diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 8a8c061684..8f10c8e96a 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -1,6 +1,11 @@ { "redirections": [ { +"source_path": "windows/device-security/windows-security-baselines.md", +"redirect_url": "https://www.microsoft.com/download/details.aspx?id=55319", +"redirect_document_id": false +}, +{ "source_path": "education/windows/windows-10-pro-to-pro-edu-upgrade.md", "redirect_url": "/education/windows/switch-to-pro-education", "redirect_document_id": true diff --git a/devices/surface-hub/surfacehub-whats-new-1703.md b/devices/surface-hub/surfacehub-whats-new-1703.md index b658a09d5d..a24d9b1905 100644 --- a/devices/surface-hub/surfacehub-whats-new-1703.md +++ b/devices/surface-hub/surfacehub-whats-new-1703.md @@ -11,6 +11,12 @@ localizationpriority: medium # What's new in Windows 10, version 1703 for Microsoft Surface Hub? +Watch Surface Hub engineer Jordan Marchese present updates to Microsoft Surface Hub with Windows 10, version 1703 (Creators Update). + + + Windows 10, version 1703 (also called the Creators Update), introduces the following changes for Microsoft Surface Hub: ## New settings diff --git a/education/get-started/get-started-with-microsoft-education.md b/education/get-started/get-started-with-microsoft-education.md index d82cbe9b63..a93c3a283c 100644 --- a/education/get-started/get-started-with-microsoft-education.md +++ b/education/get-started/get-started-with-microsoft-education.md @@ -1,7 +1,7 @@ --- title: Deploy and manage a full cloud IT solution with Microsoft Education description: Learn how to use the new Microsoft Education system to set up a cloud infrastructure for your school, acquire devices and apps, and configure and deploy policies to your Windows 10 devices. -keywords: education, Microsoft Education, Microsoft Education system, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, Microsoft Store for Education, Azure AD, Set up School PCs +keywords: education, Microsoft Education, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, School Data Sync, Microsoft Teams, Microsoft Store for Education, Azure AD, Set up School PCs ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -27,6 +27,7 @@ Hello, IT administrators! In this walkthrough, we'll show you how you can quickl - **Office 365 for Education** provides online apps for work from anywhere and desktop apps for advanced functionality, built for working together and available across devices, and it's free for schools, teachers, and students - **School Data Sync** to help automate the process for importing and integrating School Information System (SIS) data that you can use with Office 365 - **OneNote Class Notebook** to organize course content, create and deliver interactive lessons to some or all students, collaborate and provide private feedback to individual students, and connect with major LMS and SIS partners for assignment workflow +- **Microsoft Teams** to bring conversations, content, and apps together in one place and create collaborate classrooms, connect in professional learning communities, and communicate with school staff - **Learning Tools** are moving beyond the OneNote desktop app and is now available in Office Lens, OneNote Online, Word Online, and Word desktop - **Whiteboard** to create interactive lessons on the big screen, share and collaborate real-time by connecting to Class Notebook and Classroom - **Windows 10, version 1703 (Creators Update)** which brings 3D for everyone and other new and updated Windows features @@ -43,6 +44,7 @@ Go to the Mi In this walkthrough, we'll show you the basics on how to: - Acquire an Office 365 for Education tenant, if you don't already have one - Import school, student, teacher, and class data using School Data Sync (SDS) +- Deploy Microsoft Teams to enable groups and teams in your school to communicate and collaborate - Manage apps and settings deployment with Intune for Education - Acquire additional apps in Microsoft Store for Education - Use the Set up School PCs app to quickly set up and provision your Windows 10 education devices @@ -52,7 +54,7 @@ This diagram shows a high-level view of what we cover in this walkthrough. The n **Figure 1** - Microsoft Education IT administrator workflow -![Deploy and manage a full cloud IT solution using Microsoft Education](images/microsoft-education-get-started-workflow.png) +![Deploy and manage a full cloud IT solution using Microsoft Education](images/microsoft_education_it_getstarted_workflow.png) ## Prerequisites Complete these tasks before you start the walkthrough: @@ -116,7 +118,7 @@ Already have an Office 365 for Education verified tenant? Just sign in with your ![Intune for Education trial sign in page](images/i4e_trialsigninpage.png) 3. Enter your Office 365 global admin credentials to apply the Intune for Education trial to your tenant. -4. Skip ahead and follow the instructions in the walkthrough beginning with [3. Configure Microsoft Store for Education](#3-configure-microsoft-store-for-education). +4. Skip ahead and follow the instructions in the walkthrough beginning with [4. Configure Microsoft Store for Education](#4-configure-microsoft-store-for-education). ## 1. Set up a new Office 365 for Education tenant @@ -131,7 +133,7 @@ Don't have an Office 365 for Education verified tenant or just starting out? Fol ![Create an Office 365 account](images/o365_createaccount.png) -3. Save your sign-in info so you can use it to sign into https://portal.office.com (the sign-in page). Click **You're ready to go...** +3. Save your sign-in info so you can use it to sign in to https://portal.office.com (the sign-in page). Click **You're ready to go...** 4. In the **Verify eligibility for Microsoft Office 365 for Education** screen: 1. Add your domain name and follow the steps to confirm ownership of the domain. 2. Choose your DNS hosting provider to see step-by-step instructions on how to confirm that you own the domain. @@ -140,7 +142,7 @@ Don't have an Office 365 for Education verified tenant or just starting out? Fol You may need to fill in other information to provide that you qualify for an education tenant. Provide and submit the info to Microsoft to continue verification for your tenant. -As part of setting up a basic cloud infrastructure, you don't need to complete the rest of the Office 365 for Education setup so we will skip the rest of setup for now and start importing school data. You can pick up where you left off with Office 365 for Education setup once you've completed the rest of the steps in the walkthrough. See [6.3 Complete Office 365 for Education setup](#63-complete-office-365-education-setup) for info. +As part of setting up a basic cloud infrastructure, you don't need to complete the rest of the Office 365 for Education setup so we will skip the rest of setup for now and start importing school data. You can pick up where you left off with Office 365 for Education setup once you've completed the rest of the steps in the walkthrough. See [7.3 Complete Office 365 for Education setup](#73-complete-office-365-education-setup) for info. ## 2. Use School Data Sync to import student data @@ -240,7 +242,7 @@ The Classroom application is retired, but you will need to assign the Classroom 3. Select the domain for the schools/sections. This domain will be used for the Section email addresses created during setup. If you have more than one domain, make sure you select the appropriate domain for the sync profile and subsequent sections being created. 4. In the **Select school and section properties** section, ensure the attributes that have been automatically selected for you align to your CSV files. If you select additional properties, or deselect any properties, make sure you have the properties and values contained within the CSV files. For the walkthrough, you don't have to change the default. 5. In the **Sync option for Section Group Display Name**, check the box if you want to allow teachers to overwrite the section names. Otherwise, SDS will always reset the display name value for sections to the value contained within the CSV files. - 6. In the **License Options** section, check the box to allow users being created to receive an Office 365 license. + 6. In the **License Options** section, check the box to enable the Classroom Preview license for all synced students and teachers within the sync profile. 7. Check the **Intune for Education** checkbox to allow users to receive the Intune for Education license and to create the SDS dynamic groups and security groups, which be used within Intune for Education. 8. Click **Next**. @@ -295,35 +297,68 @@ The Classroom application is retired, but you will need to assign the Classroom That's it for importing sample school data using SDS. -## 3. Configure Microsoft Store for Education +## 3. Enable Microsoft Teams for your school +Microsoft Teams is a digital hub that brings conversations, content, and apps together in one place. Because it's built on Office 365, schools benefit from integration with their familiar Office apps and services. Your institution can use Microsoft Teams to create collaborative classrooms, connect in professional learning communities, and communicate with school staff all from a single experience in Office 365 for Education. + +To get started, IT administrators need to use the Office 365 Admin Center to enable Microsoft Teams for your school. + +**Enable Microsoft Teams for your school** + +1. Sign in to Office 365 with your work or school account. +2. Click **Admin** to go to the Office 365 admin center. +3. Go to **Settings > Services & add-ins**. +4. On the **Services & add-ins** page, select **Microsoft Teams**. + + **Figure 14** - Select Microsoft Teams from the list of services & add-ins + + ![Enable Microsoft Teams for your school](images/o365_settings_services_msteams.png) + +5. On the Microsoft Teams settings screen, select the license that you want to configure, **Student** or **Faculty and Staff**. + + **Figure 15** - Select the license that you want to configure + + ![Select the Microsoft Teams license that you want to configure](images/o365_msteams_settings.png) + +6. After you select the license type, set the toggle to turn on Microsoft Teams for your organization. + + **Figure 16** - Turn on Microsoft Teams for your organization + + ![Turn on Microsoft Teams for your organization](images/o365_msteams_turnon.png) + +7. Click **Save**. + +You can find more info about how to control which users in your school can use Microsoft Teams, turn off group creation, configure tenant-level settings, and more by reading the *Guide for IT admins** getting started guide in the Meet Microsoft Teams page. + +## 4. Configure Microsoft Store for Education You'll need to configure Microsoft Store for Education to accept the services agreement and make sure your Microsoft Store account is associated with Intune for Education. **Associate your Microsoft Store account with Intune for Education** -1. Sign into Microsoft Store for Education. + +1. Sign in to Microsoft Store for Education. 2. Accept the Microsoft Store for Business and Education Services Agreement. This will take you to the Microsoft Store for Education portal. - **Figure 14** - Microsoft Store for Education portal + **Figure 17** - Microsoft Store for Education portal ![Microsoft Store for Education portal](images/msfe_store_portal.png) 3. In the Microsoft Store portal, click **Manage** to go to the Microsoft Store **Overview** page. 4. Find the **Overview** page, find the **Store settings** tile and click **Management tools**. - **Figure 15** - Select management tools from the list of Store settings options + **Figure 18** - Select management tools from the list of Store settings options ![Select management tools from list of Store settings options](images/msfe_storesettings_select_managementtools.png) 4. In the **Management tools** page, find **Microsoft Intune** on the list and click **Activate** to get Intune for Education ready for use with Microsoft Store for Education. - **Figure 16** - Activate Intune for Education as the management tool + **Figure 19** - Activate Intune for Education as the management tool ![Activate Intune for Education as the management tool](images/msfe_managementtools_activateintune.png) Your Microsoft Store for Education account is now linked to Intune for Education so let's set that up next. -## 4. Use Intune for Education to manage groups, apps, and settings +## 5. Use Intune for Education to manage groups, apps, and settings Intune for Education is a streamlined device management solution for educational institutions that can be used to quickly set up and manage Windows 10 devices for your school. It provides a new streamlined UI with the enterprise readiness and resiliency of the Intune service. You can learn more about Intune for Education by reading the Intune for Education documentation. ### Example - Set up Intune for Education, buy apps from the Store, and install the apps @@ -351,20 +386,20 @@ Intune for Education provides an **Express configuration** option so you can get 1. Log into the Intune for Education console. You will see the Intune for Education dashboard once you're logged in. - **Figure 17** - Intune for Education dashboard + **Figure 20** - Intune for Education dashboard ![Intune for Education dashboard](images/i4e_portal.png) 2. On the dashboard, click **Launch Express Configuration**, or select the **Express configuration** option on the menu on the left. 3. In the **Welcome to Intune for Education** screen, click **Get started**. - **Figure 18** - Click Get started to set up Intune for Education + **Figure 21** - Click Get started to set up Intune for Education ![Click Get Started to configure groups, apps, and settings](images/i4e_expressconfiguration_welcome.png) 4. In the **Get school information (optional)** screen, it should indicate that SDS is already configured. Click **Next**. - **Figure 19** - SDS is configured + **Figure 22** - SDS is configured ![SDS is already configured](images/i4e_expressconfiguration_sdsconfigured.png) @@ -377,7 +412,7 @@ Intune for Education provides an **Express configuration** option so you can get > [!TIP] > At the top of the screen, did you notice the **Choose group** button change to a green check mark? This means we are done with that step. If you change your mind or need to make changes, simply click on the button to go back to that step. Try it! > - > **Figure 20** - Click on the buttons to go back to that step + > **Figure 23** - Click on the buttons to go back to that step > > ![Click on the buttons to back to that step](images/i4e_expressconfiguration_choosebuttontogoback.png) @@ -390,7 +425,7 @@ Intune for Education provides an **Express configuration** option so you can get > [!TIP] > Web apps are pushed as links in the Windows Start menu under **All apps**. If you want apps to appear in Microsoft Edge browser tabs, use the **Homepages** setting for Microsoft Edge through **Express configuration** or **Manage Users and Devices**. - **Figure 21** - Choose the apps that you want to install for the group + **Figure 24** - Choose the apps that you want to install for the group ![Choose apps to install for the group](images/i4e_expressconfiguration_chooseapps_selected_cropped.png) @@ -400,7 +435,7 @@ Intune for Education provides an **Express configuration** option so you can get 8. In the **Choose settings** screen, we will set the settings to apply to the group. Click the reverse caret (downward-facing arrow) to expand the settings group and get more information about each setting in that settings group. - **Figure 22** - Expand the settings group to get more details + **Figure 25** - Expand the settings group to get more details ![Expand the settings group to get more info](images/i4e_expressconfiguration_choosesettings_expandcollapse_cropped_052217.png) @@ -408,20 +443,20 @@ Intune for Education provides an **Express configuration** option so you can get - In the **Microsoft Edge settings** group, change the **Do-Not-Track headers** setting to **Require**. - In the **App settings** group, change the **Microsoft Store for Business apps** setting to **Block**, and then set the **Require Microsoft Store for Business apps to be installed from private store** to **Require**. - **Figure 23** - Set some additional settings + **Figure 26** - Set some additional settings ![Set some additional settings](images/i4e_expressconfiguration_choosesettings_additionalsettings_cropped.png) 10. Click **Next**. In the **Review** screen, you will see a summary of the apps and settings you selected to apply. - **Figure 24** - Review the group, apps, and settings you configured + **Figure 27** - Review the group, apps, and settings you configured ![Review the group, apps, and settings you configured](images/i4e_expressconfiguration_review.png) 11. Click **Save** to end express configuration. 12. You will see the **You're done!** screen which lets you choose one of two options. - **Figure 25** - All done with Intune for Education express configuration + **Figure 28** - All done with Intune for Education express configuration ![Done with Intune for Education express configuration](images/i4e_expressconfiguration_alldone.png) @@ -438,13 +473,13 @@ Intune for Education provides an **Express configuration** option so you can get 1. In the Intune for Education console, click **Apps** from the menu on the left. - **Figure 26** - Click on **Apps** to see the list of apps for your tenant + **Figure 29** - Click on **Apps** to see the list of apps for your tenant ![Click Apps to see the list of apps for your tenant](images/i4e_dashboard_clickapps.png) 2. In the **Store apps** section, click **+ New app**. This will take you to the Microsoft Store for Education portal and you will already be signed in. - **Figure 27** - Select the option to add a new Store app + **Figure 30** - Select the option to add a new Store app ![Select the option to add a new Store app](images/i4e_apps_newstoreapp_selected.png) @@ -463,7 +498,7 @@ Intune for Education provides an **Express configuration** option so you can get For example, if you bought Duolingo and Khan Academy, they will show up in your inventory along with the apps that Microsoft automatically provisioned for your education tenant. - **Figure 28** - Apps inventory in Microsoft Store for Education + **Figure 31** - Apps inventory in Microsoft Store for Education ![Apps inventory in Store for Business](images/msfe_manageapps_inventory_grouped.png) @@ -478,40 +513,40 @@ Now that you've bought the apps, use Intune for Education to specify the group t 1. In the Intune for Education console, click the **Groups** option from the menu on the left. - **Figure 29** - Groups page in Intune for Education + **Figure 32** - Groups page in Intune for Education ![Groups page in Intune for Education](images/i4e_groupspage.png) 2. In the **Groups** page, select **All Users** from the list of groups on the left, and then click **Users** in the taskbar at the top of the **All Users** page. - **Figure 30** - List of all users in the tenant + **Figure 33** - List of all users in the tenant ![List of all users in the tenant](images/i4e_groups_allusers_users_steps.png) 3. In the taskbar at the top, select **Apps** and then click **Edit apps** to see a list of available apps. - **Figure 31** - Edit apps to assign them to users + **Figure 34** - Edit apps to assign them to users ![Edit apps to assign them to users](images/i4e_groups_allusers_appspage_editapps.png) 4. Select the apps to deploy to the group. A blue checkmark will appear next to the apps you select. - **Figure 32** - Select the apps to deploy to the group + **Figure 35** - Select the apps to deploy to the group ![Select the apps to deploy to the group](images/i4e_groups_allusers_selectappstodeploy.png) 5. Once you're done, click **Save** at the bottom of the page to deploy the selected apps to the group. 6. You'll be notified that app assignments are being updated. The updated **All Users** groups page now include the apps you selected. - **Figure 33** - Updated list of assigned apps + **Figure 36** - Updated list of assigned apps ![Updated list of assigned apps](images/i4e_groups_allusers_updatedappslist.png) You're now done assigning apps to all users in your tenant. It's time to set up your Windows 10 device(s) and check that your cloud infrastructure is correctly set up and your apps are being pushed to your devices from the cloud. -## 5. Set up Windows 10 devices +## 6. Set up Windows 10 devices -### 5.1 Set up devices using Set up School PCs or Windows OOBE +### 6.1 Set up devices using Set up School PCs or Windows OOBE We recommend using the latest build of Windows 10, version 1703 on your education devices. To set up new Windows 10 devices and enroll them to your education tenant, choose from one of these options: - **Option 1: [Use the Set up School PCs app](#usesetupschoolpcs)** - You can use the app to create a setup file that you can use to quickly set up one or more Windows 10 devices. - **Option 2: [Go through Windows OOBE and join the device to Azure AD](#usewindowsoobandjoinaad)** - You can go through a typical Windows 10 device setup or first-run experience to configure your device. @@ -551,13 +586,13 @@ Set up School PCs makes it easy to set up Windows 10 PCs with Microsoft's recomm 1. If you don't have a Wi-Fi network configured, make sure you connect the device to the Internet through a wired or Ethernet connection. 2. Go through the Windows device setup experience. On a new or reset device, this starts with the **Let's start with region. Is this right?** screen. - **Figure 34** - Let's start with region + **Figure 37** - Let's start with region ![Let's start with region](images/win10_letsstartwithregion.png) 3. Continue with setup. In the **How would you like to set up?** screen, select **Set up for an organization**. - **Figure 35** - Select setup for an organization + **Figure 38** - Select setup for an organization ![Select setup for an organization](images/win10_setupforanorg.png) @@ -566,7 +601,7 @@ Set up School PCs makes it easy to set up Windows 10 PCs with Microsoft's recomm 6. Click **Accept** to go through the rest of device setup. -### 5.2 Verify correct device setup +### 6.2 Verify correct device setup Verify that the device is set up correctly and boots without any issues. **Verify that the device was set up correctly** @@ -576,11 +611,11 @@ Verify that the device is set up correctly and boots without any issues. > [!NOTE] > It may take some time before some apps are pushed down to your device from Intune for Education. Check again later if you don't see some of the apps you provisioned for the user. - **Figure 36** - Sample list of apps for a user + **Figure 39** - Sample list of apps for a user ![Apps list contains the apps provisioned for the user](images/win10_start_checkapps.png) -### 5.3 Verify the device is Azure AD joined +### 6.3 Verify the device is Azure AD joined Let's now verify that the device is joined to your organization's Azure AD and shows up as being managed in Microsoft Intune for Education. **Verify if the device is joined to Azure AD** @@ -588,7 +623,7 @@ Let's now verify that the device is joined to your organization's Azure AD and s 2. Select **Groups** and select **All Devices**. 3. In the **All Devices** page, see the list of devices and verify that the device you're signed into appears on the list. - **Figure 37** - List of all managed devices + **Figure 40** - List of all managed devices ![Verify that the device is managed in Intune for Education](images/i4e_groups_alldevices_listofaadjdevices.png) @@ -596,23 +631,23 @@ Let's now verify that the device is joined to your organization's Azure AD and s 5. Select **Accounts > Access work or school**. 6. In the **Access work or school** page, confirm that the device is connected to the organization's Azure AD. - **Figure 38** - Confirm that the Windows 10 device is joined to Azure AD + **Figure 41** - Confirm that the Windows 10 device is joined to Azure AD ![Confirm that the Windows 10 device is joined to Azure AD](images/win10_confirmaadj.png) **That's it! You're done!** You've completed basic cloud setup, deployment, and management using Microsoft Education. You can continue follow the rest of the walkthrough to finish setup and complete other tasks. -## 6. Finish setup and other tasks +## 7. Finish setup and other tasks -### 6.1 Update group settings in Intune for Education +### 7.1 Update group settings in Intune for Education If you need to make changes or updates to any of the apps or settings for the group(s), follow these steps. 1. Log in to the Intune for Education console. 2. Click **Groups** and then choose **Settings** in the taskbar at the top of the page. 3. You will see the same settings groups that you saw in express setup for Intune for Education as well as other settings categories such as **Windows Defender settings**, **Device sharing**, **Edition upgrade**, and so on. - **Figure 39** - See the list of available settings in Intune for Education + **Figure 42** - See the list of available settings in Intune for Education ![See the list of available settings in Intune for Education](images/i4e_groups_settingslist_full.png) @@ -622,7 +657,7 @@ If you need to make changes or updates to any of the apps or settings for the gr 5. Click **Save** or **Discard changes**. -### 6.2 Configure Azure settings +### 7.2 Configure Azure settings After completing the basic setup for your cloud infrastructure and confirming that it is up and running, it's time to prepare for additional devices to be added and enable capabilities for the user to use. #### Enable many devices to be added by a single person @@ -634,7 +669,7 @@ Follow the steps in this section to enable a single person to add many devices t 2. Configure the device settings for the school's Active Directory. To do this, go to the new Azure portal, https://portal.azure.com. 3. Select **Azure Active Directory > Users and groups > Device settings**. - **Figure 40** - Device settings in the new Azure portal + **Figure 43** - Device settings in the new Azure portal ![Configure device settings in the new Azure portal](images/azure_newportal_usersandgroups_devicesettings.png) @@ -651,22 +686,22 @@ Follow the steps in this section to ensure that settings for the each user follo 3. Select **Azure Active Directory > Users and groups > Device settings**. 4. Find the setting **Users may sync settings and enterprise app data** and change the value to **All**. - **Figure 41** - Enable settings to roam with users + **Figure 44** - Enable settings to roam with users ![Enable settings to roam with users](images/azure_usersandgroups_devicesettings_ers.png) 5. Click **Save** to update device settings. -### 6.3 Complete Office 365 for Education setup +### 7.3 Complete Office 365 for Education setup Now that your basic cloud infrastructure is up and running, it's time to complete the rest of the Office 365 for Education setup. You can find detailed information about completing Office 365 setup, services and applications, troubleshooting, and more by reading the Office 365 admin documentation. -### 6.4 Add more users +### 7.4 Add more users After your cloud infrastructure is set up and you have a device management strategy in place, you may need to add more users and you want the same policies to apply to these users. You can add new users to your tenant simply by adding them to the Office 365 groups. Adding new users to Office 365 groups automatically adds them to the corresponding groups in Intune for Education. See Add users to Office 365 to learn more. Once you're done adding new users, go to the Intune for Education console and verify that the same users were added to the Intune for Education groups as well. -### 6.5 Connect other devices to your cloud infrastructure -Adding a new device to your cloud-based tenant is easy. For new devices, you can follow the steps in [5. Set up Windows 10 devices](#5-set-up-windows-10-devices). For other devices, such as those personally-owned by teachers who need to connect to the school network to access work or school resources (BYOD), you can follow the steps in this section to get these devices connected. +### 7.5 Connect other devices to your cloud infrastructure +Adding a new device to your cloud-based tenant is easy. For new devices, you can follow the steps in [6. Set up Windows 10 devices](#6-set-up-windows-10-devices). For other devices, such as those personally-owned by teachers who need to connect to the school network to access work or school resources (BYOD), you can follow the steps in this section to get these devices connected. > [!NOTE] > These steps enable users to get access to the organization's resources, but it also gives the organization some control over the device. @@ -679,7 +714,7 @@ Adding a new device to your cloud-based tenant is easy. For new devices, you can For example, if a teacher connects their personal device to the school network, they'll see the following screen after typing in their account information. - **Figure 42** - Device is now managed by Intune for Education + **Figure 45** - Device is now managed by Intune for Education ![Device is managed by Intune for Education](images/byob_aad_enrollment_intune.png) @@ -689,11 +724,11 @@ Adding a new device to your cloud-based tenant is easy. For new devices, you can 5. After the user's credentails are validated, the window will refresh and will now include an entry that shows the device is now connected to the organization's MDM. This means the device is now enrolled in Intune for Education MDM and the account should have access to the organization's resources. - **Figure 43** - Device is connected to organization's MDM + **Figure 46** - Device is connected to organization's MDM ![Device is connected to organization's MDM](images/win10_connectedtoorgmdm.png) -6. You can confirm that the new device and user are showing up as Intune for Education-managed by going to the Intune for Education management portal and following the steps in [5.3 Verify the device is Azure AD joined](#53-verify-the-device-is-azure-ad-joined). +6. You can confirm that the new device and user are showing up as Intune for Education-managed by going to the Intune for Education management portal and following the steps in [6.3 Verify the device is Azure AD joined](#63-verify-the-device-is-azure-ad-joined). It may take several minutes before the new device shows up so check again later. diff --git a/education/get-started/images/microsoft_education_it_getstarted_workflow.png b/education/get-started/images/microsoft_education_it_getstarted_workflow.png new file mode 100644 index 0000000000..ebcaa2add9 Binary files /dev/null and b/education/get-started/images/microsoft_education_it_getstarted_workflow.png differ diff --git a/education/get-started/images/o365_msteams_settings.PNG b/education/get-started/images/o365_msteams_settings.PNG new file mode 100644 index 0000000000..0e3dab4886 Binary files /dev/null and b/education/get-started/images/o365_msteams_settings.PNG differ diff --git a/education/get-started/images/o365_msteams_turnon.PNG b/education/get-started/images/o365_msteams_turnon.PNG new file mode 100644 index 0000000000..95588d5031 Binary files /dev/null and b/education/get-started/images/o365_msteams_turnon.PNG differ diff --git a/education/get-started/images/o365_settings_services_msteams.PNG b/education/get-started/images/o365_settings_services_msteams.PNG new file mode 100644 index 0000000000..ca4dee07ac Binary files /dev/null and b/education/get-started/images/o365_settings_services_msteams.PNG differ diff --git a/education/index.md b/education/index.md index 0bb10155b3..3f8576dfca 100644 --- a/education/index.md +++ b/education/index.md @@ -207,6 +207,25 @@ author: CelesteDG +
  • + +
    +
    +
    +
    +
    + Set up School PCs +
    +
    +
    +

    Set up School PCs

    +

    Use the app to create a provisioning package that you can use to quickly set up one or more Windows 10 devices.

    +
    +
    +
    +
    +     +
    • @@ -331,6 +350,25 @@ author: CelesteDG +
  • + +
    +
    +
    +
    +
    + Set up School PCs +
    +
    +
    +

    Set up School PCs

    +

    Use the app to create a provisioning package that you can use to quickly set up one or more Windows 10 devices.

    +
    +
    +
    +
    +     +
    • diff --git a/education/windows/change-history-edu.md b/education/windows/change-history-edu.md index 00af76258b..e3cec30bb9 100644 --- a/education/windows/change-history-edu.md +++ b/education/windows/change-history-edu.md @@ -1,6 +1,7 @@ --- title: Change history for Windows 10 for Education (Windows 10) description: New and changed topics in Windows 10 for Education +keywords: Windows 10 education documentation, change history ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library diff --git a/education/windows/chromebook-migration-guide.md b/education/windows/chromebook-migration-guide.md index 27bf9b1c63..a192cd0edf 100644 --- a/education/windows/chromebook-migration-guide.md +++ b/education/windows/chromebook-migration-guide.md @@ -2,7 +2,7 @@ title: Chromebook migration guide (Windows 10) description: In this guide you will learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment. ms.assetid: 7A1FA48A-C44A-4F59-B895-86D4D77F8BEA -keywords: migrate, automate, device +keywords: migrate, automate, device, Chromebook migration ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library diff --git a/education/windows/configure-windows-for-education.md b/education/windows/configure-windows-for-education.md index 897f7df8c4..03caa021e6 100644 --- a/education/windows/configure-windows-for-education.md +++ b/education/windows/configure-windows-for-education.md @@ -1,7 +1,7 @@ --- title: Windows 10 configuration recommendations for education customers description: Provides guidance on ways to configure the OS diagnostic data, consumer experiences, Cortana, search, as well as some of the preinstalled apps, so that Windows is ready for your school. -keywords: ["Windows 10 deployment", "recommendations", "privacy settings", "school", "education", "configurations"] +keywords: Windows 10 deployment, recommendations, privacy settings, school, education, configurations ms.mktglfcycl: plan ms.sitesec: library localizationpriority: high @@ -64,7 +64,7 @@ You can configure Windows through provisioning or management tools including ind You can set all the education compliance areas through both provisioning and management tools. Additionally, these Microsoft education tools will ensure PCs that you set up are education ready: - [Set up School PCs](use-set-up-school-pcs-app.md) -- Intune for Education (coming soon) +- [Intune for Education](https://docs.microsoft.com/en-us/intune-education/available-settings) ## AllowCortana **AllowCortana** is a policy that enables or disables Cortana. It is a policy node in the Policy configuration service provider, [AllowCortana](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowcortana). @@ -145,7 +145,7 @@ Provide an ad-free experience that is a safer, more private search option for K ### Configurations #### IP registration for entire school network using Microsoft Edge -Ad-free searching with Bing in Microsoft Edge can be configured at the network level. To configure this, email bicteam@microsoft.com with the subject "New Windows 10, version 1703 (Creators Update) Registration: [School District Name]" and the include the following information in the body of the email. +Ad-free searching with Bing in Microsoft Edge can be configured at the network level. To configure this, email bingintheclassroom@microsoft.com with the subject "New Windows 10, version 1703 (Creators Update) Registration: [School District Name]" and the include the following information in the body of the email. **District information** - **District or School Name:** diff --git a/education/windows/deploy-windows-10-in-a-school-district.md b/education/windows/deploy-windows-10-in-a-school-district.md index 4037a7093e..1669188d1a 100644 --- a/education/windows/deploy-windows-10-in-a-school-district.md +++ b/education/windows/deploy-windows-10-in-a-school-district.md @@ -1,7 +1,7 @@ --- title: Deploy Windows 10 in a school district (Windows 10) description: Learn how to deploy Windows 10 in a school district. Integrate the school environment with Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD), use System Center Configuration Manager, Intune, and Group Policy to manage devices. -keywords: configure, tools, device, school +keywords: configure, tools, device, school district, deploy Windows 10 ms.prod: w10 ms.mktglfcycl: plan ms.pagetype: edu diff --git a/education/windows/deploy-windows-10-in-a-school.md b/education/windows/deploy-windows-10-in-a-school.md index e81b0dbbd7..8c0efa4efe 100644 --- a/education/windows/deploy-windows-10-in-a-school.md +++ b/education/windows/deploy-windows-10-in-a-school.md @@ -1,7 +1,7 @@ --- title: Deploy Windows 10 in a school (Windows 10) description: Learn how to integrate your school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD). Deploy Windows 10 and apps to new devices or upgrade existing devices to Windows 10. Manage faculty, students, and devices by using Microsoft Intune and Group Policy. -keywords: configure, tools, device, school +keywords: configure, tools, device, school, deploy Windows 10 ms.prod: w10 ms.mktglfcycl: plan ms.pagetype: edu diff --git a/education/windows/edu-deployment-recommendations.md b/education/windows/edu-deployment-recommendations.md index ceecbfb175..e10a79af57 100644 --- a/education/windows/edu-deployment-recommendations.md +++ b/education/windows/edu-deployment-recommendations.md @@ -1,7 +1,7 @@ --- title: Deployment recommendations for school IT administrators description: Provides guidance on ways to customize the OS privacy settings, as well as some of the apps, for Windows-based devices used in schools so that you can choose what information is shared with Microsoft. -keywords: ["Windows 10 deployment", "recommendations", "privacy settings", "school"] +keywords: Windows 10 deployment, recommendations, privacy settings, school ms.mktglfcycl: plan ms.sitesec: library localizationpriority: high diff --git a/education/windows/education-scenarios-store-for-business.md b/education/windows/education-scenarios-store-for-business.md index 77b128ce18..f9dbde2df7 100644 --- a/education/windows/education-scenarios-store-for-business.md +++ b/education/windows/education-scenarios-store-for-business.md @@ -1,7 +1,7 @@ --- title: Education scenarios Microsoft Store for Education description: Learn how IT admins and teachers can use Microsoft Store for Education to acquire and manage apps in schools. -keywords: ["school", "store for business"] +keywords: school, Microsoft Store for Education, Microsoft education store ms.prod: W10 ms.mktglfcycl: plan ms.sitesec: library diff --git a/education/windows/get-minecraft-for-education.md b/education/windows/get-minecraft-for-education.md index 1e81d3437e..595d935f57 100644 --- a/education/windows/get-minecraft-for-education.md +++ b/education/windows/get-minecraft-for-education.md @@ -1,7 +1,7 @@ --- title: Get Minecraft Education Edition description: Learn how to get and distribute Minecraft Education Edition. -keywords: school, minecraft +keywords: school, Minecraft, education edition ms.prod: W10 ms.mktglfcycl: plan ms.sitesec: library diff --git a/education/windows/school-get-minecraft.md b/education/windows/school-get-minecraft.md index a07b93cce8..2d28eccfc9 100644 --- a/education/windows/school-get-minecraft.md +++ b/education/windows/school-get-minecraft.md @@ -1,7 +1,7 @@ --- title: For IT administrators get Minecraft Education Edition description: Learn how IT admins can get and distribute Minecraft in their schools. -keywords: ["school"] +keywords: Minecraft, Education Edition, IT admins, acquire ms.prod: W10 ms.mktglfcycl: plan ms.sitesec: library diff --git a/education/windows/set-up-students-pcs-to-join-domain.md b/education/windows/set-up-students-pcs-to-join-domain.md index 9a8c59b2c6..81edf2b7a9 100644 --- a/education/windows/set-up-students-pcs-to-join-domain.md +++ b/education/windows/set-up-students-pcs-to-join-domain.md @@ -1,7 +1,7 @@ --- title: Set up student PCs to join domain description: Learn how to use Configuration Designer to easily provision student devices to join Active Directory. -keywords: school +keywords: school, student PC setup, Windows Configuration Designer ms.prod: W10 ms.mktglfcycl: plan ms.sitesec: library diff --git a/education/windows/set-up-students-pcs-with-apps.md b/education/windows/set-up-students-pcs-with-apps.md index 401f60f084..bcb92096ac 100644 --- a/education/windows/set-up-students-pcs-with-apps.md +++ b/education/windows/set-up-students-pcs-with-apps.md @@ -1,7 +1,7 @@ --- title: Provision student PCs with apps description: Learn how to use Configuration Designer to easily provision student devices to join Active Directory. -keywords: ["shared cart", "shared PC", "school"] +keywords: shared cart, shared PC, school, provision PCs with apps, Windows Configuration Designer ms.prod: W10 ms.mktglfcycl: plan ms.sitesec: library diff --git a/education/windows/take-a-test-app-technical.md b/education/windows/take-a-test-app-technical.md index 5aa6b3ed7b..2e60824894 100644 --- a/education/windows/take-a-test-app-technical.md +++ b/education/windows/take-a-test-app-technical.md @@ -1,7 +1,7 @@ --- title: Take a Test app technical reference description: The policies and settings applied by the Take a Test app. -keywords: take a test, test taking, school +keywords: take a test, test taking, school, policies ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library diff --git a/education/windows/take-a-test-multiple-pcs.md b/education/windows/take-a-test-multiple-pcs.md index 18d4fc79ab..19b0f65e62 100644 --- a/education/windows/take-a-test-multiple-pcs.md +++ b/education/windows/take-a-test-multiple-pcs.md @@ -1,7 +1,7 @@ --- title: Set up Take a Test on multiple PCs description: Learn how to set up and use the Take a Test app on multiple PCs. -keywords: ["take a test", "test taking", "school"] +keywords: take a test, test taking, school, set up on multiple PCs ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library diff --git a/education/windows/take-a-test-single-pc.md b/education/windows/take-a-test-single-pc.md index c7b5339f40..19053b9c55 100644 --- a/education/windows/take-a-test-single-pc.md +++ b/education/windows/take-a-test-single-pc.md @@ -1,7 +1,7 @@ --- title: Set up Take a Test on a single PC description: Learn how to set up and use the Take a Test app on a single PC. -keywords: take a test, test taking, school +keywords: take a test, test taking, school, set up on single PC ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library diff --git a/education/windows/take-tests-in-windows-10.md b/education/windows/take-tests-in-windows-10.md index 361dbff702..c526121def 100644 --- a/education/windows/take-tests-in-windows-10.md +++ b/education/windows/take-tests-in-windows-10.md @@ -1,7 +1,7 @@ --- title: Take tests in Windows 10 description: Learn how to set up and use the Take a Test app. -keywords: take a test, test taking, school +keywords: take a test, test taking, school, how to, use Take a Test ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library diff --git a/education/windows/teacher-get-minecraft.md b/education/windows/teacher-get-minecraft.md index 36de86549d..24cf0d3cb4 100644 --- a/education/windows/teacher-get-minecraft.md +++ b/education/windows/teacher-get-minecraft.md @@ -1,7 +1,7 @@ --- title: For teachers get Minecraft Education Edition description: Learn how teachers can get and distribute Minecraft. -keywords: ["school", "minecraft"] +keywords: school, Minecraft, Education Edition, educators, teachers, acquire, distribute ms.prod: W10 ms.mktglfcycl: plan ms.sitesec: library diff --git a/education/windows/use-set-up-school-pcs-app.md b/education/windows/use-set-up-school-pcs-app.md index 7338cfbdc0..bba42e5d55 100644 --- a/education/windows/use-set-up-school-pcs-app.md +++ b/education/windows/use-set-up-school-pcs-app.md @@ -1,7 +1,7 @@ --- title: Use Set up School PCs app description: Learn how the Set up School PCs app works and how to use it. -keywords: shared cart, shared PC, school, set up school pcs +keywords: shared cart, shared PC, school, Set up School PCs, overview, how to use ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md index ead7fdaf03..45051db6b8 100644 --- a/windows/client-management/mdm/TOC.md +++ b/windows/client-management/mdm/TOC.md @@ -198,6 +198,8 @@ #### [SUPL DDF file](supl-ddf-file.md) ### [SurfaceHub CSP](surfacehub-csp.md) #### [SurfaceHub DDF file](surfacehub-ddf-file.md) +### [TPMPolicy CSP](tpmpolicy-csp.md) +#### [TPMPolicy DDF file](tpmpolicy-ddf-file.md) ### [UnifiedWriteFilter CSP](unifiedwritefilter-csp.md) #### [UnifiedWriteFilter DDF file](unifiedwritefilter-ddf.md) ### [Update CSP](update-csp.md) diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index 7c7746d87a..a6d30377d2 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -11,6 +11,9 @@ author: nickbrower # Configuration service provider reference +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + A configuration service provider (CSP) is an interface to read, set, modify, or delete configuration settings on the device. These settings map to registry keys or files. Some configuration service providers support the WAP format, some support SyncML, and some support both. SyncML is only used over–the–air for Open Mobile Alliance Device Management (OMA DM), whereas WAP can be used over–the–air for OMA Client Provisioning, or it can be included in the phone image as a .provxml file that is installed during boot. For information about the bridge WMI provider classes that map to these CSPs, see [MDM Bridge WMI Provider](https://msdn.microsoft.com/library/windows/hardware/dn905224). @@ -1164,10 +1167,10 @@ The following tables show the configuration service providers support in Windows cross mark - check mark - check mark - check mark - check mark + check mark3 + check mark3 + check mark3 + check mark3 cross mark cross mark @@ -2044,6 +2047,34 @@ The following tables show the configuration service providers support in Windows + +[TPMPolicy CSP](tpmpolicy-csp.md) + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcheck markcheck mark
    + + + + [UnifiedWriteFilter CSP](unifiedwritefilter-csp.md) @@ -2358,7 +2389,8 @@ The following tables show the configuration service providers support in Windows  Footnotes: - 1 - Added in Windows 10, version 1607 -- 2 - Added in Windows 10, version 1703 +- 2 - Added in Windows 10, version 1703 +- 3 - Added in the next major update to Windows 10 > [!Note] > You can download the Windows 10 version 1607 DDF files from [here](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip). diff --git a/windows/client-management/mdm/firewall-csp.md b/windows/client-management/mdm/firewall-csp.md index 34913158a8..e621f09ad8 100644 --- a/windows/client-management/mdm/firewall-csp.md +++ b/windows/client-management/mdm/firewall-csp.md @@ -13,10 +13,12 @@ author: nickbrower > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -The Firewall configuration service provider (CSP) allows the mobile device management (MDM) server to configure the Windows Defender Firewall global settings, per profile settings, as well as the desired set of custom rules to be enforced on the device. Using the Firewall CSP the IT admin can now manage both domain joined and non-domain devices, and reduce the risk of network security threats across all systems connecting to the corporate network. This CSP is new in the next major update to Windows 10. +The Firewall configuration service provider (CSP) allows the mobile device management (MDM) server to configure the Windows Defender Firewall global settings, per profile settings, as well as the desired set of custom rules to be enforced on the device. Using the Firewall CSP the IT admin can now manage non-domain devices, and reduce the risk of network security threats across all systems connecting to the corporate network. This CSP is new in the next major update to Windows 10. Firewall configuration commands must be wrapped in an Atomic block in SyncML. +For detailed information on some of the fields below see [[MS-FASP]: Firewall and Advanced Security Protocol documentation](https://msdn.microsoft.com/en-us/library/mt620101.aspx). + The following diagram shows the Firewall configuration service provider in tree format. ![firewall csp](images/provisioning-csp-firewall.png) diff --git a/windows/client-management/mdm/images/provisioning-csp-tpmpolicy.png b/windows/client-management/mdm/images/provisioning-csp-tpmpolicy.png new file mode 100644 index 0000000000..8950a1614d Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-tpmpolicy.png differ diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index 9992411f6a..6c95a92a67 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -14,6 +14,8 @@ author: nickbrower # What's new in MDM enrollment and management +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. This topic provides information about what's new and breaking changes in Windows 10 mobile device management (MDM) enrollment and management experience across all Windows 10 devices. @@ -640,6 +642,16 @@ For details about Microsoft mobile device management protocols for Windows 10 s
  • SmartScreen/EnableAppInstallControl
  • SmartScreen/EnableSmartScreenInShell
  • SmartScreen/PreventOverrideForFilesInShell
    • +
  • Start/AllowPinnedFolderDocuments
    • +
  • Start/AllowPinnedFolderDownloads
    • +
  • Start/AllowPinnedFolderFileExplorer
    • +
  • Start/AllowPinnedFolderHomeGroup
    • +
  • Start/AllowPinnedFolderMusic
    • +
  • Start/AllowPinnedFolderNetwork
    • +
  • Start/AllowPinnedFolderPersonalFolder
    • +
  • Start/AllowPinnedFolderPictures
    • +
  • Start/AllowPinnedFolderSettings
    • +
  • Start/AllowPinnedFolderVideos
  • Start/HideAppList
  • Start/HideChangeAccountSettings
  • Start/HideFrequentlyUsedApps
    • @@ -661,6 +673,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
  • TextInput/AllowKeyboardTextSuggestions
  • TimeLanguageSettings/AllowSet24HourClock
  • Update/ActiveHoursMaxRange
    • +
  • Update/AutoRestartDeadlinePeriodInDays
  • Update/AutoRestartNotificationSchedule
  • Update/AutoRestartNotificationStyle
  • Update/AutoRestartRequiredNotificationDismissal
    • @@ -892,6 +905,10 @@ For details about Microsoft mobile device management protocols for Windows 10 s
  • [Policy CSP](policy-configuration-service-provider.md)
    • + +[TPMPolicy CSP](tpmpolicy-csp.md) +New CSP added in Windows 10, version 1703. +   @@ -1180,7 +1197,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware [Win32 and Desktop Bridge app policy configuration](win32-and-centennial-app-policy-configuration.md) Added a list of registry locations that ingested policies are allowed to write to. - + [Firewall CSP](firewall-csp.md) Added the following nodes: Also Added [Firewall DDF file](firewall-ddf-file.md). + +[TPMPolicy CSP](tpmpolicy-csp.md) +New CSP added in Windows 10, version 1703. + + +[Policy CSP](policy-configuration-service-provider.md) + +

    Added the following new policies for Windows 10, version 1703:

    + + diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 5b81c0026b..ff951b9536 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -1973,6 +1973,29 @@ ADMX Info: **Browser/AllowAddressBarDropdown** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcross mark
    + +

    Added in Windows 10, version 1703. Specifies whether to allow the address bar drop-down functionality in Microsoft Edge. If you want to minimize network connections from Microsoft Edge to Microsoft services, we recommend disabling this functionality.  @@ -2358,6 +2381,29 @@ ADMX Info: **Browser/AllowMicrosoftCompatibilityList** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
    + +

    Added in Windows 10, version 1703. Specifies whether to use the Microsoft compatibility list in Microsoft Edge. The Microsoft compatibility list is a Microsoft-provided list that enables sites with known compatibility issues to display properly. By default, the Microsoft compatibility list is enabled and can be viewed by visiting "about:compat". @@ -2466,6 +2512,29 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis **Browser/AllowSearchEngineCustomization** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
    + +

    Added in Windows 10, version 1703. Allows search engine customization for MDM-enrolled devices. Users can change their default search engine.     @@ -2566,6 +2635,29 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis **Browser/ClearBrowsingDataOnExit** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
    + +

    Added in Windows 10, version 1703. Specifies whether to clear browsing data on exiting Microsoft Edge. @@ -2587,6 +2679,29 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis **Browser/ConfigureAdditionalSearchEngines** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
    + +

    Added in Windows 10, version 1703. Allows you to add up to 5 additional search engines for MDM-enrolled devices.    @@ -2610,6 +2725,29 @@ Employees cannot remove these search engines, but they can set any one as the de **Browser/DisableLockdownOfStartPages** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcross mark
    + +

    Added in Windows 10, version 1703. Boolean value that specifies whether the lockdown on the Start pages is disabled. This policy works with the Browser/HomePages policy, which locks down the Start pages that the users cannot modify. You can use the DisableLockdownOfStartPages policy to allow users to modify the Start pages when the Browser/HomePages policy is in effect.     @@ -2819,6 +2957,29 @@ Employees cannot remove these search engines, but they can set any one as the de **Browser/PreventFirstRunPage** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
    + +

    Added in Windows 10, version 1703. Specifies whether to enable or disable the First Run webpage. On the first explicit user-launch of Microsoft Edge, a First Run webpage hosted on Microsoft.com opens automatically via a FWLINK. This policy allows enterprises (such as those enrolled in a zero-emissions configuration) to prevent this page from opening. @@ -2834,6 +2995,29 @@ Employees cannot remove these search engines, but they can set any one as the de **Browser/PreventLiveTileDataCollection** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
    + +

    Added in Windows 10, version 1703. Specifies whether Microsoft can collect information to create a Live Tile when pinning a site to Start from Microsoft Edge. @@ -3005,6 +3189,29 @@ Employees cannot remove these search engines, but they can set any one as the de **Browser/SetDefaultSearchEngine** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
    + +

    Added in Windows 10, version 1703. Allows you configure the default search engine for your employees. By default, your employees can change the default search engine at any time. If you want to prevent your employees from changing the default search engine that you set, you can do so by configuring the AllowSearchEngineCustomization policy. @@ -7113,6 +7320,29 @@ ADMX Info: **Experience/AllowTailoredExperiencesWithDiagnosticData** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. @@ -7348,6 +7578,29 @@ ADMX Info: **Experience/AllowWindowsSpotlightOnActionCenter** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcheck mark2check mark2check mark2cross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. @@ -7366,6 +7619,29 @@ ADMX Info: **Experience/AllowWindowsSpotlightWindowsWelcomeExperience** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcheck mark2check mark2check mark2cross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. @@ -11226,6 +11502,29 @@ ADMX Info: **Messaging/AllowMMS** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcross markcross markcross markcheck mark2check mark2
    + + > [!NOTE] > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. @@ -11278,6 +11577,29 @@ ADMX Info: **Messaging/AllowRCS** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcross markcross markcross markcheck mark2check mark2
    + + > [!NOTE] > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. @@ -11587,6 +11909,13 @@ fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff

    Added in Windows 10, version 1607. Boolean value that turns off notification mirroring. +> [!IMPORTANT] +> This node must be accessed using the following paths: +> +> - **./User/Vendor/MSFT/Policy/Config/Notifications/DisallowNotificationMirroring** to set the policy. +> - **./User/Vendor/MSFT/Policy/Result/Notifications/DisallowNotificationMirroring** to get the result. + +

    For each user logged into the device, if you enable this policy (set value to 1) the app and system notifications received by this user on this device will not get mirrored to other devices of the same logged in user. If you disable or do not configure this policy (set value to 0) the notifications received by this user on this device will be mirrored to other devices of the same logged in user. This feature can be turned off by apps that do not want to participate in Notification Mirroring. This feature can also be turned off by the user in the Cortana setting page.

    No reboot or service restart is required for this policy to take effect. @@ -15951,6 +16280,376 @@ ADMX Info: - 0 – Not allowed. - 1 (default) – Allowed. + + + +**Start/AllowPinnedFolderDocuments** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    + + + +

    Added in Windows 10, version 1703. This policy controls the visibility of the Documents shortcut on the Start menu. + +

    The following list shows the supported values: + +- 0 – The shortcut is hidden and disables the setting in the Settings app. +- 1 – The shortcut is visible and disables the setting in the Settings app. +- 65535 (default) - There is no enforced configuration and the setting can be changed by the user. + + + + +**Start/AllowPinnedFolderDownloads** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    + + + +

    Added in Windows 10, version 1703. This policy controls the visibility of the Downloads shortcut on the Start menu. + +

    The following list shows the supported values: + +- 0 – The shortcut is hidden and disables the setting in the Settings app. +- 1 – The shortcut is visible and disables the setting in the Settings app. +- 65535 (default) - There is no enforced configuration and the setting can be changed by the user. + + + + +**Start/AllowPinnedFolderFileExplorer** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    + + + +

    Added in Windows 10, version 1703. This policy controls the visibility of the File Explorer shortcut on the Start menu. + +

    The following list shows the supported values: + +- 0 – The shortcut is hidden and disables the setting in the Settings app. +- 1 – The shortcut is visible and disables the setting in the Settings app. +- 65535 (default) - There is no enforced configuration and the setting can be changed by the user. + + + + +**Start/AllowPinnedFolderHomeGroup** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    + + + +

    Added in Windows 10, version 1703. This policy controls the visibility of the HomeGroup shortcut on the Start menu. + +

    The following list shows the supported values: + +- 0 – The shortcut is hidden and disables the setting in the Settings app. +- 1 – The shortcut is visible and disables the setting in the Settings app. +- 65535 (default) - There is no enforced configuration and the setting can be changed by the user. + + + + +**Start/AllowPinnedFolderMusic** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    + + + +

    Added in Windows 10, version 1703. This policy controls the visibility of the Music shortcut on the Start menu. + +

    The following list shows the supported values: + +- 0 – The shortcut is hidden and disables the setting in the Settings app. +- 1 – The shortcut is visible and disables the setting in the Settings app. +- 65535 (default) - There is no enforced configuration and the setting can be changed by the user. + + + + +**Start/AllowPinnedFolderNetwork** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    + + + +

    Added in Windows 10, version 1703. This policy controls the visibility of the Network shortcut on the Start menu. + +

    The following list shows the supported values: + +- 0 – The shortcut is hidden and disables the setting in the Settings app. +- 1 – The shortcut is visible and disables the setting in the Settings app. +- 65535 (default) - There is no enforced configuration and the setting can be changed by the user. + + + + +**Start/AllowPinnedFolderPersonalFolder** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    + + + +

    Added in Windows 10, version 1703. This policy controls the visibility of the PersonalFolder shortcut on the Start menu. + +

    The following list shows the supported values: + +- 0 – The shortcut is hidden and disables the setting in the Settings app. +- 1 – The shortcut is visible and disables the setting in the Settings app. +- 65535 (default) - There is no enforced configuration and the setting can be changed by the user. + + + + +**Start/AllowPinnedFolderPictures** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    + + + +

    Added in Windows 10, version 1703. This policy controls the visibility of the Pictures shortcut on the Start menu. + +

    The following list shows the supported values: + +- 0 – The shortcut is hidden and disables the setting in the Settings app. +- 1 – The shortcut is visible and disables the setting in the Settings app. +- 65535 (default) - There is no enforced configuration and the setting can be changed by the user. + + + + +**Start/AllowPinnedFolderSettings** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    + + + +

    Added in Windows 10, version 1703. This policy controls the visibility of the Settings shortcut on the Start menu. + +

    The following list shows the supported values: + +- 0 – The shortcut is hidden and disables the setting in the Settings app. +- 1 – The shortcut is visible and disables the setting in the Settings app. +- 65535 (default) - There is no enforced configuration and the setting can be changed by the user. + + + + +**Start/AllowPinnedFolderVideos** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    + + + +

    Added in Windows 10, version 1703. This policy controls the visibility of the Videos shortcut on the Start menu. + +

    The following list shows the supported values: + +- 0 – The shortcut is hidden and disables the setting in the Settings app. +- 1 – The shortcut is visible and disables the setting in the Settings app. +- 65535 (default) - There is no enforced configuration and the setting can be changed by the user. + @@ -15999,6 +16698,29 @@ ADMX Info: **Start/HideAppList** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    + + > [!NOTE] > This policy requires reboot to take effect. @@ -16024,6 +16746,29 @@ ADMX Info: **Start/HideChangeAccountSettings** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    + +

    Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Change account settings" from appearing in the user tile. @@ -16042,6 +16787,29 @@ ADMX Info: **Start/HideFrequentlyUsedApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    + + > [!NOTE] > This policy requires reboot to take effect. @@ -16067,6 +16835,29 @@ ADMX Info: **Start/HideHibernate** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    + +

    Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Hibernate" from appearing in the Power button. @@ -16088,6 +16879,29 @@ ADMX Info: **Start/HideLock** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    + +

    Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Lock" from appearing in the user tile. @@ -16106,6 +16920,29 @@ ADMX Info: **Start/HidePowerButton** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    + + > [!NOTE] > This policy requires reboot to take effect. @@ -16127,6 +16964,29 @@ ADMX Info: **Start/HideRecentJumplists** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    + + > [!NOTE] > This policy requires reboot to take effect. @@ -16155,6 +17015,29 @@ ADMX Info: **Start/HideRecentlyAddedApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    + + > [!NOTE] > This policy requires reboot to take effect. @@ -16180,6 +17063,29 @@ ADMX Info: **Start/HideRestart** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    + +

    Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Restart" and "Update and restart" from appearing in the Power button. @@ -16198,6 +17104,29 @@ ADMX Info: **Start/HideShutDown** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    + +

    Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Shut down" and "Update and shut down" from appearing in the Power button. @@ -16216,6 +17145,29 @@ ADMX Info: **Start/HideSignOut** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    + +

    Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Sign out" from appearing in the user tile. @@ -16234,6 +17186,29 @@ ADMX Info: **Start/HideSleep** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    + +

    Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Sleep" from appearing in the Power button. @@ -16252,6 +17227,29 @@ ADMX Info: **Start/HideSwitchAccount** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    + +

    Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Switch account" from appearing in the user tile. @@ -16270,6 +17268,29 @@ ADMX Info: **Start/HideUserTile** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    + + > [!NOTE] > This policy requires reboot to take effect. @@ -16292,6 +17313,29 @@ ADMX Info: **Start/ImportEdgeAssets** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcross mark
    + + > [!NOTE] > This policy requires reboot to take effect. @@ -16315,6 +17359,29 @@ ADMX Info: **Start/NoPinningToTaskbar** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    + +

    Added in Windows 10, version 1703. Allows IT Admins to configure the taskbar by disabling pinning and unpinning apps on the taskbar. @@ -17420,6 +18487,29 @@ ADMX Info: **TimeLanguageSettings/AllowSet24HourClock** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcross markcross markcross markcheck mark2check mark2
    + +

    Allows for the configuration of the default clock setting to be the 24 hour format. Selecting 'Set 24 hour Clock' enables this setting. Selecting 'Locale default setting' uses the default clock as prescribed by the current locale setting. @@ -17475,6 +18565,29 @@ ADMX Info: **Update/ActiveHoursMaxRange** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
    + + > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise @@ -17528,6 +18641,41 @@ ADMX Info:

    The default value is 8 (8 AM). + + + +**Update/AutoRestartDeadlinePeriodInDays** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2cross markcheck mark2
    + + + +

    Added in Windows 10, version 1703. This policy defines the deadline in days after which a reboot for updates will become mandatory. + +

    Supported values are 2-30 days. + +

    The default value is 7 days. + @@ -17716,6 +18864,29 @@ ADMX Info: **Update/AutoRestartNotificationSchedule** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
    + + > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise @@ -17732,6 +18903,29 @@ ADMX Info: **Update/AutoRestartRequiredNotificationDismissal** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
    + + > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise @@ -18041,6 +19235,29 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego **Update/EngagedRestartDeadline** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
    + + > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise @@ -18057,6 +19274,29 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego **Update/EngagedRestartSnoozeSchedule** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
    + + > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise @@ -18073,6 +19313,29 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego **Update/EngagedRestartTransitionSchedule** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
    + + > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise @@ -18545,6 +19808,29 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego **Update/ScheduleImminentRestartWarning** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
    + + > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise @@ -18561,6 +19847,29 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego **Update/ScheduleRestartWarning** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
    + + > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise @@ -18670,6 +19979,29 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego **Update/SetAutoRestartNotificationDisable** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2cross markcheck mark2
    + + > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise @@ -19410,81 +20742,251 @@ Footnote: -## IoT Core Support +## Policies Supported by IoT Core -[ApplicationManagement/AllowDeveloperUnlock](#applicationmanagement-allowdeveloperunlock) -[Authentication/AllowFastReconnect](#authentication-allowfastreconnect) -[Bluetooth/AllowAdvertising](#bluetooth-allowadvertising) -[Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode) -[Bluetooth/LocalDeviceName](#bluetooth-localdevicename) -[Bluetooth/ServicesAllowedList](#bluetooth-servicesallowedlist) -[Browser/AllowAutofill](#browser-allowautofill) -[Browser/AllowBrowser](#browser-allowbrowser) -[Browser/AllowCookies](#browser-allowcookies) -[Browser/AllowDoNotTrack](#browser-allowdonottrack) -[Browser/AllowInPrivate](#browser-allowinprivate) -[Browser/AllowPasswordManager](#browser-allowpasswordmanager) -[Browser/AllowPopups](#browser-allowpopups) -[Browser/AllowSearchSuggestionsinAddressBar](#browser-allowsearchsuggestionsinaddressbar) -[Browser/EnterpriseModeSiteList](#browser-enterprisemodesitelist) -[Browser/EnterpriseSiteListServiceUrl](#browser-enterprisesitelistserviceurl) -[Browser/SendIntranetTraffictoInternetExplorer](#browser-sendintranettraffictointernetexplorer) -[Camera/AllowCamera](#camera-allowcamera) -[Connectivity/AllowBluetooth](#connectivity-allowbluetooth) -[Connectivity/AllowCellularDataRoaming](#connectivity-allowcellulardataroaming) -[Connectivity/AllowNFC](#connectivity-allownfc) -[Connectivity/AllowUSBConnection](#connectivity-allowusbconnection) -[Connectivity/AllowVPNOverCellular](#connectivity-allowvpnovercellular) -[Connectivity/AllowVPNRoamingOverCellular](#connectivity-allowvpnroamingovercellular) -[DataProtection/AllowDirectMemoryAccess](#dataprotection-allowdirectmemoryaccess) -[Security/AllowAddProvisioningPackage](#security-allowaddprovisioningpackage) -[Security/AllowRemoveProvisioningPackage](#security-allowremoveprovisioningpackage) -[Security/RequireDeviceEncryption](#security-requiredeviceencryption) -[Security/RequireProvisioningPackageSignature](#security-requireprovisioningpackagesignature) -[System/AllowEmbeddedMode](#system-allowembeddedmode) -[System/AllowStorageCard](#system-allowstoragecard) -[System/TelemetryProxy](#system-telemetryproxy) -[Update/AllowNonMicrosoftSignedUpdate](#update-allownonmicrosoftsignedupdate) -[Update/AllowUpdateService](#update-allowupdateservice) -[Update/PauseDeferrals](#update-pausedeferrals) -[Update/RequireDeferUpgrade](#update-requiredeferupgrade) -[Update/RequireUpdateApproval](#update-requireupdateapproval) -[Update/ScheduledInstallDay](#update-scheduledinstallday) -[Update/ScheduledInstallTime](#update-scheduledinstalltime) -[Update/UpdateServiceUrl](#update-updateserviceurl) -[Wifi/AllowAutoConnectToWiFiSenseHotspots](#wifi-allowautoconnecttowifisensehotspots) -[Wifi/AllowInternetSharing](#wifi-allowinternetsharing) -[Wifi/AllowWiFi](#wifi-allowwifi) -[Wifi/WLANScanMode](#wifi-wlanscanmode) +- [ApplicationManagement/AllowDeveloperUnlock](#applicationmanagement-allowdeveloperunlock) +- [Authentication/AllowFastReconnect](#authentication-allowfastreconnect) +- [Bluetooth/AllowAdvertising](#bluetooth-allowadvertising) +- [Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode) +- [Bluetooth/LocalDeviceName](#bluetooth-localdevicename) +- [Bluetooth/ServicesAllowedList](#bluetooth-servicesallowedlist) +- [Browser/AllowAutofill](#browser-allowautofill) +- [Browser/AllowBrowser](#browser-allowbrowser) +- [Browser/AllowCookies](#browser-allowcookies) +- [Browser/AllowDoNotTrack](#browser-allowdonottrack) +- [Browser/AllowInPrivate](#browser-allowinprivate) +- [Browser/AllowPasswordManager](#browser-allowpasswordmanager) +- [Browser/AllowPopups](#browser-allowpopups) +- [Browser/AllowSearchSuggestionsinAddressBar](#browser-allowsearchsuggestionsinaddressbar) +- [Browser/EnterpriseModeSiteList](#browser-enterprisemodesitelist) +- [Browser/EnterpriseSiteListServiceUrl](#browser-enterprisesitelistserviceurl) +- [Browser/SendIntranetTraffictoInternetExplorer](#browser-sendintranettraffictointernetexplorer) +- [Camera/AllowCamera](#camera-allowcamera) +- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth) +- [Connectivity/AllowCellularDataRoaming](#connectivity-allowcellulardataroaming) +- [Connectivity/AllowNFC](#connectivity-allownfc) +- [Connectivity/AllowUSBConnection](#connectivity-allowusbconnection) +- [Connectivity/AllowVPNOverCellular](#connectivity-allowvpnovercellular) +- [Connectivity/AllowVPNRoamingOverCellular](#connectivity-allowvpnroamingovercellular) +- [DataProtection/AllowDirectMemoryAccess](#dataprotection-allowdirectmemoryaccess) +- [Privacy/LetAppsGetDiagnosticInfo](#privacy-letappsgetdiagnosticinfo) +- [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](#privacy-letappsgetdiagnosticinfo-forceallowtheseapps) +- [Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps](#privacy-letappsgetdiagnosticinfo-forcedenytheseapps) +- [Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps](#privacy-letappsgetdiagnosticinfo-userincontroloftheseapps) +- [Privacy/LetAppsRunInBackground](#privacy-letappsruninbackground) +- [Privacy/LetAppsRunInBackground_ForceAllowTheseApps](#privacy-letappsruninbackground-forceallowtheseapps) +- [Privacy/LetAppsRunInBackground_ForceDenyTheseApps](#privacy-letappsruninbackground-forcedenytheseapps) +- [Privacy/LetAppsRunInBackground_UserInControlOfTheseApps](#privacy-letappsruninbackground-userincontroloftheseapps) +- [Security/AllowAddProvisioningPackage](#security-allowaddprovisioningpackage) +- [Security/AllowRemoveProvisioningPackage](#security-allowremoveprovisioningpackage) +- [Security/RequireDeviceEncryption](#security-requiredeviceencryption) +- [Security/RequireProvisioningPackageSignature](#security-requireprovisioningpackagesignature) +- [System/AllowEmbeddedMode](#system-allowembeddedmode) +- [System/AllowFontProviders](#system-allowfontproviders) +- [System/AllowStorageCard](#system-allowstoragecard) +- [System/TelemetryProxy](#system-telemetryproxy) +- [Update/AllowNonMicrosoftSignedUpdate](#update-allownonmicrosoftsignedupdate) +- [Update/AllowUpdateService](#update-allowupdateservice) +- [Update/PauseDeferrals](#update-pausedeferrals) +- [Update/RequireDeferUpgrade](#update-requiredeferupgrade) +- [Update/RequireUpdateApproval](#update-requireupdateapproval) +- [Update/ScheduledInstallDay](#update-scheduledinstallday) +- [Update/ScheduledInstallTime](#update-scheduledinstalltime) +- [Update/UpdateServiceUrl](#update-updateserviceurl) +- [Wifi/AllowAutoConnectToWiFiSenseHotspots](#wifi-allowautoconnecttowifisensehotspots) +- [Wifi/AllowInternetSharing](#wifi-allowinternetsharing) +- [Wifi/AllowWiFi](#wifi-allowwifi) +- [Wifi/WLANScanMode](#wifi-wlanscanmode) + +## Policies supported by Windows Holographic for Business + +- [Accounts/AllowMicrosoftAccountConnection](#accounts-allowmicrosoftaccountconnection) +- [ApplicationManagement/AllowAllTrustedApps](#applicationmanagement-allowalltrustedapps) +- [ApplicationManagement/AllowAppStoreAutoUpdate](#applicationmanagement-allowappstoreautoupdate) +- [ApplicationManagement/AllowDeveloperUnlock](#applicationmanagement-allowdeveloperunlock) +- [Authentication/AllowFastReconnect](#authentication-allowfastreconnect) +- [Bluetooth/AllowAdvertising](#bluetooth-allowadvertising) +- [Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode) +- [Bluetooth/LocalDeviceName](#bluetooth-localdevicename) +- [Browser/AllowCookies](#browser-allowcookies) +- [Browser/AllowDoNotTrack](#browser-allowdonottrack) +- [Browser/AllowPasswordManager](#browser-allowpasswordmanager) +- [Browser/AllowPopups](#browser-allowpopups) +- [Browser/AllowSearchSuggestionsinAddressBar](#browser-allowsearchsuggestionsinaddressbar) +- [Browser/AllowSmartScreen](#browser-allowsmartscreen) +- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth) +- [DeviceLock/AllowIdleReturnWithoutPassword](#devicelock-allowidlereturnwithoutpassword) +- [DeviceLock/DevicePasswordEnabled](#devicelock-devicepasswordenabled) +- [Experience/AllowCortana](#experience-allowcortana) +- [Experience/AllowManualMDMUnenrollment](#experience-allowmanualmdmunenrollment) +- [Privacy/AllowInputPersonalization](#privacy-allowinputpersonalization) +- [Privacy/LetAppsGetDiagnosticInfo](#privacy-letappsgetdiagnosticinfo) +- [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](#privacy-letappsgetdiagnosticinfo-forceallowtheseapps) +- [Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps](#privacy-letappsgetdiagnosticinfo-forcedenytheseapps) +- [Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps](#privacy-letappsgetdiagnosticinfo-userincontroloftheseapps) +- [Privacy/LetAppsRunInBackground](#privacy-letappsruninbackground) +- [Privacy/LetAppsRunInBackground_ForceAllowTheseApps](#privacy-letappsruninbackground-forceallowtheseapps) +- [Privacy/LetAppsRunInBackground_ForceDenyTheseApps](#privacy-letappsruninbackground-forcedenytheseapps) +- [Privacy/LetAppsRunInBackground_UserInControlOfTheseApps](#privacy-letappsruninbackground-userincontroloftheseapps) +- [System/AllowFontProviders](#system-allowfontproviders) +- [Search/AllowSearchToUseLocation](#search-allowsearchtouselocation) +- [Security/RequireDeviceEncryption](#security-requiredeviceencryption) +- [Settings/AllowDateTime](#settings-allowdatetime) +- [Settings/AllowVPN](#settings-allowvpn) +- [System/AllowLocation](#system-allowlocation) +- [System/AllowTelemetry](#system-allowtelemetry) +- [Update/AllowAutoUpdate](#update-allowautoupdate) +- [Update/AllowUpdateService](#update-allowupdateservice) +- [Update/RequireDeferUpgrade](#update-requiredeferupgrade) +- [Update/RequireUpdateApproval](#update-requireupdateapproval) +- [Update/UpdateServiceUrl](#update-updateserviceurl) + + + +## Policies supported by Microsoft Surface Hub + +- [ApplicationDefaults/DefaultAssociationsConfiguration](#applicationdefaults-defaultassociationsconfiguration) +- [Bluetooth/AllowAdvertising](#bluetooth-allowadvertising) +- [Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode) +- [Bluetooth/AllowPrepairing](#bluetooth-allowprepairing) +- [Bluetooth/LocalDeviceName](#bluetooth-localdevicename) +- [Bluetooth/ServicesAllowedList](#bluetooth-servicesallowedlist) +- [Browser/AllowAddressBarDropdown](#browser-allowaddressbardropdown) +- [Browser/AllowCookies](#browser-allowcookies) +- [Browser/AllowDeveloperTools](#browser-allowdevelopertools) +- [Browser/AllowDoNotTrack](#browser-allowdonottrack) +- [Browser/AllowMicrosoftCompatibilityList](#browser-allowmicrosoftcompatibilitylist) +- [Browser/AllowPopups](#browser-allowpopups) +- [Browser/AllowSearchSuggestionsinAddressBar](#browser-allowsearchsuggestionsinaddressbar) +- [Browser/AllowSmartScreen](#browser-allowsmartscreen) +- [Browser/ClearBrowsingDataOnExit](#browser-clearbrowsingdataonexit) +- [Browser/ConfigureAdditionalSearchEngines](#browser-configureadditionalsearchengines) +- [Browser/DisableLockdownOfStartPages](#browser-disablelockdownofstartpages) +- [Browser/HomePages](#browser-homepages) +- [Browser/PreventLiveTileDataCollection](#browser-preventlivetiledatacollection) +- [Browser/PreventSmartScreenPromptOverride](#browser-preventsmartscreenpromptoverride) +- [Browser/PreventSmartScreenPromptOverrideForFiles](#browser-preventsmartscreenpromptoverrideforfiles) +- [Browser/SetDefaultSearchEngine](#browser-setdefaultsearchengine) +- [Camera/AllowCamera](#camera-allowcamera) +- [ConfigOperations/ADMXInstall](#configoperations-admxinstall) +- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth) +- [Connectivity/AllowConnectedDevices](#connectivity-allowconnecteddevices) +- [Cryptography/AllowFipsAlgorithmPolicy](#cryptography-allowfipsalgorithmpolicy) +- [Cryptography/TLSCipherSuites](#cryptography-tlsciphersuites) +- [Defender/AllowArchiveScanning](#defender-allowarchivescanning) +- [Defender/AllowBehaviorMonitoring](#defender-allowbehaviormonitoring) +- [Defender/AllowCloudProtection](#defender-allowcloudprotection) +- [Defender/AllowEmailScanning](#defender-allowemailscanning) +- [Defender/AllowFullScanOnMappedNetworkDrives](#defender-allowfullscanonmappednetworkdrives) +- [Defender/AllowFullScanRemovableDriveScanning](#defender-allowfullscanremovabledrivescanning) +- [Defender/AllowIntrusionPreventionSystem](#defender-allowintrusionpreventionsystem) +- [Defender/AllowIOAVProtection](#defender-allowioavprotection) +- [Defender/AllowOnAccessProtection](#defender-allowonaccessprotection) +- [Defender/AllowRealtimeMonitoring](#defender-allowrealtimemonitoring) +- [Defender/AllowScanningNetworkFiles](#defender-allowscanningnetworkfiles) +- [Defender/AllowScriptScanning](#defender-allowscriptscanning) +- [Defender/AllowUserUIAccess](#defender-allowuseruiaccess) +- [Defender/AvgCPULoadFactor](#defender-avgcpuloadfactor) +- [Defender/DaysToRetainCleanedMalware](#defender-daystoretaincleanedmalware) +- [Defender/ExcludedExtensions](#defender-excludedextensions) +- [Defender/ExcludedPaths](#defender-excludedpaths) +- [Defender/ExcludedProcesses](#defender-excludedprocesses) +- [Defender/PUAProtection](#defender-puaprotection) +- [Defender/RealTimeScanDirection](#defender-realtimescandirection) +- [Defender/ScanParameter](#defender-scanparameter) +- [Defender/ScheduleQuickScanTime](#defender-schedulequickscantime) +- [Defender/ScheduleScanDay](#defender-schedulescanday) +- [Defender/ScheduleScanTime](#defender-schedulescantime) +- [Defender/SignatureUpdateInterval](#defender-signatureupdateinterval) +- [Defender/SubmitSamplesConsent](#defender-submitsamplesconsent) +- [Defender/ThreatSeverityDefaultAction](#defender-threatseveritydefaultaction) +- [DeliveryOptimization/DOAbsoluteMaxCacheSize](#deliveryoptimization-doabsolutemaxcachesize) +- [DeliveryOptimization/DOAllowVPNPeerCaching](#deliveryoptimization-doallowvpnpeercaching) +- [DeliveryOptimization/DODownloadMode](#deliveryoptimization-dodownloadmode) +- [DeliveryOptimization/DOGroupId](#deliveryoptimization-dogroupid) +- [DeliveryOptimization/DOMaxCacheAge](#deliveryoptimization-domaxcacheage) +- [DeliveryOptimization/DOMaxCacheSize](#deliveryoptimization-domaxcachesize) +- [DeliveryOptimization/DOMaxDownloadBandwidth](#deliveryoptimization-domaxdownloadbandwidth) +- [DeliveryOptimization/DOMaxUploadBandwidth](#deliveryoptimization-domaxuploadbandwidth) +- [DeliveryOptimization/DOMinBackgroundQos](#deliveryoptimization-dominbackgroundqos) +- [DeliveryOptimization/DOMinDiskSizeAllowedToPeer](#deliveryoptimization-domindisksizeallowedtopeer) +- [DeliveryOptimization/DOMinFileSizeToCache](#deliveryoptimization-dominfilesizetocache) +- [DeliveryOptimization/DOMinRAMAllowedToPeer](#deliveryoptimization-dominramallowedtopeer) +- [DeliveryOptimization/DOModifyCacheDrive](#deliveryoptimization-domodifycachedrive) +- [DeliveryOptimization/DOMonthlyUploadDataCap](#deliveryoptimization-domonthlyuploaddatacap) +- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](#deliveryoptimization-dopercentagemaxdownloadbandwidth) +- [DeviceGuard/AllowKernelControlFlowGuard](#deviceguard-allowkernelcontrolflowguard) +- [Privacy/LetAppsGetDiagnosticInfo](#privacy-letappsgetdiagnosticinfo) +- [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](#privacy-letappsgetdiagnosticinfo-forceallowtheseapps) +- [Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps](#privacy-letappsgetdiagnosticinfo-forcedenytheseapps) +- [Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps](#privacy-letappsgetdiagnosticinfo-userincontroloftheseapps) +- [Privacy/LetAppsRunInBackground](#privacy-letappsruninbackground) +- [Privacy/LetAppsRunInBackground_ForceAllowTheseApps](#privacy-letappsruninbackground-forceallowtheseapps) +- [Privacy/LetAppsRunInBackground_ForceDenyTheseApps](#privacy-letappsruninbackground-forcedenytheseapps) +- [Privacy/LetAppsRunInBackground_UserInControlOfTheseApps](#privacy-letappsruninbackground-userincontroloftheseapps) +- [Security/RequireProvisioningPackageSignature](#security-requireprovisioningpackagesignature) +- [Security/RequireRetrieveHealthCertificateOnBoot](#security-requireretrievehealthcertificateonboot) +- [System/AllowFontProviders](#system-allowfontproviders) +- [System/AllowLocation](#system-allowlocation) +- [System/AllowTelemetry](#system-allowtelemetry) +- [TextInput/AllowIMELogging](#textinput-allowimelogging) +- [TextInput/AllowIMENetworkAccess](#textinput-allowimenetworkaccess) +- [TextInput/AllowInputPanel](#textinput-allowinputpanel) +- [TextInput/AllowJapaneseIMESurrogatePairCharacters](#textinput-allowjapaneseimesurrogatepaircharacters) +- [TextInput/AllowJapaneseIVSCharacters](#textinput-allowjapaneseivscharacters) +- [TextInput/AllowJapaneseNonPublishingStandardGlyph](#textinput-allowjapanesenonpublishingstandardglyph) +- [TextInput/AllowJapaneseUserDictionary](#textinput-allowjapaneseuserdictionary) +- [TextInput/AllowLanguageFeaturesUninstall](#textinput-allowlanguagefeaturesuninstall) +- [TextInput/ExcludeJapaneseIMEExceptJIS0208](#textinput-excludejapaneseimeexceptjis0208) +- [TextInput/ExcludeJapaneseIMEExceptJIS0208andEUDC](#textinput-excludejapaneseimeexceptjis0208andeudc) +- [TextInput/ExcludeJapaneseIMEExceptShiftJIS](#textinput-excludejapaneseimeexceptshiftjis) +- [TimeLanguageSettings/Set24HourClock](#timelanguagesettings-set24hourclock) +- [TimeLanguageSettings/SetCountry](#timelanguagesettings-setcountry) +- [TimeLanguageSettings/SetLanguage](#timelanguagesettings-setlanguage) +- [Update/AllowAutoUpdate](#update-allowautoupdate) +- [Update/AllowUpdateService](#update-allowupdateservice) +- [Update/AutoRestartNotificationSchedule](#update-autorestartnotificationschedule) +- [Update/AutoRestartRequiredNotificationDismissal](#update-autorestartrequirednotificationdismissal) +- [Update/BranchReadinessLevel](#update-branchreadinesslevel) +- [Update/DeferFeatureUpdatesPeriodInDays](#update-deferfeatureupdatesperiodindays) +- [Update/DeferQualityUpdatesPeriodInDays](#update-deferqualityupdatesperiodindays) +- [Update/DetectionFrequency](#update-detectionfrequency) +- [Update/PauseFeatureUpdates](#update-pausefeatureupdates) +- [Update/PauseQualityUpdates](#update-pausequalityupdates) +- [Update/ScheduleImminentRestartWarning](#update-scheduleimminentrestartwarning) +- [Update/ScheduleRestartWarning](#update-schedulerestartwarning) +- [Update/SetAutoRestartNotificationDisable](#update-setautorestartnotificationdisable) +- [Update/UpdateServiceUrl](#update-updateserviceurl) +- [Update/UpdateServiceUrlAlternate](#update-updateserviceurlalternate) + + -## Can be set using Exchange Active Sync (EAS) +## Policies that can be set using Exchange Active Sync (EAS) -[Browser/AllowBrowser](#browser-allowbrowser) -[Camera/AllowCamera](#camera-allowcamera) -[Connectivity/AllowBluetooth](#connectivity-allowbluetooth) -[Connectivity/AllowCellularDataRoaming](#connectivity-allowcellulardataroaming) -[Connectivity/AllowUSBConnection](#connectivity-allowusbconnection) -[DeviceLock/AllowSimpleDevicePassword](#devicelock-allowsimpledevicepassword) -[DeviceLock/AlphanumericDevicePasswordRequired](#devicelock-alphanumericdevicepasswordrequired) -[DeviceLock/DevicePasswordEnabled](#devicelock-devicepasswordenabled) -[DeviceLock/DevicePasswordExpiration](#devicelock-devicepasswordexpiration) -[DeviceLock/DevicePasswordHistory](#devicelock-devicepasswordhistory) -[DeviceLock/MaxDevicePasswordFailedAttempts](#devicelock-maxdevicepasswordfailedattempts) -[DeviceLock/MaxInactivityTimeDeviceLock](#devicelock-maxinactivitytimedevicelock) -[DeviceLock/MinDevicePasswordComplexCharacters](#devicelock-mindevicepasswordcomplexcharacters) -[DeviceLock/MinDevicePasswordLength](#devicelock-mindevicepasswordlength) -[Search/AllowSearchToUseLocation](#search-allowsearchtouselocation) -[Security/RequireDeviceEncryption](#security-requiredeviceencryption) -[System/AllowStorageCard](#system-allowstoragecard) -[System/TelemetryProxy](#system-telemetryproxy) -[Wifi/AllowInternetSharing](#wifi-allowinternetsharing) -[Wifi/AllowWiFi](#wifi-allowwifi) +- [Browser/AllowBrowser](#browser-allowbrowser) +- [Camera/AllowCamera](#camera-allowcamera) +- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth) +- [Connectivity/AllowCellularDataRoaming](#connectivity-allowcellulardataroaming) +- [Connectivity/AllowUSBConnection](#connectivity-allowusbconnection) +- [DeviceLock/AllowSimpleDevicePassword](#devicelock-allowsimpledevicepassword) +- [DeviceLock/AlphanumericDevicePasswordRequired](#devicelock-alphanumericdevicepasswordrequired) +- [DeviceLock/DevicePasswordEnabled](#devicelock-devicepasswordenabled) +- [DeviceLock/DevicePasswordExpiration](#devicelock-devicepasswordexpiration) +- [DeviceLock/DevicePasswordHistory](#devicelock-devicepasswordhistory) +- [DeviceLock/MaxDevicePasswordFailedAttempts](#devicelock-maxdevicepasswordfailedattempts) +- [DeviceLock/MaxInactivityTimeDeviceLock](#devicelock-maxinactivitytimedevicelock) +- [DeviceLock/MinDevicePasswordComplexCharacters](#devicelock-mindevicepasswordcomplexcharacters) +- [DeviceLock/MinDevicePasswordLength](#devicelock-mindevicepasswordlength) +- [Search/AllowSearchToUseLocation](#search-allowsearchtouselocation) +- [Security/RequireDeviceEncryption](#security-requiredeviceencryption) +- [System/AllowStorageCard](#system-allowstoragecard) +- [System/TelemetryProxy](#system-telemetryproxy) +- [Wifi/AllowInternetSharing](#wifi-allowinternetsharing) +- [Wifi/AllowWiFi](#wifi-allowwifi) - - ## Examples Set the minimum password length to 4 characters. diff --git a/windows/client-management/mdm/tpmpolicy-csp.md b/windows/client-management/mdm/tpmpolicy-csp.md new file mode 100644 index 0000000000..239e679672 --- /dev/null +++ b/windows/client-management/mdm/tpmpolicy-csp.md @@ -0,0 +1,55 @@ +--- +title: TPMPolicy CSP +description: TPMPolicy CSP +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# TPMPolicy CSP + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +The TPMPolicy configuration service provider (CSP) provides a mechanism to enable zero exhaust configuration on a Windows device for TPM software components. Zero exhaust is defined as no network traffic (telemetry or otherwise, such as downloading background images, Windows Updates, etc.) from Windows and inbox applications to public IP addresses unless directly intended by the user. This allows the enterprise admin to configure devices where no network communication is initiated by the system without explicit approval. + +The TPMPolicy CSP was added in Windows 10, version 1703. + +The following diagram shows the TPMPolicy configuration service provider in tree format. + +![tpmpolicy csp](images/provisioning-csp-tpmpolicy.png) + +**./Device/Vendor/MSFT/TPMPolicy** +

    Defines the root node.

    + +**IsActiveZeroExhaust** +

    Boolean value that indicates whether network traffic from the device to public IP addresses are not allowed unless directly intended by the user (zero exhaust). Default value is false. Some examples when zero exhaust is configured:

    + + + +Here is an example: + +``` syntax +                +                    101 +                    +                        +                            +                                ./Vendor/MSFT/TpmPolicy/IsActiveZeroExhaust +                            +                        +                         + bool +               text/plain +        +        true +                     +                 +``` \ No newline at end of file diff --git a/windows/client-management/mdm/tpmpolicy-ddf-file.md b/windows/client-management/mdm/tpmpolicy-ddf-file.md new file mode 100644 index 0000000000..35a90ff87b --- /dev/null +++ b/windows/client-management/mdm/tpmpolicy-ddf-file.md @@ -0,0 +1,71 @@ +--- +title: TPMPolicy DDF file +description: TPMPolicy DDF file +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# TPMPolicy DDF file + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +This topic shows the OMA DM device description framework (DDF) for the **TPMPolicy** configuration service provider. The TPMPolicy CSP was added in Windows 10, version 1703. + +The XML below is the current version for this CSP. + +``` syntax + +]> + + 1.2 + + TPMPolicy + ./Vendor/MSFT + + + + + + + + + + + + + + + com.microsoft/1.0/MDM/TPMPolicy + + + + IsActiveZeroExhaust + + + + + + False + + + + + + + + + + + text/plain + + + + + +``` \ No newline at end of file diff --git a/windows/device-security/windows-security-baselines.md b/windows/device-security/windows-security-baselines.md deleted file mode 100644 index f62ee298ba..0000000000 --- a/windows/device-security/windows-security-baselines.md +++ /dev/null @@ -1,74 +0,0 @@ ---- -title: Windows security baselines (Windows 10) -description: Use this topic to learn what security baselines are and how you can use them in your organization to help keep your devices secure. -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -localizationpriority: high -author: brianlic-msft ---- - -# Windows security baselines - -**Applies to** - -- Windows 10 -- Windows Server 2016 -- Windows Server 2012 R2 - -Microsoft is dedicated to provide our customers with a secure operating system, such as Windows 10 and Windows Server, as well as secure apps, such as Microsoft Edge. In addition to the security assurance of its products, Microsoft also enables you to have fine control of your environments by providing various configuration capabilities. Even though Windows and Windows Server are designed to be secure out-of-the-box, a large number of organizations still want more granular control of their security configurations. To navigate these large number of controls, organizations need guidance for configuring various security features. Microsoft provides this guidance in the form of security baselines. - -We recommend implementing an industry-standard configuration that is broadly known and well-tested, such as a Microsoft security baseline, as opposed to creating one yourself. This helps increase flexibility and reduce costs. - - > [!NOTE] - > Microsoft Security Compliance Manager 4.0 is available from the [Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=53353). - -## What are security baselines? - -Every organization faces security threats. However, the types of security threats that are of most concern to one organization can be completely different from another organization. For example, an e-commerce company may focus on protecting their Internet-facing web apps, while a hospital may focus on protecting confidential patient information. The one thing that all organizations have in common is a need to keep their apps and devices secure. These devices must be compliant with the security standards (or security baselines) defined by the organization. - -A security baseline is a collection of settings that have a security impact and include Microsoft’s recommended value for configuring those settings along with guidance on the security impact of those settings. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and -customers. - -## Why are security baselines needed? - -Security baselines are an essential benefit to customers because they bring together expert knowlege from Microsoft, partners, and customers. - -For example, there are over 3,000 Group Policy settings for Windows 10, which does not include over 1,800 Internet Explorer 11 settings. Of those 4,800 settings, only some of them are security-related. While Microsoft provides extensive guidance on different security features, going through each of them can take a long time. You would have to determine the security impact of each setting on your own. After you've done that, you still need to determine what values each of these settings should be. - -In modern organizations, the security threat landscape is constantly evolving. IT pros and policy makers must keep current with security threats and changes to Windows security settings to help mitigate these threats. - -To help faster deployments and increase the ease of managing Windows, Microsoft provides customers with security baselines that are available in formats that can be consumed, such as Group Policy Objects backups. - -## How can you use security baselines? - - You can use security baselines to: - - - Ensure that user and device configuration settings are compliant with the baseline. - - Set configuration settings. For example, you can use Group Policy, System Center Configuration Manager, or Microsoft Intune to configure a device with the setting values specified in the baseline. - -## Where can I get the security baselines? - - Here's a list of security baselines that are currently available. - - > [!NOTE] - > If you want to know what has changed with each security baseline, or if you want to stay up-to-date on what’s happening with them, check out the [Microsoft Security Guidance](http://blogs.technet.microsoft.com/secguide) blog. - -### Windows 10 security baselines - - - [Windows 10, version 1607 and Windows Server 2016 security baseline](https://go.microsoft.com/fwlink/?linkid=831663) - - [Windows 10, Version 1511 security baseline](https://go.microsoft.com/fwlink/p/?LinkID=799381) - - [Windows 10, Version 1507 security baseline](https://go.microsoft.com/fwlink/p/?LinkID=799380) - -### Windows Server security baselines - - - [Windows 10, version 1607 and Windows Server 2016 security baseline](https://go.microsoft.com/fwlink/?linkid=831663) - - [Windows Server 2012 R2 security baseline](https://go.microsoft.com/fwlink/p/?LinkID=799382) - -## How can I monitor security baseline deployments? - -Microsoft’s Operation Management Services (OMS) helps you monitor security baseline deployments across your servers. To find out more, check out [Operations Management Suite](https://aka.ms/omssecscm). - -You can use [System Center Configuration Manager](https://www.microsoft.com/cloud-platform/system-center-configuration-manager) to monitor security baseline deployments on client devices within your organization. - \ No newline at end of file