF) for the D
<Get />
<Replace />
</AccessType>
<DefaultValue>0</DefaultValue>
<DefaultValue>0x0</DefaultValue>
<Description>Setting to control automatic remediation for Sense scans.</Description>
<DFFormat>
<int />
@ -2506,6 +2510,10 @@ The following XML file contains the device description framework (DDF) for the D
<MSFT:CspVersion>1.3</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="Flag">
<MSFT:Enum>
<MSFT:Value>0x0</MSFT:Value>
<MSFT:ValueDescription>Passive Remediation is turned off (default)</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>0x1</MSFT:Value>
<MSFT:ValueDescription>PASSIVE_REMEDIATION_FLAG_SENSE_AUTO_REMEDIATION: Passive Remediation Sense AutoRemediation</MSFT:ValueDescription>
@ -2603,6 +2611,45 @@ The following XML file contains the device description framework (DDF) for the D
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>DisableQuicParsing</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description>This setting disables QUIC Parsing for Network Protection.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.14393</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.3</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>QUIC parsing is disabled</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>QUIC parsing is enabled</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>AllowSwitchToAsyncInspection</NodeName>
<DFProperties>
@ -2729,9 +2776,10 @@ The following XML file contains the device description framework (DDF) for the D
<Get />
<Replace />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description>Defines whether the cache maintenance idle task will perform the cache maintenance or not.</Description>
<DFFormat>
<chr />
<int />
</DFFormat>
<Occurrence>
<One />
@ -2746,7 +2794,15 @@ The following XML file contains the device description framework (DDF) for the D
<MSFT:OsBuildVersion>10.0.17763</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.3</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="None">
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Cache maintenance is disabled</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Cache maintenance is enabled (default)</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
</Node>

38
windows/client-management/mdm/euiccs-csp.md
View File

@ -4,7 +4,7 @@ description: Learn more about the eUICCs CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 08/10/2023
ms.date: 08/29/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -108,7 +108,7 @@ Represents information associated with an eUICC. There is one subtree for each k
<!-- Device-{eUICC}-Actions-Description-Begin -->
<!-- Description-Source-DDF -->
Actions that can be performed on the eUICC as a whole (when it's active).
Actions that can be performed on the eUICC as a whole.
<!-- Device-{eUICC}-Actions-Description-End -->
<!-- Device-{eUICC}-Actions-Editable-Begin -->
@ -147,7 +147,7 @@ Actions that can be performed on the eUICC as a whole (when it's active).
<!-- Device-{eUICC}-Actions-ResetToFactoryState-Description-Begin -->
<!-- Description-Source-DDF -->
An EXECUTE on this node triggers the LPA to perform an eUICC Memory Reset.
This triggers an eUICC Memory Reset, which erases all the eSIM profiles in the eUICC.
<!-- Device-{eUICC}-Actions-ResetToFactoryState-Description-End -->
<!-- Device-{eUICC}-Actions-ResetToFactoryState-Editable-Begin -->
@ -226,7 +226,7 @@ Status of most recent operation, as an HRESULT. S_OK indicates success, S_FALSE
<!-- Device-{eUICC}-DownloadServers-Description-Begin -->
<!-- Description-Source-DDF -->
Represents default SM-DP+ discovery requests.
Represents servers used for bulk provisioning and eSIM discovery.
<!-- Device-{eUICC}-DownloadServers-Description-End -->
<!-- Device-{eUICC}-DownloadServers-Editable-Begin -->
@ -265,7 +265,7 @@ Represents default SM-DP+ discovery requests.
<!-- Device-{eUICC}-DownloadServers-{ServerName}-Description-Begin -->
<!-- Description-Source-DDF -->
Node representing the discovery operation for a server name. The node name is the fully qualified domain name of the SM-DP+ server that will be used for profile discovery. Creation of this subtree triggers a discovery request.
Node representing a bulk download/discovery server. The node name is the fully qualified domain name of the server that will be used. Creation of this subtree triggers a discovery request.
<!-- Device-{eUICC}-DownloadServers-{ServerName}-Description-End -->
<!-- Device-{eUICC}-DownloadServers-{ServerName}-Editable-Begin -->
@ -353,7 +353,7 @@ Indicates whether the discovered profile must be enabled automatically after ins
<!-- Device-{eUICC}-DownloadServers-{ServerName}-DiscoveryState-Description-Begin -->
<!-- Description-Source-DDF -->
Current state of the discovery operation for the parent ServerName (Requested = 1, Executing = 2, Completed = 3, Failed = 4). Queried by the CSP and only updated by the LPA.
Current state of the discovery operation for this server (Requested = 1, Executing = 2, Completed = 3, Failed = 4).
<!-- Device-{eUICC}-DownloadServers-{ServerName}-DiscoveryState-Description-End -->
<!-- Device-{eUICC}-DownloadServers-{ServerName}-DiscoveryState-Editable-Begin -->
@ -393,7 +393,7 @@ Current state of the discovery operation for the parent ServerName (Requested =
<!-- Device-{eUICC}-DownloadServers-{ServerName}-IsDiscoveryServer-Description-Begin -->
<!-- Description-Source-DDF -->
Indicates whether the server is a discovery server. Optional, default value is false.
Indicates whether the server is a discovery server or if it's used for bulk download. A discovery server is used every time a user requests a profile discovery operation. Optional, default value is false.
<!-- Device-{eUICC}-DownloadServers-{ServerName}-IsDiscoveryServer-Description-End -->
<!-- Device-{eUICC}-DownloadServers-{ServerName}-IsDiscoveryServer-Editable-Begin -->
@ -442,7 +442,7 @@ Indicates whether the server is a discovery server. Optional, default value is f
<!-- Device-{eUICC}-Identifier-Description-Begin -->
<!-- Description-Source-DDF -->
The EID.
The unique eUICC identifier (EID).
<!-- Device-{eUICC}-Identifier-Description-End -->
<!-- Device-{eUICC}-Identifier-Editable-Begin -->
@ -560,7 +560,7 @@ Device policies associated with the eUICC as a whole (not per-profile).
<!-- Device-{eUICC}-Policies-LocalUIEnabled-Description-Begin -->
<!-- Description-Source-DDF -->
Determines whether the local user interface of the LUI is available (true if available, false otherwise). Initially populated by the LPA when the eUICC tree is created, can be queried and changed by the MDM server.
Determines whether or not the user can make changes to the eSIM through the user interface.
<!-- Device-{eUICC}-Policies-LocalUIEnabled-Description-End -->
<!-- Device-{eUICC}-Policies-LocalUIEnabled-Editable-Begin -->
@ -609,7 +609,7 @@ Determines whether the local user interface of the LUI is available (true if ava
<!-- Device-{eUICC}-PPR1Allowed-Description-Begin -->
<!-- Description-Source-DDF -->
Indicates whether the download of a profile with PPR1 is allowed. If the eUICC has already a profile (regardless of its origin and policy rules associated with it), then the download of a profile with PPR1 isn't allowed.
Indicates whether the download of a profile with Profile Policy Rule 1 (PPR1) is allowed. If the eUICC has already a profile (regardless of its origin and policy rules associated with it), then the download of a profile with PPR1 isn't allowed.
<!-- Device-{eUICC}-PPR1Allowed-Description-End -->
<!-- Device-{eUICC}-PPR1Allowed-Editable-Begin -->
@ -648,7 +648,7 @@ Indicates whether the download of a profile with PPR1 is allowed. If the eUICC h
<!-- Device-{eUICC}-PPR1AlreadySet-Description-Begin -->
<!-- Description-Source-DDF -->
Indicates whether the eUICC has already a profile with PPR1.
Indicates whether the eUICC has already a profile with Profile Policy Rule 1 (PPR1).
<!-- Device-{eUICC}-PPR1AlreadySet-Description-End -->
<!-- Device-{eUICC}-PPR1AlreadySet-Editable-Begin -->
@ -687,7 +687,7 @@ Indicates whether the eUICC has already a profile with PPR1.
<!-- Device-{eUICC}-Profiles-Description-Begin -->
<!-- Description-Source-DDF -->
Represents all enterprise-owned profiles.
Represents all enterprise-owned eSIM profiles.
<!-- Device-{eUICC}-Profiles-Description-End -->
<!-- Device-{eUICC}-Profiles-Editable-Begin -->
@ -726,7 +726,7 @@ Represents all enterprise-owned profiles.
<!-- Device-{eUICC}-Profiles-{ICCID}-Description-Begin -->
<!-- Description-Source-DDF -->
Node representing an enterprise-owned eUICC profile. The node name is the ICCID of the profile (which is a unique identifier). Creation of this subtree triggers an AddProfile request by the LPA (which installs the profile on the eUICC). Removal of this subtree triggers the LPA to delete the profile (if resident on the eUICC).
Node representing an enterprise-owned eSIM profile. The node name is the ICCID of the profile (which is a unique identifier). Creation of this subtree triggers an AddProfile request by the LPA (which installs the profile on the eUICC). Removal of this subtree triggers the LPA to delete the profile (if resident on the eUICC).
<!-- Device-{eUICC}-Profiles-{ICCID}-Description-End -->
<!-- Device-{eUICC}-Profiles-{ICCID}-Editable-Begin -->
@ -806,7 +806,7 @@ Detailed error if the profile download and install procedure failed (None = 0, C
<!-- Device-{eUICC}-Profiles-{ICCID}-IsEnabled-Description-Begin -->
<!-- Description-Source-DDF -->
Indicates whether this profile is enabled. Can be set by the MDM when the ICCID subtree is created. Can also be queried and updated by the CSP.
Indicates whether this eSIM profile is enabled. Can be set by both the MDM and the CSP.
<!-- Device-{eUICC}-Profiles-{ICCID}-IsEnabled-Description-End -->
<!-- Device-{eUICC}-Profiles-{ICCID}-IsEnabled-Editable-Begin -->
@ -854,7 +854,7 @@ Indicates whether this profile is enabled. Can be set by the MDM when the ICCID
<!-- Device-{eUICC}-Profiles-{ICCID}-MatchingID-Description-Begin -->
<!-- Description-Source-DDF -->
Matching ID (activation code token) for profile download. Must be set by the MDM when the ICCID subtree is created.
Matching ID (activation code token) for eSIM profile download. Must be set by the MDM when the ICCID subtree is created.
<!-- Device-{eUICC}-Profiles-{ICCID}-MatchingID-Description-End -->
<!-- Device-{eUICC}-Profiles-{ICCID}-MatchingID-Editable-Begin -->
@ -894,7 +894,7 @@ Matching ID (activation code token) for profile download. Must be set by the MDM
<!-- Device-{eUICC}-Profiles-{ICCID}-PPR1Set-Description-Begin -->
<!-- Description-Source-DDF -->
This profile policy rule indicates whether disabling of this profile isn't allowed (true if not allowed, false otherwise).
Profile Policy Rule 1 (PPR1) indicates whether disabling of this profile isn't allowed (true if not allowed, false otherwise).
<!-- Device-{eUICC}-Profiles-{ICCID}-PPR1Set-Description-End -->
<!-- Device-{eUICC}-Profiles-{ICCID}-PPR1Set-Editable-Begin -->
@ -933,7 +933,7 @@ This profile policy rule indicates whether disabling of this profile isn't allow
<!-- Device-{eUICC}-Profiles-{ICCID}-PPR2Set-Description-Begin -->
<!-- Description-Source-DDF -->
This profile policy rule indicates whether deletion of this profile isn't allowed (true if not allowed, false otherwise).
Profile Policy Rule 2 (PPR2) indicates whether deletion of this profile isn't allowed (true if not allowed, false otherwise).
<!-- Device-{eUICC}-Profiles-{ICCID}-PPR2Set-Description-End -->
<!-- Device-{eUICC}-Profiles-{ICCID}-PPR2Set-Editable-Begin -->
@ -972,7 +972,7 @@ This profile policy rule indicates whether deletion of this profile isn't allowe
<!-- Device-{eUICC}-Profiles-{ICCID}-ServerName-Description-Begin -->
<!-- Description-Source-DDF -->
Fully qualified domain name of the SM-DP+ that can download this profile. Must be set by the MDM when the ICCID subtree is created.
Fully qualified domain name of the server that can download this eSIM profile. Must be set by the MDM when the ICCID subtree is created.
<!-- Device-{eUICC}-Profiles-{ICCID}-ServerName-Description-End -->
<!-- Device-{eUICC}-Profiles-{ICCID}-ServerName-Editable-Begin -->
@ -1011,7 +1011,7 @@ Fully qualified domain name of the SM-DP+ that can download this profile. Must b
<!-- Device-{eUICC}-Profiles-{ICCID}-State-Description-Begin -->
<!-- Description-Source-DDF -->
Current state of the profile (Installing = 1, Installed = 2, Deleting = 3, Error = 4). Queried by the CSP and only updated by the LPA.
Current state of the eSIM profile (Installing = 1, Installed = 2, Deleting = 3, Error = 4).
<!-- Device-{eUICC}-Profiles-{ICCID}-State-Description-End -->
<!-- Device-{eUICC}-Profiles-{ICCID}-State-Editable-Begin -->

38
windows/client-management/mdm/euiccs-ddf-file.md
View File

@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 06/02/2023
ms.date: 08/29/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -84,7 +84,7 @@ The following XML file contains the device description framework (DDF) for the e
<AccessType>
<Get />
</AccessType>
<Description>The EID.</Description>
<Description>The unique eUICC identifier (EID).</Description>
<DFFormat>
<chr />
</DFFormat>
@ -129,7 +129,7 @@ The following XML file contains the device description framework (DDF) for the e
<AccessType>
<Get />
</AccessType>
<Description>Indicates whether the download of a profile with PPR1 is allowed. If the eUICC has already a profile (regardless of its origin and policy rules associated with it), then the download of a profile with PPR1 is not allowed.</Description>
<Description>Indicates whether the download of a profile with Profile Policy Rule 1 (PPR1) is allowed. If the eUICC has already a profile (regardless of its origin and policy rules associated with it), then the download of a profile with PPR1 is not allowed.</Description>
<DFFormat>
<bool />
</DFFormat>
@ -150,7 +150,7 @@ The following XML file contains the device description framework (DDF) for the e
<AccessType>
<Get />
</AccessType>
<Description>Indicates whether the eUICC has already a profile with PPR1.</Description>
<Description>Indicates whether the eUICC has already a profile with Profile Policy Rule 1 (PPR1).</Description>
<DFFormat>
<bool />
</DFFormat>
@ -171,7 +171,7 @@ The following XML file contains the device description framework (DDF) for the e
<AccessType>
<Get />
</AccessType>
<Description>Represents default SM-DP+ discovery requests.</Description>
<Description>Represents servers used for bulk provisioning and eSIM discovery.</Description>
<DFFormat>
<node />
</DFFormat>
@ -199,7 +199,7 @@ The following XML file contains the device description framework (DDF) for the e
<Get />
<Replace />
</AccessType>
<Description>Node representing the discovery operation for a server name. The node name is the fully qualified domain name of the SM-DP+ server that will be used for profile discovery. Creation of this subtree triggers a discovery request.</Description>
<Description>Node representing a bulk download/discovery server. The node name is the fully qualified domain name of the server that will be used. Creation of this subtree triggers a discovery request.</Description>
<DFFormat>
<node />
</DFFormat>
@ -224,7 +224,7 @@ The following XML file contains the device description framework (DDF) for the e
<Get />
</AccessType>
<DefaultValue>1</DefaultValue>
<Description>Current state of the discovery operation for the parent ServerName (Requested = 1, Executing = 2, Completed = 3, Failed = 4). Queried by the CSP and only updated by the LPA.</Description>
<Description>Current state of the discovery operation for this server (Requested = 1, Executing = 2, Completed = 3, Failed = 4).</Description>
<DFFormat>
<int />
</DFFormat>
@ -281,7 +281,7 @@ The following XML file contains the device description framework (DDF) for the e
<Replace />
</AccessType>
<DefaultValue>false</DefaultValue>
<Description>Indicates whether the server is a discovery server. Optional, default value is false.</Description>
<Description>Indicates whether the server is a discovery server or if it is used for bulk download. A discovery server is used every time a user requests a profile discovery operation. Optional, default value is false.</Description>
<DFFormat>
<bool />
</DFFormat>
@ -318,7 +318,7 @@ The following XML file contains the device description framework (DDF) for the e
<AccessType>
<Get />
</AccessType>
<Description>Represents all enterprise-owned profiles.</Description>
<Description>Represents all enterprise-owned eSIM profiles.</Description>
<DFFormat>
<node />
</DFFormat>
@ -342,7 +342,7 @@ The following XML file contains the device description framework (DDF) for the e
<Get />
<Replace />
</AccessType>
<Description>Node representing an enterprise-owned eUICC profile. The node name is the ICCID of the profile (which is a unique identifier). Creation of this subtree triggers an AddProfile request by the LPA (which installs the profile on the eUICC). Removal of this subtree triggers the LPA to delete the profile (if resident on the eUICC).</Description>
<Description>Node representing an enterprise-owned eSIM profile. The node name is the ICCID of the profile (which is a unique identifier). Creation of this subtree triggers an AddProfile request by the LPA (which installs the profile on the eUICC). Removal of this subtree triggers the LPA to delete the profile (if resident on the eUICC).</Description>
<DFFormat>
<node />
</DFFormat>
@ -368,7 +368,7 @@ The following XML file contains the device description framework (DDF) for the e
<Get />
<Replace />
</AccessType>
<Description>Fully qualified domain name of the SM-DP+ that can download this profile. Must be set by the MDM when the ICCID subtree is created.</Description>
<Description>Fully qualified domain name of the server that can download this eSIM profile. Must be set by the MDM when the ICCID subtree is created.</Description>
<DFFormat>
<chr />
</DFFormat>
@ -396,7 +396,7 @@ The following XML file contains the device description framework (DDF) for the e
<Get />
<Replace />
</AccessType>
<Description>Matching ID (activation code token) for profile download. Must be set by the MDM when the ICCID subtree is created.</Description>
<Description>Matching ID (activation code token) for eSIM profile download. Must be set by the MDM when the ICCID subtree is created.</Description>
<DFFormat>
<chr />
</DFFormat>
@ -424,7 +424,7 @@ The following XML file contains the device description framework (DDF) for the e
<Get />
</AccessType>
<DefaultValue>1</DefaultValue>
<Description>Current state of the profile (Installing = 1, Installed = 2, Deleting = 3, Error = 4). Queried by the CSP and only updated by the LPA.</Description>
<Description>Current state of the eSIM profile (Installing = 1, Installed = 2, Deleting = 3, Error = 4).</Description>
<DFFormat>
<int />
</DFFormat>
@ -447,7 +447,7 @@ The following XML file contains the device description framework (DDF) for the e
<Get />
<Replace />
</AccessType>
<Description>Indicates whether this profile is enabled. Can be set by the MDM when the ICCID subtree is created. Can also be queried and updated by the CSP.</Description>
<Description>Indicates whether this eSIM profile is enabled. Can be set by both the MDM and the CSP.</Description>
<DFFormat>
<bool />
</DFFormat>
@ -482,7 +482,7 @@ The following XML file contains the device description framework (DDF) for the e
<AccessType>
<Get />
</AccessType>
<Description>This profile policy rule indicates whether disabling of this profile is not allowed (true if not allowed, false otherwise).</Description>
<Description>Profile Policy Rule 1 (PPR1) indicates whether disabling of this profile is not allowed (true if not allowed, false otherwise).</Description>
<DFFormat>
<bool />
</DFFormat>
@ -503,7 +503,7 @@ The following XML file contains the device description framework (DDF) for the e
<AccessType>
<Get />
</AccessType>
<Description>This profile policy rule indicates whether deletion of this profile is not allowed (true if not allowed, false otherwise).</Description>
<Description>Profile Policy Rule 2 (PPR2) indicates whether deletion of this profile is not allowed (true if not allowed, false otherwise).</Description>
<DFFormat>
<bool />
</DFFormat>
@ -570,7 +570,7 @@ The following XML file contains the device description framework (DDF) for the e
<Replace />
</AccessType>
<DefaultValue>true</DefaultValue>
<Description>Determines whether the local user interface of the LUI is available (true if available, false otherwise). Initially populated by the LPA when the eUICC tree is created, can be queried and changed by the MDM server.</Description>
<Description>Determines whether or not the user can make changes to the eSIM through the user interface.</Description>
<DFFormat>
<bool />
</DFFormat>
@ -602,7 +602,7 @@ The following XML file contains the device description framework (DDF) for the e
<AccessType>
<Get />
</AccessType>
<Description>Actions that can be performed on the eUICC as a whole (when it is active).</Description>
<Description>Actions that can be performed on the eUICC as a whole.</Description>
<DFFormat>
<node />
</DFFormat>
@ -622,7 +622,7 @@ The following XML file contains the device description framework (DDF) for the e
<AccessType>
<Exec />
</AccessType>
<Description>An EXECUTE on this node triggers the LPA to perform an eUICC Memory Reset.</Description>
<Description>This triggers an eUICC Memory Reset, which erases all the eSIM profiles in the eUICC.</Description>
<DFFormat>
<chr />
</DFFormat>

7
windows/client-management/mdm/policies-in-policy-csp-admx-backed.md
View File

@ -4,7 +4,7 @@ description: Learn about the ADMX-backed policies in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 08/07/2023
ms.date: 08/29/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -2182,6 +2182,11 @@ This article lists the ADMX-backed policies in Policy CSP.
- [TurnOffDataExecutionPreventionForExplorer](policy-csp-fileexplorer.md)
- [TurnOffHeapTerminationOnCorruption](policy-csp-fileexplorer.md)
## FileSystem
- [EnableDevDrive](policy-csp-filesystem.md)
- [DevDriveAttachPolicy](policy-csp-filesystem.md)
## InternetExplorer
- [AddSearchProvider](policy-csp-internetexplorer.md)

6
windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md
View File

@ -4,7 +4,7 @@ description: Learn about the policies in Policy CSP supported by Group Policy.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 08/10/2023
ms.date: 09/25/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -836,6 +836,10 @@ This article lists the policies in Policy CSP that have a group policy mapping.
- [AllowAutoConnectToWiFiSenseHotspots](policy-csp-wifi.md)
- [AllowInternetSharing](policy-csp-wifi.md)
## WindowsAI
- [TurnOffWindowsCopilot](policy-csp-windowsai.md)
## WindowsDefenderSecurityCenter
- [CompanyName](policy-csp-windowsdefendersecuritycenter.md)

2
windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md
View File

@ -4,7 +4,7 @@ description: Learn about the policies in Policy CSP supported by Windows 10 Team
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 08/10/2023
ms.date: 09/25/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage

4
windows/client-management/mdm/policy-configuration-service-provider.md
View File

@ -4,7 +4,7 @@ description: Learn more about the Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 08/10/2023
ms.date: 08/29/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -1118,6 +1118,7 @@ Specifies the name/value pair used in the policy. See the individual Area DDFs f
- [ExploitGuard](policy-csp-exploitguard.md)
- [FederatedAuthentication](policy-csp-federatedauthentication.md)
- [FileExplorer](policy-csp-fileexplorer.md)
- [FileSystem](policy-csp-filesystem.md)
- [Games](policy-csp-games.md)
- [Handwriting](policy-csp-handwriting.md)
- [HumanPresence](policy-csp-humanpresence.md)
@ -1175,6 +1176,7 @@ Specifies the name/value pair used in the policy. See the individual Area DDFs f
- [VirtualizationBasedTechnology](policy-csp-virtualizationbasedtechnology.md)
- [WebThreatDefense](policy-csp-webthreatdefense.md)
- [Wifi](policy-csp-wifi.md)
- [WindowsAI](policy-csp-windowsai.md)
- [WindowsAutopilot](policy-csp-windowsautopilot.md)
- [WindowsConnectionManager](policy-csp-windowsconnectionmanager.md)
- [WindowsDefenderSecurityCenter](policy-csp-windowsdefendersecuritycenter.md)

4
windows/client-management/mdm/policy-csp-admx-datacollection.md
View File

@ -46,8 +46,8 @@ If you disable or don't configure this policy setting, then Microsoft won't be a
<!-- CommercialIdPolicy-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!IMPORTANT]
> Starting with the January 2023 preview cumulative update, this policy is no longer supported to configure the processor option. For more information, see [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection#significant-changes-coming-to-the-windows-diagnostic-data-processor-configuration).
> [!NOTE]
> Starting with the January 2023 preview cumulative update, this policy is no longer supported to configure the processor option. For more information, see [Enable Windows diagnostic data processor configuration](/windows/privacy/configure-windows-diagnostic-data-in-your-organization#enable-windows-diagnostic-data-processor-configuration).
<!-- CommercialIdPolicy-Editable-End -->
<!-- CommercialIdPolicy-DFProperties-Begin -->

15
windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md
View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_MicrosoftDefenderAntivirus Area in Policy
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 08/10/2023
ms.date: 08/30/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -3239,7 +3239,12 @@ This policy setting allows you to configure heuristics. Suspicious detections wi
<!-- Scan_DisablePackedExeScanning-OmaUri-End -->
<!-- Scan_DisablePackedExeScanning-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- Description-Source-ADMX -->
This policy setting allows you to configure scanning for packed executables. It's recommended that this type of scanning remain enabled.
- If you enable or don't configure this setting, packed executables will be scanned.
- If you disable this setting, packed executables won't be scanned.
<!-- Scan_DisablePackedExeScanning-Description-End -->
<!-- Scan_DisablePackedExeScanning-Editable-Begin -->
@ -3256,7 +3261,6 @@ This policy setting allows you to configure heuristics. Suspicious detections wi
<!-- Scan_DisablePackedExeScanning-DFProperties-End -->
<!-- Scan_DisablePackedExeScanning-AdmxBacked-Begin -->
<!-- ADMX-Not-Found -->
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
@ -3264,6 +3268,11 @@ This policy setting allows you to configure heuristics. Suspicious detections wi
| Name | Value |
|:--|:--|
| Name | Scan_DisablePackedExeScanning |
| Friendly Name | Scan packed executables |
| Location | Computer Configuration |
| Path | Windows Components > Microsoft Defender Antivirus > Scan |
| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan |
| Registry Value Name | DisablePackedExeScanning |
| ADMX File Name | WindowsDefender.admx |
<!-- Scan_DisablePackedExeScanning-AdmxBacked-End -->

5
windows/client-management/mdm/policy-csp-admx-terminalserver.md
View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_TerminalServer Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 08/10/2023
ms.date: 08/30/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -2457,6 +2457,9 @@ Per Device licensing mode requires that each device connecting to this RD Sessio
- If you enable this policy setting, the Remote Desktop licensing mode that you specify is honored by the Remote Desktop license server and RD Session Host.
- If you disable or don't configure this policy setting, the licensing mode isn't specified at the Group Policy level.
> [!NOTE]
> AAD Per User mode is deprecated on Windows 11 and above.
<!-- TS_LICENSING_MODE-Description-End -->
<!-- TS_LICENSING_MODE-Editable-Begin -->

6
windows/client-management/mdm/policy-csp-cryptography.md
View File

@ -4,7 +4,7 @@ description: Learn more about the Cryptography Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 08/10/2023
ms.date: 08/29/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -228,7 +228,6 @@ Override minimal enabled TLS version for client role. Last write wins.
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 1.0 |
<!-- OverrideMinimumEnabledDTLSVersionClient-DFProperties-End -->
<!-- OverrideMinimumEnabledDTLSVersionClient-Examples-Begin -->
@ -268,7 +267,6 @@ Override minimal enabled TLS version for server role. Last write wins.
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 1.0 |
<!-- OverrideMinimumEnabledDTLSVersionServer-DFProperties-End -->
<!-- OverrideMinimumEnabledDTLSVersionServer-Examples-Begin -->
@ -308,7 +306,6 @@ Override minimal enabled TLS version for client role. Last write wins.
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 1.0 |
<!-- OverrideMinimumEnabledTLSVersionClient-DFProperties-End -->
<!-- OverrideMinimumEnabledTLSVersionClient-Examples-Begin -->
@ -348,7 +345,6 @@ Override minimal enabled TLS version for server role. Last write wins.
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 1.0 |
<!-- OverrideMinimumEnabledTLSVersionServer-DFProperties-End -->
<!-- OverrideMinimumEnabledTLSVersionServer-Examples-Begin -->

10
windows/client-management/mdm/policy-csp-fileexplorer.md
View File

@ -4,7 +4,7 @@ description: Learn more about the FileExplorer Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 08/10/2023
ms.date: 08/30/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -145,7 +145,7 @@ When This PC location is restricted, give the user the option to enumerate and n
<!-- DisableGraphRecentItems-Description-Begin -->
<!-- Description-Source-ADMX -->
Turning off files from Office.com will prevent File Explorer from requesting recent cloud file metadata and displaying it in the Quick access view.
Turning off this setting will prevent File Explorer from requesting cloud file metadata and displaying it in the homepage and other views in File Explorer. Any insights and files available based on account activity will be stopped in views such as Recent, Recommended, Favorites, etc.
<!-- DisableGraphRecentItems-Description-End -->
<!-- DisableGraphRecentItems-Editable-Begin -->
@ -167,8 +167,8 @@ Turning off files from Office.com will prevent File Explorer from requesting rec
| Value | Description |
|:--|:--|
| 0 (Default) | File Explorer will request cloud file metadata and display it in the Quick access view. |
| 1 | File Explorer won't request cloud file metadata or display it in the Quick access view. |
| 0 (Default) | File Explorer will request cloud file metadata and display it in the homepage and other views. |
| 1 | File Explorer won't request cloud file metadata or display it in the homepage or other views. |
<!-- DisableGraphRecentItems-AllowedValues-End -->
<!-- DisableGraphRecentItems-GpMapping-Begin -->
@ -177,7 +177,7 @@ Turning off files from Office.com will prevent File Explorer from requesting rec
| Name | Value |
|:--|:--|
| Name | DisableGraphRecentItems |
| Friendly Name | Turn off files from Office.com in Quick access view |
| Friendly Name | Turn off account-based insights, recent, favorite, and recommended files in File Explorer |
| Location | Computer Configuration |
| Path | WindowsComponents > File Explorer |
| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer |

152
windows/client-management/mdm/policy-csp-filesystem.md Normal file
View File

@ -0,0 +1,152 @@
---
title: FileSystem Policy CSP
description: Learn more about the FileSystem Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 08/30/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
ms.topic: reference
---
<!-- Auto-Generated CSP Document -->
<!-- FileSystem-Begin -->
# Policy CSP - FileSystem
[!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)]
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- FileSystem-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- FileSystem-Editable-End -->
<!-- DevDriveAttachPolicy-Begin -->
## DevDriveAttachPolicy
<!-- DevDriveAttachPolicy-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- DevDriveAttachPolicy-Applicability-End -->
<!-- DevDriveAttachPolicy-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/FileSystem/DevDriveAttachPolicy
```
<!-- DevDriveAttachPolicy-OmaUri-End -->
<!-- DevDriveAttachPolicy-Description-Begin -->
<!-- Description-Source-ADMX -->
Dev drive is a drive optimized for performance considering developer scenarios and by default no file system filters are attached to it. Filters listed in this setting will be allowed to attach even on a dev drive.
A reboot is required for this setting to take effect.
<!-- DevDriveAttachPolicy-Description-End -->
<!-- DevDriveAttachPolicy-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- DevDriveAttachPolicy-Editable-End -->
<!-- DevDriveAttachPolicy-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- DevDriveAttachPolicy-DFProperties-End -->
<!-- DevDriveAttachPolicy-AdmxBacked-Begin -->
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
| Name | Value |
|:--|:--|
| Name | DevDriveAttachPolicy |
| Friendly Name | Dev drive filter attach policy |
| Location | Computer Configuration |
| Path | System > Filesystem |
| Registry Key Name | System\CurrentControlSet\Policies |
| ADMX File Name | filtermanager.admx |
<!-- DevDriveAttachPolicy-AdmxBacked-End -->
<!-- DevDriveAttachPolicy-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- DevDriveAttachPolicy-Examples-End -->
<!-- DevDriveAttachPolicy-End -->
<!-- EnableDevDrive-Begin -->
## EnableDevDrive
<!-- EnableDevDrive-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- EnableDevDrive-Applicability-End -->
<!-- EnableDevDrive-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/FileSystem/EnableDevDrive
```
<!-- EnableDevDrive-OmaUri-End -->
<!-- EnableDevDrive-Description-Begin -->
<!-- Description-Source-ADMX -->
Dev drive or developer volume is a volume optimized for performance of developer scenarios. A developer volume allows an administrator to choose file system filters that are attached on the volume.
Disabling this setting will disallow creation of new developer volumes, existing developer volumes will mount as regular volumes.
If this setting isn't configured the default policy is to enable developer volumes while allowing antivirus filter to attach on a deveveloper volume. Further, if not configured, a local administrator can choose to not have antivirus filter attached to a developer volume.
A reboot is required for this setting to take effect.
<!-- EnableDevDrive-Description-End -->
<!-- EnableDevDrive-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- EnableDevDrive-Editable-End -->
<!-- EnableDevDrive-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- EnableDevDrive-DFProperties-End -->
<!-- EnableDevDrive-AdmxBacked-Begin -->
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
| Name | Value |
|:--|:--|
| Name | EnableDevDrive |
| Friendly Name | Enable dev drive |
| Location | Computer Configuration |
| Path | System > Filesystem |
| Registry Key Name | System\CurrentControlSet\Policies |
| Registry Value Name | FsEnableDevDrive |
| ADMX File Name | refs.admx |
<!-- EnableDevDrive-AdmxBacked-End -->
<!-- EnableDevDrive-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- EnableDevDrive-Examples-End -->
<!-- EnableDevDrive-End -->
<!-- FileSystem-CspMoreInfo-Begin -->
<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
<!-- FileSystem-CspMoreInfo-End -->
<!-- FileSystem-End -->
## Related articles
[Policy configuration service provider](policy-configuration-service-provider.md)

42
windows/client-management/mdm/policy-csp-humanpresence.md
View File

@ -4,7 +4,7 @@ description: Learn more about the HumanPresence Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 08/10/2023
ms.date: 08/30/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -38,8 +38,8 @@ ms.topic: reference
<!-- ForceAllowDimWhenExternalDisplayConnected-OmaUri-End -->
<!-- ForceAllowDimWhenExternalDisplayConnected-Description-Begin -->
<!-- Description-Source-DDF -->
Determines whether Allow Adaptive Dimming When External Display Connected checkbox is forced checked/unchecked by the MDM policy. The user won't be able to change this setting and the checkbox in the UI will be greyed out.
<!-- Description-Source-ADMX -->
Determines whether Allow Adaptive Dimming When Battery Saver On checkbox is forced checked/unchecked by the MDM policy. The user won't be able to change this setting and the checkbox in the UI will be greyed out.
<!-- ForceAllowDimWhenExternalDisplayConnected-Description-End -->
<!-- ForceAllowDimWhenExternalDisplayConnected-Editable-Begin -->
@ -72,7 +72,12 @@ Determines whether Allow Adaptive Dimming When External Display Connected checkb
| Name | Value |
|:--|:--|
| Name | ForceAllowDimWhenExternalDisplayConnected |
| Path | Sensors > AT > WindowsComponents > HumanPresence |
| Friendly Name | Force Allow Dim When External Display Connected |
| Location | Computer Configuration |
| Path | Windows Components > Human Presence |
| Registry Key Name | Software\Policies\Microsoft\HumanPresence |
| Registry Value Name | ForceAllowDimWhenExternalDisplayConnected |
| ADMX File Name | Sensors.admx |
<!-- ForceAllowDimWhenExternalDisplayConnected-GpMapping-End -->
<!-- ForceAllowDimWhenExternalDisplayConnected-Examples-Begin -->
@ -97,8 +102,8 @@ Determines whether Allow Adaptive Dimming When External Display Connected checkb
<!-- ForceAllowLockWhenExternalDisplayConnected-OmaUri-End -->
<!-- ForceAllowLockWhenExternalDisplayConnected-Description-Begin -->
<!-- Description-Source-DDF -->
Determines whether Allow Lock on Leave When External Display Connected checkbox is forced checked/unchecked by the MDM policy. The user won't be able to change this setting and the checkbox in the UI will be greyed out.
<!-- Description-Source-ADMX -->
Determines whether Allow Lock on Leave When Battery Saver On checkbox is forced checked/unchecked by the MDM policy. The user won't be able to change this setting and the checkbox in the UI will be greyed out.
<!-- ForceAllowLockWhenExternalDisplayConnected-Description-End -->
<!-- ForceAllowLockWhenExternalDisplayConnected-Editable-Begin -->
@ -131,7 +136,12 @@ Determines whether Allow Lock on Leave When External Display Connected checkbox
| Name | Value |
|:--|:--|
| Name | ForceAllowLockWhenExternalDisplayConnected |
| Path | Sensors > AT > WindowsComponents > HumanPresence |
| Friendly Name | Force Allow Lock When External Display Connected |
| Location | Computer Configuration |
| Path | Windows Components > Human Presence |
| Registry Key Name | Software\Policies\Microsoft\HumanPresence |
| Registry Value Name | ForceAllowLockWhenExternalDisplayConnected |
| ADMX File Name | Sensors.admx |
<!-- ForceAllowLockWhenExternalDisplayConnected-GpMapping-End -->
<!-- ForceAllowLockWhenExternalDisplayConnected-Examples-Begin -->
@ -156,7 +166,7 @@ Determines whether Allow Lock on Leave When External Display Connected checkbox
<!-- ForceAllowWakeWhenExternalDisplayConnected-OmaUri-End -->
<!-- ForceAllowWakeWhenExternalDisplayConnected-Description-Begin -->
<!-- Description-Source-DDF -->
<!-- Description-Source-ADMX -->
Determines whether Allow Wake on Approach When External Display Connected checkbox is forced checked/unchecked by the MDM policy. The user won't be able to change this setting and the checkbox in the UI will be greyed out.
<!-- ForceAllowWakeWhenExternalDisplayConnected-Description-End -->
@ -190,7 +200,12 @@ Determines whether Allow Wake on Approach When External Display Connected checkb
| Name | Value |
|:--|:--|
| Name | ForceAllowWakeWhenExternalDisplayConnected |
| Path | Sensors > AT > WindowsComponents > HumanPresence |
| Friendly Name | Force Allow Wake When External Display Connected |
| Location | Computer Configuration |
| Path | Windows Components > Human Presence |
| Registry Key Name | Software\Policies\Microsoft\HumanPresence |
| Registry Value Name | ForceAllowWakeWhenExternalDisplayConnected |
| ADMX File Name | Sensors.admx |
<!-- ForceAllowWakeWhenExternalDisplayConnected-GpMapping-End -->
<!-- ForceAllowWakeWhenExternalDisplayConnected-Examples-Begin -->
@ -215,7 +230,7 @@ Determines whether Allow Wake on Approach When External Display Connected checkb
<!-- ForceDisableWakeWhenBatterySaverOn-OmaUri-End -->
<!-- ForceDisableWakeWhenBatterySaverOn-Description-Begin -->
<!-- Description-Source-DDF -->
<!-- Description-Source-ADMX -->
Determines whether Disable Wake on Approach When Battery Saver On checkbox is forced checked/unchecked by the MDM policy. The user won't be able to change this setting and the checkbox in the UI will be greyed out.
<!-- ForceDisableWakeWhenBatterySaverOn-Description-End -->
@ -249,7 +264,12 @@ Determines whether Disable Wake on Approach When Battery Saver On checkbox is fo
| Name | Value |
|:--|:--|
| Name | ForceDisableWakeWhenBatterySaverOn |
| Path | Sensors > AT > WindowsComponents > HumanPresence |
| Friendly Name | Force Disable Wake When Battery Saver On |
| Location | Computer Configuration |
| Path | Windows Components > Human Presence |
| Registry Key Name | Software\Policies\Microsoft\HumanPresence |
| Registry Value Name | ForceDisableWakeWhenBatterySaverOn |
| ADMX File Name | Sensors.admx |
<!-- ForceDisableWakeWhenBatterySaverOn-GpMapping-End -->
<!-- ForceDisableWakeWhenBatterySaverOn-Examples-Begin -->

106
windows/client-management/mdm/policy-csp-mixedreality.md
View File

@ -4,7 +4,7 @@ description: Learn more about the MixedReality Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 08/10/2023
ms.date: 08/29/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -490,6 +490,110 @@ The following XML string is an example of the value for this policy:
<!-- ConfigureNtpClient-End -->
<!-- ConfigureSharedAccount-Begin -->
## ConfigureSharedAccount
<!-- ConfigureSharedAccount-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> ❌ Windows SE <br> ❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- ConfigureSharedAccount-Applicability-End -->
<!-- ConfigureSharedAccount-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/MixedReality/ConfigureSharedAccount
```
<!-- ConfigureSharedAccount-OmaUri-End -->
<!-- ConfigureSharedAccount-Description-Begin -->
<!-- Description-Source-DDF -->
This policy specifies the configuration for Shared Accounts on the device. Shared Accounts are AAD accounts that are deployed to the device by an IT admin and can be used by anyone with physical access to the device. These accounts excel in deployments where the HoloLens device is used like a tool shared between multiple people and it doesn't matter which account is used to access AAD resources. Because these accounts can be signed in without requiring the user to provide credentials, you should ensure that these devices are physically secure, with access granted only to authorized personnel. You should also lock down these accounts to only have access to the required resources.
<!-- ConfigureSharedAccount-Description-End -->
<!-- ConfigureSharedAccount-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ConfigureSharedAccount-Editable-End -->
<!-- ConfigureSharedAccount-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- ConfigureSharedAccount-DFProperties-End -->
<!-- ConfigureSharedAccount-AllowedValues-Begin -->
**Allowed values**:
<br>
<details>
<summary>Expand to see schema XML</summary>
```xml
<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<xsd:element name="SharedAccountConfiguration">
<xsd:complexType mixed="true">
<xsd:sequence>
<xsd:element minOccurs="1" maxOccurs="1" name="SharedAccount">
<xsd:complexType>
<xsd:sequence>
<xsd:choice>
<xsd:element name="IssuerThumbprint">
<xsd:simpleType>
<xsd:restriction base="xsd:string">
<xsd:maxLength value="40" />
</xsd:restriction>
</xsd:simpleType>
</xsd:element>
<xsd:element name="IssuerName">
<xsd:simpleType>
<xsd:restriction base="xsd:string">
<xsd:maxLength value="512" />
</xsd:restriction>
</xsd:simpleType>
</xsd:element>
</xsd:choice>
<xsd:element minOccurs="0" maxOccurs="1" name="EkuOidRequirements">
<xsd:complexType>
<xsd:sequence>
<xsd:element maxOccurs="5" name="Oid">
<xsd:simpleType>
<xsd:restriction base="xsd:string">
<xsd:maxLength value="100" />
</xsd:restriction>
</xsd:simpleType>
</xsd:element>
</xsd:sequence>
</xsd:complexType>
</xsd:element>
<xsd:element minOccurs="0" maxOccurs="1" name="AutoLogon">
<xsd:complexType>
<xsd:simpleContent>
<xsd:extension base="xsd:string">
<xsd:attribute name="forced" type="xsd:boolean" />
</xsd:extension>
</xsd:simpleContent>
</xsd:complexType>
</xsd:element>
</xsd:sequence>
</xsd:complexType>
</xsd:element>
</xsd:sequence>
</xsd:complexType>
</xsd:element>
</xsd:schema>
```
</details>
<!-- ConfigureSharedAccount-AllowedValues-End -->
<!-- ConfigureSharedAccount-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ConfigureSharedAccount-Examples-End -->
<!-- ConfigureSharedAccount-End -->
<!-- DisallowNetworkConnectivityPassivePolling-Begin -->
## DisallowNetworkConnectivityPassivePolling

8
windows/client-management/mdm/policy-csp-multitasking.md
View File

@ -4,7 +4,7 @@ description: Learn more about the Multitasking Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 08/10/2023
ms.date: 08/30/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -37,9 +37,9 @@ ms.topic: reference
<!-- BrowserAltTabBlowout-Description-Begin -->
<!-- Description-Source-ADMX -->
This setting controls the inclusion of Microsoft Edge tabs into Alt+Tab.
This setting controls the inclusion of app tabs into Alt+Tab.
This can be set to show all tabs, the most recent 3 or 5 tabs, or no tabs from Microsoft Edge.
This can be set to show the most recent 3, 5 or 20 tabs, or no tabs from apps.
If this is set to show "Open windows only", the whole feature will be disabled.
<!-- BrowserAltTabBlowout-Description-End -->
@ -82,7 +82,7 @@ This policy only applies to the Alt+Tab switcher. When the policy isn't enabled,
| Name | Value |
|:--|:--|
| Name | BrowserAltTabBlowout |
| Friendly Name | Configure the inclusion of Microsoft Edge tabs into Alt-Tab |
| Friendly Name | Configure the inclusion of app tabs into Alt-Tab |
| Element Name | Pressing Alt + Tab shows. |
| Location | User Configuration |
| Path | Windows Components > Multitasking |

36
windows/client-management/mdm/policy-csp-notifications.md
View File

@ -4,7 +4,7 @@ description: Learn more about the Notifications Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 08/10/2023
ms.date: 08/30/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -38,8 +38,16 @@ ms.topic: reference
<!-- DisableAccountNotifications-OmaUri-End -->
<!-- DisableAccountNotifications-Description-Begin -->
<!-- Description-Source-DDF -->
This policy allows you to prevent Windows from displaying notifications to Microsoft account (MSA) and local users in Start (user tile). Notifications include getting users to: reauthenticate; backup their device; manage cloud storage quotas as well as manage their Microsoft 365 or XBOX subscription. If you enable this policy setting, Windows won't send account related notifications for local and MSA users to the user tile in Start.
<!-- Description-Source-ADMX -->
This policy allows you to prevent Windows from displaying notifications to Microsoft account (MSA) and local users in Start (user tile).
Notifications include getting users to: reauthenticate; backup their device; manage cloud storage quotas as well as manage their Microsoft 365 or XBOX subscription.
- If you enable this policy setting, Windows won't send account related notifications for local and MSA users to the user tile in Start.
- If you disable or don't configure this policy setting, Windows will send account related notifications for local and MSA users to the user tile in Start.
No reboots or service restarts are required for this policy setting to take effect.
<!-- DisableAccountNotifications-Description-End -->
<!-- DisableAccountNotifications-Editable-Begin -->
@ -71,7 +79,12 @@ This policy allows you to prevent Windows from displaying notifications to Micro
| Name | Value |
|:--|:--|
| Name | DisableAccountNotifications |
| Path | AccountNotifications > AT > WindowsComponents > AccountNotifications |
| Friendly Name | Turn off account notifications in Start |
| Location | User Configuration |
| Path | Windows Components > Account Notifications |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\AccountNotifications |
| Registry Value Name | DisableAccountNotifications |
| ADMX File Name | AccountNotifications.admx |
<!-- DisableAccountNotifications-GpMapping-End -->
<!-- DisableAccountNotifications-Examples-Begin -->
@ -318,12 +331,16 @@ No reboots or service restarts are required for this policy setting to take effe
<!-- EnableExpandedToastNotifications-OmaUri-End -->
<!-- EnableExpandedToastNotifications-Description-Begin -->
<!-- Description-Source-DDF -->
<!-- Description-Source-ADMX -->
This policy setting turns on multiple expanded toast notifications in action center.
- If you enable this policy setting, the first three notifications of each application will be expanded by default in action center.
- If you disable or don't configure this policy setting, only the first notification of each application will be expanded by default in action center. Windows 10 only. This will be immediately deprecated for Windows 11. No reboots or service restarts are required for this policy setting to take effect.
- If you disable or don't configure this policy setting, only the first notification of each application will be expanded by default in action center.
Windows 10 only. This will be immediately deprecated for Windows 11.
No reboots or service restarts are required for this policy setting to take effect.
<!-- EnableExpandedToastNotifications-Description-End -->
<!-- EnableExpandedToastNotifications-Editable-Begin -->
@ -355,7 +372,12 @@ This policy setting turns on multiple expanded toast notifications in action cen
| Name | Value |
|:--|:--|
| Name | ExpandedToastNotifications |
| Path | WPN > AT > StartMenu > NotificationsCategory |
| Friendly Name | Turn on multiple expanded toast notifications in action center |
| Location | User Configuration |
| Path | Start Menu and Taskbar > Notifications |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications |
| Registry Value Name | EnableExpandedToastNotifications |
| ADMX File Name | WPN.admx |
<!-- EnableExpandedToastNotifications-GpMapping-End -->
<!-- EnableExpandedToastNotifications-Examples-Begin -->

95
windows/client-management/mdm/policy-csp-privacy.md
View File

@ -4,7 +4,7 @@ description: Learn more about the Privacy Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 08/10/2023
ms.date: 08/30/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -2946,8 +2946,20 @@ If an app is open when this Group Policy object is applied on a device, employee
<!-- LetAppsAccessHumanPresence-OmaUri-End -->
<!-- LetAppsAccessHumanPresence-Description-Begin -->
<!-- Description-Source-DDF -->
This policy setting specifies whether Windows apps can access the human presence sensor.
<!-- Description-Source-ADMX -->
This policy setting specifies whether Windows apps can access presence sensing.
You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.
If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access presence sensing by using Settings > Privacy on the device.
If you choose the "Force Allow" option, Windows apps are allowed to access presence sensing and employees in your organization can't change it.
If you choose the "Force Deny" option, Windows apps aren't allowed to access presence sensing and employees in your organization can't change it.
If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can access presence sensing by using Settings > Privacy on the device.
If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.
<!-- LetAppsAccessHumanPresence-Description-End -->
<!-- LetAppsAccessHumanPresence-Editable-Begin -->
@ -2980,8 +2992,12 @@ This policy setting specifies whether Windows apps can access the human presence
| Name | Value |
|:--|:--|
| Name | LetAppsAccessHumanPresence |
| Path | AppPrivacy > AT > WindowsComponents > AppPrivacy |
| Element Name | LetAppsAccessHumanPresence_Enum |
| Friendly Name | Let Windows apps access presence sensing |
| Element Name | Default for all apps. |
| Location | Computer Configuration |
| Path | Windows Components > App Privacy |
| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy |
| ADMX File Name | AppPrivacy.admx |
<!-- LetAppsAccessHumanPresence-GpMapping-End -->
<!-- LetAppsAccessHumanPresence-Examples-Begin -->
@ -3006,8 +3022,20 @@ This policy setting specifies whether Windows apps can access the human presence
<!-- LetAppsAccessHumanPresence_ForceAllowTheseApps-OmaUri-End -->
<!-- LetAppsAccessHumanPresence_ForceAllowTheseApps-Description-Begin -->
<!-- Description-Source-DDF -->
List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to the human presence sensor. This setting overrides the default LetAppsAccessHumanPresence policy setting for the specified apps.
<!-- Description-Source-ADMX -->
This policy setting specifies whether Windows apps can access presence sensing.
You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.
If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access presence sensing by using Settings > Privacy on the device.
If you choose the "Force Allow" option, Windows apps are allowed to access presence sensing and employees in your organization can't change it.
If you choose the "Force Deny" option, Windows apps aren't allowed to access presence sensing and employees in your organization can't change it.
If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can access presence sensing by using Settings > Privacy on the device.
If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.
<!-- LetAppsAccessHumanPresence_ForceAllowTheseApps-Description-End -->
<!-- LetAppsAccessHumanPresence_ForceAllowTheseApps-Editable-Begin -->
@ -3030,8 +3058,11 @@ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Liste
| Name | Value |
|:--|:--|
| Name | LetAppsAccessHumanPresence |
| Path | AppPrivacy > AT > WindowsComponents > AppPrivacy |
| Element Name | LetAppsAccessHumanPresence_ForceAllowTheseApps_List |
| Friendly Name | Let Windows apps access presence sensing |
| Location | Computer Configuration |
| Path | Windows Components > App Privacy |
| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy |
| ADMX File Name | AppPrivacy.admx |
<!-- LetAppsAccessHumanPresence_ForceAllowTheseApps-GpMapping-End -->
<!-- LetAppsAccessHumanPresence_ForceAllowTheseApps-Examples-Begin -->
@ -3056,8 +3087,20 @@ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Liste
<!-- LetAppsAccessHumanPresence_ForceDenyTheseApps-OmaUri-End -->
<!-- LetAppsAccessHumanPresence_ForceDenyTheseApps-Description-Begin -->
<!-- Description-Source-DDF -->
List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to the human presence sensor. This setting overrides the default LetAppsAccessHumanPresence policy setting for the specified apps.
<!-- Description-Source-ADMX -->
This policy setting specifies whether Windows apps can access presence sensing.
You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.
If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access presence sensing by using Settings > Privacy on the device.
If you choose the "Force Allow" option, Windows apps are allowed to access presence sensing and employees in your organization can't change it.
If you choose the "Force Deny" option, Windows apps aren't allowed to access presence sensing and employees in your organization can't change it.
If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can access presence sensing by using Settings > Privacy on the device.
If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.
<!-- LetAppsAccessHumanPresence_ForceDenyTheseApps-Description-End -->
<!-- LetAppsAccessHumanPresence_ForceDenyTheseApps-Editable-Begin -->
@ -3080,8 +3123,11 @@ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Liste
| Name | Value |
|:--|:--|
| Name | LetAppsAccessHumanPresence |
| Path | AppPrivacy > AT > WindowsComponents > AppPrivacy |
| Element Name | LetAppsAccessHumanPresence_ForceDenyTheseApps_List |
| Friendly Name | Let Windows apps access presence sensing |
| Location | Computer Configuration |
| Path | Windows Components > App Privacy |
| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy |
| ADMX File Name | AppPrivacy.admx |
<!-- LetAppsAccessHumanPresence_ForceDenyTheseApps-GpMapping-End -->
<!-- LetAppsAccessHumanPresence_ForceDenyTheseApps-Examples-Begin -->
@ -3106,8 +3152,20 @@ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Liste
<!-- LetAppsAccessHumanPresence_UserInControlOfTheseApps-OmaUri-End -->
<!-- LetAppsAccessHumanPresence_UserInControlOfTheseApps-Description-Begin -->
<!-- Description-Source-DDF -->
List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the human presence privacy setting for the listed apps. This setting overrides the default LetAppsAccessHumanPresence policy setting for the specified apps.
<!-- Description-Source-ADMX -->
This policy setting specifies whether Windows apps can access presence sensing.
You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.
If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access presence sensing by using Settings > Privacy on the device.
If you choose the "Force Allow" option, Windows apps are allowed to access presence sensing and employees in your organization can't change it.
If you choose the "Force Deny" option, Windows apps aren't allowed to access presence sensing and employees in your organization can't change it.
If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can access presence sensing by using Settings > Privacy on the device.
If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.
<!-- LetAppsAccessHumanPresence_UserInControlOfTheseApps-Description-End -->
<!-- LetAppsAccessHumanPresence_UserInControlOfTheseApps-Editable-Begin -->
@ -3130,8 +3188,11 @@ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The u
| Name | Value |
|:--|:--|
| Name | LetAppsAccessHumanPresence |
| Path | AppPrivacy > AT > WindowsComponents > AppPrivacy |
| Element Name | LetAppsAccessHumanPresence_UserInControlOfTheseApps_List |
| Friendly Name | Let Windows apps access presence sensing |
| Location | Computer Configuration |
| Path | Windows Components > App Privacy |
| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy |
| ADMX File Name | AppPrivacy.admx |
<!-- LetAppsAccessHumanPresence_UserInControlOfTheseApps-GpMapping-End -->
<!-- LetAppsAccessHumanPresence_UserInControlOfTheseApps-Examples-Begin -->

17
windows/client-management/mdm/policy-csp-settingssync.md
View File

@ -4,7 +4,7 @@ description: Learn more about the SettingsSync Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 08/10/2023
ms.date: 08/30/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -101,7 +101,14 @@ If you don't set or disable this setting, syncing of the "accessibility" group i
<!-- DisableLanguageSettingSync-OmaUri-End -->
<!-- DisableLanguageSettingSync-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- Description-Source-ADMX -->
Prevent the "language preferences" group from syncing to and from this PC. This turns off and disables the "languages preferences" group on the "Windows backup" settings page in PC settings.
If you enable this policy setting, the "language preferences", group won't be synced.
Use the option "Allow users to turn language preferences syncing on" so that syncing is turned off by default but not disabled.
If you don't set or disable this setting, syncing of the "language preferences" group is on by default and configurable by the user.
<!-- DisableLanguageSettingSync-Description-End -->
<!-- DisableLanguageSettingSync-Editable-Begin -->
@ -118,7 +125,6 @@ If you don't set or disable this setting, syncing of the "accessibility" group i
<!-- DisableLanguageSettingSync-DFProperties-End -->
<!-- DisableLanguageSettingSync-AdmxBacked-Begin -->
<!-- ADMX-Not-Found -->
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
@ -126,6 +132,11 @@ If you don't set or disable this setting, syncing of the "accessibility" group i
| Name | Value |
|:--|:--|
| Name | DisableLanguageSettingSync |
| Friendly Name | Do not sync language preferences settings |
| Location | Computer Configuration |
| Path | Windows Components > Sync your settings |
| Registry Key Name | Software\Policies\Microsoft\Windows\SettingSync |
| Registry Value Name | DisableLanguageSettingSync |
| ADMX File Name | SettingSync.admx |
<!-- DisableLanguageSettingSync-AdmxBacked-End -->

15
windows/client-management/mdm/policy-csp-start.md
View File

@ -4,7 +4,7 @@ description: Learn more about the Start Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 08/10/2023
ms.date: 09/25/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -1430,7 +1430,7 @@ To validate this policy, do the following steps:
<!-- HideRecommendedPersonalizedSites-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
| ✅ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.1928] and later |
<!-- HideRecommendedPersonalizedSites-Applicability-End -->
<!-- HideRecommendedPersonalizedSites-OmaUri-Begin -->
@ -1444,8 +1444,8 @@ To validate this policy, do the following steps:
<!-- HideRecommendedPersonalizedSites-OmaUri-End -->
<!-- HideRecommendedPersonalizedSites-Description-Begin -->
<!-- Description-Source-DDF -->
This policy setting allows you to hide the personalized websites in the recommended section of the Start Menu. If you enable this policy setting, the Start Menu will no longer show personalized website recommendations in the recommended section of the start menu.
<!-- Description-Source-ADMX -->
Remove Personalized Website Recommendations from the Recommended section in the Start Menu.
<!-- HideRecommendedPersonalizedSites-Description-End -->
<!-- HideRecommendedPersonalizedSites-Editable-Begin -->
@ -1477,7 +1477,12 @@ This policy setting allows you to hide the personalized websites in the recommen
| Name | Value |
|:--|:--|
| Name | HideRecommendedPersonalizedSites |
| Path | StartMenu > AT > StartMenu |
| Friendly Name | Remove Personalized Website Recommendations from the Recommended section in the Start Menu |
| Location | Computer and User Configuration |
| Path | Start Menu and Taskbar |
| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer |
| Registry Value Name | HideRecommendedPersonalizedSites |
| ADMX File Name | StartMenu.admx |
<!-- HideRecommendedPersonalizedSites-GpMapping-End -->
<!-- HideRecommendedPersonalizedSites-Examples-Begin -->

32
windows/client-management/mdm/policy-csp-system.md
View File

@ -4,7 +4,7 @@ description: Learn more about the System Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 08/10/2023
ms.date: 08/30/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -111,6 +111,8 @@ This policy is only supported up to Windows 10, Version 1703. Please use 'Manage
<!-- AllowCommercialDataPipeline-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy is deprecated and will only work on Windows 10 version 1809. Setting this policy will have no effect for other supported versions of Windows.
AllowCommercialDataPipeline configures an Azure Active Directory joined device so that Microsoft is the processor of the Windows diagnostic data collected from the device, subject to the Product Terms at< https://go.microsoft.com/fwlink/?linkid=2185086>.
To enable this behavior:
@ -120,7 +122,7 @@ To enable this behavior:
Windows diagnostic data is collected when the Allow Telemetry policy setting is set to value 1 - Required or above. Configuring this setting doesn't change the Windows diagnostic data collection level set for the device.
If you disable or don't configure this setting, Microsoft will be the controller of the Windows diagnostic data collected from the device and processed in accordance with Microsoft's privacy statement at <https://go.microsoft.com/fwlink/?LinkId=521839> unless you have enabled policies like 'Allow Update Compliance Processing' or 'Allow Desktop Analytics Processing".
If you disable or don't configure this setting, Microsoft will be the controller of the Windows diagnostic data collected from the device and processed in accordance with Microsoft's privacy statement at <https://go.microsoft.com/fwlink/?LinkId=521839> unless you have enabled policies like 'Allow Update Compliance Processing' or 'Allow Desktop Analytics Processing'.
See the documentation at <https://go.microsoft.com/fwlink/?linkid=2011107> for information on this and other policies that will result in Microsoft being the processor of Windows diagnostic data.
<!-- AllowCommercialDataPipeline-Description-End -->
@ -130,8 +132,8 @@ See the documentation at <https://go.microsoft.com/fwlink/?linkid=2011107> for i
> [!NOTE]
> Configuring this setting doesn't affect the operation of optional analytics processor services like Desktop Analytics and Windows Update for Business reports.
> [!IMPORTANT]
> Starting with the January 2023 preview cumulative update, this policy is no longer supported to configure the processor option. For more information, see [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection#significant-changes-coming-to-the-windows-diagnostic-data-processor-configuration).
> [!NOTE]
> Starting with the January 2023 preview cumulative update, this policy is no longer supported to configure the processor option. For more information, see [Enable Windows diagnostic data processor configuration](/windows/privacy/configure-windows-diagnostic-data-in-your-organization#enable-windows-diagnostic-data-processor-configuration).
<!-- AllowCommercialDataPipeline-Editable-End -->
<!-- AllowCommercialDataPipeline-DFProperties-Begin -->
@ -189,6 +191,8 @@ See the documentation at <https://go.microsoft.com/fwlink/?linkid=2011107> for i
<!-- AllowDesktopAnalyticsProcessing-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy is deprecated and will only work on Windows 10 version 1809. Setting this policy will have no effect for other supported versions of Windows.
This policy setting, in combination with the Allow Telemetry and Configure the Commercial ID, enables organizations to configure the device so that Microsoft is the processor for Windows diagnostic data collected from the device, subject to the Product Terms at< https://go.microsoft.com/fwlink/?linkid=2185086>.
To enable this behavior:
@ -206,8 +210,8 @@ This setting has no effect on devices unless they're properly enrolled in Deskto
<!-- AllowDesktopAnalyticsProcessing-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!IMPORTANT]
> Starting with the January 2023 preview cumulative update, this policy is no longer supported to configure the processor option. For more information, see [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection#significant-changes-coming-to-the-windows-diagnostic-data-processor-configuration).
> [!NOTE]
> Starting with the January 2023 preview cumulative update, this policy is no longer supported to configure the processor option. For more information, see [Enable Windows diagnostic data processor configuration](/windows/privacy/configure-windows-diagnostic-data-in-your-organization#enable-windows-diagnostic-data-processor-configuration).
<!-- AllowDesktopAnalyticsProcessing-Editable-End -->
<!-- AllowDesktopAnalyticsProcessing-DFProperties-Begin -->
@ -578,8 +582,8 @@ This setting has no effect on devices unless they're properly enrolled in Micros
<!-- AllowMicrosoftManagedDesktopProcessing-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!IMPORTANT]
> Starting with the January 2023 preview cumulative update, this policy is no longer supported to configure the processor option. For more information, see [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection#significant-changes-coming-to-the-windows-diagnostic-data-processor-configuration).
> [!NOTE]
> Starting with the January 2023 preview cumulative update, this policy is no longer supported to configure the processor option. For more information, see [Enable Windows diagnostic data processor configuration](/windows/privacy/configure-windows-diagnostic-data-in-your-organization#enable-windows-diagnostic-data-processor-configuration).
<!-- AllowMicrosoftManagedDesktopProcessing-Editable-End -->
<!-- AllowMicrosoftManagedDesktopProcessing-DFProperties-Begin -->
@ -751,6 +755,8 @@ If you disable or don't configure this policy setting, the device will send requ
<!-- AllowUpdateComplianceProcessing-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy is deprecated and will only work on Windows 10 version 1809. Setting this policy will have no effect for other supported versions of Windows.
This policy setting, in combination with the Allow Telemetry and Configure the Commercial ID, enables organizations to configure the device so that Microsoft is the processor of the Windows diagnostic data collected from the device, subject to the Product Terms at< https://go.microsoft.com/fwlink/?linkid=2185086>.
To enable this behavior:
@ -768,8 +774,8 @@ If you disable or don't configure this policy setting, devices won't appear in U
<!-- AllowUpdateComplianceProcessing-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!IMPORTANT]
> Starting with the January 2023 preview cumulative update, this policy is no longer supported to configure the processor option. For more information, see [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection#significant-changes-coming-to-the-windows-diagnostic-data-processor-configuration).
> [!NOTE]
> Starting with the January 2023 preview cumulative update, this policy is no longer supported to configure the processor option. For more information, see [Enable Windows diagnostic data processor configuration](/windows/privacy/configure-windows-diagnostic-data-in-your-organization#enable-windows-diagnostic-data-processor-configuration).
<!-- AllowUpdateComplianceProcessing-Editable-End -->
<!-- AllowUpdateComplianceProcessing-DFProperties-Begin -->
@ -876,6 +882,8 @@ Specifies whether to allow the user to factory reset the device by using control
<!-- AllowWUfBCloudProcessing-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy is deprecated and will only work on Windows 10 version 1809. Setting this policy will have no effect for other supported versions of Windows.
This policy setting configures an Azure Active Directory joined device so that Microsoft is the processor of the Windows diagnostic data collected from the device, subject to the Product Terms at< https://go.microsoft.com/fwlink/?linkid=2185086>.
To enable this behavior:
@ -892,8 +900,8 @@ If you disable or don't configure this policy setting, devices enrolled to the W
<!-- AllowWUfBCloudProcessing-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!IMPORTANT]
> Starting with the January 2023 preview cumulative update, this policy is no longer supported to configure the processor option. For more information, see [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection#significant-changes-coming-to-the-windows-diagnostic-data-processor-configuration).
> [!NOTE]
> Starting with the January 2023 preview cumulative update, this policy is no longer supported to configure the processor option. For more information, see [Enable Windows diagnostic data processor configuration](/windows/privacy/configure-windows-diagnostic-data-in-your-organization#enable-windows-diagnostic-data-processor-configuration).
<!-- AllowWUfBCloudProcessing-Editable-End -->
<!-- AllowWUfBCloudProcessing-DFProperties-Begin -->

19
windows/client-management/mdm/policy-csp-webthreatdefense.md
View File

@ -4,7 +4,7 @@ description: Learn more about the WebThreatDefense Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 08/10/2023
ms.date: 08/30/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -40,8 +40,14 @@ ms.topic: reference
<!-- AutomaticDataCollection-OmaUri-End -->
<!-- AutomaticDataCollection-Description-Begin -->
<!-- Description-Source-DDF -->
Automatically collect website or app content when additional analysis is needed to help identify security threats.
<!-- Description-Source-ADMX -->
This policy setting determines whether Enhanced Phishing Protection can collect additional information-such as content displayed, sounds played, and application memory-when your users enter their work or school password into a suspicious website or app. This information is used only for security purposes and helps SmartScreen determine whether the website or app is malicious.
- If you enable this policy setting, Enhanced Phishing Protection may automatically collect additional content for security analysis from a suspicious website or app when your users enter their work or school password into that website or app.
- If you disable this policy setting, Enhanced Phishing Protection won't collect additional content for security analysis when your users enter their work or school password into a suspicious site or app.
- If this policy isn't set, Enhanced Phishing Protection automatic data collection will honor the end user's settings.
<!-- AutomaticDataCollection-Description-End -->
<!-- AutomaticDataCollection-Editable-Begin -->
@ -73,7 +79,12 @@ Automatically collect website or app content when additional analysis is needed
| Name | Value |
|:--|:--|
| Name | AutomaticDataCollection |
| Path | WebThreatDefense > AT > WindowsComponents > WebThreatDefense |
| Friendly Name | Automatic Data Collection |
| Location | Computer Configuration |
| Path | Windows Components > Windows Defender SmartScreen > Enhanced Phishing Protection |
| Registry Key Name | Software\Policies\Microsoft\Windows\WTDS\Components |
| Registry Value Name | CaptureThreatWindow |
| ADMX File Name | WebThreatDefense.admx |
<!-- AutomaticDataCollection-GpMapping-End -->
<!-- AutomaticDataCollection-Examples-Begin -->

100
windows/client-management/mdm/policy-csp-windowsai.md Normal file
View File

@ -0,0 +1,100 @@
---
title: WindowsAI Policy CSP
description: Learn more about the WindowsAI Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 08/30/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
ms.topic: reference
---
<!-- Auto-Generated CSP Document -->
<!-- WindowsAI-Begin -->
# Policy CSP - WindowsAI
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- WindowsAI-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- WindowsAI-Editable-End -->
<!-- TurnOffWindowsCopilot-Begin -->
## TurnOffWindowsCopilot
<!-- TurnOffWindowsCopilot-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ❌ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25929.1000] |
<!-- TurnOffWindowsCopilot-Applicability-End -->
<!-- TurnOffWindowsCopilot-OmaUri-Begin -->
```User
./User/Vendor/MSFT/Policy/Config/WindowsAI/TurnOffWindowsCopilot
```
<!-- TurnOffWindowsCopilot-OmaUri-End -->
<!-- TurnOffWindowsCopilot-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting allows you to turn off Windows Copilot.
- If you enable this policy setting, users won't be able to use Copilot. The Copilot icon won't appear on the taskbar either.
- If you disable or don't configure this policy setting, users will be able to use Copilot when it's available to them.
<!-- TurnOffWindowsCopilot-Description-End -->
<!-- TurnOffWindowsCopilot-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- TurnOffWindowsCopilot-Editable-End -->
<!-- TurnOffWindowsCopilot-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- TurnOffWindowsCopilot-DFProperties-End -->
<!-- TurnOffWindowsCopilot-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Enable Copilot. |
| 1 | Disable Copilot. |
<!-- TurnOffWindowsCopilot-AllowedValues-End -->
<!-- TurnOffWindowsCopilot-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | TurnOffWindowsCopilot |
| Friendly Name | Turn off Windows Copilot |
| Location | User Configuration |
| Path | Windows Components > Windows Copilot |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\WindowsCopilot |
| Registry Value Name | TurnOffWindowsCopilot |
| ADMX File Name | WindowsCopilot.admx |
<!-- TurnOffWindowsCopilot-GpMapping-End -->
<!-- TurnOffWindowsCopilot-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- TurnOffWindowsCopilot-Examples-End -->
<!-- TurnOffWindowsCopilot-End -->
<!-- WindowsAI-CspMoreInfo-Begin -->
<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
<!-- WindowsAI-CspMoreInfo-End -->
<!-- WindowsAI-End -->
## Related articles
[Policy configuration service provider](policy-configuration-service-provider.md)

4
windows/client-management/mdm/toc.yml
View File

@ -440,6 +440,8 @@ items:
href: policy-csp-feeds.md
- name: FileExplorer
href: policy-csp-fileexplorer.md
- name: FileSystem
href: policy-csp-filesystem.md
- name: Games
href: policy-csp-games.md
- name: Handwriting
@ -554,6 +556,8 @@ items:
href: policy-csp-webthreatdefense.md
- name: Wifi
href: policy-csp-wifi.md
- name: WindowsAI
href: policy-csp-windowsai.md
- name: WindowsAutopilot
href: policy-csp-windowsautopilot.md
- name: WindowsConnectionManager

2
windows/client-management/mdm/vpnv2-csp.md
View File

@ -9037,7 +9037,7 @@ Profile example
<NativeProtocol>
<Type>Sstp</Type>
</NativeProtocol>
<RetryTimeinHours>168</RetryTimeinHours>
<RetryTimeInHours>168</RetryTimeInHours>
</ProtocolList>
<Authentication>
<UserMethod>Eap</UserMethod>

21
windows/configuration/changes-to-start-policies-in-windows-10.md
View File

@ -6,18 +6,17 @@ manager: aaroncz
ms.prod: windows-client
author: lizgt2000
ms.author: lizlong
ms.topic: article
ms.topic: whats-new
ms.localizationpriority: medium
ms.date: 11/28/2017
ms.date: 08/18/2023
ms.technology: itpro-configure
---
# Changes to Group Policy settings for Windows 10 Start
**Applies to**:
**Applies to**
- Windows 10
- Windows 10
Windows 10 has a brand new Start experience. As a result, there are changes to the Group Policy settings that you can use to manage Start. Some policy settings are new or changed, and some old Start policy settings still apply. Other Start policy settings no longer apply and are deprecated.
@ -33,7 +32,7 @@ These policy settings are available in **Administrative Templates\\Start Menu an
|Don't display or track items in Jump Lists from remote locations|When this policy is applied, only items local on the computer are shown in Jump Lists.|
|Don't keep history of recently opened documents|Documents that the user opens aren't tracked during the session.|
|Prevent changes to Taskbar and Start Menu Settings|In Windows 10, this policy disables all of the settings in **Settings** > **Personalization** > **Start** and the options in dialog available via right-click Taskbar > **Properties**|
|Prevent users from customizing their Start Screen|Use this policy in conjunction with a [customized Start layout](windows-10-start-layout-options-and-policies.md) to prevent users from changing it|
|Prevent users from customizing their Start Screen|Use this policy with a [customized Start layout](windows-10-start-layout-options-and-policies.md) to prevent users from changing it|
|Prevent users from uninstalling applications from Start|In Windows 10, this policy removes the uninstall button in the context menu. It doesn't prevent users from uninstalling the app through other entry points (for example, PowerShell)|
|Remove All Programs list from the Start menu|In Windows 10, this policy removes the **All apps** button.|
|Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands|This policy removes the Shut Down, Restart, Sleep, and Hibernate commands from the Start Menu, Start Menu power button, CTRL+ALT+DEL screen, and Alt+F4 Shut Down Windows menu.|
@ -45,11 +44,9 @@ These policy settings are available in **Administrative Templates\\Start Menu an
|Start Layout|This policy applies a specific Start layout, and it also prevents users from changing the layout. This policy can be configured in **User Configuration** or **Computer Configuration**.|
|Force Start to be either full screen size or menu size|This policy applies a specific size for Start.|
## Deprecated Group Policy settings for Start
## <a href="" id="deprecated-group-policy-settings-for-start-"></a>Deprecated Group Policy settings for Start
The Start policy settings listed below don't work on Windows 10. Most of them were deprecated in Windows 8 however a few more were deprecated in Windows 10. Deprecation in this case means that the policy setting won't work on Windows 10. The “Supported on” text for a policy setting won't list Windows 10. The policy settings are still in the Group Policy Management Console and can be used on the operating systems that they apply to.
The Start policy settings listed in the following table don't work on Windows 10. Most of them were deprecated in Windows 8 however a few more were deprecated in Windows 10. Deprecation in this case means that the policy setting won't work on Windows 10. The “Supported on” text for a policy setting won't list Windows 10. The policy settings are still in the Group Policy Management Console and can be used on the operating systems that they apply to.
| Policy | When deprecated |
|----------------------------------------------------------------------------------|-----------------|
@ -92,7 +89,3 @@ The Start policy settings listed below don't work on Windows 10. Most of them w
- [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
- [Customize Windows 10 Start and taskbar with provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
- [Customize Windows 10 Start and taskbar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)

29
windows/configuration/configure-windows-10-taskbar.md
View File

@ -4,9 +4,9 @@ description: Administrators can pin more apps to the taskbar and remove default
ms.prod: windows-client
author: lizgt2000
ms.author: lizlong
ms.topic: article
ms.topic: how-to
ms.localizationpriority: medium
ms.date: 01/18/2018
ms.date: 08/18/2023
ms.reviewer:
manager: aaroncz
ms.collection:
@ -26,7 +26,7 @@ You can specify different taskbar configurations based on device locale and regi
If you specify an app to be pinned that isn't provisioned for the user on the computer, the pinned icon won't appear on the taskbar.
The order of apps in the XML file dictates the order of pinned apps on the taskbar from left to right, to the right of any existing apps pinned by the user.
The order of apps in the XML file dictates the order of pinned apps on the taskbar from left to right, starting to the right of any existing apps pinned by the user.
> [!NOTE]
> In operating systems configured to use a right-to-left language, the taskbar order will be reversed.
@ -321,11 +321,18 @@ The resulting taskbar for computers in any other country region:
## Related topics
- [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md)
- [Customize and export Start layout](customize-and-export-start-layout.md)
- [Add image for secondary tiles](start-secondary-tiles.md)
- [Start layout XML for desktop editions of Windows 10 (reference)](start-layout-xml-desktop.md)
- [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
- [Customize Windows 10 Start and taskbar with provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
- [Customize Windows 10 Start and taskbar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
- [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md)
[Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md)
[Customize and export Start layout](customize-and-export-start-layout.md)
[Add image for secondary tiles](start-secondary-tiles.md)
[Start layout XML for desktop editions of Windows 10 (reference)](start-layout-xml-desktop.md)
[Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
[Customize Windows 10 Start and taskbar with provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
[Customize Windows 10 Start and taskbar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
[Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md)

111
windows/configuration/customize-and-export-start-layout.md
View File

@ -6,9 +6,9 @@ manager: aaroncz
ms.prod: windows-client
author: lizgt2000
ms.author: lizlong
ms.topic: article
ms.topic: how-to
ms.localizationpriority: medium
ms.date: 09/18/2018
ms.date: 08/18/2023
ms.collection:
- highpri
- tier1
@ -17,7 +17,7 @@ ms.technology: itpro-configure
# Customize and export Start layout
**Applies to**
**Applies to**:
- Windows 10
@ -27,68 +27,66 @@ The easiest method for creating a customized Start layout to apply to other Wind
After you export the layout, decide whether you want to apply a *full* Start layout or a *partial* Start layout.
When a full Start layout is applied, the users cannot pin, unpin, or uninstall apps from Start. Users can view and open all apps in the **All Apps** view, but they cannot pin any apps to Start.
When [a partial Start layout](#configure-a-partial-start-layout) is applied, the contents of the specified tile groups cannot be changed, but users can move those groups, and can also create and customize their own groups.
>[!NOTE]
>Partial Start layout is only supported on Windows 10, version 1511 and later.
When a full Start layout is applied, the users can't pin, unpin, or uninstall apps from Start. Users can view and open all apps in the **All Apps** view, but they can't pin any apps to Start.
When [a partial Start layout](#configure-a-partial-start-layout) is applied, the contents of the specified tile groups can't be changed, but users can move those groups, and can also create and customize their own groups.
> [!NOTE]
> Partial Start layout is only supported on Windows 10, version 1511 and later.
You can deploy the resulting .xml file to devices using one of the following methods:
- [Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
- [Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
- [Windows Configuration Designer provisioning package](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
- [Windows Configuration Designer provisioning package](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
- [Mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
- [Mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
## Customize the Start screen on your test computer
### Customize the Start screen on your test computer
To prepare a Start layout for export, you simply customize the Start layout on a test computer.
**To prepare a test computer**
1. Set up a test computer on which to customize the Start layout. Your test computer should have the operating system that is installed on the users' computers (Windows 10 Pro, Enterprise, or Education). Install all apps and services that the Start layout should display.
1. Set up a test computer on which to customize the Start layout. Your test computer should have the operating system that is installed on the users' computers (Windows 10 Pro, Enterprise, or Education). Install all apps and services that the Start layout should display.
2. Create a new user account that you will use to customize the Start layout.
1. Create a new user account that you'll use to customize the Start layout.
**To customize Start**
1. Sign in to your test computer with the user account that you created.
1. Sign in to your test computer with the user account that you created.
2. Customize the Start layout as you want users to see it by using the following techniques:
1. Customize the Start layout as you want users to see it by using the following techniques:
- **Pin apps to Start**. From Start, type the name of the app. When the app appears in the search results, right-click the app, and then click **Pin to Start**.
- **Pin apps to Start**. From Start, type the name of the app. When the app appears in the search results, right-click the app, and then select **Pin to Start**.
To view all apps, click **All apps** in the bottom-left corner of Start. Right-click any app, and pin or unpin it from Start.
To view all apps, select **All apps** in the bottom-left corner of Start. Right-click any app, and pin or unpin it from Start.
- **Unpin apps** that you don't want to display. To unpin an app, right-click the app, and then click **Unpin from Start**.
- **Unpin apps** that you don't want to display. To unpin an app, right-click the app, and then select **Unpin from Start**.
- **Drag tiles** on Start to reorder or group apps.
- **Drag tiles** on Start to reorder or group apps.
- **Resize tiles**. To resize tiles, right-click the tile and then click **Resize.**
- **Resize tiles**. To resize tiles, right-click the tile and then select **Resize.**
- **Create your own app groups**. Drag the apps to an empty area. To name a group, click above the group of tiles and then type the name in the **Name group** field that appears above the group.
- **Create your own app groups**. Drag the apps to an empty area. To name a group, select above the group of tiles and then type the name in the **Name group** field that appears above the group.
>[!IMPORTANT]
>In Windows 10, version 1703, if the Start layout includes tiles for apps that are not installed on the device that the layout is later applied to, the tiles for those apps will be blank. The blank tiles will persist until the next time the user signs in, at which time the blank tiles are removed. Some system events may cause the blank tiles to be removed before the next sign-in.
> [!IMPORTANT]
> In Windows 10, version 1703, if the Start layout includes tiles for apps that are not installed on the device that the layout is later applied to, the tiles for those apps will be blank. The blank tiles will persist until the next time the user signs in, at which time the blank tiles are removed. Some system events may cause the blank tiles to be removed before the next sign-in.
>
>In earlier versions of Windows 10, no tile would be pinned.
> In earlier versions of Windows 10, no tile would be pinned.
## Export the Start layout
### Export the Start layout
When you have the Start layout that you want your users to see, use the [Export-StartLayout](/powershell/module/startlayout/export-startlayout) cmdlet in Windows PowerShell to export the Start layout to an .xml file. Start layout is located by default at C:\Users\username\AppData\Local\Microsoft\Windows\Shell\
>[!IMPORTANT]
>If you include secondary Microsoft Edge tiles (tiles that link to specific websites in Microsoft Edge), see [Add custom images to Microsoft Edge secondary tiles](start-secondary-tiles.md) for instructions.
> [!IMPORTANT]
> If you include secondary Microsoft Edge tiles (tiles that link to specific websites in Microsoft Edge), see [Add custom images to Microsoft Edge secondary tiles](start-secondary-tiles.md) for instructions.
**To export the Start layout to an .xml file**
1. While signed in with the same account that you used to customize Start, right-click Start, and select **Windows PowerShell**.
1. While signed in with the same account that you used to customize Start, right-click Start, and select **Windows PowerShell**.
2. On a device running Windows 10, version 1607, 1703, or 1803, at the Windows PowerShell command prompt, enter the following command:
1. On a device running Windows 10, version 1607, 1703, or 1803, at the Windows PowerShell command prompt, enter the following command:
`Export-StartLayout -path <path><file name>.xml`
@ -100,7 +98,7 @@ When you have the Start layout that you want your users to see, use the [Export-
In the previous command, `-path` is a required parameter that specifies the path and file name for the export file. You can specify a local path or a UNC path (for example, \\\\FileServer01\\StartLayouts\\StartLayoutMarketing.xml).
Use a file name of your choice—for example, StartLayoutMarketing.xml. Include the .xml file name extension. The [Export-StartLayout](/powershell/module/startlayout/export-startlayout) cmdlet does not append the file name extension, and the policy settings require the extension.
Use a file name of your choice—for example, StartLayoutMarketing.xml. Include the .xml file name extension. The [Export-StartLayout](/powershell/module/startlayout/export-startlayout) cmdlet doesn't append the file name extension, and the policy settings require the extension.
Example of a layout file produced by `Export-StartLayout`:
@ -120,16 +118,15 @@ When you have the Start layout that you want your users to see, use the [Export-
</LayoutModificationTemplate>
```
3. (Optional) Edit the .xml file to add [a taskbar configuration](configure-windows-10-taskbar.md) or to [modify the exported layout](start-layout-xml-desktop.md). When you make changes to the exported layout, be aware that [the order of the elements in the .xml file is critical.](start-layout-xml-desktop.md#required-order)
1. (Optional) Edit the .xml file to add [a taskbar configuration](configure-windows-10-taskbar.md) or to [modify the exported layout](start-layout-xml-desktop.md). When you make changes to the exported layout, be aware that [the order of the elements in the .xml file is critical.](start-layout-xml-desktop.md#required-order)
>[!IMPORTANT]
>If the Start layout that you export contains tiles for desktop (Win32) apps or .url links, **Export-StartLayout** will use **DesktopApplicationLinkPath** in the resulting file. Use a text or XML editor to change **DesktopApplicationLinkPath** to **DesktopApplicationID**. See [Specify Start tiles](start-layout-xml-desktop.md#specify-start-tiles) for details on using the app ID in place of the link path.
> [!IMPORTANT]
> If the Start layout that you export contains tiles for desktop (Win32) apps or .url links, **Export-StartLayout** will use **DesktopApplicationLinkPath** in the resulting file. Use a text or XML editor to change **DesktopApplicationLinkPath** to **DesktopApplicationID**. See [Specify Start tiles](start-layout-xml-desktop.md#specify-start-tiles) for details on using the app ID in place of the link path.
>[!NOTE]
>All clients that the start layout applies to must have the apps and other shortcuts present on the local system in the same location as the source for the Start layout.
> [!NOTE]
> All clients that the start layout applies to must have the apps and other shortcuts present on the local system in the same location as the source for the Start layout.
>
>For scripts and application tile pins to work correctly, follow these rules:
> For scripts and application tile pins to work correctly, follow these rules:
>
>* Executable files and scripts should be listed in \Program Files or wherever the installer of the app places them.
>
@ -141,11 +138,9 @@ When you have the Start layout that you want your users to see, use the [Export-
>
>* Three additional shortcuts are pinned to the start menu after the export. These are shortcuts to %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs, %APPDATA%\Microsoft\Windows\Start Menu\Programs, and %APPDATA%\Microsoft\Windows\Start Menu\Programs\System Tools\.
### Configure a partial Start layout
## Configure a partial Start layout
A partial Start layout enables you to add one or more customized tile groups to users' Start screens or menus, while still allowing users to make changes to other parts of the Start layout. All groups that you add are *locked*, meaning users cannot change the contents of those tile groups, however users can change the location of those groups. Locked groups are identified with an icon, as shown in the following image.
A partial Start layout enables you to add one or more customized tile groups to users' Start screens or menus, while still allowing users to make changes to other parts of the Start layout. All groups that you add are *locked*, meaning users can't change the contents of those tile groups, however users can change the location of those groups. Locked groups are identified with an icon, as shown in the following image.
![locked tile group.](images/start-pinned-app.png)
@ -157,30 +152,34 @@ If the Start layout is applied by Group Policy or MDM, and the policy is removed
**To configure a partial Start screen layout**
1. [Customize the Start layout](#customize-the-start-screen-on-your-test-computer).
1. [Customize the Start layout](#customize-the-start-screen-on-your-test-computer).
2. [Export the Start layout](#export-the-start-layout).
3. Open the layout .xml file. There is a `<DefaultLayoutOverride>` element. Add `LayoutCustomizationRestrictionType="OnlySpecifiedGroups"` to the **DefaultLayoutOverride** element as follows:
1. [Export the Start layout](#export-the-start-layout).
1. Open the layout .xml file. There is a `<DefaultLayoutOverride>` element. Add `LayoutCustomizationRestrictionType="OnlySpecifiedGroups"` to the **DefaultLayoutOverride** element as follows:
```xml
<DefaultLayoutOverride LayoutCustomizationRestrictionType="OnlySpecifiedGroups">
```
4. Save the file and apply using any of the deployment methods.
1. Save the file and apply using any of the deployment methods.
> [!NOTE]
> Office 2019 tiles might be removed from the Start menu when you upgrade Office 2019. This only occurs if Office 2019 app tiles are in a custom group in the Start menu and only contains the Office 2019 app tiles. To avoid this problem, place another app tile in the Office 2019 group prior to the upgrade. For example, add Notepad.exe or calc.exe to the group. This issue occurs because Office 2019 removes and reinstalls the apps when they are upgraded. Start removes empty groups when it detects that all apps for that group have been removed.
## Related articles
[Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md)
## Related topics
[Configure Windows 10 taskbar](configure-windows-10-taskbar.md)
[Add image for secondary tiles](start-secondary-tiles.md)
- [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md)
- [Configure Windows 10 taskbar](configure-windows-10-taskbar.md)
- [Add image for secondary tiles](start-secondary-tiles.md)
- [Start layout XML for desktop editions of Windows 10 (reference)](start-layout-xml-desktop.md)
- [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
- [Customize Windows 10 Start and taskbar with provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
- [Customize Windows 10 Start and taskbar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
- [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md)
[Start layout XML for desktop editions of Windows 10 (reference)](start-layout-xml-desktop.md)
[Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
[Customize Windows 10 Start and taskbar with provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
[Customize Windows 10 Start and taskbar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
[Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md)

23
windows/deployment/customize-boot-image.md
View File

@ -7,7 +7,7 @@ author: frankroj
manager: aaroncz
ms.author: frankroj
ms.topic: article
ms.date: 08/22/2023
ms.date: 09/05/2023
ms.technology: itpro-deploy
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
@ -108,7 +108,7 @@ Before modifying the desired boot image, make a backup copy of the boot image th
Adjust the above paths for 32-bit boot images (only available with Windows 10 ADKs).
The following commands backs up the 64-bit boot image included with the **Windows PE add-on for the Windows ADK**:
The following command backs up the 64-bit boot image included with the **Windows PE add-on for the Windows ADK**:
### [:::image type="icon" source="images/icons/powershell-18.svg"::: **PowerShell**](#tab/powershell)
From an elevated **PowerShell** command prompt, run the following command to create a backup copy of the 64-bit boot image included with the Windows ADK. If a backed-up boot image already exists, this command needs confirmation before it overwrites the existing backed up boot image:
@ -634,7 +634,7 @@ copy "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windo
copy "<Mount_folder_path>\Windows\Boot\EFI\bootmgr.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\bootmgr.efi"
copy "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\EFI\Boot\bootx64.bak.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\EFI\Boot\bootx64.efi"
copy "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\EFI\Boot\bootx64.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\EFI\Boot\bootx64.bak.efi"
copy "<Mount_folder_path>\Windows\Boot\EFI\bootmgfw.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\EFI\Boot\bootx64.efi"
```
@ -646,7 +646,7 @@ copy "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windo
copy "C:\Mount\Windows\Boot\EFI\bootmgr.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\bootmgr.efi"
copy "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\EFI\Boot\bootx64.bak.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\EFI\Boot\bootx64.efi"
copy "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\EFI\Boot\bootx64.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\EFI\Boot\bootx64.bak.efi"
copy "C:\Mount\Windows\Boot\EFI\bootmgfw.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\EFI\Boot\bootx64.efi"
```
@ -840,7 +840,7 @@ For more information, see [Modify a Windows image using DISM: Unmounting an imag
**Example**:
```powershell
Remove-Item - Path "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.wim" -Force
Remove-Item -Path "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.wim" -Force
```
For more information, see [Remove-Item](/powershell/module/microsoft.powershell.management/remove-item).
@ -1019,7 +1019,7 @@ This process updates the boot image used by Configuration Manager. It also updat
### Updating Configuration Manager boot media
After completing the walkthrough, including updating boot images in Configuration Manager, update any Configuration Manager task sequence media. Updating any Configuration Manager task sequence media ensures that the task sequence media has both the updated boot image. If applicable, it will also updat bootmgr boot files on the media by extracting the latest versions from the boot image. For more information on creating Configuration Manager task sequence media, see [Create task sequence media](/mem/configmgr/osd/deploy-use/create-task-sequence-media).
After completing the walkthrough, including updating boot images in Configuration Manager, update any Configuration Manager task sequence media. Updating any Configuration Manager task sequence media ensures that the task sequence media has both the updated boot image. If applicable, it will also update bootmgr boot files on the media by extracting the latest versions from the boot image. For more information on creating Configuration Manager task sequence media, see [Create task sequence media](/mem/configmgr/osd/deploy-use/create-task-sequence-media).
## Microsoft Deployment Toolkit (MDT) considerations
@ -1154,7 +1154,7 @@ then follow these steps to update the boot image in WDS:
---
2. Once the existing boot image in WDS has been replaced, restart the WDS service:
1. Once the existing boot image in WDS has been replaced, restart the WDS service:
#### [:::image type="icon" source="images/icons/powershell-18.svg"::: **PowerShell**](#tab/powershell)
@ -1233,7 +1233,7 @@ then follow these steps to add the boot image in WDS:
---
2. Once the existing boot image in WDS has been replaced, restart the WDS service:
1. Once the existing boot image in WDS has been replaced, restart the WDS service:
#### [:::image type="icon" source="images/icons/powershell-18.svg"::: **PowerShell**](#tab/powershell)
@ -1271,7 +1271,12 @@ The **boot.wim** that is part of Windows installation media isn't supported for
## Windows Server 2012 R2
This walk-through isn't intended for use with Windows Server 2012 R2. Although the steps in this article may work with Windows Server 2012 R2 when using older versions of the Windows ADK. However it may have compatibility problems with versions of the Windows ADK that are newer than the [ADK for Windows 10, version 2004](/windows-hardware/get-started/adk-install#other-adk-downloads). For server OSes, it's recommended to use Windows Server 2016 or later for this walk-through. For more information, see [Windows Server 2012 R2 Lifecycle](/lifecycle/products/windows-server-2012-r2).
This walk-through isn't intended for use with Windows Server 2012 R2. The steps in this article may work with Windows Server 2012 R2 when using older versions of the Windows ADK. However, it may have compatibility problems with versions of the Windows ADK that are newer than the [ADK for Windows 10, version 2004](/windows-hardware/get-started/adk-install#other-adk-downloads). To resolve compatibility problems with newer ADKs and Windows Server 2012 R2:
1. Upgrade Windows Server 2012 R2 to a newer version of Windows Server.
1. Perform the boot image customizations on a computer running a version of Windows that supports the newer ADKs, for example Windows 10 or Windows 11, and then transfer the modified boot image to the Windows Server 2012 R2 server.
For more information, see [Windows Server 2012 R2 Lifecycle](/lifecycle/products/windows-server-2012-r2).
## Related articles

4
windows/deployment/update/check-release-health.md
View File

@ -13,7 +13,7 @@ ms.localizationpriority: medium
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 06/07/2023
ms.date: 09/08/2023
---
# How to check Windows release health
@ -36,7 +36,7 @@ Ensure the following prerequisites are met to display the Windows release health
- Most roles containing the word `administrator` give you access to the Windows release health page such as [Global Administrator](/azure/active-directory/roles/permissions-reference#global-administrator), [Helpdesk Administrator](/azure/active-directory/roles/permissions-reference#helpdesk-administrator), and [Service Support Administrator](/azure/active-directory/roles/permissions-reference#service-support-administrator). For more information, see [Assign admin roles in the Microsoft 365 admin center](/microsoft-365/admin/add-users/assign-admin-roles).
> [!NOTE]
> Currently, Windows release health isn't available for Government Community Cloud (GCC) tenants.
> Currently, Windows release health is available for Government Community Cloud (GCC) tenants, but isn't available for GCC High and DoD. <!--8337541-->
## How to review Windows release health information

2
windows/deployment/usmt/usmt-best-practices.md
View File

@ -69,7 +69,7 @@ As the authorized administrator, it is your responsibility to protect the privac
- **Maintain security of the file server and the deployment server**
We recommend that you manage the security of the file and deployment servers. It's important to make sure that the file server where you save the store is secure. You must also secure the deployment server, to ensure that the user data that is in the log files isn't exposed. We also recommend that you only transmit data over a secure Internet connection, such as a virtual private network. For more information about network security, see [Microsoft Security Compliance Manager](https://go.microsoft.com/fwlink/p/?LinkId=215657).
We recommend that you manage the security of the file and deployment servers. It's important to make sure that the file server where you save the store is secure. You must also secure the deployment server, to ensure that the user data that is in the log files isn't exposed. We also recommend that you only transmit data over a secure Internet connection, such as a virtual private network. For more information about network security, see [Microsoft Security Compliance Manager](https://www.microsoft.com/download/details.aspx?id=53353).
- **Password Migration**

198
windows/deployment/usmt/usmt-exclude-files-and-settings.md
View File

@ -5,14 +5,14 @@ manager: aaroncz
ms.author: frankroj
ms.prod: windows-client
author: frankroj
ms.date: 11/01/2022
ms.date: 09/18/2023
ms.topic: article
ms.technology: itpro-deploy
---
# Exclude files and settings
When you specify the migration .xml files, `MigApp.xml`, `MigDocs.xml`, and `MigUser.xml`, the User State Migration Tool (USMT) 10.0 migrates the settings and components listed, as discussed in [What does USMT migrate?](usmt-what-does-usmt-migrate.md) You can create a custom .xml file to further specify what to include or exclude in the migration. In addition you can create a `Config.xml` file to exclude an entire component from a migration. You can't, however, exclude users by using the migration .xml files or the `Config.xml` file. The only way to specify which users to include and exclude is by using the user options on the command line in the ScanState tool. For more information, see the [User options](usmt-scanstate-syntax.md#user-options) section of the [ScanState syntax](usmt-scanstate-syntax.md) article.
When you specify the migration .xml files, `MigApp.xml`, `MigDocs.xml`, and `MigUser.xml`, the User State Migration Tool (USMT) 10.0 migrates the settings and components listed, as discussed in [What does USMT migrate?](usmt-what-does-usmt-migrate.md) You can create a custom .xml file to further specify what to include or exclude in the migration. In addition, you can create a `Config.xml` file to exclude an entire component from a migration. You can't, however, exclude users by using the migration .xml files or the `Config.xml` file. The only way to specify which users to include and exclude is by using the user options on the command line in the ScanState tool. For more information, see the [User options](usmt-scanstate-syntax.md#user-options) section of the [ScanState syntax](usmt-scanstate-syntax.md) article.
Methods to customize the migration and include and exclude files and settings include:
@ -33,7 +33,8 @@ We recommend that you create a custom .xml file instead of modifying the default
The migration .xml files, `MigApp.xml`, `MigDocs.xml`, and `MigUser.xml`, contain the **&lt;component&gt;** element, which typically represents a self-contained component or an application such as Microsoft® Office Outlook® and Word. To exclude the files and registry settings that are associated with these components, use the **&lt;include&gt;** and **&lt;exclude&gt;** elements. For example, you can use these elements to migrate all files and settings with pattern X except files and settings with pattern Y, where Y is more specific than X. For the syntax of these elements, see [USMT XML Reference](usmt-xml-reference.md).
> [!NOTE]
> If you specify an **&lt;exclude&gt;** rule, always specify a corresponding **&lt;include&gt;** rule. Otherwise, if you do not specify an **&lt;include&gt;** rule, the specific files or settings will not be included. They will already be excluded from the migration. Thus, an unaccompanied **&lt;exclude&gt;** rule is unnecessary.
>
> If you specify an **&lt;exclude&gt;** rule, always specify a corresponding **&lt;include&gt;** rule. Otherwise, if you don't specify an **&lt;include&gt;** rule, the specific files or settings aren't included. They're already excluded from the migration. Thus, an unaccompanied **&lt;exclude&gt;** rule is unnecessary.
- [Example 1: How to migrate all files from C:\\ except .mp3 files](#example-1-how-to-migrate-all-files-from-c-except-mp3-files)
@ -82,16 +83,16 @@ The following .xml file migrates all files and subfolders in `C:\Data`, except t
<displayName _locID="miguser.sharedvideo">Test component</displayName>
<role role="Data">
<rules>
<include>
<objectSet>
<pattern type="File">C:\Data\* [*]</pattern>
</objectSet>
</include>
<exclude>
<objectSet>
<pattern type="File"> C:\Data\temp\* [*]</pattern>
</objectSet>
</exclude>
<include>
<objectSet>
<pattern type="File">C:\Data\* [*]</pattern>
</objectSet>
</include>
<exclude>
<objectSet>
<pattern type="File"> C:\Data\temp\* [*]</pattern>
</objectSet>
</exclude>
</rules>
</role>
</component>
@ -104,23 +105,23 @@ The following .xml file migrates any subfolders in `C:\`EngineeringDrafts`, but
```xml
<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/test">
<component type="Documents" context="System">
<displayName>Component to migrate all Engineering Drafts Documents without subfolders</displayName>
<role role="Data">
<rules>
<include>
<objectSet>
<pattern type="File"> C:\EngineeringDrafts\* [*]</pattern>
</objectSet>
</include>
<exclude>
<objectSet>
<pattern type="File"> C:\EngineeringDrafts\ [*]</pattern>
</objectSet>
</exclude>
</rules>
</role>
</component>
<component type="Documents" context="System">
<displayName>Component to migrate all Engineering Drafts Documents without subfolders</displayName>
<role role="Data">
<rules>
<include>
<objectSet>
<pattern type="File"> C:\EngineeringDrafts\* [*]</pattern>
</objectSet>
</include>
<exclude>
<objectSet>
<pattern type="File"> C:\EngineeringDrafts\ [*]</pattern>
</objectSet>
</exclude>
</rules>
</role>
</component>
</migration>
```
@ -130,35 +131,35 @@ The following .xml file migrates all files and subfolders in `C:\EngineeringDraf
```xml
<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/test">
<component type="Documents" context="System">
<displayName>Component to migrate all Engineering Drafts Documents except Sample.doc</displayName>
<role role="Data">
<rules>
<include>
<objectSet>
<pattern type="File"> C:\EngineeringDrafts\* [*]</pattern>
</objectSet>
</include>
<exclude>
<objectSet>
<pattern type="File"> C:\EngineeringDrafts\ [Sample.doc]</pattern>
</objectSet>
</exclude>
</rules>
</role>
</component>
<component type="Documents" context="System">
<displayName>Component to migrate all Engineering Drafts Documents except Sample.doc</displayName>
<role role="Data">
<rules>
<include>
<objectSet>
<pattern type="File"> C:\EngineeringDrafts\* [*]</pattern>
</objectSet>
</include>
<exclude>
<objectSet>
<pattern type="File"> C:\EngineeringDrafts\ [Sample.doc]</pattern>
</objectSet>
</exclude>
</rules>
</role>
</component>
</migration>
```
### Example 5: How to exclude a file from any location
To exclude a Sample.doc file from any location on the C: drive, use the **&lt;pattern&gt;** element. If multiple files exist with the same name on the C: drive, all of these files will be excluded.
To exclude a Sample.doc file from any location on the C: drive, use the **&lt;pattern&gt;** element. If multiple files exist with the same name on the C: drive, all of these files are excluded.
```xml
<pattern type="File"> C:\* [Sample.doc] </pattern>
```
To exclude a Sample.doc file from any drive on the computer, use the **&lt;script&gt;** element. If multiple files exist with the same name, all of these files will be excluded.
To exclude a Sample.doc file from any drive on the computer, use the **&lt;script&gt;** element. If multiple files exist with the same name, all of these files are excluded.
```xml
<script>MigXmlHelper.GenerateDrivePatterns("* [sample.doc]", "Fixed")</script>
@ -174,15 +175,15 @@ The following .xml file excludes all `.mp3` files from the migration:
```xml
<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/excludefiles">
<component context="System" type="Documents">
<component context="System" type="Documents">
<displayName>Test</displayName>
<role role="Data">
<rules>
<unconditionalExclude>
<objectSet>
<script>MigXmlHelper.GenerateDrivePatterns ("* [*.mp3]", "Fixed")</script>
</objectSet>
</unconditionalExclude>
<unconditionalExclude>
<objectSet>
<script>MigXmlHelper.GenerateDrivePatterns ("* [*.mp3]", "Fixed")</script>
</objectSet>
</unconditionalExclude>
</rules>
</role>
</component>
@ -199,11 +200,11 @@ The following .xml file excludes only the files located on the C: drive.
<displayName>Test</displayName>
<role role="Data">
<rules>
<unconditionalExclude>
<unconditionalExclude>
<objectSet>
<pattern type="File">c:\*[*]</pattern>
<pattern type="File">c:\*[*]</pattern>
</objectSet>
</unconditionalExclude>
</unconditionalExclude>
</rules>
</role>
</component>
@ -217,53 +218,53 @@ The following .xml file unconditionally excludes the `HKEY_CURRENT_USER` registr
```xml
<?xml version="1.0" encoding="UTF-8"?>
<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/miguser">
<component type="Documents" context="User">
<displayName>Test</displayName>
<role role="Data">
<rules>
<include>
<objectSet>
<pattern type="Registry">HKCU\testReg[*]</pattern>
</objectSet>
</include>
<unconditionalExclude>
<objectSet>
<pattern type="Registry">HKCU\*[*]</pattern>
</objectSet>
</unconditionalExclude>
</rules>
</role>
</component>
<component type="Documents" context="User">
<displayName>Test</displayName>
<role role="Data">
<rules>
<include>
<objectSet>
<pattern type="Registry">HKCU\testReg[*]</pattern>
</objectSet>
</include>
<unconditionalExclude>
<objectSet>
<pattern type="Registry">HKCU\*[*]</pattern>
</objectSet>
</unconditionalExclude>
</rules>
</role>
</component>
</migration>
```
##### Example 4: How to Exclude `C:\Windows` and `C:\Program Files`
The following .xml file unconditionally excludes the system folders of `C:\Windows` and `C:\Program Files`. Note that all `*.docx`, `*.xls` and `*.ppt` files won't be migrated because the **&lt;unconditionalExclude&gt;** element takes precedence over the **&lt;include&gt;** element.
The following .xml file unconditionally excludes the system folders of `C:\Windows` and `C:\Program Files`. All `*.docx`, `*.xls` and `*.ppt` files aren't migrated because the **&lt;unconditionalExclude&gt;** element takes precedence over the **&lt;include&gt;** element.
```xml
<?xml version="1.0" encoding="UTF-8"?>
<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/miguser">
<component type="Documents" context="System">
<displayName>Test</displayName>
<role role="Data">
<rules>
<include>
<objectSet>
<script>MigXmlHelper.GenerateDrivePatterns ("* [*.doc]", "Fixed")</script>
<script>MigXmlHelper.GenerateDrivePatterns ("* [*.xls]", "Fixed")</script>
<script>MigXmlHelper.GenerateDrivePatterns ("* [*.ppt]", "Fixed")</script>
</objectSet>
</include>
<unconditionalExclude>
<objectSet>
<pattern type="File">C:\Program Files\* [*]</pattern>
<pattern type="File">C:\Windows\* [*]</pattern>
</objectSet>
</unconditionalExclude>
</rules>
</role>
</component>
<component type="Documents" context="System">
<displayName>Test</displayName>
<role role="Data">
<rules>
<include>
<objectSet>
<script>MigXmlHelper.GenerateDrivePatterns ("* [*.doc]", "Fixed")</script>
<script>MigXmlHelper.GenerateDrivePatterns ("* [*.xls]", "Fixed")</script>
<script>MigXmlHelper.GenerateDrivePatterns ("* [*.ppt]", "Fixed")</script>
</objectSet>
</include>
<unconditionalExclude>
<objectSet>
<pattern type="File">C:\Program Files\* [*]</pattern>
<pattern type="File">C:\Windows\* [*]</pattern>
</objectSet>
</unconditionalExclude>
</rules>
</role>
</component>
</migration>
```
@ -275,12 +276,13 @@ You can create and modify a `Config.xml` file if you want to exclude components
- **To exclude an operating system setting:** Specify `migrate="no"` for the setting under the **&lt;WindowsComponents&gt;** section.
- **To exclude My Documents:** Specify `migrate="no"` for **My Documents** under the **&lt;Documents&gt;** section. Note that any **&lt;include&gt;** rules in the .xml files will still apply. For example, if you have a rule that includes all the .docx files in My Documents, then only the .docx files will be migrated, but the rest of the files won't.
- **To exclude My Documents:** Specify `migrate="no"` for **My Documents** under the **&lt;Documents&gt;** section. Any **&lt;include&gt;** rules in the .xml files are still applied. For example, if you have a rule that includes all the .docx files in My Documents, then .docx files are still migrated. However, any additional files that aren't .docx aren't migrated.
For more information, see [Config.xml File](usmt-configxml-file.md).
> [!NOTE]
> To exclude a component from the `Config.xml` file, set the **migrate** value to **"no"**. Deleting the XML tag for the component from the `Config.xml` file will not exclude the component from your migration.
>
> To exclude a component from the `Config.xml` file, set the **migrate** value to **"no"**. Deleting the XML tag for the component from the `Config.xml` file doesn't exclude the component from your migration.
## Related articles

4
windows/deployment/windows-autopatch/TOC.yml
View File

@ -123,10 +123,10 @@
href: references/windows-autopatch-windows-update-unsupported-policies.md
- name: Microsoft 365 Apps for enterprise update policies
href: references/windows-autopatch-microsoft-365-policies.md
- name: Conflicting configurations
href: references/windows-autopatch-conflicting-configurations.md
- name: Changes made at tenant enrollment
href: references/windows-autopatch-changes-to-tenant.md
- name: Driver and firmware updates public preview addendum
href: references/windows-autopatch-driver-and-firmware-updates-public-preview-addendum.md
- name: What's new
href:
items:

2
windows/deployment/windows-autopatch/deploy/windows-autopatch-admin-contacts.md
View File

@ -1,7 +1,7 @@
---
title: Add and verify admin contacts
description: This article explains how to add and verify admin contacts
ms.date: 05/30/2022
ms.date: 09/15/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: how-to

2
windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md
View File

@ -68,7 +68,7 @@ Before you start managing Autopatch groups, ensure youve met the following pr
1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. Select **Devices** from the left navigation menu.
1. Under the **Windows Autopatch** section, select **Release management**.
1. In the **Release management** blade, select **Autopatch groups (preview)**.
1. In the **Release management** blade, select **Autopatch groups**.
1. In the **Autopatch groups** blade, select **Create**.
1. In **Basics** page, enter a **name** and a **description** then select **Next: Deployment rings**.
1. Enter up to 64 characters for the Autopatch group name and 150 characters maximum for the description. The Autopatch group name is appended to both the update rings and the DSS policy names that get created once the Custom Autopatch group is created.

2
windows/deployment/windows-autopatch/operate/windows-autopatch-edge.md
View File

@ -1,7 +1,7 @@
---
title: Microsoft Edge
description: This article explains how Microsoft Edge updates are managed in Windows Autopatch
ms.date: 05/30/2022
ms.date: 09/15/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual

2
windows/deployment/windows-autopatch/operate/windows-autopatch-manage-driver-and-firmware-updates.md
View File

@ -29,7 +29,7 @@ Switching the toggle between Automatic and Self-managed modes creates driver pro
| Modes | Description |
| ----- | -----|
| Automatic | We recommend using **Automatic** mode.<p>Automatic mode (default) is recommended for organizations with standard Original Equipment Manufacturer (OEM) devices where no recent driver or hardware issues have occurred due to Windows Updates. Automatic mode ensures the most secure drivers are installed using Autopatch deployment ring rollout.</p> |
| Self-managed | When you use the the **Self-managed** mode for drivers and firmware, no drivers are installed in your environment without your explicit approval. You can still use Intune to choose specific drivers and deploy them on a ring-by-ring basis.<p>Self-managed mode turns off Windows Autopatchs automatic driver deployment. Instead, the Administrator controls the driver deployment.<p>The Administrator selects the individual driver within an Intune driver update profile. Then, Autopatch creates an Intune driver update profile per deployment ring. Drivers can vary between deployment rings.</p><p>The drivers listed for selection represent only the drivers needed for the targeted clients, which are the Autopatch rings. Therefore, the drivers offered may vary between rings depending on the variety of device hardware in an organization.</p> |
| Self-managed | When you use **Self-managed** mode, no drivers are installed in your environment without your explicit approval. You can still use Intune to choose specific drivers and deploy them on a ring-by-ring basis.<p>Self-managed mode turns off Windows Autopatchs automatic driver deployment. Instead, the Administrator controls the driver deployment.<p>The Administrator selects the individual driver within an Intune driver update profile. Then, Autopatch creates an Intune driver update profile per deployment ring. Drivers can vary between deployment rings.</p><p>The drivers listed for selection represent only the drivers needed for the targeted clients, which are the Autopatch rings. Therefore, the drivers offered may vary between rings depending on the variety of device hardware in an organization.</p> |
## Set driver and firmware updates to Automatic or Self-managed mode

2
windows/deployment/windows-autopatch/operate/windows-autopatch-teams.md
View File

@ -1,7 +1,7 @@
---
title: Microsoft Teams
description: This article explains how Microsoft Teams updates are managed in Windows Autopatch
ms.date: 05/30/2022
ms.date: 09/15/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual

4
windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md
View File

@ -55,7 +55,7 @@ For more information and assistance with preparing for your Windows Autopatch de
| [Register devices](../deploy/windows-autopatch-register-devices.md)<ul><li>[Review your device registration options](../deploy/windows-autopatch-device-registration-overview.md)</li><li>[Register your first devices](../deploy/windows-autopatch-register-devices.md) | :heavy_check_mark: | :x: |
| [Run the pre-registration device readiness checks](../deploy/windows-autopatch-register-devices.md#about-the-registered-not-ready-and-not-registered-tabs) | :x: | :heavy_check_mark: |
| Automatically assign devices to deployment rings at device registration<ul><li>[Default Windows Autopatch group deployment rings](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group)</li><li>[Custom Windows Autopatch group deployment rings](../deploy/windows-autopatch-groups-overview.md#about-custom-autopatch-groups)</li></ul>| :x: | :heavy_check_mark: |
| Remediate registration issues<ul><li>[For devices displayed in the **Not ready** tab](../deploy/windows-autopatch-post-reg-readiness-checks.md#about-the-three-tabs-in-the-devices-blade)</li><li>[For devices displayed in the **Not registered** tab](../deploy/windows-autopatch-post-reg-readiness-checks.md#about-the-three-tabs-in-the-devices-blade)</li></ul> | :heavy_check_mark: | :x: |
| Remediate registration issues<ul><li>[For devices displayed in the **Not ready** tab](../deploy/windows-autopatch-post-reg-readiness-checks.md#about-the-three-tabs-in-the-devices-blade)</li><li>[For devices displayed in the **Not registered** tab](../deploy/windows-autopatch-post-reg-readiness-checks.md#about-the-three-tabs-in-the-devices-blade)</li><li>[For devices with conflicting configurations](../references/windows-autopatch-conflicting-configurations.md)</li></ul> | :heavy_check_mark: | :x: |
| Populate the Test and Last deployment ring membership<ul><li>[Default Windows Autopatch group deployment rings](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group)</li><li>[Custom Windows Autopatch group deployment rings](../deploy/windows-autopatch-groups-overview.md#about-custom-autopatch-groups)</li></ul> | :heavy_check_mark: | :x: |
| [Manually override device assignments to deployment rings](../operate/windows-autopatch-update-management.md#moving-devices-in-between-deployment-rings) | :heavy_check_mark: | :x: |
| Review device conflict scenarios<ul><li>[Device conflict in deployment rings within an Autopatch group](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#device-conflict-in-deployment-rings-within-an-autopatch-group)</li><li>[Device conflict across different Autopatch groups](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#device-conflict-across-different-autopatch-groups)</li></ul> | :heavy_check_mark: | :x: |
@ -87,7 +87,7 @@ For more information and assistance with preparing for your Windows Autopatch de
| [Pause updates (initiated by you)](../operate/windows-autopatch-groups-windows-quality-update-overview.md#pause-and-resume-a-release) | :heavy_check_mark: | :x: |
| Run [on-going post-registration device readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md) | :x: | :heavy_check_mark: |
| Maintain existing configurations<ul><li>Remove your devices from existing and unsupported [Windows update](../references/windows-autopatch-windows-update-unsupported-policies.md) and [Microsoft 365](../references/windows-autopatch-microsoft-365-policies.md) policies</li><li>Consult [General considerations](../overview/windows-autopatch-deployment-guide.md#general-considerations)</ul> | :heavy_check_mark: | :x: |
| Understand the health of [Up to date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices) devices and investigate devices that are<ul><li>[Not up to date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#not-up-to-date-devices)</li><li>[Not ready](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#not-ready-devices)</li><li>have [Device alerts](../operate/windows-autopatch-device-alerts.md)</li></ul>
| Understand the health of [Up to date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices) devices and investigate devices that are<ul><li>[Not up to date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#not-up-to-date-devices)</li><li>[Not ready](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#not-ready-devices)</li><li>have [Device alerts](../operate/windows-autopatch-device-alerts.md)</li><li>have [conflicting configurations](../references/windows-autopatch-conflicting-configurations.md)</li></ul>
| [Raise, manage and resolve a service incident if an update management area isn't meeting the service level objective](windows-autopatch-overview.md#update-management) | :x: | :heavy_check_mark: |
| [Exclude a device](../operate/windows-autopatch-exclude-device.md) | :heavy_check_mark: | :x: |
| [Register a device that was previously excluded](../operate/windows-autopatch-exclude-device.md#restore-a-device-or-multiple-devices-previously-excluded) | :heavy_check_mark: | :x: |

2
windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md
View File

@ -1,7 +1,7 @@
---
title: Configure your network
description: This article details the network configurations needed for Windows Autopatch
ms.date: 05/30/2022
ms.date: 09/15/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: how-to

2
windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md
View File

@ -1,7 +1,7 @@
---
title: Enroll your tenant
description: This article details how to enroll your tenant
ms.date: 07/11/2022
ms.date: 09/15/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: how-to

153
windows/deployment/windows-autopatch/references/windows-autopatch-conflicting-configurations.md Normal file
View File

@ -0,0 +1,153 @@
---
title: Conflicting configurations
description: This article explains how to remediate conflicting configurations affecting the Windows Autopatch service.
ms.date: 09/05/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
ms.localizationpriority: medium
author: tiaraquan
ms.author: tiaraquan
manager: dougeby
ms.reviewer: adnich
ms.collection:
- highpri
- tier1
---
# Conflicting configurations (public preview)
> [!IMPORTANT]
> This feature is in **public preview**. The feature is being actively developed and might not be complete.
During Readiness checks, if there are devices with conflicting registry configurations, notifications are listed in the **Not ready** tab. The notifications include a list of alerts that explain why the device isn't ready for updates. Instructions are provided on how to resolve the issue(s). You can review any device marked as **Not ready** and remediate them to a **Ready** state.
Windows Autopatch monitors conflicting configurations. Youre notified of the specific registry values that prevent Windows from updating properly. These registry keys should be removed to resolve the conflict. However, its possible that other services write back the registry keys. Its recommended that you review common sources for conflicting configurations to ensure your devices continue to receive Windows Updates.
The most common sources of conflicting configurations include:
- Active Directory Group Policy (GPO)
- Configuration Manager Device client settings
- Windows Update for Business (WUfB) policies
- Manual registry updates
- Local Group Policy settings applied during imaging (LGPO)
## Registry keys inspected by Autopatch
```cmd
Location= HKLM:SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotConnectToWindowsUpdateInternetLocations Value=Any
Location= HKLM:SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DisableWindowsUpdateAccess Value=Any
Location= HKLM:SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\WUServer String=Any
Location= HKLM:SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\UseWUServer Value=Any
Location= HKLM:SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate Value=Any
```
## Resolving conflicts
Windows Autopatch recommends removing the conflicting configurations. The following remediation examples can be used to remove conflicting settings and registry keys when targeted at Autopatch-managed clients.
> [!IMPORTANT]
> **Its recommended to only target devices with conflicting configuration alerts**. The following remediation examples can affect devices that arent managed by Windows Autopatch, be sure to target accordingly.
### Intune Remediation
Navigate to Intune Remediations and create a remediation using the following examples. Its recommended to create a single remediation per value to understand if the value persists after removal.
If you use either [**Detect**](#detect) and/or [**Remediate**](#remediate) actions, ensure to update the appropriate **Path** and **Value** called out in the Alert. For more information, see [Remediations](/mem/intune/fundamentals/remediations).
#### Detect
```powershell
if((Get-ItemProperty HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate).PSObject.Properties.Name -contains 'DoNotConnectToWindowsUpdateInternetLocations') {
Exit 1
} else {
exit 0
}
```
| Alert details | Description |
| ----- | ----- |
| Path | `HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate` |
| Value | `DoNotConnectToWindowsUpdateInternetLocations` |
#### Remediate
```powershell
if((Get-ItemProperty HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate).PSObject.Properties.Name -contains 'DoNotConnectToWindowsUpdateInternetLocations') {
Remove-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" -Name "DoNotConnectToWindowsUpdateInternetLocations"
}
```
| Alert details | Description |
| ----- | ----- |
| Path | `HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate` |
| Value | `DoNotConnectToWindowsUpdateInternetLocations` |
### PowerShell
Copy and paste the following PowerShell script into PowerShell or a PowerShell editor, and save it with a `.ps1` extension. For more information, see [Remove-ItemProperty (Microsoft.PowerShell.Management)](/powershell/module/microsoft.powershell.management/remove-itemproperty).
```powershell
Remove-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" -Name "DoNotConnectToWindowsUpdateInternetLocations"
Remove-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" -Name "DisableWindowsUpdateAccess"
Remove-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" -Name "WUServer"
Remove-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" -Name "UseWUServer"
Remove-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" -Name "NoAutoUpdate"
```
### Batch file
Copy and paste the following code into a text editor, and save it with a `.cmd` extension, and execute against affected devices. This command removes registry keys that affect the Windows Autopatch service. For more information, see [Using batch files: Scripting; Management Services](/previous-versions/windows/it-pro/windows-server-2003/cc758944(v=ws.10)?redirectedfrom=MSDN).
```cmd
@echo off
echo Deleting registry keys...
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DoNotConnectToWindowsUpdateInternetLocations" /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DisableWindowsUpdateAccess" /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "WUServer" /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "UseWUServer" /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate" /f
echo Registry keys deleted.
Pause
```
### Registry file
Copy the following code to a Notepad file, save as a `.reg` extension, and execute against affected devices. This removes registry keys that affect the Windows Autopatch service. For more information, see [How to add, modify, or delete registry subkeys and values by using a .reg file](https://support.microsoft.com/topic/how-to-add-modify-or-delete-registry-subkeys-and-values-by-using-a-reg-file-9c7f37cf-a5e9-e1cd-c4fa-2a26218a1a23).
```cmd
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"DoNotConnectToWindowsUpdateInternetLocations"=-
"DisableWindowsUpdateAccess"=-
"WUServer"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"UseWUServer"=-
"NoAutoUpdate"=-
```
## Common sources of conflicting configurations
The following examples can be used to validate if the configuration is persistent from one of the following services. The list isnt an exhaustive, and Admins should be aware that changes can affect devices not managed by Windows Autopatch and should plan accordingly.
### Group Policy management
Group Policy management is the most popular client configuration tool in most organizations. For this reason, its most often the source of conflicting configurations. Use Result Set of Policy (RSOP) on an affected client can quickly identify if configured policies conflict with Windows Autopatch. For more information, see Use Resultant Set of Policy to Manage Group Policy.
1. Launch an Elevated Command Prompt and enter `RSOP`.
1. Navigate to **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Windows Update**
1. If a Policy **doesnt exist** in Windows Update, then it appears to not be Group Policy.
1. If a Policy **exists** in Windows Update is present, modify or limit the target of the conflicting policy to resolve the Alert.
1. If the **Policy name** is labeled **Local Group Policy**, these settings could have been applied during imaging or by Configuration Manager.
### Configuration Manager
Configuration Manager is a common enterprise management tool that, among many things, can help manage Windows Updates. For this reason, we see many environments misconfigured when moving to either a 100% cloud or co-managed workloads even when the workloads are configured correctly. The client settings are often missed. For more information, see [About client settings and software updates](/mem/configmgr/core/clients/deploy/about-client-settings#software-updates).
1. Go the **Microsoft Endpoint Configuration Manager Console**.
1. Navigate to **Administration** > **Overview** > **Client Settings**.
1. Ensure **Software Updates** isnt configured. If configured, its recommended to remove these settings to prevent conflicts with Windows Autopatch.
## Third-party solutions
Third-party solutions can include any other product that may write configurations for the devices in question, such as MDMs (Mobile Device Managers) or Policy Managers.

19
windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
View File

@ -1,7 +1,7 @@
---
title: What's new 2023
description: This article lists the 2023 feature releases and any corresponding Message center post numbers.
ms.date: 08/31/2023
ms.date: 09/11/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: whats-new
@ -21,6 +21,21 @@ This article lists new and updated feature releases, and service releases, with
Minor corrections such as typos, style, or formatting issues aren't listed.
## September 2023
### September feature releases or updates
| Article | Description |
| ----- | ----- |
| [Conflicting configurations](../references/windows-autopatch-conflicting-configurations.md) | New feature. This article explains how to remediate conflicting configurations<ul><li>[MC671811](https://admin.microsoft.com/adminportal/home#/MessageCenter)</li></ul> |
### September service releases
| Message center post number | Description |
| ----- | ----- |
| [MC674422](https://admin.microsoft.com/adminportal/home#/MessageCenter) | Public Preview: Windows Autopatch Reliability Report |
| [MC672750](https://admin.microsoft.com/adminportal/home#/MessageCenter) | August 2023 Windows Autopatch baseline configuration update |
## August 2023
### August feature releases or updates
@ -34,7 +49,7 @@ Minor corrections such as typos, style, or formatting issues aren't listed.
| [Exclude a device](../operate/windows-autopatch-exclude-device.md) | Renamed Deregister a device to [Exclude a device](../operate/windows-autopatch-exclude-device.md). Added the [Restore device](../operate/windows-autopatch-exclude-device.md#restore-a-device-or-multiple-devices-previously-excluded) feature <ul><li>[MC667662](https://admin.microsoft.com/adminportal/home#/MessageCenter)</li></ul> |
| [Device alerts](../operate/windows-autopatch-device-alerts.md) | Added `'InstallSetupBlock'` to the [Alert resolutions section](../operate/windows-autopatch-device-alerts.md#alert-resolutions) |
## August service releases
### August service releases
| Message center post number | Description |
| ----- | ----- |

2
windows/hub/index.yml
View File

@ -70,7 +70,7 @@ productDirectory:
- url: /windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines
text: Windows security baselines
- url: /windows/security/identity-protection/credential-guard/credential-guard-how-it-works
text: Windows Defender Credential Guard
text: Credential Guard
- url: /windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust
text: Windows Hello for Business cloud Kerberos trust
- url: /windows/security/threat-protection/windows-defender-application-control

2
windows/privacy/Microsoft-DiagnosticDataViewer.md
View File

@ -6,7 +6,7 @@ ms.technology: itpro-privacy
ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
manager: dougeby
manager: laurawi
ms.date: 12/13/2018
ms.topic: how-to
---

2
windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md
View File

@ -6,7 +6,7 @@ ms.technology: itpro-privacy
localizationpriority: medium
author: DHB-MSFT
ms.author: danbrown
manager: dougeby
manager: laurawi
ms.date: 03/27/2017
ms.topic: reference
---

2
windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md
View File

@ -6,7 +6,7 @@ ms.technology: itpro-privacy
localizationpriority: medium
author: DHB-MSFT
ms.author: danbrown
manager: dougeby
manager: laurawi
ms.date: 03/27/2017
ms.topic: reference
---

2
windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md
View File

@ -6,7 +6,7 @@ ms.technology: itpro-privacy
localizationpriority: medium
author: DHB-MSFT
ms.author: danbrown
manager: dougeby
manager: laurawi
ms.date: 03/27/2017
ms.topic: reference
---

2
windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md
View File

@ -6,7 +6,7 @@ ms.technology: itpro-privacy
localizationpriority: medium
author: DHB-MSFT
ms.author: danbrown
manager: dougeby
manager: laurawi
ms.date: 03/27/2017
ms.topic: reference
---

62
windows/privacy/changes-to-windows-diagnostic-data-collection.md
View File

@ -6,7 +6,7 @@ ms.technology: itpro-privacy
ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
manager: dougeby
manager: laurawi
ms.date: 06/04/2020
ms.topic: conceptual
---
@ -70,61 +70,17 @@ For more info, see [Configure Windows diagnostic data in your organization](conf
Customers who use services that depend on Windows diagnostic data, such as [Microsoft Managed Desktop](/microsoft-365/managed-desktop/service-description/device-policies#windows-diagnostic-data), may be impacted by the behavioral changes when they're released. These services will be updated to address these changes and guidance will be published on how to configure them properly.
## Significant changes coming to the Windows diagnostic data processor configuration
Currently, to enroll devices in the [Window diagnostic data processor configuration](configure-windows-diagnostic-data-in-your-organization.md#enable-windows-diagnostic-data-processor-configuration) option, IT admins can use policies, such as the “Allow commercial data pipeline” policy, at the individual device level.
To enable efficiencies and help us implement our plan to [store and process EU Data for European enterprise customers in the EU](https://blogs.microsoft.com/eupolicy/2021/05/06/eu-data-boundary/), we'll be introducing the following significant change for enterprise Windows devices that have diagnostic data turned on.
***Well stop using policies, such as the “Allow commercial data pipeline” policy, to configure the processor option. Instead, well be introducing an organization-wide configuration based on Azure Active Directory (Azure AD) to determine Microsofts role in data processing.***
Were making this change to help ensure the diagnostic data for all devices in an organization is processed in a consistent way, and in the same geographic region.
### Devices in Azure AD tenants with a billing address in the European Union (EU) or European Free Trade Association (EFTA)
For Windows devices with diagnostic data turned on and that are joined to an [Azure AD tenant with billing address](/azure/cost-management-billing/manage/change-azure-account-profile) in the EU or EFTA, the Windows diagnostic data for that device will be automatically configured for the processor option. The Windows diagnostic data for those devices will be processed in Europe.
From a compliance standpoint, this change means that Microsoft will be the processor and the organization will be the controller of the Windows diagnostic data. IT admins for those organizations will become responsible for responding to their users [data subject requests](/compliance/regulatory/gdpr-dsr-windows).
### Devices in Azure AD tenants with a billing address outside of the EU and EFTA
For Windows devices with diagnostic data turned on and that are joined to an [Azure AD tenant with billing address](/azure/cost-management-billing/manage/change-azure-account-profile) outside of the EU and EFTA, to enable the processor configuration option, the organization must sign up for any of the following enterprise services, which rely on diagnostic data:
- [Update Compliance](/windows/deployment/update/update-compliance-monitor)
- [Windows Update for Business reports](/windows/deployment/update/wufb-reports-overview)
- [Windows Update for Business deployment service](/windows/deployment/update/deployment-service-overview)
- [Microsoft Managed Desktop](/managed-desktop/intro/)
- [Endpoint analytics (in Microsoft Intune)](/mem/analytics/overview)
*(Additional licensing requirements may apply to use these services.)*
If you dont sign up for any of these enterprise services, Microsoft will act as controller for the diagnostic data.
## Significant change to the Windows diagnostic data processor configuration
> [!NOTE]
> In all cases, enrollment in the Windows diagnostic data processor configuration requires a device to be joined to an Azure AD tenant. If a device isn't properly enrolled, Microsoft will act as the controller for Windows diagnostic data in accordance with the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) and the [Data Protection Addendum](https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA) terms won't apply.
> The information in this section applies to the following versions of Windows:
> - Windows 10, versions 20H2, 21H2, 22H2, and newer
> - Windows 11, versions 21H2, 22H2, and newer
### Rollout plan for this change
Previously, IT admins could use policies (for example, the “Allow commercial data pipeline” policy) at the individual device level to enroll devices in the Windows diagnostic data processor configuration.
This change will rollout in phases, starting with Windows devices enrolled in the [Dev Channel](/windows-insider/flighting#dev-channel) of the Windows Insider program. Starting in build 25169, devices in the Dev Channel that are joined to an Azure AD tenant with a billing address in the EU or EFTA will be automatically enabled for the processor configuration option.
Starting with the January 2023 preview cumulative update, how you enable the processor configuration option depends on the billing address of the Azure AD tenant to which your devices are joined.
During this initial rollout, the following conditions apply to devices in the Dev Channel that are joined to an Azure AD tenant with a billing address outside of the EU or EFTA:
We made this change to help ensure the diagnostic data for all devices in an organization is processed in a consistent way and in the same geographic region, and to help us implement our plan to [store and process EU Data for European enterprise customers in the EU](/privacy/eudb/eu-data-boundary-learn).
- Devices can't be enabled for the Windows diagnostic data processor configuration at this time.
- The processor configuration will be disabled in any devices that were previously enabled.
- Microsoft will act as the controller for Windows diagnostic data in accordance with the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) and the [Data Protection Addendum](https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA) terms won't apply.
It's recommended Insiders on these devices pause flighting if these changes aren't acceptable.
For Windows devices in the Dev Channel that aren't joined to an Azure AD tenant, Microsoft will act as the controller for Windows diagnostic data in accordance with the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) and the [Data Protection Addendum](https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA) terms won't apply.
For other Windows devices (not in the Dev Channel), the change will rollout with the January 2023 release preview cumulative update for Windows 10 versions 20H2, 21H2 and 22H2, and Windows 11 versions 21H2 and 22H2.
To prepare for this change, ensure that you meet the [prerequisites](configure-windows-diagnostic-data-in-your-organization.md#prerequisites) for Windows diagnostic data processor configuration, join your devices to Azure AD (can be a hybrid Azure AD join), and keep your devices secure and up to date with quality updates. If you're outside of the EU or EFTA, sign up for any of the enterprise services.
As part of this change, the following policies will no longer be supported to configure the processor option:
- Allow commercial data pipeline
- Allow Desktop Analytics Processing
- Allow Update Compliance Processing
- Allow WUfB Cloud Processing
- Allow Microsoft Managed Desktop Processing
- Configure the Commercial ID
For more information, see [Enable Windows diagnostic data processor configuration](configure-windows-diagnostic-data-in-your-organization.md#enable-windows-diagnostic-data-processor-configuration).

14
windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
View File

@ -6,7 +6,7 @@ ms.technology: itpro-privacy
ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
manager: dougeby
manager: laurawi
ms.date: 03/11/2016
ms.collection: highpri
ms.topic: conceptual
@ -321,10 +321,12 @@ For the best experience, use the most current build of any operating system spec
The diagnostic data setting on the device should be set to Required diagnostic data or higher, and the following endpoints need to be reachable:
- us-v10c.events.data.microsoft.com (eu-v10c.events.data.microsoft.com for tenants with billing address in the [EU Data Boundary](/privacy/eudb/eu-data-boundary-learn#eu-data-boundary-countries-and-datacenter-locations))
- umwatsonc.events.data.microsoft.com (eu-watsonc.events.data.microsoft.com for tenants with billing address in the [EU Data Boundary](/privacy/eudb/eu-data-boundary-learn#eu-data-boundary-countries-and-datacenter-locations))
- watsonc.events.data.microsoft.com (eu-watsonc.events.data.microsoft.com for tenants with billing address in the [EU Data Boundary](/privacy/eudb/eu-data-boundary-learn#eu-data-boundary-countries-and-datacenter-locations))
- settings-win.data.microsoft.com
- *.blob.core.windows.net
Tenants with billing addresses in countries or regions in the Middle East and Africa, as well as European countries or regions not in the EU, also use the eu-v10c.events.data.microsoft.com and eu-watsonc.events.data.microsoft.com endpoints. Their diagnostic data is processed initially in Europe, but those tenants aren't considered part of the [EU Data Boundary](/privacy/eudb/eu-data-boundary-learn).
>[!Note]
> - Windows diagnostic data collected from a device before it was enabled with Windows diagnostic data processor configuration will be deleted when this configuration is enabled.
> - When you enable devices with the Windows diagnostic data processor configuration, users may continue to submit feedback through various channels such as Windows feedback hub or Edge feedback. However, the feedback data is not subject to the terms of the Windows diagnostic data processor configuration. If this is not desired, we recommend that you disable feedback using the available policies or application management solutions.
@ -342,20 +344,16 @@ Starting with the January 2023 preview cumulative update, how you enable the pro
For Windows devices with diagnostic data turned on and that are joined to an [Azure AD tenant with billing address](/azure/cost-management-billing/manage/change-azure-account-profile) in the EU or EFTA, the Windows diagnostic data for that device will be automatically configured for the processor option. The Windows diagnostic data for those devices will be processed in Europe.
> [!NOTE]
> The Windows diagnostic data processor configuration has components for which work is in progress to be included in the EU Data Boundary, but completion of this work is delayed beyond January 1, 2023. These components will be included in the EU Data Boundary in the coming months. In the meantime, Microsoft will temporarily transfer data out of the EU Data Boundary as part of service operations to ensure uninterrupted operation of the services customers signed up for.
From a compliance standpoint, this change means that Microsoft will be the processor and the organization will be the controller of the Windows diagnostic data. IT admins for those organizations will become responsible for responding to their users [data subject requests](/compliance/regulatory/gdpr-dsr-windows).
#### Devices in Azure AD tenants with a billing address outside of the EU and EFTA
For Windows devices with diagnostic data turned on and that are joined to an [Azure AD tenant with billing address](/azure/cost-management-billing/manage/change-azure-account-profile) outside of the EU and EFTA, to enable the processor configuration option, the organization must sign up for any of the following enterprise services, which rely on diagnostic data:
- [Update Compliance](/windows/deployment/update/update-compliance-monitor)
- [Windows Update for Business reports](/windows/deployment/update/wufb-reports-overview)
- [Windows Update for Business deployment service](/windows/deployment/update/deployment-service-overview)
- [Microsoft Managed Desktop](/managed-desktop/intro/)
- [Endpoint analytics (in Microsoft Intune)](/mem/analytics/overview)
- [Windows Autopatch](/windows/deployment/windows-autopatch/overview/windows-autopatch-overview)
- [Windows updates reports (in Microsoft Intune)](/mem/intune/protect/data-enable-windows-data#windows-data)
*(Additional licensing requirements may apply to use these services.)*

70
windows/privacy/copilot-supplemental-terms.md Normal file
View File

@ -0,0 +1,70 @@
---
title: COPILOT IN WINDOWS (PREVIEW) SUPPLEMENTAL TERMS
description: The Supplemental Terms for Copilot in Windows (Preview)
ms.prod: windows-client
ms.technology: itpro-privacy
ms.localizationpriority: medium
author: DHB-MSFT
ms.author: danbrown
manager: laurawi
ms.date: 09/20/2023
ms.topic: conceptual
hideEdit: true
layout: ContentPage
ROBOTS: NOINDEX, NOFOLLOW
feedback_system: None
---
# COPILOT IN WINDOWS (PREVIEW) SUPPLEMENTAL TERMS
Copilot in Windows is your AI companion that brings productivity to your fingertips. Leveraging Bing Chat or Bing Chat Enterprise, Copilot in Windows accelerates your tasks, reduces friction, saves you time and provides you with personalized answers, inspiration and task assistance. Your use of Copilot in Windows is subject to these supplemental terms of use (“Terms”). By using Copilot in Windows you agree to be bound by these Terms.
1. Preview
a. COPILOT IN WINDOWS IS A PREVIEW FEATURE AND IS PROVIDED “AS-IS,” “WITH ALL FAULTS,” AND “AS AVAILABLE".
b. Microsoft makes no guarantees or promises about how Copilot in Windows operates or that it will function as intended.
2. Eligibility and Use Requirements.
a. You must be signed into Windows with your Microsoft account to access Copilot in Windows.
b. If you're signed into Windows with your work or school account, your organization may have given you the ability to use Copilot in Windows. If you have access to Copilot in Windows but your organization hasn't enabled Bing Chat Enterprise, your use will be limited to Bing Chats current turn limit.
c. Along with these Terms, your use of Copilot in Windows is also governed by the Microsoft Services Agreement, which is incorporated by reference. You agree that Copilot in Windows constitutes a Service, as defined in the [Microsoft Services Agreement](https://www.microsoft.com/servicesagreement). If there's any conflict between these Terms and the Microsoft Services Agreement, the conflicting provision in these Terms will control.
3. Bing Chat
a. Your Copilot in Windows experiences powered by Bing Chat are subject to [Bing Chats terms of use](https://go.microsoft.com/fwlink/p/?linkid=2247757).
b. If your organization is allowing you to use Bing Chat Enterprise, your Copilot in Windows experiences will be powered by Bing Chat Enterprise and will be subject to [Bing Chat Enterprises terms of use](https://go.microsoft.com/fwlink/p/?linkid=2247908).
4. Using Copilot in Windows
a. Copilot in Windows may allow you to submit text inputs and converse with an online computer-powered chatbot and in certain circumstances generate text content or image content. Your use of Copilot in Windows must comply with the Code of Conduct section of the Microsoft Services Agreement and the Bing Chat Code of Conduct or Bing Chat Enterprise Content Policy.
b. Copilot in Windows may allow you to change some of your Windows settings based on the text you submit into Copilot in Windows. Additionally, when you copy text in other apps while Copilot in Windows is open, it may automatically prompt you with suggestions to send the copied text to the chat and offer further suggestions of what you can do with that text.
c. You can consent to letting Copilot in Windows access your Microsoft Edge webpage content. This allows Copilot in Windows to provide relevant responses by accessing content from your active foreground Edge tab. This can be adjusted anytime in Copilot in Windows settings.
5. Data
a. All data processed by Copilot in Windows, including voice input data, will be processed according to the Microsoft Privacy Statement.
6. Ownership of Content
a. Microsoft doesn't claim ownership of any content you provide, post, input, or submit to, or receive from, Copilot in Windows, Bing Chat, or Bing Chat Enterprise (including feedback and suggestions). You'll need to make your own determination regarding the intellectual property rights you have in output content and its commercial usability, taking into account, among other things, your usage scenario(s) and the laws of the relevant jurisdiction. You warrant and represent that you or your organization owns or otherwise controls all of the rights to your content as described in these Terms including, without limitation, all the rights necessary for you to provide, post, upload, input or submit the content.
7. Third-party claims
a. You're responsible for responding to any third-party claims regarding your use of Copilot in Windows in compliance with applicable laws (including, but not limited to, copyright infringement or other claims relating to output content that was output during your use of Copilot in Windows).
8. Reverse engineering
a. You may not use Copilot in Windows to discover any underlying components of the models, algorithms, or systems, such as exfiltrating the weights of models.
9. Extracting data
a. You may not use web scraping, web harvesting, or web data extraction methods to extract data from Copilot in Windows or from any output content.
10. **IF YOU LIVE IN (OR YOUR PRINCIPAL PLACE OF BUSINESS IS IN) THE UNITED STATES, PLEASE READ THE BINDING ARBITRATION CLAUSE AND CLASS ACTION WAIVER IN SECTION 15 OF THE MICROSOFT SERVICES AGREEMENT. IT AFFECTS HOW DISPUTES RELATING TO THIS AGREEMENT ARE RESOLVED.**

2
windows/privacy/diagnostic-data-viewer-overview.md
View File

@ -6,7 +6,7 @@ ms.technology: itpro-privacy
ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
manager: dougeby
manager: laurawi
ms.date: 01/09/2018
ms.collection: highpri
ms.topic: how-to

2
windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md
View File

@ -6,7 +6,7 @@ ms.technology: itpro-privacy
ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
manager: dougeby
manager: laurawi
ms.date: 10/12/2017
ms.topic: reference
---

2
windows/privacy/essential-services-and-connected-experiences.md
View File

@ -6,7 +6,7 @@ ms.technology: itpro-privacy
ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
manager: dougeby
manager: laurawi
ms.date: 06/28/2021
ms.collection: highpri
ms.topic: reference

2
windows/privacy/index.yml
View File

@ -12,7 +12,7 @@ metadata:
ms.collection: highpri
author: DHB-MSFT
ms.author: danbrown
manager: dougeby
manager: laurawi
ms.date: 09/08/2021 #Required; mm/dd/yyyy format.
ms.localizationpriority: high

4
windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
View File

@ -6,7 +6,7 @@ ms.technology: itpro-privacy
ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
manager: dougeby
manager: laurawi
ms.date: 05/15/2019
ms.topic: conceptual
---
@ -156,6 +156,8 @@ For Windows 10 and Windows 11, the following MDM policies are available in the [
1. Windows Update Allow Update Service - [Update/AllowUpdateService](/windows/client-management/mdm/policy-csp-update#update-allowupdateservice). Specifies whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft Store. **Set to 0 (zero)**
1. Windows Update Service URL - [Update/UpdateServiceUrl](/windows/client-management/mdm/policy-csp-update#update-updateserviceurl). Allows the device to check for updates from a WSUS server instead of Microsoft Update. **Set to String** with the Value:
1. **\<Replace>\<CmdID>$CmdID$</CmdID>\<Item>\<Meta>\<Format>chr</Format>\<Type>text/plain</Type>\</Meta>\<Target> \<LocURI>./Vendor/MSFT/Policy/Config/Update/UpdateServiceUrl</LocURI>\</Target>\<Data>http://abcd-srv:8530</Data>\</Item>\</Replace>**
28. **Recommendations** </br>
a. [HideRecentJumplists](/windows/client-management/mdm/policy-csp-start#hiderecentjumplists) setting in the Start Policy configuration service provider (CSP). To hide a list of recommended apps and files in the Recommended section on the Start menu.
### <a href="" id="bkmk-mdm-allowedtraffic"></a> Allowed traffic for Microsoft Intune / MDM configurations

14
windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
View File

@ -6,7 +6,7 @@ ms.technology: itpro-privacy
ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
manager: dougeby
manager: laurawi
ms.date: 03/07/2016
ms.collection: highpri
ms.topic: conceptual
@ -113,6 +113,7 @@ The following table lists management options for each setting, For Windows 10 (
| [30. Cloud Clipboard](#bkmk-clcp) | | ![Check mark](images/checkmark.png) | |
| [31. Services Configuration](#bkmk-svccfg) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
| [32. Widgets](#bkmk-widgets) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
| [33. Recommendations](#33-recommendations) |![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
### Settings for Windows Server 2016 with Desktop Experience
@ -1923,6 +1924,16 @@ To turn off Widgets, you can use Group Policy or a custom setting in an MDM solu
For more information about AllowNewsAndInterests and the “Allow widgets” policy, [review this information](/windows/client-management/mdm/policy-csp-newsandinterests#allownewsandinterests).
### 33. Recommendations
The Recommended section on the Start menu displays a list of recommended apps and files.
To turn off these recommendations, you can use any of the following methods:
- In Group Policy, set the "Remove Recommended from Start Menu" policy to Enabled under **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar**.
- In an MDM solution, such as Microsoft Intune, you can use the [HideRecentJumplists](/windows/client-management/mdm/policy-csp-start#hiderecentjumplists) setting in the Start Policy configuration service provider (CSP).
- In the registry, you can set **HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_TrackDocs** to 0.
- In the UI, you can turn off **Show recommendations for tips, shortcuts, new apps, and more** under **Settings** > **Personalization** > **Start**.
### <a href="" id="bkmk-allowedtraffic"></a> Allowed traffic list for Windows Restricted Traffic Limited Functionality Baseline
@ -1933,5 +1944,4 @@ For more information about AllowNewsAndInterests and the “Allow widgets” pol
|ocsp.digicert.com/*|
|www.microsoft.com/pkiops/*|
To learn more, see [Device update management](/windows/client-management/mdm/device-update-management) and [Configure Automatic Updates by using Group Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc720539(v=ws.10)).

2
windows/privacy/manage-windows-1809-endpoints.md
View File

@ -6,7 +6,7 @@ ms.technology: itpro-privacy
ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
manager: dougeby
manager: laurawi
ms.date: 01/18/2018
ms.topic: reference
---

2
windows/privacy/manage-windows-1903-endpoints.md
View File

@ -6,7 +6,7 @@ ms.technology: itpro-privacy
ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
manager: dougeby
manager: laurawi
ms.date: 01/18/2018
ms.topic: reference
---

2
windows/privacy/manage-windows-1909-endpoints.md
View File

@ -6,7 +6,7 @@ ms.technology: itpro-privacy
ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
manager: dougeby
manager: laurawi
ms.date: 01/18/2018
ms.topic: reference
---

2
windows/privacy/manage-windows-2004-endpoints.md
View File

@ -6,7 +6,7 @@ ms.technology: itpro-privacy
ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
manager: dougeby
manager: laurawi
ms.date: 01/18/2018
ms.topic: reference
---

2
windows/privacy/manage-windows-20H2-endpoints.md
View File

@ -6,7 +6,7 @@ ms.technology: itpro-privacy
ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
manager: dougeby
manager: laurawi
ms.date: 01/18/2018
ms.topic: reference
---

2
windows/privacy/manage-windows-21H1-endpoints.md
View File

@ -6,7 +6,7 @@ ms.technology: itpro-privacy
ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
manager: dougeby
manager: laurawi
ms.date: 01/18/2018
ms.topic: reference
---

2
windows/privacy/manage-windows-21h2-endpoints.md
View File

@ -6,7 +6,7 @@ ms.technology: itpro-privacy
ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
manager: dougeby
manager: laurawi
ms.date: 01/18/2018
ms.topic: reference
---

26
windows/privacy/windows-10-and-privacy-compliance.md
View File

@ -6,7 +6,7 @@ ms.technology: itpro-privacy
ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
manager: dougeby
manager: laurawi
ms.date: 05/20/2019
ms.topic: conceptual
---
@ -99,9 +99,9 @@ Windows deployment can be configured using several different methods that provid
If you want the ability to fully control and apply restrictions on data being sent back to Microsoft, you can use [Configuration Manager](/mem/configmgr/) as a deployment solution. Configuration Manager can be used to deploy a customized boot image using a variety of [deployment methods](/mem/configmgr/osd/get-started/prepare-for-operating-system-deployment). You can further restrict any Configuration Manager-specific diagnostic data from being sent back to Microsoft by turning off this setting as outlined in the instructions [here](/mem/configmgr/core/plan-design/diagnostics/frequently-asked-questions).
Alternatively, your administrators can also choose to use Windows Autopilot. Autopilot lessens the overall burden of deployment while allowing administrators to fully customize the out-of-box experience. However, since Windows Autopilot is a cloud-based solution, administrators should be aware that a minimal set of device identifiers are sent back to Microsoft during initial device boot up. This device-specific information is used to identify the device so that it can receive the administrator-configured Autopilot profile and policies.
Alternatively, your administrators can also choose to use Windows Autopilot. Windows Autopilot lessens the overall burden of deployment while allowing administrators to fully customize the out-of-box experience. However, since Windows Autopilot is a cloud-based solution, administrators should be aware that a minimal set of device identifiers are sent back to Microsoft during initial device boot up. This device-specific information is used to identify the device so that it can receive the administrator-configured Windows Autopilot profile and policies.
You can use the following articles to learn more about Autopilot and how to use Autopilot to deploy Windows:
You can use the following articles to learn more about Windows Autopilot and how to use Windows Autopilot to deploy Windows:
- [Overview of Windows Autopilot](/windows/deployment/windows-Autopilot/windows-Autopilot)
- [Windows Autopilot deployment process](/windows/deployment/windows-Autopilot/deployment-process)
@ -145,15 +145,12 @@ An administrator can disable a users ability to delete their devices diagn
#### _2.3.7 Diagnostic data: Enabling the Windows diagnostic data processor configuration_
> [!IMPORTANT]
> There are some significant changes planned for the Windows diagnostic data processor configuration. To learn more, [review this information](changes-to-windows-diagnostic-data-collection.md#significant-changes-coming-to-the-windows-diagnostic-data-processor-configuration).
**Applies to:**
- Windows 11 Enterprise, Professional, and Education editions
- Windows 10 Enterprise, Professional, and Education, version 1809 with July 2021 update and newer
The Windows diagnostic data processor configuration enables IT administrators to be the controller, as defined by the European Union General Data Protection Regulation (GDPR), for the Windows diagnostic data collected from Windows devices that are Azure Active Directory (AAD)-joined and meet the configuration requirements. For more information, see [Enable Windows diagnostic data processor configuration](configure-windows-diagnostic-data-in-your-organization.md#enable-windows-diagnostic-data-processor-configuration) in [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md). Windows diagnostic data does not include data processed by Microsoft in connection with providing service-based capabilities.
The Windows diagnostic data processor configuration enables IT administrators to be the controller, as defined by the European Union General Data Protection Regulation (GDPR), for the Windows diagnostic data collected from Windows devices that are Azure Active Directory (AAD)-joined and meet the configuration requirements. For more information, see [Enable Windows diagnostic data processor configuration](configure-windows-diagnostic-data-in-your-organization.md#enable-windows-diagnostic-data-processor-configuration). Windows diagnostic data does not include data processed by Microsoft in connection with providing service-based capabilities.
The Windows diagnostic data collected from devices enabled with the Windows diagnostic data processor configuration may be associated with a specific Azure Active Directory User ID or device ID. The Windows diagnostic data processor configuration provides you with controls that help respond to data subject requests (DSRs) to delete diagnostic data, at user account closure, for a specific Azure AD User ID. Additionally, youre able to execute an export DSR for diagnostic data related to a specific Azure AD User ID. For more information, see [The process for exercising data subject rights](#3-the-process-for-exercising-data-subject-rights). Microsoft also will accommodate a tenant account closure, either because you decide to close your Azure or Azure AD tenant account, or because you decide you no longer wish to be the data controller for Windows diagnostic data, but still wish to remain an Azure customer.
@ -165,8 +162,6 @@ We recommend that IT administrators who have enabled the Windows diagnostic data
>[!Note]
>Tenant account closure will lead to the deletion of all data associated with that tenant.
Specific services that depend on Windows diagnostic data will also result in the enterprise becoming controllers of their Windows diagnostic data. These services include Update Compliance, Windows Update for Business reports, Windows Update for Business, and Microsoft Managed Desktop. For more information, see [Related Windows product considerations](#5-related-windows-product-considerations).
For more information on how Microsoft can help you honor rights and fulfill obligations under the GDPR when using Windows diagnostic data processor configurations, see [General Data Protection Regulation Summary](/compliance/regulatory/gdpr).
## 3. The process for exercising data subject rights
@ -230,18 +225,17 @@ An administrator can configure privacy-related settings, such as choosing to onl
>[!Note]
>The Windows diagnostic data processor configuration is not available for Surface Hub.
### 5.3 Microsoft Managed Desktop
### 5.3 Windows Update for Business reports
[Microsoft Managed Desktop (MMD)](/microsoft-365/managed-desktop/service-description/) is a service that provides your users with a secure modern experience and always keeps devices up to date with the latest versions of Windows Enterprise edition, Office 365 ProPlus, and Microsoft security services.
[Windows Update for Business reports](/windows/deployment/update/wufb-reports-overview) is a cloud-based solution that provides information about an organizations Azure Active Directory-joined devices' compliance with Windows updates. Windows Update for Business reports uses Windows diagnostic data for all of its reporting.
### 5.4 Update Compliance
### 5.4 Windows Autopatch
[Update Compliance](/windows/deployment/update/update-compliance-monitor) is a service that enables organizations to monitor security, quality and feature updates for Windows Professional, Education, and Enterprise editions, and view a report of device and update issues related to compliance that need attention. Update Compliance uses Windows diagnostic data for all its reporting.
[Windows Autopatch](/windows/deployment/windows-autopatch/overview/windows-autopatch-overview) is a cloud service that automates Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams updates to improve security and productivity across your organization. Windows Autopatch reports use Windows diagnostic data for their reporting.
### 5.5 Windows Update for Business reports
[Windows Update for Business reports](/windows/deployment/update/wufb-reports-overview) is a cloud-based solution that provides information about an organizations Azure Active Directory-joined devices' compliance with Windows updates. Windows Update for Business reports uses Windows diagnostic data for all its reporting.
### 5.5 Windows updates reports (in Microsoft Intune)
Microsoft Intune is a cloud-based endpoint management solution. It manages user access and simplifies app and device management across your many devices, including mobile devices, desktop computers, and virtual endpoints. Microsoft Intune includes reports that help you prepare a Windows upgrade or update. For example, [App and driver compatibility reports](/mem/intune/protect/windows-update-compatibility-reports), [Windows driver updates](/mem/intune/protect/windows-driver-updates-overview), and [Windows Autopilot](/autopilot/windows-autopilot). These reports use Windows diagnostic data for their reporting.
## Additional Resources

2
windows/privacy/windows-11-endpoints-non-enterprise-editions.md
View File

@ -6,7 +6,7 @@ ms.technology: itpro-privacy
ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
manager: dougeby
manager: laurawi
ms.date: 12/17/2020
ms.topic: reference
---

2
windows/privacy/windows-diagnostic-data-1703.md
View File

@ -6,7 +6,7 @@ ms.technology: itpro-privacy
ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
manager: dougeby
manager: laurawi
ms.date: 03/31/2017
ms.topic: reference
---

2
windows/privacy/windows-diagnostic-data.md
View File

@ -6,7 +6,7 @@ ms.technology: itpro-privacy
ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
manager: dougeby
manager: laurawi
ms.date: 03/31/2017
ms.collection: highpri
ms.topic: reference

2
windows/privacy/windows-endpoints-1809-non-enterprise-editions.md
View File

@ -6,7 +6,7 @@ ms.technology: itpro-privacy
ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
manager: dougeby
manager: laurawi
ms.date: 06/29/2018
ms.topic: reference
---

2
windows/privacy/windows-endpoints-1903-non-enterprise-editions.md
View File

@ -6,7 +6,7 @@ ms.technology: itpro-privacy
ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
manager: dougeby
manager: laurawi
ms.date: 06/29/2018
ms.topic: reference
---

Some files were not shown because too many files have changed in this diff Show More